@kev I hate it because of the captcha implementation it does. That one is sooo annoying that even I am annoyed by how frequent it is
@kev it seems that some people take offence at the way it operates by terminating TLS connections. This obviously breaks the trust of TLS as now the connection is between you and Cloudflare and no longer you and the site owner. (At the same time people might not mind hosting providers like wordpress.com which also terminate TLS sessions on someone's behalf.)
Another critique point is of course the never-ending CAPTCHA thingy.
@sheogorath great point. I know I’d personally prefer it if my TLS chain wasn’t MiTM, especially when services like Let’s Encrypt exist.
I suppose what’s important here is to understand what they’re doing with that data when they carry out TLS inspection.
@kev Privacy reasons. I am forced to trust that they are not collecting, selling, or processing my data and especially meta data.
@floppy that’s hyperbolic IMO. That’s the same for any service, with any provider. It’s not unique to Cloudflare.
@kev Any service can collect data, yes, but CDN has access to different data. I respectfully object that this is hyperbolic.
Separate web services can collect data separately for their own use. A CDN backing those services can associate and correlate separate requests to several services. It possesses an overview of what collection of services are used by an individual, which is information that cannot be acquired trivially by individual services.
@kev Depending on how the CDN is integrated, it can collect more or less meta data, e.g. when were requests made (and when not). Meta data can be used for creepy correlations to work out e.g. when somebody is on holidays, who your friends are, or what you like. Due to the various sources for the CDN, the available meta data is more potent.
@kev Yes, here I may get a bit hyperbolic regarding what intentions I assume. Problem is: The technical possibilities exist. I don't see any technical limitations that make abuse impossible. So I am required to trust, which I don't think is a good model in this case.
@floppy @kev @be @MindOfJoe Decentraleyes is a bit different, because it replaces CDN for third-party resources. Thankfully, browsers nowadays use first-party isolation, so third-party resources leak very little information to the CDN (the CDN can’t just set a cookie when you browse one site and retrieve it when you browse another). Probably the largest vulnerability would be the CDN injecting malicious code, but that can be avoided by the developers with subresource integrity. That is not to say that local CDN emulation is not useful (that’s one fewer HTTP request to analyze and correlate, at the very least), but it can’t do much against willful MITM use for first-party resources, where the request may carry much more relevant information (like usernames, first-party cookies and session IDs).
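The subresource integrity check mentioned in the post above, as an added example that is not part of the original thread: it computes an `integrity` value, verifies fetched bytes against it using only the strongest listed algorithm, and lists cross-origin scripts and stylesheets in a page that carry no hash. The host names, file names and sample page are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

def sri_value(body: bytes, alg: str = "sha384") -> str:
    """Build the value for an integrity="..." attribute."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

def sri_matches(body: bytes, integrity: str) -> bool:
    """Check bytes against integrity metadata; only the strongest algorithm counts."""
    parsed = []
    for token in integrity.split():
        alg, _, rest = token.partition("-")
        if alg in STRENGTH and rest:
            parsed.append((alg, rest.split("?")[0]))  # drop optional ?options
    if not parsed:
        # No usable hash: a browser would load the resource unchecked,
        # so an audit reports this as a failure.
        return False
    best = max(STRENGTH[a] for a, _ in parsed)
    return any(sri_value(body, a) == f"{a}-{h}"
               for a, h in parsed if STRENGTH[a] == best)

class SriAudit(HTMLParser):
    """Collect cross-origin scripts/stylesheets that have no integrity attribute."""
    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host
        self.unprotected = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = None
        if tag == "script":
            url = a.get("src")
        elif tag == "link" and a.get("rel") == "stylesheet":
            url = a.get("href")
        host = urlparse(url).hostname if url else None
        if host not in (None, self.site_host) and not a.get("integrity"):
            self.unprotected.append(url)

def audit(html: str, site_host: str) -> list:
    parser = SriAudit(site_host)
    parser.feed(html)
    return parser.unprotected

# Constructed sample data: a library body and a page that references it.
LIB = b"window.lib = function () { return 1; };\n"
PAGE = f'''<script src="https://cdn.example/lib.js" integrity="{sri_value(LIB)}" crossorigin="anonymous"></script>
<script src="https://cdn.example/other.js"></script>
<script src="/local.js"></script>'''
```

This only covers third-party resources fetched from a CDN; it does nothing for first-party traffic that passes through a TLS-terminating proxy, which is the case the post goes on to describe.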
@MindOfJoe @be @floppy @kev Yeah, probably only the names of resources requested close to each other (or in the same TLS connection) would be most of the time enough to identify the site a given IP address is visiting. Although with aggressive enough browser caching, that fingerprinting vector can be plugged up, but then you’d have just created another one.
Re: cloudflare, privacy
@kev @floppy Their quantity has a quality of its own. Due to the sheer number of sites they MITM, they have a nearly exceptional ability to correlate and analyze user behavior across sites. Granted, a site may still choose to share data with trackers and data aggregators, which gives aggregators the same correlation ability, but at least that’s overt, while sites opting to use a CDN with MITM inadvertently give away connection data for free (or even pay for the ‘privilege’).
@kev 13 minutes and already we found factual reasons to hate them. Says much about how people hate it dontcha think?
@kev they act as a MITM, Cloudflare decrypts all your traffic. All the usernames, passwords, have passed in plain text through cloudflare’s server.
Here you have more information about Cloudflare
@werwolf yeah, I know that Cloudflare basically MiTM your traffic, but that's the same as any corporation who uses systems like Alteon to do SSL inspection.
It's what they do with that data that counts - which the link you posted doesn't offer any credible sources.
I agree that we should assume worst case and hope for best case and that's where the layered InfoSec comes in - unique passwords, multi-factor etc.
@kev since we don't know what's running at cloudflare's servers we should assume that Cloudflare is malware. That's why I have it blocked on my browser and I distrust Cloudflare's certs.
@werwolf if that's the case, you should probably block traffic to the vast majority of large enterprises too, as many of them do content inspection too.
@kev yeah, I try to do it. I have my Pihole blocking a ton of dangerous domains and hosts. Then on my browser I have uBlock Origin blocking third parties by default and with custom filter lists.
Sometimes when I really need to use a site that's broken I may make an exception. But only if it's completely necessary.
@kev Urgh...thank you for asking that. I've asked this question for myself, too.
People often say, it was "the biggest privacy abuser", while linking to some dubious websites and Github comments/READMEs (!)
@kev I’m personally a bit torn. Cloudflare have done many good things, such as making it easy for website operators to use HTTPS, help haveibeenpwned with caching (for free!), and recently help keep icanhazip online.
At the same time their spam filtering is way too aggressive. It was rare, but I sometimes couldn’t open websites while I lived in the Philippines because of Cloudflare’s filtering. That’s my primary reason for disliking them.
Because it’s an exponential improvement over plain HTTP.
Because it’s infinitely easier to set up than managing certs on your servers.
Because Cloudflare doesn’t have a business incentive to read the traffic going through their servers.
Because it’s only Cloudflare and your server communicating through HTTP, all other connections are encrypted.
@kev people in this sphere can be self-important, and paranoid. But this is anecdotal based on what I see.
As in: major trust issues. I often see that they view Cloudflare’s infrastructure as a MitM. Especially using their edge network for CDN or for proxy.
Also as in: believing ideology comes at the expense of infrastructure. “Cloudflare is for profit, trust is implicit, they are not FOSS, and therefore should be abandoned.” When that’s not how the rest of the world thinks, acts or does work.
@kev It's quite interesting how the thread escalated. And a lot of it is a bit like anti-vaxxer discussions.
"The vaccines are evil because the pharma industry is evil."
I mean, … In this discussion I feel like I have to defend Cloudflare many times, just because a lot of people completely overshoot the target. Cloudflare are sure not angels, but they also don't sit in their little office, thinking about how to bring terror into the world.
What a bee nest…
There’s plenty of tinfoil hatters or people who spiral down the literal dementia that is “everyone wants to watch you, they’re stealing your information, you have no control, the govt and corps are out to get us.”
And suddenly we have libre vegan hippie kind of ideologies that are more of a pain to accommodate or involve than they are to sideline in the name of normal users, profit and greater adoption.
Corps and govts aren’t saints.
“No. You’re not being watched by the govt because you like free software.
You’re not being watched for knowing how a computer works and believing you should control it.
You’re being watched by the government if for ANYTHING, it’s for being a crazy (expletive) that goes online and advocates instability through “fighting for information freedom” and aggressively pushing extreme opinions on the government.”
@kev for me it was because if Cloudflare has any issues then my site could be down and it's completely out of my control.
Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.