fosstodon.org is one of the many independent Mastodon servers you can use to participate in the fediverse.
Fosstodon is an invite only Mastodon instance that is open to those who are interested in technology; particularly free & open source software. If you wish to join, contact us for an invite.

I'm kinda annoyed at #lemmyworld tbh. More often than not I get random errors when I want to check it out. I think I'll just move to lemm.ee. I wish we could just move our accounts like on Mastodon. It's a hassle resubscribing to everything. #lemmy

If you’re concerned about username & password being shared, you should certainly avoid both #Fosstodon & #LemmyWorld. They are both centralized in #Cloudflare so your acct creds are exposed to Cloudflare Inc. every time you log in, along with all your traffic.

@bojkotiMalbona I'd love to understand how that's the case? We don't use Cloudflare's certificates (which is basically MiTM). So they can't content inspect any traffic that traverses their infra.

CF is basically a DNS provider for us, and we turn on the anti-DDoS stuff if/when we need it. We don't even proxy through their service when we're not under attack.

Please get your facts straight before spreading FUD. 👍

@kev I’ve detected a bit of intellectual dishonesty here. #Fosstodon used the standard default #Cloudflare configs as early as March & for months thereafter, certainly at least as late as May 29th confirmed by someone’s complaint specifically about the block screen. The timeline shows complaints about CF are littered around before & after that point. If you expand some of the threads in that timeline, it’s clear the default CF configs persisted despite Fosstodon staff being told that the default configs were resulting in users being forced to run non-free software & that the configs needed to change. That change never happened because I know I saw the block screen whenever I tried to directly visit fosstodon.

Fosstodon finally made a recent move from CF proxy to CF NS, which was just yesterday announced, a day after my post. I am not checking every day to see what fosstodon does next.

Under the current config, you can spontaneously switch on the CF reverse proxy at any moment with immediate effect without even telling users all their traffic will be seen by Cloudflare (including passwords). It’s in fact the only way that the reverse proxy can work. If you don’t use the MitM certs, CF cannot process the requests for you during an attack.

So the compromise is still in place. The only difference is that now it’s spontaneous instead of continuously ongoing. And most likely you’ve probably not fixed the CF configs, so when you flip that switch users will get a captcha that pushes #nonfreesoftware. The goal should be to get off CF entirely including nameservers.

Kev Quirk

@bojkotiMalbona didn’t read your full comment as I’m short on time. We turned off the proxy about 2 months ago I think.

No dishonesty here, we never hid the fact we used Cloudflare, proxy or anything else. But you think what you like. 🤷‍♂️