@garow @twann I distrust Cloudflare's certificates https://www.ssl.com/how-to/remove-root-certificate-firefox/ and I block all of their domains using the hosts file and in uBlock Origin.
You may also want to use Tor as your DNS resolver or block Cloudflare at the DNS level with something like a Pi-hole.
So you're blocking 17.7% of ALL websites.
I'd be interested to know what benefits that brings.
And ok, let's say that somehow you trust Cloudflare, even in that case it's a huge security and privacy vulnerability since there could be a data breach.
Come on. I call bullshit.
The whole point of SSL certificates is to prevent man in the middle attacks.
Are you seriously saying that if I log in (using https) to one of my WordPress sites, and its DNS is at Cloudflare, that Cloudflare can get my username and password from the encrypted https POST?
I think you're misinterpreting things completely.
OK, did some more reading & checked my browser, and yes, it seems the browser-cloudflare route is governed by Cloudflare's own SSL cert, then the cloudflare-server route is governed by my server SSL cert.
So yes, I have to concede that CF could, if it chose, see my traffic.
However, considering the reputation they have to protect, I'm not going to lose sleep over it. If I didn't trust them I wouldn't use them in the first place.
Cloudflare is incompatible with privacy. And they demonstrate it with their acts:
It's impossible to access a Cloudflare site using Tor, the same for VPNs.
If you're using fingerprinting-resistant techniques they make you solve annoying reCAPTCHAs.
@fossil @werwolf @shitpisscum @twann @garow I must say from the outside I'm a little sad about how this conversation went. You came in with 'citation needed', were given a citation; moved goalposts to 'that's not how I use it', were shown that it *is* how you use it; moved goalposts to 'they're big enough that I trust them inherently' and are now discussing js shenanigans instead.
It really feels like the privacy paradox condensed into one conversation.
1. No goalposts were shifted even a millimetre.
2. OP's explanations were so poor that I had to read elsewhere to understand the issue.
3. My trust of CF is not based on size and is not inherent.
4. It wasn't me who introduced JS into the conversation. It was Mr Tinhat Fingerprint.
I'm going to block you all shortly since this conversation is no longer sparking joy.
@fossil @marty @shitpisscum @twann @garow @thenewoil Mr tinhat? You've made clear that you can't be taken seriously. You may have blocked by now, but just in case here are some external references so you can read more about Cloudflare's hostility towards privacy:
@werwolf whoa! I'm not sure how practical it is to block all CF domains (don't they tend to grow over time?), but stripping their deceitful, downright-betraying SSL from your trust list sounds like a great start.
Definitely will give it a try and see how bad the web *really* is today.