be like:

β€œOh, your browser seems to resist fingerprinting. Let's show you this so that you are forced to enable in order to access the website.”

> Most browser technologies use Javascript.

@werwolf @twann how do you block them? How do you know the site your are visiting is hosted by #Cloudflare

Follow

@garow @twann I distrust Cloudflare's certificates ssl.com/how-to/remove-root-cer and I block all of their domains using the hosts file and in uBlock Origin.

You may also want to use Tor as your DNS resolver or block Cloudflare at the DNS level with something like a Pihole

Β· Β· Tusky Β· 5 Β· 7 Β· 5

@werwolf @garow @twann

So you're blocking 17.7% of ALL websites.

I'd be interested to know what benefits that brings.

w3techs.com/technologies/detai

@fossil @garow @twann privacy benefits, since Cloudflares can see all your traffic in plain text even when using https, including usernames, passwords and other sort of sensitive data.

They're Tor and VPN hostile, they waist your time solving captchas and they make you enable JavaScript so you they can fingerprint you.

And ok, let's say that somehow you trust Cloudflare, even in that case it's a huge security and privacy vulnerability since there could be a data breach.

@fossil @garow @twann but the biggest concern is that they're centralizing the internet and making it harder and harder to be anonymous online.

Any site using Cloudflare isn't secure or private, so it's better to just block them.

@werwolf @garow @twann
"Cloudflares can see all your traffic in plain text even when using https, including usernames, passwords and other sort of sensitive data."

I'd love a citation for that.

@fossil @werwolf @garow @twann It's literally no their website, they decrypt all HTTPS traffic. There's even the "flexible" option where the visitor connects to Cloudflare over HTTPS but they connect to the origin web server over plaintext HTTP (although they say it's not recommended)
https://support.cloudflare.com/hc/en-us/articles/200170416-End-to-end-HTTPS-with-Cloudflare-Part-3-SSL-options

@shitpisscum @twann @werwolf @garow

That certainly doesn't describe my use of Cloudflare. I have my own SSL certificates on my own servers. Cloudflare just holds the DNS records and proxies them. Still not sure how Cloudflare can decrypt my traffic.

@fossil @twann @werwolf @garow If it's just DNS it shouldn't be an issue, I was talking about sites that are proxying entire traffic through Cloudflare. Like, the DNS records point directly to your hosting and not to Cloudflare, right?

@shitpisscum @twann @werwolf @garow

Well yes obviously. I set up my A and CNAME records in Cloudflare, they point at my servers (which have my SSL certs and webapps on them), and Cloudflare proxies them so no-one knows the server IP. I thought everyone used it that way.

@fossil @twann @werwolf @garow
>Cloudflare proxies them so no-one knows the server IP
Then it's decrypting HTTPS. Say I'm loading your website. I'm establishing the encrypted connection to Cloudflare's proxy, which then makes a separate encrypted connection to your server. It's decrypted and then re-encrypted by them. Note the "session key" on the following graph. And yes, that's how most people use Cloudflare.
One more thing, how do you think tools like CSAM scanner work witout decrypting traffic?
https://blog.cloudflare.com/the-csam-scanning-tool/

@shitpisscum @twann @werwolf @garow

Come on. I call bullshit.

The whole point of SSL certificates is to prevent man in the middle attacks.

Are you seriously saying that if I log in (using https) to one of my WordPress sites, and its DNS is at Cloudflare, that Cloudflare can get my username and password from the encrypted https POST?

I think you're misinterpreting things completely.

@werwolf @shitpisscum @twann @garow

OK, did some more reading & checked my browser, and yes, it seems the browser-cloudflare route is governed by Cloudflare's own SSL cert, then the cloudflare-server route is governed by my server SSL cert.

So yes, I have to concede that CF could, if it chose, see my traffic.

However, considering the reputation they have to protect, I'm not going to lose sleep over it. If I didn't trust them I wouldn't use them in the first place.

@fossil @shitpisscum @twann @garow The reputation of being one of the biggest privacy violators of the modern internet?

Cloudflare is incompatible with privacy. And they demonstrate it with their acts:

If you have JavaScript disabled, they'll make you enable it so they can fingerprint you.

It's impossible to access a Cloudflare site using Tor, the same for VPNs

If you're using fingerprinting resistant techniques they make you solve annoying recaptchas

@werwolf @shitpisscum @twann @garow

I access my sites with JS disabled all the time. Nothing stops me. Really not sure what you're getting at.

@fossil @werwolf @shitpisscum @twann @garow I must say from the outside I'm a little sad about how this conversation went. You came in with 'citation needed', were given a citation; moved goalposts to 'that's not how I use it', were shown that it *is* how you use it; moved goalposts to 'they're big enough that I trust them inherently' and are now discussing js shenanigans instead.

It really feels like the privacy paradox condensed into one conversation.
blog.thenewoil.xyz/the-privacy

@thenewoil

@marty @werwolf @shitpisscum @twann @garow @thenewoil

1. No goalposts were shifted even a millimetre.

2. OP's explanations were so poor that I had to read elsewhere to understand the issue.

3. My trust of CF is not based on size and is not inherent.

4. It wasn't me who introduced JS into the conversation. It was Mr Tinhat Fingerprint.

I'm going to block you all shortly since this conversation is no longer sparking joy.

@fossil @marty @werwolf @twann @garow @thenewoil
>I'd love a citation for that
gets citation
>I call bullshit
>Ok I did some more rading and looks like you're right
>I'm going to block you all
I mean, if you really want... Β―\_(ツ)_/Β―

Also this thread made me realize there's probably a lot of people using CloudFlare like you without even being aware how it works

@fossil @marty @shitpisscum @twann @garow @thenewoil Mr tinhat? You've made clear that you can't be taken seriously. You may have blocked by now, but just in case here are some external references so you can read more about Cloudflare's hostility towards privacy:

crimeflare.net:83/cfssl.html

git.nogafam.es/deCloudflare/de

You're sparking short-term joy by burning down your long-term foundations.

@twann @garow domains owned by Cloudflare or domains under Cloudflare services?

@werwolf whoa! I'm not sure how practical is to block all CF domains (don't they tend to grow over time?), but stripping their deceitful, downright-betraying SSL from your trust list sounds like a great start.

Definitely will give it a try and see how bad the web *really* is today.

Sign in to participate in the conversation
Fosstodon

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.