This part seems pretty pertinent to this site considering its political nature:

Cloudflare poses a huge risk by completely breaking the TLS/SSL chain used by browsers by setting itself up as a man in the middle. Cloudflare doesn’t do actual DDoS protection, they just make the request to the origin server for you. Once they have received the data, they decrypt it and re-encrypts it with their own certificate. This means that Cloudflare has access to all requests in plain text and can optionally modify the data you see. TLS/SSL is meant to prevent this very issue, but Cloudflare seems to care very little.

If we would consider Cloudflare to be a benevolent entity and surely never modify any data ever, this is still an issue. Much data can be mined from the plain text communications between you and the origin server. This data can be used for all kinds of purposes. It is not uncommon for the USA government to request a massive amount of surveillance information from companies without the companies being able to speak up about it due to a gag order. This has become clear once more by the subpoena on Signal. It should be clear to anyone that end-to-end encryption has to be a standard and implemented properly. Cloudflare goes out of its way to break this implementation.

Considering that this site uses Cloudflare, I don't think it would be great if the feds could intercept all of our passwords and impersonate us.

    • IlIlIlIlIlIlIl [any]
      hexagon
      ·
      edit-2
      3 years ago

      No. Because the thing is: you're not connecting to the Hexbear servers at all; you're connecting to Cloudflare which then (decrypts your request) makes requests to Hexbear's servers (and then decrypts the response to send back to you) on your behalf. Since you're not connecting to Hexbear's servers at all, the status of its cert is completely irrelevant.

      • SolidaritySplodarity [they/them]
        ·
        3 years ago

        My understanding is that a site user's browser will ask for the cert and validate it before setting up a TLS session. The order would be domain -> resolved to IP -> ask for and check cert -> sign session request with cert public key -> server sets up TLS session. I've never used Cloudflare, but I assume it operates by setting up your DNS records to point to their servers and you set up proxy things on your Cloudflare account.

        Cloudflare would need to furnish a Hexbear.net cert, according to my possibly flawed logic. The part where I get confused is how that could work, have mitm, and not have Cloudflare have the private key. If it's just proxying the initial cert request, it won't have the private key (it's only on the server in this scenario) so it can't decrypt. To decrypt, it needs to have a provided hexbear private key or be handling all of TLS itself, providing its very own cert for hexbear.net, with Hexbear not handling TLS to users at all. Instead, it might implemented TLS just for hexbear<->Cloudflare connections when requests are sent between them. I must be going wrong somewhere.

        Sorry if this is tedious or doesn't make sense and thanks for your patience!