This part seems pretty pertinent to this site considering its political nature:
Cloudflare poses a huge risk by completely breaking the TLS/SSL chain used by browsers by setting itself up as a man in the middle. Cloudflare doesn’t do actual DDoS protection, they just make the request to the origin server for you. Once they have received the data, they decrypt it and re-encrypt it with their own certificate. This means that Cloudflare has access to all requests in plain text and can optionally modify the data you see. TLS/SSL is meant to prevent this very issue, but Cloudflare seems to care very little.
Even if we were to consider Cloudflare a benevolent entity that would surely never modify any data, this is still an issue. Much data can be mined from the plain text communications between you and the origin server. This data can be used for all kinds of purposes. It is not uncommon for the USA government to request a massive amount of surveillance information from companies without the companies being able to speak up about it due to a gag order. This has become clear once more with the subpoena on Signal. It should be clear to anyone that end-to-end encryption has to be a standard and implemented properly. Cloudflare goes out of its way to break this implementation.
Considering that this site uses Cloudflare, I don't think it would be great if the feds could intercept all of our passwords and impersonate us.
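The quoted article's point is that a TLS-terminating proxy holds every request body in the clear between the two TLS sessions it runs (one to the visitor, one to the origin). The simulation below is an added example, not code from the thread or from any of the services it mentions. It models the proxy as a pass-through that can log what it decrypted, then compares a login that relies on TLS alone with one that adds an application-layer end-to-end envelope the proxy cannot open. The cipher is a stdlib-only toy (HMAC-SHA256 keystream plus an HMAC tag) standing in for a real AEAD such as AES-GCM, and it assumes the client and origin already share a key that was never exchanged through the proxy; the user name, password and key are constructed sample values.

```python
"""Added example: why TLS termination at a CDN exposes plaintext, and how an
application-layer end-to-end envelope keeps the proxy blind.  Toy cipher only;
a real deployment would use an AEAD from a vetted library."""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the one shared secret.
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def e2e_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def e2e_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; any modification in transit is rejected."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message modified in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class TerminatingProxy:
    """Models a CDN/reverse proxy that terminates the visitor's TLS session.
    The handshakes are not simulated; what matters is that once the proxy has
    stripped TLS it holds the HTTP body in the clear, can log or alter it, and
    only then re-encrypts it on its own separate session to the origin."""

    def __init__(self):
        self.cleartext_log = []

    def forward(self, body: bytes) -> bytes:
        self.cleartext_log.append(body)  # what a subpoena or an insider could read
        return body                       # forwarded to the origin unchanged here


def proxy_saw(proxy: TerminatingProxy, secret: str) -> bool:
    """Did the secret appear anywhere in the proxy's decrypted view?"""
    needle = secret.encode()
    return any(needle in entry for entry in proxy.cleartext_log)


def login_tls_only(proxy: TerminatingProxy, password: str) -> str:
    """Ordinary site: the form body is protected only by TLS, which ends at the proxy."""
    body = json.dumps({"user": "alice", "password": password}).encode()  # constructed
    origin_view = proxy.forward(body)
    return json.loads(origin_view)["password"]  # what the origin reads


def login_e2e(proxy: TerminatingProxy, shared_key: bytes, password: str) -> str:
    """Same login, but the body is sealed with a key the proxy never held."""
    body = e2e_encrypt(shared_key, json.dumps({"user": "alice", "password": password}).encode())
    origin_view = proxy.forward(body)
    return json.loads(e2e_decrypt(shared_key, origin_view))["password"]


if __name__ == "__main__":
    key = b"constructed-shared-key-not-seen-by-proxy"
    p1, p2 = TerminatingProxy(), TerminatingProxy()
    login_tls_only(p1, "hunter2")
    login_e2e(p2, key, "hunter2")
    print("TLS only - proxy saw password:", proxy_saw(p1, "hunter2"))
    print("E2E layer - proxy saw password:", proxy_saw(p2, "hunter2"))
```

The caveat that matters for a web forum: if the client-side code doing the sealing is JavaScript served through the same proxy, the proxy is in a position to replace it, which is exactly the "can optionally modify the data you see" risk in the quoted article. An end-to-end layer only holds up when the client software and the shared key reach the user by a path the proxy does not control.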
Cloudflare is always suboptimal, but the other option is having no site because it gets DDoSed to hell every day ending in y.
Even considering your false premise of "no Cloudflare = no site", it would legitimately be better to have no site than a compromised site considering this site's political nature.
This site routinely advocates for the overthrowing of the American government. It would be very unwise to use an American company's service while doing so.
And it is not like there'd be no site if this site were without Cloudflare. There are plenty of actual anti-DDoS services that actually filter out DDoS attacks. This point is even refuted in the linked article:
And this article, which is linked in the linked article, goes into further detail on how Cloudflare doesn't even protect against DDoS attacks:
Cloudflare will literally kick you off their service and gouge you for money if you get attacked for long enough. This is not DDoS protection, this is literally giving in to the DDoSers! And even worse, they're gouging you for money while failing in their initial purpose!
Meanwhile: there are actual DDoS mitigation services that actually do what they are supposed to do:
And if you must use a Cloudflare-esque Varnish-as-a-service service, then please at least use something not located in the US (or any Five Eyes country (Australia, Canada, New Zealand, United Kingdom, United States) for that matter)! If you really must, then I would recommend using DDoS-Guard which is based in Russia and offers pretty much identical services to Cloudflare.
TL;DR: All of the "problems" solved by Cloudflare are solved better and more efficiently by other services. Use them instead.
You should post this whole comment as a new post in !feedback@hexbear.net
Done (with large additions): https://hexbear.net/post/126181