This part seems pretty pertinent to this site considering its political nature:

Cloudflare poses a huge risk by completely breaking the TLS/SSL chain used by browsers, setting itself up as a man in the middle. Cloudflare doesn't do actual DDoS protection; they just make the request to the origin server for you. Once they have received the data, they decrypt it and re-encrypt it with their own certificate. This means that Cloudflare has access to all requests in plain text and can optionally modify the data you see. TLS/SSL is meant to prevent this very issue, but Cloudflare seems to care very little.

Even if we were to consider Cloudflare a benevolent entity that would surely never modify any data, this would still be an issue. Much data can be mined from the plain-text communications between you and the origin server, and this data can be used for all kinds of purposes. It is not uncommon for the US government to request a massive amount of surveillance information from companies without the companies being able to speak up about it, due to a gag order. This became clear once more with the subpoena on Signal. It should be clear to anyone that end-to-end encryption has to be a standard and has to be implemented properly. Cloudflare goes out of its way to break this implementation.

Considering that this site uses Cloudflare, I don't think it would be great if the feds could intercept all of our passwords and impersonate us.

  • ancom20 [none/use name] · edit-2 · 3 years ago

    Cloudflare started as a "honeypot" http://www.crimeflare.org:82/honeypot.html https://www.projecthoneypot.org/cloudflare_beta.html

    Cloudflare is also a "trusted DNS over HTTPS" service on Firefox for US users. https://support.mozilla.org/en-US/kb/firefox-dns-over-https Unfortunately, that means that they can be easily controlled by the US government, so if the US government wants DNS lookup logs for millions of Firefox users, they don't have to go to more than one ISP; they can just go to Cloudflare.

    Tools to check if a website is behind Cloudflare: https://suip.biz/?act=iscloudflare http://www.doesitusecloudflare.com/ (not sure if this one works properly)

    more info: https://miloserdov.org/?p=1362 https://www.tyil.nl/post/2017/12/17/on-cloudflare/
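The two posts above make one technical point (the certificate a browser sees is Cloudflare's, not the origin's, because TLS terminates at Cloudflare's edge) and ask for a way to check whether a site sits behind Cloudflare. The following is an added example, not code from either commenter or from Cloudflare: it classifies a host by two independent signals, the resolved IP (against a snapshot of Cloudflare's published IPv4 ranges; assumption: this list is a point-in-time copy of https://www.cloudflare.com/ips-v4 and should be refreshed from there) and the presented leaf certificate (a heuristic on the `ssl.getpeercert()` dict; assumption: Cloudflare-issued edge certificates carry "Cloudflare" in the issuer or subject). The two sample certificate dicts are constructed to mirror the shape of `ssl.getpeercert()` output so the classification runs offline; `live_check` is the only function that touches the network.

```python
import ipaddress
import socket
import ssl

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# ASSUMPTION: point-in-time copy; refresh from that URL before relying on it.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed sample: the shape ssl.getpeercert() returns for a leaf issued by
# Cloudflare's own CA at the edge (the certificate the post says replaces the origin's).
SAMPLE_EDGE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Cloudflare, Inc."),),
               (("commonName", "Cloudflare Inc ECC CA-3"),)),
    "subject": ((("commonName", "sni.cloudflaressl.com"),),),
    "subjectAltName": (("DNS", "sni.cloudflaressl.com"), ("DNS", "example.org")),
}

# Constructed sample: a leaf issued directly to an origin by a public CA.
SAMPLE_ORIGIN_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subject": ((("commonName", "example.org"),),),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "www.example.org")),
}


def ip_is_cloudflare(ip: str) -> bool:
    """True if the address falls inside one of Cloudflare's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def cert_looks_cloudflare(cert: dict) -> bool:
    """Heuristic: does the issuer, subject or any SAN name mention Cloudflare?
    This catches the default edge certificate; it will miss a customer-uploaded
    certificate, which is why the IP check is kept as a second signal."""
    values = []
    for rdn in list(cert.get("issuer", ())) + list(cert.get("subject", ())):
        for _key, value in rdn:
            values.append(value.lower())
    for _kind, value in cert.get("subjectAltName", ()):
        values.append(value.lower())
    return any("cloudflare" in v for v in values)


def classify(ip: str, cert: dict) -> dict:
    """Combine both signals. Either one alone is enough to say the TLS session
    terminates at Cloudflare: the IP proves the proxy, the certificate proves
    who holds the private key your browser is talking to."""
    ip_cf = ip_is_cloudflare(ip)
    cert_cf = cert_looks_cloudflare(cert)
    return {
        "ip_cloudflare": ip_cf,
        "cert_cloudflare": cert_cf,
        "behind_cloudflare": ip_cf or cert_cf,
    }


def live_check(hostname: str, port: int = 443) -> dict:
    """Network version: resolve the name, complete a TLS handshake, and classify
    what the edge actually presented. Not run by default; requires connectivity."""
    ip = socket.gethostbyname(hostname)
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    result = classify(ip, cert)
    result["ip"] = ip
    return result


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(classify("104.16.132.229", SAMPLE_EDGE_CERT))
    print(classify("93.184.216.34", SAMPLE_ORIGIN_CERT))
```

Usage note: run `live_check("example.org")` against a real host to see which signal fires. A site that only uses Cloudflare for DNS (proxy disabled) resolves to its origin IP and presents the origin's own certificate, so both checks come back false; a proxied site with a customer-uploaded certificate trips only the IP check. Neither check says anything about whether Cloudflare inspects or modifies traffic, only that the TLS session a browser negotiates ends at Cloudflare rather than at the origin.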