(parts of this post are transplanted from my other post about Cloudflare and my comments replying to others on that post)
TL;DR: This site routinely advocates for the overthrowing of the American government. Cloudflare is an American company. Cloudflare terminates the HTTPS connection on its own servers, so it can read and modify all data sent to and from the Hexbear servers (this includes your passwords in plaintext!). The American government has a history of mass surveillance and would not hesitate to order Cloudflare to record (and perhaps even fabricate) all user interactions on this site, and, because Cloudflare sits in the middle of every connection, all admin interactions too. I recommend that the admins migrate the site off of Cloudflare. Alternatives are discussed in the body text.
It is well known in technical communities that Cloudflare is a threat to the open web. (Every single word is a different link.)
Cloudflare is a security hazard. Because it terminates the TLS connection on its own servers, it can read and modify all data (including your passwords in plaintext) sent to and from websites (including this one) that use its service.
Here's how you can prove that Cloudflare is intercepting and modifying data in your connection to Hexbear:
If you go into the network tab of the developer tools (inspect element) of your browser and then click around the site, you will see a bunch of requests pop up. If you click on any one of them and look at its headers, you will see Cloudflare-specific headers in the response (for example server: cloudflare and cf-ray): https://hexbear.net/pictrs/image/4pMZxhYszm.png
If we were connecting directly to the Hexbear servers (which we are not; we are connecting to them through Cloudflare), TLS (the encryption protocol that HTTPS uses) would make it impossible for anyone between our browser and the server to view or edit the contents of the data. Yet here we clearly see that Cloudflare has added new data in the form of HTTP headers, and those headers arrive inside the encrypted session. The only party that can write inside the session is the TLS endpoint itself, so Cloudflare must be the endpoint we are talking to, and it can read and edit the contents of every request and response. In effect, Cloudflare is MITMing the connection: not by breaking the encryption, but by being the server the encryption is made to.
If you have ever seen a Cloudflare "checking your browser" screen you would already know this, as it is impossible for Cloudflare to show you that page without intercepting and editing the data in the connection.
In conclusion, yes, Cloudflare can really see all (this includes your passwords in plaintext!) the data between the user and the site, after all, you're not even connecting to the site: you're connecting to Cloudflare which then makes requests to the site on your behalf.
https://hexbear.net/post/126082/comment/1446972
You can also prove this by checking the website's HTTPS (TLS) certificate:
Another very serious problem with CloudFlare is that they act as a MITM (man-in-the-middle) with their CDN (content delivery network) service in which they, amongst other things, cache your website content and display that to your visitors. If you're running a normal website, like a blog, many times people will never actually visit your website, they'll just get the content from CloudFlare. However, this is not the serious problem; the serious problem is that they provide SSL connections for all who use their service in a way that they become a man-in-the-middle. Your connection is only really encrypted up until the CloudFlare servers; after that the connection can simply be clear text. The connection is encrypted between the browser and CloudFlare, and between CloudFlare and the website if the website has an SSL certificate, but the communication in between remains completely visible to CloudFlare.
You can check this by going to any website that uses CloudFlare's SSL connection. Check the certificate for the website. You'll notice that it's a CloudFlare certificate and not a certificate for the website you're actually visiting.
https://unixsheikh.com/articles/stay-away-from-cloudflare.html
A screenshot of what you will see after following the instructions in the text: https://hexbear.net/pictrs/image/J7pX1oJx8s.png As you can see, the certificate was issued and is managed by Cloudflare, not by Hexbear. It is still valid for hexbear.net (otherwise your browser would warn you, and that is exactly why the padlock appears), but the private key that the padlock trusts lives on Cloudflare's edge servers, not on Hexbear's.
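The two checks above (the extra response headers Cloudflare adds, and who issued the certificate) can be scripted instead of done by hand in the browser. The following is an added example written for this post; it is not Hexbear's or Cloudflare's code. The sample headers and certificate are constructed to show the shape of what a Cloudflare-fronted site returns, using example.org rather than real hexbear.net values; the "Cloudflare Inc ECC CA-3" issuer and "sni.cloudflaressl.com" subject are illustrative of what Cloudflare's shared certificates have looked like, not a claim about this site's current certificate. The `fetch_live` function does the same checks against a real host if you want to run it yourself.

```python
"""Two checks for whether an HTTPS site is fronted by Cloudflare.

Added example for this post, not code from Hexbear or Cloudflare.
1. Response headers: a connection terminated by Cloudflare carries headers the
   origin never sent (server: cloudflare, cf-ray, cf-cache-status, ...). They
   arrive inside the TLS session, so only the TLS endpoint can have added them.
2. Leaf certificate: the certificate presented for the hostname is issued and
   managed by Cloudflare (issuer organization "Cloudflare, Inc."); the site's
   own server never holds the private key the browser's padlock trusts.
SAMPLE_HEADERS and SAMPLE_CERT below are constructed to mirror the shape of
http.client response headers and ssl.SSLSocket.getpeercert() output.
"""
import http.client
import ssl


def cloudflare_header_evidence(headers):
    """Return the response headers that identify Cloudflare as the TLS endpoint."""
    found = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname.startswith("cf-") or (lname == "server" and value.strip().lower() == "cloudflare"):
            found[lname] = value
    return found


def is_cloudflare_terminated(headers):
    return bool(cloudflare_header_evidence(headers))


def _rdn_value(name, key):
    """Pull one attribute (e.g. organizationName) out of getpeercert()'s RDN tuples."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def _san_matches(pattern, hostname):
    """DNS name match; a leading '*' covers exactly one leftmost label (RFC 6125)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def cert_summary(cert, hostname):
    """Who issued the leaf cert, and does it cover the hostname the browser typed?"""
    issuer_org = _rdn_value(cert.get("issuer", ()), "organizationName") or ""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "issuer_org": issuer_org,
        "subject_cn": _rdn_value(cert.get("subject", ()), "commonName"),
        "dns_names": sans,
        "covers_hostname": any(_san_matches(s, hostname) for s in sans),
        "cloudflare_issued": "cloudflare" in issuer_org.lower(),
    }


def fetch_live(hostname, path="/"):
    """Network version of both checks (not used by the offline demo below)."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(hostname, 443, context=ctx, timeout=10)
    conn.request("HEAD", path, headers={"User-Agent": "cf-check/0.1"})
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    cert = conn.sock.getpeercert()  # leaf certificate of whoever terminated TLS
    conn.close()
    return headers, cert


# Constructed sample data (not captured from hexbear.net) ----------------------
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "cloudflare",
    "CF-RAY": "0000000000000000-XXX",  # placeholder; real values are per-request IDs
    "CF-Cache-Status": "DYNAMIC",
}
SAMPLE_CERT = {
    "subject": ((("commonName", "sni.cloudflaressl.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Cloudflare, Inc."),),
        (("commonName", "Cloudflare Inc ECC CA-3"),),
    ),
    "subjectAltName": (
        ("DNS", "sni.cloudflaressl.com"),
        ("DNS", "example.org"),
        ("DNS", "*.example.org"),
    ),
}

if __name__ == "__main__":
    print("headers:", cloudflare_header_evidence(SAMPLE_HEADERS))
    print("cert:", cert_summary(SAMPLE_CERT, "example.org"))
```

Note what the certificate check does and does not tell you: `covers_hostname` is true, which is why the browser is happy, while `cloudflare_issued` shows who actually controls the key. A site that terminates TLS itself would show its own issuer (for example a Let's Encrypt certificate it requested) and none of the cf- headers.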
So do you really want CloudFlare to snatch the communication between your website and your visitors or customers? CloudFlare will be able to see everything even when you have an SSL certificate running on your webserver.
You need to understand that users, the visitors to your website, are being misled by the padlock icon that falsely states that the connection to your website is secure. Users believe, when they see the padlock icon, that they have a secure end-to-end tunnel to your website, while they unwittingly have a tunnel to CloudFlare, who sees all the traffic before it reaches your website.
This is NOT OK.
https://unixsheikh.com/articles/stay-away-from-cloudflare.html
Cloudflare intercepts and modifies all data sent to and from Hexbear. Now why is this a problem? Cloudflare is an American company. This site routinely advocates for the overthrowing of the American government. It would be very unwise to use an American company’s service while doing so.
It is well known that the American government has a long history of mass surveillance. Do we want the American government, who we advocate against, who has a long history of brazen mass surveillance, to have full access and control over all data sent to and from Hexbear? (This includes all our posts, comments, DMs, emails, passwords, etc... EVERYTHING!)
Do we really want this? Do we really want the feds, who we are against, to have such a degree of control over us?
The feds exercising their control over Cloudflare, an American company, wouldn't be anything new either.
Simply refer to Snowden's revelations. There was this old post (that I cannot find now!) that included a part of an FBI report that showed that they monitored online leftist spaces (including r/chapotraphouse)! It would be ridiculously naive to think that after monitoring the old subreddit, they are just not going to monitor its successor site.
Many think that the only time Cloudflare has ever censored people was when they censored the neo-Nazi site "the Daily Stormer". (Obligatory fuck Nazis, they deserve anything people do to them, including censorship. But we will see that Nazis are not the only people Cloudflare censors.)
That is not true.
Cloudflare has censored safe-spaces for sex workers before.
Cloudflare has censored LGBTQ+ sites before.
Cloudflare has censored Sci-Hub (essentially the Pirate Bay but for scientific papers) before.
There are many other instances of Cloudflare censoring sites. But this all pales in comparison when we learn of this fucking gem of an incident:
Cloudflare Ordered to Expose YTS, Showbox, and Popcorn Time Site ‘Operators’
Holy fucking shit!
Holy fucking shit!!!
Let this be clear:
Cloudflare has acted on the interests of the American Government multiple times in the past and will not hesitate to do so another time.
My plea: please stop using Cloudflare. We will be absolutely fucked when the feds finally decide to end the party.
Alternatives to Cloudflare:
Now many of you will criticize me for listing all the wrongs but not providing an alternative, I already have a comment detailing alternatives. I would paste it in its entirety in this post, but it seems as if I have reached the character limit. Said comment can be found here: https://hexbear.net/post/126082/comment/1447488