Daily reminder that sites “protected” by Cloudflare are effectively MITM attacks. HTTPS is now even more worthless. Cloudflare can see everything. This is a known fact and not a theory.

And if you think Cloudflare aren’t being tapped by the NSA, you’re sadly sadly naive.

All the “privacy respecting” sites use it too. So remember, as soon as you see that Cloudflare portal page, you can assume that everything you plug into the site is property of NSA Inc. Trust no one, and do not trust code being served to you over the web if it comes through CF, there is no way to know what they’ve modified.

Edit: good info link below https://serverfault.com/questions/662946/does-cloudflare-know-the-decrypted-content-when-using-a-https-connection

  • Citizen@lemmy.ml · 1 year ago

    Well put!

    I’ve been saying this since they made their services available…Nobody listened to me.

    Usually when I said something like you mentioned, people look at me like they look today:

    Ohhh…You are a conspiracy theorist…

    No mate, I have a better understanding of the fucking computers and technology because I have been doing this for a few decades…

    Hoping they will listen to you!

  • Harrison@infosec.pub · 1 year ago

    Cloudflare is a MITM by design. Calling it an attack is disingenuous; you’re signing up for the service of your own free will, not a victim.

    If a substantiated news article came out showing that Cloudflare shared SSL keys or otherwise gave direct access to various intelligence agencies without a court order, that would essentially destroy the company. So they certainly aren’t doing that.

    So then the question becomes whether those nefarious three letter agencies penetrated Cloudflare with APT tools and are silently listening to everything. Our adversaries are certainly trying, China, Russia, Iran, etc. If the NSA (which lacks a mandate to act on US soil, and CF is a US company) or perhaps the FBI hacked a US company, particularly one that covers like a third of the internet like Cloudflare, that would be a truly enormous scandal.

    But in the end, yes, it is a MITM. If you need your data to be E2E encrypted, don’t use it.

    • FaceDeer@fedia.io · 1 year ago

      I could imagine the NSA embedding an agent inside Cloudflare specifically to keep an eye out for any foreign agents also being embedded in Cloudflare, rather than to dig out its secrets for themselves.

    • Coasting0942@reddthat.com · 1 year ago

      I don’t believe that the NSA has a portal giving them direct access (probably naive).

      They definitely have a secret agent 🕵️‍♀️ nerd on the inside providing intel on the structure. Maybe inject exploits or guide them when needed.

      They definitely have a direct e-mail address to Cloudflare legal to serve national security letters that Cloudflare is obligated to comply with. Which is a portal with extra steps, but one where Cloudflare can raise a fuss if they notice the requests are turning into vacuum cleaners, and not union membership research.

      • plz1@lemmy.world · 1 year ago

        Internet traffic gets mirrored to NSA data centers, that’s old news from the Snowden leak.

    • waitmarks@lemmy.world · 1 year ago

      the NSA (which lacks a mandate to act on US soil, and CF is a US company)

      They absolutely do have a mandate to operate on US soil, that is actually the main mandate and there is a separate military agency (CNMF) that operates on foreign soil. They are both headed by the same guy though so they might as well just be one agency.

    • Possibly linux@lemmy.zip · 1 year ago

      What concerns me is that we really do not know what the three letter agencies are capable of. They operate outside of the democratic government. Many Americans are increasingly losing faith in the government and secret government programs do not help. It causes what is known as a chilling effect. People start self censoring which is very dangerous and harmful to democracy. Democracy needs transparency not secrecy.

    • milicent_bystandr@lemm.ee · 1 year ago (edited)

      But in the end, yes, it is a MITM. If you need your data to be E2E encrypted, don’t use it.

      Or do use E2E encryption. You can still have a layer of encryption within the SSL tunnel that cloudflare controls. Like you’d do for an E2EE filestore: the webserver (and cloudflare) see the website woosh by, and all that you do on it, but the files themselves are encrypted opaquely to both, and decrypted only by a browser at the other end.

    • anar@lemmy.ml · 1 year ago

      Maybe I’m just jaded and cynical but it won’t “destroy the company” even if it comes out like that. The laws don’t apply to people at the top

    • Scolding0513@sh.itjust.works (OP) · 1 year ago (edited)

      If a substantiated news article came out showing that Cloudflare shared SSL keys or otherwise gave direct access to various intelligence agencies without a court order, that would essentially destroy the company. So they certainly aren’t doing that.

      excuse me, what?? The Snowden documents came out showing all these companies literally giving over all their data to the NSA like it was water from a spring, and they are all still in business. AT&T, Facebook, Google, Microsoft, Dropbox, etc. Yet you claim somehow Cloudflare would be destroyed?? This isn't even funny bro.

      more recently, Hetzner was shown to have given backdoor access to the feds, yet people still buy VPSs from them, and in fact, 20% of Tor guard nodes are sitting on their infra RIGHT NOW!

      Case in point: people using such companies either don’t care or are really ignorant or stupid.

  • cursed_technology@lemmy.world · 1 year ago

    CloudFlare is a huge danger to a free and open internet, in my opinion. I cringe every time I hear privacy-conscious people recommend it.

    • voxel@sopuli.xyz · 1 year ago

      there’s no alternative tho, and by definition alternatives will have the same level of access…

    • Scolding0513@sh.itjust.works (OP) · 1 year ago

      absolute fax

      I cannot begin to tell how pissed this makes me.

      Please for the love of all that is holy, do NOT call your site or yourself “privacy-respecting” or “privacy-oriented”, and then meet me with a Cloudflare MITM to knowingly and willingly give over everything I input in your site to NSA Inc.

      I’m sick to my stomach of all these orgs and companies and people talking about privacy, and then they constantly do all these kinds of things that prove that they don’t actually care about privacy or anonymity or anything in between. They are Vipers and Snakes trying to make a quick dollar on a buzzword. It’s become sadly trite.

      We must return to the dark ages of p2p. The age of self-hosting, blockchain (the truly good parts like monero), ipfs, bittorrent, tor onions, i2p, any other p2p or decentralized network - these kinds of things are all that stands between us and internet controlled by a handful of NSA-worshipping megacorps.

      • Citizen@lemmy.ml · 1 year ago

        This is why I like this community so much!

        I always learn from people like you!

        We discuss, sometimes we agree sometimes we don’t, but we speak our minds freely and come up with some neat solutions!

        Thank you!

        Its time to use the technology for the benefits of humans not against them!

        Let’s look into better solutions together!

  • u/lukmly013 💾 (lemmy.sdf.org)@lemmy.sdf.org · 1 year ago

    Oh, I searched it up and indeed that seems what it does.

    I thought it normally just forwarded all the traffic. I wouldn’t think people would just let someone else see all traffic between their servers and their users.
    I thought it was more like public SSH jump servers.
    Right, how else would the CF interstitial page work?

    I thought it was done just for the Quick Tunnels which don’t even require an account. I’ve used those a few times, but only in cases where plain HTTP would be OK.

  • youmaynotknow@lemmy.ml · 1 year ago

    I’m basically running all my self-hosted services over CF tunnels. Does anyone have a suggestion for an alternative to this? I’d like to remove CF from my life, but not at the expense of poking port holes in my FW.

    • Deebster@programming.dev · 1 year ago

      If you’re blocking everything that’s proxied via Cloudflare or hosted on Google, the internet must be a very small place for you. I think even a third of Lemmy is behind Cloudflare.

        • Deebster@programming.dev · 1 year ago

          I know how federation works, but look at the network inspector and you’ll see you’re pulling a lot of images from Cloudflare-proxied sites (or you’re missing a lot, if you’ve blacklisted them).

          Anyway, I only meant that even Lemmy, with its anti-corporate culture, is still heavily using Cloudflare. “Only” 22% is still a lot in my book.

          I’m interested as to your motives - are you doing this as a boycott, and/or to protect your privacy (or similar)? Also, are you blocking domains one-by-one, or doing something like using firewall rules?

  • IphtashuFitz@lemmy.world · 1 year ago

    I hope you realize that virtually every CDN provider does the exact same thing in similar ways. Sites that use Akamai, AWS, Google cloud, Fastly, etc. all give those companies access to unencrypted content. It’s just how CDNs work…

    • Scolding0513@sh.itjust.works (OP) · 1 year ago

      Of course. They are all catch-alls for the NSA. People think the NSA is monitoring traffic as in looking over our shoulders, like direct interception. Nope, they just let a few megacorps convince the entire internet to pass everything through their servers, then buy off all the data.

      Once again, the earthly principle of all things being ultimately voluntary is still true.

      • Reddfugee42@lemmy.world · 1 year ago

        Yeah, the NSA isn’t already completely integrated into telco itself. It needs these other companies to execute its tasks. You get it.

          • tarmarbar@startrek.website · 1 year ago

            I think he’s saying they don’t have to if they can read it off of your pc or the server before it’s even encrypted. OS backdoors, in-app backdoors, hardware backdoors inside the CPU like Intel ME…

            • Scolding0513@sh.itjust.works (OP) · 1 year ago (edited)

              there is a difference between targeted attacks like that and straight allowing them to dragnet you and millions of others

  • TCB13@lemmy.world · 1 year ago

    And then there are people using Cloudflare tunnels, Tailscale and others for self-hosting stuff… that also may have your keys or inject clients at some point…

    But we’re about to get downvoted to hell for pointing this out because our community of self-hosters that pride themselves on sovereignty can’t deal with the cognitive dissonance of having their favorite corporate solutions unmasked for what they are - spyware on steroids.

    • somethingsomethingidk@lemmy.world · 1 year ago

      Tailscale keeps the private keys locally. It just facilitates setting up WireGuard. They could steal your private keys, as could any program you install with root access. But it would completely destroy their business, and it’s open source. I really don’t think they have anything to gain by tricking everyone.

      • MigratingtoLemmy@lemmy.world · 1 year ago

        Use headscale, I have no idea how people are OK with tailscale when they keep your keys and essentially have access to your network

  • starman@programming.dev · 1 year ago (edited)

    BTW, can someone recommend me nice alternative for fast and free static website hosting?

    I tried GitHub Pages, but I couldn’t get it working with subdomains.

  • TimLovesTech (AuDHD)(he/him)@badatbeing.social · 1 year ago

    So does everyone here that fears Cloudflare as secretly out to get them not believe that the NSA has its hooks in all the major datacenters? The same datacenters used by all the major web hosts people are using to “self host” for privacy.

    Personally I think you have to have faith at some point that everything from your node to the destination is on the up-and-up unless you have a concrete reason to assume otherwise. Otherwise you should be suspicious of your ISP’s network and every switch/router/firewall/node your data traverses on the internet. And being that paranoid basically means anything you didn’t review the code of and compile yourself should be out of bounds.

  • SquiffSquiff@lemmy.sdf.org · 1 year ago

    It’s not that you’re wrong. It’s more that I don’t understand what you’re proposing as an alternative. To add to the comments here pointing out that that’s how CDNs work: for many designs of website, the CDN essentially is the website, being served from a cache by the provider. Even when this isn’t the case, you would normally have a load balancer in front of whatever was serving your website so that if you need to swap out the server for maintenance, upgrade, etc. you don’t need to tell your visitors to go to a different address. In that case, your certificate would be attached to the load balancer rather than the server behind it.

    If this were the 1990s and I were trying to run my own server on my own hardware in my bedroom, you might have a point, but please explain how you would implement an alternative in any meaningful way today.

    • myliltoehurts@lemm.ee · 1 year ago

      Honestly, even if you don’t terminate SSL right until your very own app server, it’s still based on the assumption that whoever holds the root cert for your certificate is trustworthy.

      The thing that has actually scared me with CF is the way their rules work. I am not even sure what the verification step is to get to this, but if there is a configured page rule in a different CF account for your domain that points at Cloudflare (i.e. the orange cloud), you essentially can’t control your domain as long as it’s pointing at CF (I think this sentence is a bit confusing, so an alternative explanation: your domain is pointing DNS at your own CF account, in your CF account you have enabled proxying for your domain, some other CF account has a page rule for your domain, that rule is now in control). The rule in some other account will control it.

      It has happened to us at work and I had to escalate with their support to get them to remove the rule from the other cloudflare account so we can get back control of our domain while using CF. Their standard response is for you to find and ask the other CF account to remove the rule for your domain.

      This is a pretty common issue with gitbook, even the gitbook CEO was surprised CF does this.

      • SquiffSquiff@lemmy.sdf.org · 1 year ago

        Thanks. This is pushing the limits of my current understanding, but unless I’m mistaken, this reads like ‘anyone who chooses may hijack part of your domain at any time if you both use cloudflare’. Sounds crazy.

  • bokherif@lemmy.world · 1 year ago

    My man thinks he has privacy lol. Any CDN that provides WAF capabilities will inject themselves in the middle to inspect the traffic. This does not mean they don’t respect your privacy. If you think the three letter bureaus let you have your privacy with anything, you’re wrong. Privacy is a long dead thing of the past. You can’t even hide your data from companies that want to make a profit off your data, let alone the three letter government agencies. The government monitors and has access to every digital device known to regular consumers, be it in the US, CN or any other country.

      • bc93@lemmy.world · 1 year ago

        I’m not sure what you mean by this - while their comment was a bit wild, it’s factually correct - you will never, ever be able to protect your privacy from state actors. Cloudflare and similar CDNs are one part of that but are by no means necessary. To be truly private from state actors would require such an onerous process that it’s essentially impossible for the average working class person.

        I think having HTTPS provided through Cloudflare is better than no HTTPS at all in almost every case.

  • Tinkerer@lemmy.ca · 1 year ago (edited)

    So what provider does everyone recommend instead of cloudflare for proxy? I use cloudflare to protect all my websites but I’ve been trying to find some other place to proxy them from.