• redcalcium@lemmy.institute
    link
    fedilink
    arrow-up
    43
    ·
    6 months ago

    Remember when google was beloved by everyone back then when they’re still have “don’t be evil” motto? Cloudflare right now is like google back then: super useful, provides a lot of free services that would be expensive on other providers. But unlike google, if cloudflare go full evil in the future, the impact will be much larger because they’re an mitm proxy capable of seeing unencrypted traffics across all websites under their wing. Right now they’re serving ~30% of top 10,000 websites and growing.

    • CanadaPlus@lemmy.sdf.org
      link
      fedilink
      arrow-up
      10
      arrow-down
      1
      ·
      6 months ago

      Oh, okay, so I’m not wrong that they’re good right now.

      I’m a little unclear on how it works. Do they strip off HTTPS somehow? Otherwise, there’s not too much unencrypted traffic around anymore.

      • redcalcium@lemmy.institute
        link
        fedilink
        arrow-up
        16
        ·
        edit-2
        6 months ago

        Do they strip off HTTPS somehow?

        Well yes, how else they can provide their services such as page caching, image optimizing, email address obfuscation, js minifications, ddos mitigation, etc unless they can see all data flowing between your server and your visitors in the clear?

        Cloudflare is basically an MITM proxy. This blog post might be helpful if you want to know how mitm proxy works in general: https://vinodpattanshetti49.medium.com/how-the-mitm-proxy-works-8a329cc53fb

      • markstos@lemmy.world
        link
        fedilink
        arrow-up
        13
        ·
        6 months ago

        One of the services they provide is free SSL certificates. As part of that, they have the private key to decrypt the traffic. They aren’t trying to hide that— this is true of any service that hosts the SSL cert for your site.

        • SugarSnack@lemm.ee
          link
          fedilink
          arrow-up
          2
          ·
          6 months ago

          Does that mean it wouldn’t be an issue if you bring an SSL cert from say ZeroSSL but use Cloudflare for DNS, caching, DDoS protection etc?

          • SirQuackTheDuck@lemmy.world
            link
            fedilink
            arrow-up
            4
            ·
            6 months ago

            For DNS and DDoS protection that wouldn’t directly be an issue.

            For caching it would be breaking. You cannot cache what you cannot read (encrypted traffic can only be cached by the decrypting party).

          • markstos@lemmy.world
            link
            fedilink
            arrow-up
            3
            ·
            6 months ago

            It’s not who issues the cert that matters, it is who hosts it. Hosting it includes having the private key. You always have to trust your website host, full stop.

          • markstos@lemmy.world
            link
            fedilink
            arrow-up
            3
            ·
            6 months ago

            With what? HTTPS has to terminate the encryption somewhere and that place has to have the private key to do so.

            CloudFlare is providing the same service here as all other hosts of HTTPS websites do.

            • CanadaPlus@lemmy.sdf.org
              link
              fedilink
              arrow-up
              1
              arrow-down
              1
              ·
              edit-2
              6 months ago

              Well, depends. If it’s hosted on AWS and HTTPS terminates there like it’s supposed to, Amazon could look inside, but a human being would have to personally hack your container and extract the data, so that’s a bit better. If it’s something more like Wix, though, sure. (Is Wix still a thing?)

              • markstos@lemmy.world
                link
                fedilink
                arrow-up
                3
                ·
                6 months ago

                If you use the AWS load balancer product or their certificates, they have access to the private key, regardless of whether you forward traffic from the LB to the container over HTTPS or not.

                If you terminate the SSL with your own certificate yourself, Amazon still installs the SSM agent by default on Linux boxes. That runs as root and they control it.

                If you disable the SSM agent and terminate SSL within Linux boxes you control at AWS, then I don’t think they can access inside your host as long as you are using encrypted EBS volumes encrypted with your key.

                • CanadaPlus@lemmy.sdf.org
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  6 months ago

                  Obviously, I’ve never actually done this. Good to know.

                  I’m starting to worry that HTTPS is entirely fake - in the sense that it’s purely decorative encryption that protects an insignificant part of the transaction. Like, maybe by design. The NSA’s been doing something all these years.

      • DessalinesA
        link
        fedilink
        arrow-up
        4
        arrow-down
        1
        ·
        edit-2
        6 months ago

        You have no proof that they’re “good right now”. The big five corporations were forwarding data to the NSA for years before the surveillance leaks exposed them.

        Your privacy default should not be to trust an MITM, ever.

    • DessalinesA
      link
      fedilink
      arrow-up
      9
      arrow-down
      3
      ·
      6 months ago

      There’s no proof they aren’t doing anything nefarious with that data right now, other than company statements saying, “trust us”.

      People default to trusting giant corporations first it seems.

        • DessalinesA
          link
          fedilink
          arrow-up
          3
          arrow-down
          1
          ·
          6 months ago

          I’m not sure if this is ironic bc I’ve been exposed to too many irony-poisoned comments lately, but cloudflare exists to profit off your data. They’re not there to help you, your data and its trends are the product.