Dessalines
admin
18 · 2M

It's a man in the middle that receives every communication to any server that uses it, including IP addresses, signups, passwords, usernames, all in clear text for them. Since so many servers use it, it's a giant aggregator as dangerous as a centralized password store.

CarrotsHaveEars
7 · 2M

Just wanna add that it’s impossible for them to have your encrypted messages if you use an HTTPS certificate from another CA.

@AgreeableLandscape
admin
6 · edited · 2M

Meta analysis of encrypted traffic is more powerful than you think. By analyzing things like the length and timing of requests and responses, researchers have been able to determine what search term a user typed (through the auto-completion suggestions being sent back), what images and videos are being viewed, which threads on a forum they accessed, among other things, without ever decrypting the HTTPS data.
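As an added illustration of the point above (example code, not from anyone in this thread): an observer who only sees ciphertext lengths can still tell which of several known responses was sent, and padding responses up to a bucket size shrinks what length reveals. All sizes are constructed for the example.

```python
"""Added example: what response length alone leaks under HTTPS, and how
padding blunts it. The byte sizes below are constructed, not measured."""
from collections import defaultdict

# Constructed: encrypted sizes of autocomplete responses for a few typed
# prefixes, as seen on the wire (TLS hides the content, not the length).
RESPONSE_SIZES = {
    "we": 412, "wea": 388, "weat": 401, "weath": 377,
    "he": 455, "hea": 390, "heal": 433,
}

def fingerprint_map(sizes, pad_to=None):
    """Map each observable length to the inputs that produce it.
    With pad_to set, every response is padded up to a multiple of pad_to."""
    groups = defaultdict(set)
    for key, n in sizes.items():
        if pad_to:
            n = -(-n // pad_to) * pad_to  # round up to the bucket boundary
        groups[n].add(key)
    return dict(groups)

def identifiable(sizes, pad_to=None):
    """Inputs an observer can pin down uniquely from the length alone."""
    return sorted(k for g in fingerprint_map(sizes, pad_to).values()
                  if len(g) == 1 for k in g)

def anonymity_set(sizes, pad_to=None):
    """Smallest number of inputs any observed length maps back to
    (1 means at least one input is fully identifiable)."""
    return min(len(g) for g in fingerprint_map(sizes, pad_to).values())

if __name__ == "__main__":
    print("unpadded, identifiable:", identifiable(RESPONSE_SIZES))
    print("padded to 64:", identifiable(RESPONSE_SIZES, pad_to=64))
    print("padded to 512:", identifiable(RESPONSE_SIZES, pad_to=512))
```

Coarse padding (64-byte buckets) still leaves the outliers identifiable; only padding to a common size removes the length signal, and timing is a separate channel this does not address.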

@UnreliantGiant
6 · 2M

Is it? I have never used Cloudflare so I don’t know their exact feature set, but most of Cloudflare’s useful features require them to be able to act as your website (to display a 5xx error when your server is down, the “checking your browser” message, caching, compression, etc.). Most people use Cloudflare for those features (and they use it for easy HTTPS, which is kinda stupid since client<->Cloudflare will be encrypted, but Cloudflare<->server likely still goes through the internet over plain HTTP).

@AgreeableLandscape
admin
6 · 2M

And they’re American so they absolutely have the NSA/CIA tapping into that data.

Tmpod
2 · 2M

I use Cloudflare solely for DNS management because I don’t know of any other alternative that is remotely close to it… Registrars are usually really awful. I never proxy A records, always pure DNS.

Quad9 is a great alternative to CF’s 1.1.1.1, but unfortunately they don’t provide a service like that :c

@Echedenyan
2 · 2M

What about using OpenNIC servers?

Kinetix
0 · 2M

I am guessing you aren’t running any servers anywhere you could do your DNS on?

Tmpod
0 · 2M

Never considered that as a serious option. What kind of DNS server software would you recommend? What resource footprint does it have (my server is already pretty crowded and I’d like to not get a new one for now)? Does it work well?

Kinetix
0 · 2M

Works as flawlessly as anything, but I’d recommend two systems; you want to have at least 2 DNS servers. If two small VPSes don’t make sense for you (you hardly need any resources to run PowerDNS or BIND), then I wouldn’t go with that option. Was just curious.

Tmpod
0 · 2M

Yeah, I just read a bit on the topic too and I came across the same thing. ATM I don’t run anything that would justify getting two servers for DNS, so I’d rather rely on a third party. Thanks for the suggestion though, and if you have any good alternatives to CF please let me know :)

Kinetix
0 · 2M

Well, I would be loath to give CF money or data, so since I own domains at a registrar that does “meh, OK” services, if I wasn’t running my own DNS servers I’d just go with them. I would think most registrars would provide reasonable DNS services for nothing.

I use Netfirms, btw, but that’s not necessarily a plug for them.

Tmpod
0 · 2M

I see. Yeah, I haven’t had the greatest of experiences with my registrars when it comes to DNS (mainly slow updates and inability to add some types of records). Also, I don’t give CF money nor data really, I use just DNS, no proxying. The distributed nature of DNS makes CF less prone to getting data than it would be otherwise. Do you know any other service similar to CF’s DNS thing?

@AgreeableLandscape
admin
12 · edited · 2M

Some good answers already, but I haven’t seen anyone talk about this: Sites “secured” by CloudFlare are almost impossible to use with Tor, some VPNs, or even simply with JavaScript disabled. Their Captcha page that pops up when you use any of these tends to be broken and just redirects back to itself even when you clear the captcha, instead of actually showing you the page itself (and the redirection is happening server side, so there’s also nothing you can change in the URL to get you to the right page).

@Echedenyan
3 · 2M

The article I linked includes all of that.

Multis
10 · 2M

This comment on GitHub perfectly captures the controversy surrounding CloudFlare.

@xarvos
9 · 2M

They block access to legitimate users in the name of protecting the website. You don’t even have to use Tor or do something fishy to be blocked from a cloudflared website.

JustEnoughDucks
2 · 2M

I’m no network engineer, so if you could ELI5, what would be the alternative to automatically let in legitimate users, but block hackers, spam, bots, etc…?

@xvf
8 · 2M

I just wanted to add that recently on Firefox, if you have resistFingerprinting enabled, then some websites will stop working because Cloudflare detects it as if it was a Tor browser. For example you can’t log in to GitLab.

m-p{3}
6 · edited · 2M

It’s not hate against CloudFlare itself, but mostly against the centralization and siloing of private services that are encrusting themselves at the core of the Internet.

@AgreeableLandscape
admin
3 · edited · 2M

No, definitely it’s hate against the company (in addition to what you said). CloudFlare has done (and is doing) many dodgy things and are absolutely not trustworthy.

m-p{3}
1 · 2M

Do you mind enumerating some of these dodgy things?

They are one of the actors of the centralization of the internet.

@TheAnonymouseJoker
4 · 2M

A comment from someone I know:

CEO of CloudFlare once said:

Matthew: Back in 2003, Lee Holloway and I started Project Honey Pot as an open-source project to track online fraud and abuse. The Project allowed anyone with a website to install a piece of code and track hackers and spammers.

We ran it as a hobby and didn’t think much about it until, in 2008, the Department of Homeland Security called and said, “Do you have any idea how valuable the data you have is?” That started us thinking about how we could effectively deploy the data from Project Honey Pot, as well as other sources, in order to protect websites online. That turned into the initial impetus for CloudFlare.

(Source)

BBC reporter Zoe Kleinman wrote that Matthew Prince wanted $20,000 for the Honey Pot data. “That check showed up so fast,” said Prince. Michelle Zatlyn heard the story from Prince and replied, “If they’ll pay for it, other people will pay for it.” Soon she and Prince cofounded CloudFlare.

From an article:

Swearing off data collection

But wait, if Cloudflare is directing your website queries, then can’t it collect your browsing history for itself? Actually, they’re not going to keep that data at all, Prince said.

“At no time will we record the list of where everyone is going online,” Prince said. “That’s creepy.”

Cloudflare is working with third-party auditors at KPMG to examine their systems and guarantee they’re not actually collecting your data. That privacy commitment, Prince said, is what separates Cloudflare’s 1.1.1.1 from other DNS services that are free and open to the public.

[…]

Cloudflare’s promise to keep your data private is impressive, said Heidi Shey, a privacy and security expert at business analyst firm Forrester. “It’s a great thing that they’re coming out of the gate and being up front about that,” Shey said. Still, she added, “You’re kind of taking what they’re saying at face value.”

The company will need to continue to be transparent, showing what the auditors find in their logs, for consumers to continue to trust the service, Shey said.

(Source)

Concerning KPMG, “the well-respected auditing firm” as Cloudflare puts it. Really?

Hmm… so much for “put our money where our mouth was” (source), interesting choice Cloudflare!

The gist of this is: DHS saying there is valuable data in those collections, hence the initial impetus for CloudFlare after having $20,000 from their Project Honey Pot! My question would rather be, who’s operating those DNS providers and who’s watching the watchers? Because DNS queries can reveal a lot about a person’s internet activity and usage. There is interesting research about DNS on the topic of user privacy; though the research is about Tor and DNS (and thankfully Tor is still safe, as they said that they “don’t believe that there is any immediate cause for concern.”), the researchers said:

We show how an attacker can use DNS requests to mount highly precise website fingerprinting attacks: Mapping DNS traffic to websites is highly accurate even with simple techniques, and correlating the observed websites with a website fingerprinting attack greatly improves the precision when monitoring relatively unpopular websites.

So, just like the internet is plagued with Google Analytics and others of their subsidiaries, we are now plagued more by CloudFlare with their CDN and DNS.

Relevant:

Concerning DNS over HTTPS (DoH), internetsociety.org noted:

[RFC8484] specifies how to send and receive DNS queries over HTTPS. Server configuration is performed out of band, and the connection with the resolver is secured as any other HTTPS traffic. DoH is mostly targeted at web browsers and does not have the potential for improving the privacy properties of transactions between recursive resolvers and authoritative nameservers.

What people should understand as noted by internetsociety.org’s document concerning encrypted DNS is: the mechanisms should be seen as ways to improve, in specific scenarios, certain aspects of network privacy, but not as replacements for other privacy mechanisms such as VPNs or other implementations such as Tor.
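To make the RFC 8484 mechanism quoted above concrete (added example, not from the thread or the quoted documents): the client wraps an ordinary DNS wire-format query in an HTTPS GET, base64url-encoded without padding, so the resolver operator (and anyone else holding the URL, such as an access log) still reads the queried name in full. Nothing here touches the network; the resolver host is the RFC's own example name, not a recommendation.

```python
"""Added example: build the DNS message RFC 8484 carries in a DoH GET
(dns=<base64url>) and decode it back. No network traffic is generated."""
import base64
import struct

TYPE_A = 1

def build_query(name, qtype=TYPE_A, qid=0):
    """DNS query message: RFC 1035 header plus one question. RFC 8484
    recommends ID 0 so identical queries are cacheable by HTTP caches."""
    # header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(base, name, qtype=TYPE_A):
    """RFC 8484 GET form: ?dns=<base64url(query)> with '=' padding stripped."""
    enc = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{base}?dns={enc.decode('ascii')}"

def parse_dns_param(dns_param):
    """Decode a dns= value back to (id, name, qtype): exactly what the DoH
    server, or a log that captured the URL, can see of the lookup."""
    raw = base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))
    qid, _flags, qdcount, *_ = struct.unpack("!HHHHHH", raw[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while raw[pos]:
        n = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, _qclass = struct.unpack("!HH", raw[pos + 1:pos + 5])
    return qid, ".".join(labels), qtype

if __name__ == "__main__":
    url = doh_get_url("https://dnsserver.example.net/dns-query", "www.example.com")
    print(url)
    print(parse_dns_param(url.split("dns=", 1)[1]))
```

The encoded value produced for www.example.com matches the worked example in RFC 8484 itself; the point for this thread is that encryption only shields the query from on-path observers, not from the resolver chosen.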

@SrEstegosaurio
2 · 2M

nogafam is an amazing initiative and run by a really nice dude. It’s from Spain and he offers fediverse services and stuff like that.

Gritty
creator
1 · 2M

Thanks for all the great responses.

@pinknoise
0 · 2M

Because they make the web unusable and insecure. They also protect sites with content that’s illegal in the US, so they’re obviously working for the US’s intelligence services.

@ree
1 · 2M

Lol. That’s a huge jump you’re making here. I guess if a bookstore doesn’t sell loliporn they are also working for the CIA?

@pinknoise
1 · 2M

They’re technically a provider so they aren’t responsible for the stuff they “host”. They would still have to help law enforcement to take it down. For some sites this very suspiciously doesn’t happen.

@ChinaNumberOne
banned
-4 · 2M

they host a lot of bigoted content (like 4ch*n)
