@kev it seems that some people an offence in the way it operates by terminating TLS connections. This obviously breaks the trust of TLS as now the connection is between you and Cloudflare and no longer you and the site owner. (At the same time people might don't mind hosting providers like wordpress.com which also terminate TLS sessions on someone's behalf.)
Another critique point is of course the never ending CAPTCHA thingy.
@sheogorath great point. I know I’d personally prefer it if my TLS chain wasn’t MiTM, especially when services like Let’s Encrypt exist.
I suppose what’s important here is to understand what they’re doing with that data when the carry out TLS inspection.
@kev they act as a MITM, Cloudflare decrypts all your traffic. All the usernames, passwords, have passed in plain text through cloudflare’s server.
Here you have more information about Cloudflare
@kev Any service can collect data, yes, but CDN has access to different data. I respectfully object that this is hyperbolic.
Separate web services can collect data separately for their own use. A CDN backing those services can associate and correlate separate requests to several services. It possesses an overview of what collection of services are used by an individual, which is information that cannot be acquired trivially by individual services.
Re: cloudflare, privacy
@kev @floppy Their quantity has a quality of its own. Due to the sheer number of sites they MITM, they have a nearly exceptional ability to correlate and analyze user behavior across sites. Granted, a site may still chose to share data with trackers and data aggregators, which gives aggregators the same correlation ability, but at least that’s overt, while sites opting to use a CDN with MITM inadvertently give away connection data for free (or even pay for the ‘privilege’).
@kev Urgh...thank you for asking that. I've asked this question for myself, too.
People often say, it was "the biggest privacy abuser", while linking to some dubious websites and Github comments/README's (!)
@kev Depending how the CDN is integrated, it can collect more or less meta data, e.g. when were requests made (and when not). Meta data can be used for creepy correlations to work out e.g. when somebody is on holidays, who your friends are, or what you like. Due to the various sources for the CDN, the available meta data is more potent.
@kev Yes, here I may get a bit hyperbolic regarding what intentions I assume. Problem is: The technical possibilities exist. I don't see any technical limitations that make abuse impossible. So I am required to trust, which I don't think is a good model in this case.
@floppy @kev @be @MindOfJoe Decentraleyes is a bit different, because it replaces CDN for third-party resources. Thankfully, browsers nowadays use first-party isolation, so third-party resources leak very little information to the CDN (the CDN can’t just set a cookie when you browse one site and retrieve it when you browse another). Probably the largest vulnerability would be the CDN injecting malicious code, but that can be avoided by the developers with subresource integrity. That is not to say that local CDN emulation is not useful (that’s one fewer HTTP request to analyze and correlate, the very least), but it can’t do much against willful MITM use for first-party resources, where the request may carry much more relevant information (like usernames, first-party cookies and session IDs).
@MindOfJoe @be @floppy @kev Yeah, probably only the names of resources requested close to each other (or in the same TLS connection) would be most of the time enough to identify the site a given IP address is visiting. Although with aggressive enough browser caching, that fingerprinting vector can be plugged up, but then you’d have just created another one.
@kev I’m personally a bit torn. Cloudflare have done many good things, such as making it easy for website operators to use HTTPS, help haveibeenpwned with caching (for free!), and recently help keep icanhazip online.
At the same time their spam filtering is way to aggressive. It was rare, but I sometimes couldn’t open websites while I lived in the Philippines because of Cloudflare’s filtering. That’s my primary reason for disliking them.
@werwolf yeah, I know that Cloudflare basically MiTM your traffic, but that's the same as any corporation who uses systems like Alteon to do SSL inspection.
It's what they do with that data that counts - which the link you posts doesn't offer any credible sources.
I agree that we should assume worst case and hope for best case and that's where the layered InfoSec comes in - unique passwords, multi-factor etc.
@kev people in this sphere can be self-important, and paranoid. But this is anecdotal based on what I see.
As in: major trust issues. I often see that they view Cloudflare’s infrastructure as a MitM. Especially using their edge network for CDN or for proxy.
Also as in: believing ideology comes at the expense of infrastructure. “Cloudflare is for profit, trust is implicit, they are not FOSS, and therefore should be abandoned.” When that’s not how the rest of the world thinks, acts or does work.
@kev yeah, I try to do it. I have my Pihole blocking a ton of dangerous domains and hosts. Then on my browser I have uBlock Origin blocking third parties by default and with custom filter lists.
Sometimes when I really need to use a site that's broken I may make an exception. But only if it's completely necessary.