Nearly every website today seems to be hosted behind Cloudflare which is really concerning for the future of privacy on the internet.
Cloudflare no doubt logs, stores, and correlates network telemetry that can be used for a wide array of deanonymization attacks. Not only that, but Cloudflare acts as a man-in-the-middle for all encrypted traffic which means that not even TLS will prevent Cloudflare from snooping on you. Their position across the internet also lends them the ability to conduct netflow and traffic correlation attacks.
Even my proposed solution to use archive.org as a proxy is not a valid solution since I found out today that archive.org is also hosted behind Cloudflare… edit: I was wrong
So what options do we even have? What privacy concerns did I miss, and are there any workaround solutions?
Cf only acts as a mitm for encrypted traffic if you choose it in the options. If you provide your own cert then they can’t decrypt anything.
That’s really misleading. Most admins use Cloudflare’s gratis service and they use CF to handle the traffic load. This is only possible if CF has the private key and sees the traffic. If CF cannot see the traffic, it must pass it all through to the source webserver which defeats the purpose of using CF.
Most importantly, users have no way of knowing whether a web service opts to use their own key or CFs key. It’s impossible. So wise users have no choice but to assume the worst case (which is also the strong majority of cases): that CF sees the traffic.
deleted by creator
I can tell you that the owner of the DNS record sets the proxying settings, and cloudflare has absolutely nothing to do with the certificates in any way, if you choose. I use my own certificates for everything, my SSL terminates at the server.
https://developers.cloudflare.com/dns/manage-dns-records/reference/proxied-dns-records/
deleted by creator
I mean, yeah, we’re in agreement. I am also a cloudflare user.
I'm not sure what your disagreement with snowe was, then, though. They stated they only handle the encryption if the site owner chooses it, which is what I said, and then you did as well. No clue on the downvotes.
Also I’m not certain why there seems to be paranoia over CF. They just offer the tools and haven’t shown me any reason to distrust them in any way, and if you’re blacklisting a major CDN you might as well just stay off of the internet entirely.
My opinion doesn’t actually matter though, I’m just a networking dude that had his curiosity piqued by a random post. I choose privacy by default but I don’t go out of my way to handicap myself in the name of privacy so I’m sure there are far more knowledgeable people here that can advise on much stricter threat models than mine.
I missed the post you replied to, but your comment is misleading. That’s probably around 99% of the cases that you seem to imply are a rare case. If CF cannot see the traffic, it cannot respond to requests and the source webserver must handle the full workload (thus defeating the purpose of using CF). Most users are only using the free service, which requires CF to have the private keys.
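The back-and-forth above turns on whether a given site is proxied through Cloudflare and whether the TLS session a visitor sees ends at Cloudflare's edge. Both signals are observable from the client side: a proxied DNS record resolves to Cloudflare's published address space rather than the origin, and the leaf certificate the edge presents normally names Cloudflare as issuer. The following script is an added example written for this thread, not code from any poster or from Cloudflare; it embeds a snapshot of Cloudflare's IPv4 prefixes (assumption: the authoritative list at https://www.cloudflare.com/ips-v4 may have changed since) plus two constructed certificate dicts shaped like `ssl.getpeercert()` output, so the offline part runs without network access.

```python
import ipaddress
import socket
import ssl

# Snapshot of Cloudflare's published IPv4 prefixes (added example; verify against
# https://www.cloudflare.com/ips-v4 before relying on it, as the list changes).
CLOUDFLARE_V4_SNAPSHOT = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
_NETWORKS = [ipaddress.ip_network(p) for p in CLOUDFLARE_V4_SNAPSHOT]


def is_cloudflare_ip(address: str, networks=None) -> bool:
    """True if the address falls inside one of the Cloudflare prefixes."""
    nets = _NETWORKS if networks is None else networks
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in nets)


def issuer_org(cert: dict) -> str:
    """Pull organizationName out of the issuer field of an ssl.getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def classify(addresses, cert) -> str:
    """Combine the address and issuer signals into a verdict for the visited site."""
    proxied = any(is_cloudflare_ip(a) for a in addresses)
    cf_issued = "cloudflare" in issuer_org(cert).lower()
    if proxied and cf_issued:
        return "cloudflare-proxied: TLS terminates at Cloudflare's edge"
    if proxied:
        # A customer-uploaded certificate: still served from Cloudflare's edge,
        # so the edge holds the key for that certificate too.
        return "cloudflare-proxied: edge presents a non-Cloudflare-issued certificate"
    return "not on Cloudflare address space"


def probe(hostname: str, port: int = 443) -> str:
    """Live check (needs network): resolve the name and fetch the leaf certificate."""
    addresses = sorted({info[4][0] for info in socket.getaddrinfo(hostname, port, socket.AF_INET)})
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return classify(addresses, cert)


# Constructed samples shaped like ssl.getpeercert() output (not captured from a real host).
SAMPLE_CF_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Cloudflare, Inc."),),
        (("commonName", "Cloudflare Inc ECC CA-3"),),
    ),
}
SAMPLE_ORIGIN_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
}

if __name__ == "__main__":
    import sys
    print(classify(["104.16.1.1"], SAMPLE_CF_CERT))
    print(classify(["203.0.113.10"], SAMPLE_ORIGIN_CERT))
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # live probe of a hostname you supply
```

The address check is the stronger of the two signals: if the TCP connection lands in Cloudflare's address space, the edge is the party completing the TLS handshake regardless of whose name is on the certificate. The issuer check only distinguishes Cloudflare's own edge certificates from customer-uploaded ones; it cannot tell you what encryption mode is configured between the edge and the origin.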
Start here → https://git.kescher.at/dCF/deCloudflare/src/branch/master/subfiles/rapsheet.cloudflare.md
It’s normal for a normie to see infosec-aware people as “paranoid” due to lack of widespread understanding of infosec principles. The rule of least privilege is a sound principle. The abstract idea is that you do not extend more privilege than necessary. It’s reckless to needlessly share confidential information. Of course “need” is the keyword there. You are using a CF’d instance. Maybe sh.itjust.works determined that they need CF because they lack the infosec knowledge to protect their service and their budget is too small for them to hire a credible infosec admin. Whatever their reason is, the mistake is on your part (the user). You as a user do not need to expose all your traffic to CF because you can just as well have created an account on mander.xyz. So in a sense, you violated the rule of least privilege by needlessly oversharing. But note that’s a simplified scenario… maybe you trust both sh.itjust.works admins and US tech giants more than you trust mander.xyz admins.
This is a way of thinking that separates normies from street-wise folks. Normies trust by default and look for reasons to distrust. This leaves them extending trust when in fact they need not trust at all. Infosec experts think this way: first, can we avoid the need to trust? If yes, then that’s a no-brainer.
Trust by default is not the only problem with your comment. Cloudflare has given copious reasons to distrust them. They are caught in countless lies. This is covered in ¶11 of the above-linked page.
Why must it be all or nothing? Avoiding CF kills off around 25% of the web for me. And probably another 10% is killed off due to tor-hostile actors other than Cloudflare. But ~65% of the web is still reachable to me, and part of the 35% is reachable through mirrors. CF has only ruined the web for the most part. Non-web connections are mostly still viable.
You need to rethink that. The only thing I know about you is your choice to use sh.itjust.works and unless you have some obscure corner-case well-justified reason for that, you have not chosen privacy by default.
Privacy is about control. When you give up privacy you are opting to handicap yourself in terms of control. Indeed needless disclosure ultimately cripples your agency to be free from the consequences of that disclosure. So you are trading one handicap for another. That might be overly abstract for many so I’ll give a concrete scenario:
Suppose you live in the US and your credit union starts using Cloudflare and uses the default tor-hostile configuration. You are then forced to step outside of Tor and access your bank account. Since Trump gave ISPs permission to collect customer data and share it without getting the customer’s permission, your ISP records the fact that Mark banks at XYZ CU. Cloudflare might do the same (but let’s say it’s not relevant in this case). Your ISP sells that info to creditors. Then a debt collector learns they can do a money grab on Mark’s account at XYZ CU. You ultimately lost control of your money due to a simple disclosure of a website you visit regularly.
One important control that I care about is the ability to boycott bad companies. I boycott Microsoft. So what happens when I send email to recipient@outlook.com? MS gets a piece of data that they profit from. Boycotting is no longer simply a matter of not spending money in a certain way now that data is as good as cash. So control over my ability to boycott a harmful force in the world requires the option to not feed data to that platform (even if the data itself is benign, harmless, and non-sensitive).
The threat model of everyone who demands privacy includes mass surveillance. Threat models vary in countless ways from one person to another but mass surveillance should be the most common component in the threat models of most.