Regardless of whether or not you provide your own SSL certificates, cloudflare still uses their own between their servers and client browsers. So any SSL encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?

  • @Quique1222B
    4 points, 8 months ago

    A lot of people in this thread have never been ddosed and it shows. You don’t need to host a super popular thing to get ddosed.

    When you host game servers there are gonna be salty 16-year-olds that go to a free stresser and hit you with 1gbps.

    And you might think “well yeah but it’s not like cloudflare’s free plan protects that much”.

    It does, believe me. I’ve done tests with people who have access to botnets and without cloudflare with 1gbps our connection was dead. With cloudflare it didn’t go down and reported more than 50gbps on the cloudflare dashboard.

    Also another thing is that a lot of these people are 16-year-old script kiddies, and not seeing your IP directly discourages them.

    • @spottyPottyOPB
      1 point, 8 months ago

      nginx can be configured to throttle connections and fail2ban to refuse them to mitigate this
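As an added example (my own, not from this reply and not nginx's or fail2ban's own code), a POSIX shell function that writes the two configuration fragments the comment refers to: an nginx per-IP request and connection limit, and a fail2ban jail using fail2ban's bundled nginx-limit-req filter to ban addresses that keep tripping that limit. The rates, zone names, hostname, certificate paths, upstream address and the output directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example: provisioning script for the nginx + fail2ban mitigation
# mentioned above. Rates, zone names, paths and the output directory are
# assumed values; adjust to the real site. Not part of the thread.
set -eu

# Write both fragments into "$1" (in production they belong in
# /etc/nginx/conf.d and /etc/fail2ban respectively; one target directory
# keeps the example self-contained and easy to diff).
write_rate_limit_configs() {
  out=$1
  mkdir -p "$out"

  # nginx: one shared-memory zone keyed by client address. 10 req/s steady,
  # a burst of 20 queued requests, and surplus answered with 429 rather than
  # 503 so legitimate clients can back off. $binary_remote_addr is an nginx
  # variable; the quoted heredoc stops the shell from expanding it.
  cat > "$out/nginx-ratelimit.conf" <<'EOF'
limit_req_zone $binary_remote_addr zone=perip_req:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=perip_conn:10m;

server {
    listen 443 ssl;
    server_name example.invalid;                       # assumed hostname
    ssl_certificate     /etc/ssl/example.invalid.pem;  # assumed paths
    ssl_certificate_key /etc/ssl/example.invalid.key;

    limit_req zone=perip_req burst=20 nodelay;
    limit_req_status 429;
    limit_conn perip_conn 20;
    limit_conn_status 429;
    # limit_req rejections are logged to error.log at "error" level by
    # default; that is the line fail2ban's nginx-limit-req filter matches.

    location / {
        proxy_pass http://127.0.0.1:8080;             # assumed upstream
    }
}
EOF

  # fail2ban: ban an address for an hour after 10 rejections in 10 minutes.
  cat > "$out/jail.local" <<'EOF'
[nginx-limit-req]
enabled  = true
filter   = nginx-limit-req
logpath  = /var/log/nginx/error.log
findtime = 600
maxretry = 10
bantime  = 3600
EOF
}

# Usage: ./ratelimit.sh /tmp/staging && nginx -t -c ... && fail2ban-client reload
if [ -n "${1:-}" ]; then
  write_rate_limit_configs "$1"
  echo "wrote $1/nginx-ratelimit.conf and $1/jail.local"
fi
```

Run `nginx -t` after dropping the fragment in and `fail2ban-client reload` after the jail. The caveat a practitioner should keep in mind is the one the parent comment makes: this handles application-layer floods that your box can still see, but a volumetric flood that saturates the uplink has to be absorbed upstream of your link, which no configuration on the server itself can do.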

  • @rollinghungerB
    3 points, 8 months ago

    Yes, you’re right that there’s a certain amount of trust you need to have in CF… but what are you trusting it to do? And if they fail, what are the consequences?

    Honest question - even if you are sending your Vaultwarden traffic over CF, and they are watching or attacking, you have to trust that the e2e encryption of Vaultwarden is what’s keeping you safe, right? Not the SSL certs. Does the auth mechanism rely on the SSL certs not to be compromised? I would hope not.

    For me, it’s about trade offs.

    https://www.troyhunt.com/cloudflare-ssl-and-unhealthy-security-absolutism/

    https://serverfault.com/questions/662946/does-cloudflare-know-the-decrypted-content-when-using-a-https-connection

    These two data sources kinda sum it up for me - “If you are concerned that cloudflare can read your data - don’t use cloudflare.”

    But I do want to be sure that any e2e encrypted app doesn’t rely on SSL for its “end-to-end”.

    • @TheQuantumPhysicistB
      1 point, 8 months ago

      The concern isn’t that CF is reading your data. It’s that 3-letter agencies can read your data at will, since they always make these deals with large companies to have open-hose access to all the data. There was a scandal that Facebook had a special access page for those people.

      You might think you’re innocent, and you’re a good person, so nothing to worry about. This is the old “I have nothing to hide”, but this isn’t how the world works. People who want to get you can pull strings to get anything they want from government institutions. After all, government is just people. It’s not a benevolent being.

      Now all this is unlikely, granted. But the task of a good security setup isn’t to make it impossible to hack you, but it’s to make it hard enough and costly. I’m quite sure there’s a zero-day somewhere that can hack my bare-bones Linux servers, but good luck breaking the 10 layers of security I have before even reaching these servers to find something remotely valuable about me. I don’t need to make concessions in that regard. You don’t have to trust anyone.

    • @Psychological_Try559B
      1 point, 8 months ago

      Thanks for the link, it’s an interesting read with more detail than I’ve ever heard (not having used cloudflare for this myself).

    • @travellingtechieB
      1 point, 8 months ago

      Do login credentials traverse cloudflare? I haven’t used cloudflare so I don’t know much about it, but I wouldn’t want my credentials for self hosted sites to pass through a MITM.

  • @teemB
    3 points, 8 months ago

    What is it you’re afraid cloudflare is doing? This is a company trusted by tons of corporations who have legit secrets to protect. Why would they care about intercepting your traffic? To what end?

    Cyber attacks are goal-oriented and based on attack cost, basically how much effort for how much reward. Is your selfhost traffic super valuable? So valuable that someone would hack cloudflare to get it?

    In reality, other than commodity malware that your security suite should easily pick up, there isn’t much threat in my opinion.

    • @spottyPottyOPB
      2 points, 8 months ago

      The question was a more general one, and not specific to my personal data needs.

      The existence of such a ubiquitous centralised service that actually IS a MITM, whether they are malicious or not, seems curious to me.

      As they say, if the product is free, then you are the product. If people accept, but recognise, a loss of privacy when using free services from Google and meta, for example, knowing that the data they provide is used for personalised ads, then how come CF’s free tier isn’t viewed with the same level of scrutiny?

  • @CybasuraB
    3 points, 8 months ago

    That’s not what a MITM is

    A MITM is a Man-in-the-Middle Attack: someone whom you don’t trust or don’t know has hijacked your network connection to either read, remove or modify data from your network packets and then proxy-send it to your initial intended target

    Cloudflare is a proxy server, a person you TRUST and designated to pass through first to scan and check for network security before it redirects and passes your packets through to your intended target, like a gatekeeper

    What, you gonna call all your gatekeepers, your bouncers, your proxy servers a MITM?

    • @WisdomSkyB
      0 points, 8 months ago

      Get some reading comprehension. He said MITM and not MITM Attack. He’s referring to Cloudflare as a middle man.

      What OP is trying to say is why everyone is okay with using Cloudflare when it basically is a middle man where your traffic/requests go through and could potentially be sniffed at.

      • @CybasuraB
        2 points, 8 months ago

        No, I read it properly. A MITM generally refers to a MITM Attack and vice versa in cybersecurity; it is down to the individual to clarify if they meant otherwise, and clearly, in this case he is referencing BEING A MITM for malicious purposes

        • @spottyPottyOPB
          1 point, 8 months ago

          To clarify, I did not mean MITM attack. It actually wouldn’t make sense to say that cloudflare is a man in the middle attack, since it is a company and not an action.

          I didn’t include the word “attack” anywhere.

          MITM is commonly used together with attack, so your misunderstanding is understandable. However the acronym just stands for Man In The Middle, which is why it is followed by “attack” in such situations.

  • @fellipecB
    3 points, 8 months ago

    If you want then to cache your content to reduce the load of your servers, they have to decrypt the traffic. This is how a reverse proxy works.

    And, well, you have to trust them before contracting their services. The same way people trust VPNs to route their traffic. If I was from some 3 letter agency and wanted to spy on potential illegal content, I would tap into a VPN server.

    • @IonTichyB
      1 point, 8 months ago

      If I was from some 3 letter agency and wanted to spy on potential illegal content, I would tap into a VPN server.

      Or simply fund one and advertise it on youtube.

  • @s3r3ngB
    2 points, 8 months ago

    Yeah. I believe Cloudflare basically has its heart in the right place but it is still a dangerous central choke point.

  • @tschlossB
    2 points, 8 months ago

    CF is not using “their own”! The certificates the client sees must be provided and authorized by the provider of the service. Or, put in other words: CF is acting as the hosting provider to the outside, to the clients.

    The rest of the journey is “inside” the domain of the provider of the service. It is totally normal that traffic has some journey to go, and often it never touches the premises of the provider or even a server owned by the provider.

    The important thing is that all the part which, from a customer’s view, is “internal to the provider of the service” (behind the CF address) is the responsibility of the provider of the service, no matter what 3rd party services they use.

  • @SadMaverickB
    2 points, 8 months ago

    My take is: Any data worth your while shouldn’t just rely on HTTPS anyway. You should have more layers of encryption. That’s how the majority of the companies do it.

    And people who do not even know this are better off using CF as MITM.

  • @saxobrokoB
    1 point, 8 months ago

    Yes by default traffic is only encrypted between cloudflare and users, but you can set it to “full (strict)” and have it end to end encrypted

    • @Darkassassin07@lemmy.ca
      1 point, edit-2, 8 months ago

      That’s not end to end encryption, it’s two separate SSL connections both terminated at cloudflare. One from client to cloudflare, one from cloudflare to your server. Cloudflare is still a MITM inspecting your traffic in that scenario.

      They do however let you disable their proxy (WAF) service, acting as pure DNS so clients connect directly to your IP instead of theirs. But they can at any point toggle that back on and intercept your traffic; nothing really stopping them except morals and T&Cs, but that’s not exactly bulletproof. T&Cs can be rewritten, and corporations with morals? Right…

  • @manawenuzB
    1 point, 8 months ago

    It comes down to the same line of reasoning that most people are “OK” with using cloud, be it aws, google, oracle, microsoft etc … Out of laziness and lack of expertise, basically sysadmins are dead. Otherwise it’s always a bad idea to offload anything on a third-party, especially without transparency (pinky promise)

    Badger DAO lost 120M, to this pinky trust. https://www.theblock.co/post/126072/defi-protocol-badgerdao-exploited-for-120-million-in-front-end-attack

    The same issue however exists with domain name registrars, etc., hence even such a thing as ens.domains is much more trustworthy, and it’s much harder to exploit.

  • @psychowoodB
    1 point, 8 months ago

    I mean, we trust Root Certification Authorities, which are basically self-proclaimed-as-trusted entities. At least CF became widespread and is community-trusted :)

    • @spottyPottyOPB
      1 point, 8 months ago

      Good point. Who’s to say that LetsEncrypt doesn’t keep a copy of my private keys?

      • @capecodcarlB
        3 points, 8 months ago

        A certificate authority doesn’t have a copy of your private key, you send them a certificate signing request. The private key never leaves your system. That’s the whole point of public key encryption.

            • @maevianB
              1 point, 8 months ago

              How are they going to prevent an opensource browser like Firefox to do this? Scary stuff

          • @StewgeB
            1 point, 8 months ago

            The actual danger with CA trust is that the CA could issue a completely new certificate with basically any domain name and every browser in the world will think it’s legitimate.

            You are trusting them not to do this.

          • @silversurgerB
            1 point, 8 months ago

            A root-CA can still swap out your certificates, but they do not have access to the private keys. What they can do is issue valid certs for domains not under their control (or the control of their users). With a bit of DNS poisoning you can now serve traffic through a Proxy and no one would notice (think: someone obtains a valid cert for google.com, sets the local DNS to resolve google.com to the IP of a server hosting a proxy and et voila, you can read all their encrypted traffic to google.com).

            • @spottyPottyOPB
              1 point, 8 months ago

              Isn’t this also what many companies do to monitor web-traffic from their network?

              • @Cypher_DragonB
                1 point, 8 months ago

                Speaking from experience, companies that are trying to do this will typically do it one of two ways: either through DNS lookups by having their on-network DNS server acting as a recursive server, thus being able to intercept/interpret DNS requests and apply filtering rules, OR through a forward proxy that all web traffic exiting the company network will go through. Forward proxies can absolutely be configured for SSL interception, and it’s typically handled by using a company-issued certificate signed by the company’s CA…and every company computer has the company’s CA certificate installed, so it’s explicitly trusted. This is why you shouldn’t do any kind of personal business (especially banking) on company-owned devices.

                The biggest difference between companies using a forward proxy and an attacker using DNS poisoning to redirect the traffic is intent - the attacker is doing it for explicitly malicious purposes, while the company is ostensibly doing it to enforce company policy (especially AUPs)…having access to all the delicious unencrypted data is simply a side effect. You trust your employer, don’t you friend citizen?

                • @FirArAlDracuDeCreierB
                  1 point, 8 months ago

                  You trust your employer, don’t you friend citizen?

                  You damn well do if you wanna pay that mortgage, peasant! 🤑

                • @spottyPottyOPB
                  1 point, 8 months ago

                  You trust your employer, don’t you friend citizen?

                  This is exactly the original point I was trying to make regarding cloudflare.

                  The point that I take from this tongue-in-cheek sentence of yours is that no, we should absolutely not trust our employer with our unencrypted traffic.

                  But then on the other hand there are loads of people on here saying that, yes, of course we should trust cloudflare with having access to all of the data flowing through it.

      • @patmorgan235B
        1 point, 8 months ago

        Because that’s not how certificates work?

        Your private key is never sent to the CA when you submit a Certificate Signing Request, only the public key and a bunch of metadata.

        (The exception being code signing certs that are delivered on an HSM but the key never leaves the HSM)
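An added example (my own, not from any commenter here and not OpenSSL's or Let's Encrypt's own code) that uses the openssl command line to check the point capecodcarl and patmorgan235 both make, that a CSR carries only the public key and a self-signature, and, since it needs the same key material, the point silversurger and Cypher_Dragon make further up: a root that clients have been told to trust can issue a valid certificate for any name, and the defensive tell is the issuer you are presented with. The names (example.invalid, "Corp Internal Root CA", mail.example.invalid) and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example using the openssl CLI. Every name and path below is
# constructed for illustration; nothing here is from the thread.
set -eu

# Claim 1: a CSR carries the public key, the subject and a self-signature;
# the private key never leaves the machine that generated it.
# Returns 0 when that holds for a freshly generated key/CSR pair.
csr_keeps_key_local() {
  d=$(mktemp -d)
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/site.key" 2>/dev/null
  openssl req -new -key "$d/site.key" -subj "/CN=example.invalid" \
      -out "$d/site.csr" 2>/dev/null
  # public key derived from the private key vs. public key embedded in the CSR
  openssl pkey -in "$d/site.key" -pubout 2>/dev/null > "$d/pub_from_key.pem"
  openssl req -in "$d/site.csr" -noout -pubkey 2>/dev/null > "$d/pub_from_csr.pem"
  cmp -s "$d/pub_from_key.pem" "$d/pub_from_csr.pem" || return 1
  # the CSR is signed with the private key, which is how the CA checks
  # proof of possession without ever seeing that key
  openssl req -in "$d/site.csr" -noout -verify >/dev/null 2>&1 || return 1
  # and the PEM you actually send contains no private-key block at all
  if grep -q "PRIVATE KEY" "$d/site.csr"; then return 1; fi
  rm -rf "$d"
}

# Claim 2: whoever holds a root your clients trust can mint a valid leaf
# for a name they do not own. Builds a throwaway private root and a leaf
# for mail.example.invalid; prints "<leaf.pem> <root.pem>".
private_root_issues_any_name() {
  d=$(mktemp -d)
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$d/root.key" -out "$d/root.pem" -days 1 \
      -subj "/CN=Corp Internal Root CA" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/leaf.key" 2>/dev/null
  openssl req -new -key "$d/leaf.key" -subj "/CN=mail.example.invalid" \
      -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
      -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
  echo "$d/leaf.pem $d/root.pem"
}

# Issuer of a PEM certificate in RFC 2253 form, e.g. "CN=Corp Internal Root CA".
# On a network you distrust, compare this against the issuer the same site
# shows you from elsewhere; a private root here is the interception tell.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# Does the leaf ($1) chain to the given root ($2)? Exit 0 means a client
# with that root installed would accept it without any warning.
leaf_verifies_against() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
  csr_keeps_key_local && echo "CSR holds only the public key"
  set -- $(private_root_issues_any_name)
  echo "leaf issued by: $(cert_issuer "$1")"
  leaf_verifies_against "$1" "$2" && echo "accepted by anything trusting that root"
  openssl verify "$1" >/dev/null 2>&1 || echo "rejected by the system trust store"
fi
```

Run it as `sh cert-trust-demo.sh demo`. The two outcomes at the end are the whole story of this sub-thread: the CA never needs your private key, and the thing you are actually trusting a CA (or an employer who installs one) with is the power to have a leaf for any name accepted by every client that carries its root.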

  • @Bagel42B
    1 point, 8 months ago

    Because it’s everyone’s MITM. I trust them with security because it’s the only thing they focus on; I focus on making my stuff stop randomly shutting down. If absolutely everyone is using it, I don’t care too much if an issue appears: nobody cares about my tiny little thing when Discord goes through Cloudflare

    • @amunakB
      1 point, 8 months ago

      Because it’s “everyone’s MITM” it would make it a perfect spot for state actors to tap into in order to surveil pretty much everything without anyone being able to notice.

      Hell, just the server logs (timestamps, IP addresses and exact URLs) would be unbelievably valuable.

      I’d be really surprised if someone wasn’t taking advantage of that.

      Which is to say if you selfhost because you want more control and privacy, you probably want to avoid services like that.

      • @malastare-B
        1 point, 8 months ago

        Hell, just the server logs (timestamps, IP addresses and exact URLs) would be unbelievably valuable.

        People say that, but the actual data would be so vast and with so little actual usability that the dilution of it still results in largely garbage data. It’s only when you have a particular focus and have the ability to filter to that focus that the data becomes very valuable.

        Even banks and card processors, who have direct, legal, and completely open access to data as critical as where every one of their customers spends money struggle to do more than harvest aggregated usage patterns. The idea that data volumes, at a couple more orders of magnitude and notably more generalized will be easily processed and harvested ends up being pretty silly.

        • @amunakB
          1 point, 8 months ago

          Well yeah, it’s not easy. Which is why they limit what they do to the aggregated data or to targeted discovery.

          But that’s only a small technical hurdle and the speed with which you can analyze the data grows much faster than the volume (especially if you are smart about what data you analyze and how you do it) so it won’t last forever.

          • @malastare-B
            1 point, 8 months ago

            But that’s only a small technical hurdle and the speed with which you can analyze the data grows much faster than the volume (especially if you are smart about what data you analyze and how you do it) so it won’t last forever.

            In 10 years, we’ve made such slow progress on conquering that “small technical hurdle” that it’s hard to take the argument seriously.

            Generative AI data ingestion techniques are the first round of technology that come close to being able to target the data volume/complexity we’d see in it, and those ingestion techniques are still:

            • Very expensive
            • Time consuming
            • Produce datastores with largely unusable data for the general purpose

            And the techniques that pull data from them don’t end up saying more than what you could have gotten from a directed observation. You need to know what you’re looking for to get it, or you’d need to code particular ingestion techniques to be able to extract the patterns you wanted to scan for.

            So, the end result is still the same: Your concern is over a directed attempt to wiretap you, and if that is your concern, then there are a bunch of other places you need to be concerned with.

            Also, if your primary concern is the number of people/agencies that might be trying to wiretap you, then I’d probably agree that Cloudflare is not for you. Maybe some sort of Tor connection via an array of cellular antennae?

      • @Patient-TechB
        1 point, 8 months ago

        Depends what you’re putting on there. If it’s some blog that’s out there for the world to see, and if you’d like to have more traffic checking it out, then privacy isn’t your goal. Now your personal data, yeah that’s different. I have that stuff segregated.

        • @amunakB
          1 point, 8 months ago

          As I said in another comment, it’s more about your visitors than you.

          Sure maybe if you have a completely generic blog about cooking or something it doesn’t matter much. But still as long as you can use that information (along with information from every other site that user visits through Cloudflare) to infer stuff about that person it becomes kinda scary.

      • @jared252016B
        1 point, 8 months ago

        ThePirateBay, the most notorious site in the world, uses Cloudflare. This isn’t China. Wiretapping is illegal in most circumstances, and that’s essentially what it would be doing.

        • @amunakB
          1 point, 8 months ago

          Wiretapping is only illegal if it isn’t sanctioned in some way.

          They can spy on anyone who isn’t an American citizen legally, so they could probably tap into any server that’s outside the US.

          They can also spy on people if a secret court allows them to do so, and (by design) you would never even know about it.

          Lastly they can simply have deals with agencies from other countries that have similar “restrictions” where they tap into the US data and then they just exchange the collected data, because then it’s technically not them who is doing it so it’s perfectly legal.

          They certainly have no obligation (or desire) to keep anyone’s data private - especially from themselves.

          ThePirateBay, the most notorious site in the world, uses Cloudflare.

          It wouldn’t be far-fetched to think that now that the battle against it was lost on all fronts it would work as a good honeypot. You never know what or who is behind it.

      • @nemecB
        1 point, 8 months ago

        If your threat model includes the U.S. government you are in the very, very, very, very, very minority of the population of selfhosters.

        • @amunakB
          1 point, 8 months ago

          Right, but it’s not necessarily only about that; if you care about other people and/or you don’t want to give the US and their spy agencies more power - perhaps if they are opposed to what they do and the idea of mass surveillance in general (and that’s even if it doesn’t affect you directly, which is most likely the case) this is a pretty simple way to make sure that you aren’t contributing to it.

          It’s like with, I dunno, consumerism. If you don’t like it, just don’t do it since it opposes your views anyway. And sure your impact will be pretty small but it’s still easy to do and it’s kind of a win-win situation?

      • @chewableplateB
        1 point, 8 months ago

        State actors also have access to the actual remote servers any cloud software is hosted on directly (think Azure or AWS) along with all of the ISPs (and plenty of VPNs) and easy access to logs for client devices (especially android). Along with buying data from every single data broker and combining that with their legal access to simply request all sorts of data through mechanisms that are just rubber stamped means they’ll pretty much get what they want.

        I have very strong opposition to all of that and everything else they have access to but 99% of people trying to maintain a threat-model that high for casual use are missing a mechanism for surveillance they haven’t thought of or that is completely undetectable and built into our hardware and software supply chains.

        The privacy rabbit hole is not for the faint of heart and is honestly not feasible to expect most people to trade off the huge benefits services like cloudflare and every other company they utilize provide.

      • @spottyPottyOPB
        1 point, 8 months ago

        Because it’s “everyone’s MITM” it would make it a perfect spot for state actors to tap into in order to surveil pretty much everything without anyone being able to notice.

        Yep, that’s my main point

  • @windows300B
    1 point, 8 months ago

    The sites I expose to Cloudflare were already being publicly hosted for my friends. Anything actually private or sensitive I run via private DNS and Wireguard internally.

  • @Brent_the_constraintB
    1 point, 8 months ago

    You need them if you really want to be secure from DDOS… well, with knowledge of HTTP2, DOS is enough… :-)

  • @ndlogokB
    1 point, 8 months ago

    Mostly they know how CF works, but when asking for simplicity, CF does it