Regardless of whether or not you provide your own SSL certificates, cloudflare still uses their own between their servers and client browsers. So any SSL encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?

  • Quique1222B
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    A lot of people in this thread have never been ddosed and it shows. You don’t need to host a super popular thing to get ddosed.

    When you host game servers there are gonna be salty 16 years old that go to a free stresser and hit you with 1gbps.

    And you might think “well yeah but it’s not like cloudflare’s free plan protects that much”.

    It does, believe me. I’ve done tests with people who have access to botnets and without cloudflare with 1gbps our connection was dead. With cloudflare it didn’t go down and reported more than 50gbps on the cloudflare dashboard.

    Also another thing is that a lot of these people are 16 year old script kiddies, and not seeing your IP directly discourages them.

    • spottyPottyOPB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      nginx can be configured to throttle connections and fail2ban to refuse them to mitigate this

  • teemB
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    What is it you’re afraid cloudflare is doing? This is a company trusted by tons of corporations who have legit secrets to protect. Why would they care about intercepting your traffic? To what end?

    Cyber attacks are goal-oriented and based on attack cost, basically how much effort for how much reward. Is your selfhost traffic super valuable? So valuable that someone would hack cloudflare to get it?

    In reality, other than commodity malware that your security suite should easily pick up, there isn’t much threat in my opinion.

    • spottyPottyOPB
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      The question was a more general one, and not specific to my personal data needs.

      The existence of such a ubiquitous centralised service that actually IS a MITM, whether they are malicious or not, seems curious to me.

      As they say, if the product is free, then you are the product. If people accept, but recognise, a loss of privacy when using free services from Google and meta, for example, knowing that the data they provide is used for personalised ads, then how come CF’s free tier isn’t viewed with the same level of scrutiny?

  • s3r3ngB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Yeah. I believe Cloudflare basically has its heart in the right place but it is is still a dangerous central choke point.

  • GeekCornerRedditB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    You realize your computer can have a backdoor put in place by the brand right? Pretty much same deal isn’t it?

    • spottyPottyOPB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Yes, agreed. However it’s not a centralised service through which a large percentage of traffic passes.

  • t1nk3rzB
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    1 year ago

    It’s not entirely true what you said. I use cloudflare -> my Proxyserver -> my machines behind the Proxyserver

    My Proxyserver has my own certificates loaded and terminates the SSL/TLS connection from cloudflare

    Even if the data is passing through cloudflare cdn uses the cloudflare certificates my data is encrypted first using my own certificates from the Proxyserver

    • spottyPottyOPB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      When I visit one of the sites I manage, that goes through CF (my personal ones don’t), I see that the certificate that the browser sees is one provided by CF and not the one that I create using LetsEncrypt.

    • schklomB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Even if the data is passing through cloudflare cdn uses the cloudflare certificates my data is encrypted first using my own certificates from the Proxyserver

      This is false, connect to your website, check the certificate, it will be Cloudlfare’s. I assume either you have not checked, or are a Business customer paying quite some money yearly to Cloudflare.

      Cloudflare decrypts inbound traffic, then re-encrypts it before sending it to you, unless you pay a decent amount of money so that they serve your certificate.

  • I_EAT_THE_RICHB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Cloudflare is awesome and undervalued in my opinion. They provide dozens of services and charge extremely reasonable pricing.

  • Initial-Repeat9146B
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    OP, what you’re describing is not the “big scary MITM” attack vector. It’s how TLS/Reverse proxies work. Whether you are using Cloudflare or hosting your own reverse proxy somewhere with full control, it’s still terminating TLS at the endpoint and passing back traffic in the clear to the backend.

    Some people like Cloudflare for whatever reasons, and that’s okay. I host my own reverse proxy out on a VPS and it works just fine.

    You’ll find that not all of the seflhosted community is super-focused on privacy as say r/privacy is.

    • spottyPottyOPB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Maybe it’s my fault for posting this in selfhosted. My question was of a more generic nature about security and privacy in general. You’re right, r/privacy might be a better sub for this conversation.

      In my case my reverse proxy (nginx) runs on the same machine as my backend. In fact nginx also serves all static data with the backend only serving api requests.

      • Initial-Repeat9146B
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Maybe it’s my fault for posting this in selfhosted. My question was of a more generic nature about security and privacy in general. You’re right, r/privacy might be a better sub for this conversation.

        In my case my reverse proxy (nginx) runs on the same machine as my backend. In fact nginx also serves all static data with the backend only serving api requests.

        No worries, it’s just not a useful post for this group, most know the “risks” :-)