I don’t want to be an enabler of the drivel, so without posting the full URL to that article that’s reachable in the open free world, I will just say that medium.com links should never be publicly shared outside of Cloudflare’s walled garden. I realise aussie.zone is also in Cloudflare’s walled garden, but please be aware that it’s federated and reaches audiences who are excluded by Cloudflare.
The medium.com portion of the URL should be replaced by scribe.rip to make a medium article reachable to everyone. Though I must say this particular article doesn’t need any more reach than it has.
Anyone who just wants the answer: see @[email protected]’s comment in this thread.
Setting aside the content of the OP, what is the issue with Cloudflare?
A lot of people have issues with Cloudflare, some more justified (e.g. their shitty and aggressive “sales” tactics that skirt the line with extortion), and some not so much.
I checked their comments in another thread where they were discussing Cloudflare, and they linked to a site with some false information about CF, like claiming that Cloudflare blocks VPN traffic to sites hosted on or tunneled through them (they don’t, and I just tested this to verify I wasn’t crazy, because I’ve been hitting CF-tunneled sites through VPNs for years), or very misleading information (like seemingly trying to conflate CF blocking some CGNAT IPs, which could have blocked innocent users behind those addresses, into claiming that they block all CGNAT IPs… which they don’t).
There are also a lot of people who like to say that Cloudflare is a MITM (by ignoring the “unknown to the communicating parties” part of the definition of MITM), but honestly, as someone whose job is information security, this mostly strikes me as overfocusing on one part of a large chain that you have very little control over, to feel more in control.
Once traffic leaves your home network, you are trusting a lot of different groups with your data, whether you like it or not. You’re trusting the DNS provider to send you to the right IP. You’re trusting the AS operators to properly and honestly maintain their BGP routes to take you to the legitimate owner of that IP. If a site is being served on a VPS, you’re trusting the VPS provider not to be reading or altering the traffic. If it’s SSL-encrypted, you’re trusting the Certificate Authorities involved not to be issuing malicious certs, etc etc…
As usual, there is a grain of truth behind those claims:
Cloudflare offers their own DNS, with stated benefits like filtering out some sites, while resolving CF sites… but some VPNs also set their own DNS, which don’t fully match Cloudflare’s… resulting in some combinations of CF site and VPN not working. I’d blame the VPN for that, but people’s experience is going to be “everything works, except some CF sites” 🤷
Cloudflare is a “potential” MITM: they claim not to read the traffic… but as a TLS terminator, they get the ability to read it without anyone’s knowledge.
All non-encrypted traffic has been considered “insecure” for some time now. The whole point of initiatives like Let’s Encrypt is to remove everyone on the client-server path from the list of entities you have to trust, so it ends up as: client software, client system, CertAuth, server owner, server software.
Ideally, we’d have homomorphic encryption on the servers, but it’s not there yet.
Cloudflare is a “potential” MITM: they claim not to read the traffic… but as a TLS terminator, they get the ability to read it without anyone’s knowledge.
Yes, and this is also true for AWS ALBs and any other hosted reverse-proxies that do SSL offloading/termination. Hell, it’s even worse for AWS in general, since they also have potential access to your databases and instances, never mind SecretsManager info that you just directly give them. It’s just such a weird thing to specifically only harp on Cloudflare like that site is.
Besides, the only real threat actor I can see them being worried about with CF is the USFG, since they’re the only ones I could see being able to compel CF to break their customer contracts like this. And if the USFG is your presumed threat actor, and you’re in the US, you’re not going to “out-security” them by avoiding Cloudflare.