this post was submitted on 08 Jun 2024
244 points (89.1% liked)
Privacy
32109 readers
795 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Cloudflare is a MITM by design. Calling it an attack is disingenuous; you're signing up for the service of your own free will, not a victim.
If a substantiated news article came out showing that Cloudflare shared SSL keys or otherwise gave direct access to various intelligence agencies without a court order, that would essentially destroy the company. So they certainly aren't doing that.
So then the question becomes whether those nefarious three letter agencies penetrated Cloudflare with APT tools and are silently listening to everything. Our adversaries are certainly trying, China, Russia, Iran, etc. If the NSA (which lacks a mandate to act on US soil, and CF is a US company) or perhaps the FBI hacked a US company, particularly one that covers like a third of the internet like Cloudflare, that would be a truly enormous scandal.
But in the end, yes, it is a MITM. If you need your data to be E2E encrypted, don't use it.
excuse me, what?? The Snowden documents came out showing all these companies literally giving over all their data to the NSA like it was water from a spring, and they are all still in business. AT&T, facebook, google, microsoft, dropbox, etc. Yet you claim somehow cloudflare would be destroyed?? This isnt even funny bro.
more recently, Hetzner was showed to have given backdoor access to the feds, yet people still buy VPSs from them, and in fact, 20% of TOR guard nodes are sitting on their infra RIGHT NOW!
Case in point: people using such companies either don't care or are really ignorant or stupid.
people love to forget. History is so important, even short term history
isn't the US law so that companies need to cooperate with the alphabet boys? there's no "safe" place
not in the US anyway
Can you give a source on the Hetzner claim? I'm curious and didn't find anything online
just search hetzner police backdoor. it's all over the place. unless you're using google and google censored it. idk, i dont use google.
What concerns me is that we really do not know what the three letter agencies are capable of. They operate outside of the demographic government. Many Americans are increasingly losing faith in the government and secret government programs do not help. It causes what is known as a chilling effect. People start self censoring which is very dangerous and harmful to democracy. Democracy needs transparency not secrecy.
I could imagine the NSA embedding an agent inside Cloudflare specifically to keep an eye out for any foreign agents also being embedded in Cloudflare, rather than to dig out its secrets for themselves.
They have the money to do it. And historically, the CIA has done similar things globally for decades
In the 90's telcos were exposed as providing a connection for feds to duplicate any and all comms.
I'm sure the TLAs work closely in conjunction with all companies responsible for internet infrastructure, yeah. That is their mandate.
Maybe I'm just jaded and cynical but it won't "destroy the company" even if it comes out like that. The laws don't apply to people at the top
Or do use E2E encryption. You can still have a layer of encryption within the SSL tunnel that cloudflare controls. Like you'd do for an E2EE filestore: the webserver (and cloudflare) see the website woosh by, and all that you do on it, but the files themselves are encrypted opaquely to both, and decrypted only by a browser at the other end.
They absolutely do have a mandate to operate on US soil, that is actually the main mandate and there is a separate military agency (CNMF) that operates on foreign soil. They are both headed by the same guy though so they might as well just be one agency.
I don’t believe that the NSA has a portal giving them direct access (probably naive).
They definitely have a secret agent 🕵️♀️ nerd on the inside providing intel on the structure. Maybe inject exploits or guide them when needed.
They definitely have a direct e-mail address to cloudflare legal to serve national security letters that cloud flare is obligated to comply with. Which is a portal with extra steps, but which cloud flare can raise a fuss if they notice the requests are turning into vacuum cleaners, and not union membership research.
Internet traffic gets mirrored to NSA data centers, that's old news from the Snowden leak.