this post was submitted on 08 Jun 2024
244 points (89.1% liked)

Privacy

32109 readers
795 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
244
The Cloudflare Poison (sh.itjust.works)
submitted 5 months ago* (last edited 5 months ago) by Scolding0513@sh.itjust.works to c/privacy@lemmy.ml
 

Daily reminder that sites "protected" by cloudflare are effectively MITM attacks. HTTPS is now even more worthless. Cloudflare can see everything. this is a known fact and not a theory.

And if you think Cloudflare aren't being tapped by the NSA, you're sadly sadly naive.

All the "privacy respecting" sites use it too. So remember, as soon as you see that cloudflare portal page, you can assume that everything you plug into the site is property of NSA Inc. Trust no one, and do not trust code being served to you over the web if it comes through CF, there is no way to know what they've modified.

Edit: good info link below https://serverfault.com/questions/662946/does-cloudflare-know-the-decrypted-content-when-using-a-https-connection

you are viewing a single comment's thread
view the rest of the comments
[–] Harrison@infosec.pub 80 points 5 months ago (7 children)

Cloudflare is a MITM by design. Calling it an attack is disingenuous; you're signing up for the service of your own free will, not a victim.

If a substantiated news article came out showing that Cloudflare shared SSL keys or otherwise gave direct access to various intelligence agencies without a court order, that would essentially destroy the company. So they certainly aren't doing that.

So then the question becomes whether those nefarious three letter agencies penetrated Cloudflare with APT tools and are silently listening to everything. Our adversaries are certainly trying, China, Russia, Iran, etc. If the NSA (which lacks a mandate to act on US soil, and CF is a US company) or perhaps the FBI hacked a US company, particularly one that covers like a third of the internet like Cloudflare, that would be a truly enormous scandal.

But in the end, yes, it is a MITM. If you need your data to be E2E encrypted, don't use it.

[–] Scolding0513@sh.itjust.works 38 points 5 months ago* (last edited 5 months ago) (3 children)

If a substantiated news article came out showing that Cloudflare shared SSL keys or otherwise gave direct access to various intelligence agencies without a court order, that would essentially destroy the company. So they certainly aren't doing that.

excuse me, what?? The Snowden documents came out showing all these companies literally giving over all their data to the NSA like it was water from a spring, and they are all still in business. AT&T, facebook, google, microsoft, dropbox, etc. Yet you claim somehow cloudflare would be destroyed?? This isnt even funny bro.

more recently, Hetzner was showed to have given backdoor access to the feds, yet people still buy VPSs from them, and in fact, 20% of TOR guard nodes are sitting on their infra RIGHT NOW!

Case in point: people using such companies either don't care or are really ignorant or stupid.

[–] sip@programming.dev 5 points 5 months ago* (last edited 5 months ago) (1 children)

isn't the US law so that companies need to cooperate with the alphabet boys? there's no "safe" place

[–] Scolding0513@sh.itjust.works 2 points 5 months ago

not in the US anyway

[–] metacolon@lemmy.blahaj.zone 1 points 5 months ago (1 children)

Can you give a source on the Hetzner claim? I'm curious and didn't find anything online

[–] Scolding0513@sh.itjust.works 1 points 5 months ago

just search hetzner police backdoor. it's all over the place. unless you're using google and google censored it. idk, i dont use google.

[–] possiblylinux127@lemmy.zip 12 points 5 months ago

What concerns me is that we really do not know what the three letter agencies are capable of. They operate outside of the demographic government. Many Americans are increasingly losing faith in the government and secret government programs do not help. It causes what is known as a chilling effect. People start self censoring which is very dangerous and harmful to democracy. Democracy needs transparency not secrecy.

[–] FaceDeer@fedia.io 9 points 5 months ago (3 children)

I could imagine the NSA embedding an agent inside Cloudflare specifically to keep an eye out for any foreign agents also being embedded in Cloudflare, rather than to dig out its secrets for themselves.

[–] LazerDickMcCheese@sh.itjust.works 12 points 5 months ago

They have the money to do it. And historically, the CIA has done similar things globally for decades

[–] BearOfaTime@lemm.ee 5 points 5 months ago

In the 90's telcos were exposed as providing a connection for feds to duplicate any and all comms.

[–] Harrison@infosec.pub 2 points 5 months ago

I'm sure the TLAs work closely in conjunction with all companies responsible for internet infrastructure, yeah. That is their mandate.

[–] anarchist@lemmy.ml 6 points 5 months ago

Maybe I'm just jaded and cynical but it won't "destroy the company" even if it comes out like that. The laws don't apply to people at the top

[–] milicent_bystandr@lemm.ee 6 points 5 months ago* (last edited 5 months ago)

But in the end, yes, it is a MITM. If you need your data to be E2E encrypted, don't use it.

Or do use E2E encryption. You can still have a layer of encryption within the SSL tunnel that cloudflare controls. Like you'd do for an E2EE filestore: the webserver (and cloudflare) see the website woosh by, and all that you do on it, but the files themselves are encrypted opaquely to both, and decrypted only by a browser at the other end.

[–] waitmarks@lemmy.world 5 points 5 months ago

the NSA (which lacks a mandate to act on US soil, and CF is a US company)

They absolutely do have a mandate to operate on US soil, that is actually the main mandate and there is a separate military agency (CNMF) that operates on foreign soil. They are both headed by the same guy though so they might as well just be one agency.

[–] Coasting0942@reddthat.com 2 points 5 months ago (1 children)

I don’t believe that the NSA has a portal giving them direct access (probably naive).

They definitely have a secret agent 🕵️‍♀️ nerd on the inside providing intel on the structure. Maybe inject exploits or guide them when needed.

They definitely have a direct e-mail address to cloudflare legal to serve national security letters that cloud flare is obligated to comply with. Which is a portal with extra steps, but which cloud flare can raise a fuss if they notice the requests are turning into vacuum cleaners, and not union membership research.

[–] plz1@lemmy.world 5 points 5 months ago

Internet traffic gets mirrored to NSA data centers, that's old news from the Snowden leak.