this post was submitted on 08 Jun 2024
244 points (89.1% liked)
The Cloudflare Poison (sh.itjust.works)
submitted 5 months ago* (last edited 5 months ago) by Scolding0513@sh.itjust.works to c/privacy@lemmy.ml

Daily reminder that sites "protected" by cloudflare are effectively MITM attacks. HTTPS is now even more worthless. Cloudflare can see everything. This is a known fact and not a theory.

And if you think Cloudflare aren't being tapped by the NSA, you're sadly sadly naive.

All the "privacy respecting" sites use it too. So remember, as soon as you see that cloudflare portal page, you can assume that everything you plug into the site is property of NSA Inc. Trust no one, and do not trust code being served to you over the web if it comes through CF, there is no way to know what they've modified.

Edit: good info link below https://serverfault.com/questions/662946/does-cloudflare-know-the-decrypted-content-when-using-a-https-connection

[–] Harrison@infosec.pub 80 points 5 months ago (8 children)

Cloudflare is a MITM by design. Calling it an attack is disingenuous; you're signing up for the service of your own free will, not a victim.

If a substantiated news article came out showing that Cloudflare shared SSL keys or otherwise gave direct access to various intelligence agencies without a court order, that would essentially destroy the company. So they certainly aren't doing that.

So then the question becomes whether those nefarious three letter agencies penetrated Cloudflare with APT tools and are silently listening to everything. Our adversaries are certainly trying: China, Russia, Iran, etc. If the NSA (which lacks a mandate to act on US soil, and CF is a US company) or perhaps the FBI hacked a US company, particularly one that covers like a third of the internet like Cloudflare, that would be a truly enormous scandal.

But in the end, yes, it is a MITM. If you need your data to be E2E encrypted, don't use it.

[–] Scolding0513@sh.itjust.works 38 points 5 months ago* (last edited 5 months ago) (4 children)

If a substantiated news article came out showing that Cloudflare shared SSL keys or otherwise gave direct access to various intelligence agencies without a court order, that would essentially destroy the company. So they certainly aren't doing that.

Excuse me, what?? The Snowden documents came out showing all these companies literally giving over all their data to the NSA like it was water from a spring, and they are all still in business. AT&T, facebook, google, microsoft, dropbox, etc. Yet you claim somehow cloudflare would be destroyed?? This isn't even funny bro.

More recently, Hetzner was shown to have given backdoor access to the feds, yet people still buy VPSs from them, and in fact, 20% of TOR guard nodes are sitting on their infra RIGHT NOW!

Case in point: people using such companies either don't care or are really ignorant or stupid.

[–] sip@programming.dev 5 points 5 months ago* (last edited 5 months ago) (1 children)

Isn't the US law so that companies need to cooperate with the alphabet boys? There's no "safe" place.

[–] possiblylinux127@lemmy.zip 12 points 5 months ago

What concerns me is that we really do not know what the three letter agencies are capable of. They operate outside of the democratic government. Many Americans are increasingly losing faith in the government and secret government programs do not help. It causes what is known as a chilling effect. People start self censoring which is very dangerous and harmful to democracy. Democracy needs transparency not secrecy.

[–] FaceDeer@fedia.io 9 points 5 months ago (3 children)

I could imagine the NSA embedding an agent inside Cloudflare specifically to keep an eye out for any foreign agents also being embedded in Cloudflare, rather than to dig out its secrets for themselves.

[–] LazerDickMcCheese@sh.itjust.works 12 points 5 months ago

They have the money to do it. And historically, the CIA has done similar things globally for decades

[–] BearOfaTime@lemm.ee 5 points 5 months ago

In the 90's telcos were exposed as providing a connection for feds to duplicate any and all comms.

[–] anarchist@lemmy.ml 6 points 5 months ago

Maybe I'm just jaded and cynical but it won't "destroy the company" even if it comes out like that. The laws don't apply to people at the top

[–] milicent_bystandr@lemm.ee 6 points 5 months ago* (last edited 5 months ago)

But in the end, yes, it is a MITM. If you need your data to be E2E encrypted, don't use it.

Or do use E2E encryption. You can still have a layer of encryption within the SSL tunnel that cloudflare controls. Like you'd do for an E2EE filestore: the webserver (and cloudflare) see the website woosh by, and all that you do on it, but the files themselves are encrypted opaquely to both, and decrypted only by a browser at the other end.

[–] waitmarks@lemmy.world 5 points 5 months ago

the NSA (which lacks a mandate to act on US soil, and CF is a US company)

They absolutely do have a mandate to operate on US soil, that is actually the main mandate and there is a separate military agency (CNMF) that operates on foreign soil. They are both headed by the same guy though so they might as well just be one agency.

[–] cursed_technology@lemmy.world 62 points 5 months ago (4 children)

CloudFlare is a huge danger to a free and open internet, in my opinion. I cringe every time I hear privacy-conscious people recommend it.

[–] vox@sopuli.xyz 28 points 5 months ago (2 children)

there's no alternative tho, and by definition alternatives will have the same level of access...

[–] Scolding0513@sh.itjust.works 7 points 5 months ago (1 children)

absolute fax

I cannot begin to tell how pissed this makes me.

Please for the love of all that is holy, do NOT call your site or yourself "privacy-respecting" or "privacy-oriented", and then meet me with a Cloudflare MITM to knowingly and willingly give over everything I input in your site to NSA Inc.

I'm sick to my stomach of all these orgs and companies and people talking about privacy, and then they constantly do all these kinds of things that prove that they don't actually care about privacy or anonymity or anything in between. They are Vipers and Snakes trying to make a quick dollar on a buzzword. It's become sadly trite.

We must return to the dark ages of p2p. The age of self-hosting, blockchain (the truly good parts like monero), ipfs, bittorrent, tor onions, i2p, any other p2p or decentralized network - these kinds of things are all that stands between us and internet controlled by a handful of NSA-worshipping megacorps.

[–] TCB13@lemmy.world 46 points 5 months ago (1 children)

And then there's people using Cloudflare tunnels, Tailscale and others for self-hosting stuff... that also may have your keys or inject clients at some point...

But we're about to get downvoted to hell for pointing this out because our community of self-hosters that pride themselves on sovereignty can't deal with the cognitive dissonance of having their favorite corporate solutions unmasked for what they are - spyware on steroids.

[–] somethingsomethingidk@lemmy.world 25 points 5 months ago (2 children)

Tailscale keeps the private keys locally. It just facilitates setting up wireguard. They could steal your private keys, as could any program you install with root access. But it would completely destroy their business, and it's open source. I really don't think they have anything to gain by tricking everyone.

[–] TCB13@lemmy.world 11 points 5 months ago

They could steal your private keys, as could any program you install with root access

There you go.

and it’s open source.

Are you sure that what you download from https://tailscale.com/download is 100% open-source and the same thing that is published on their repos?

But it would completely destroy their business (...) I really don't think they have anything to gain by tricking everyone

Same goes for Cloudflare. Maybe Tailscale is secure and good people, or maybe they copy all keys to somewhere and covertly share them with govt agencies.

[–] MigratingtoLemmy@lemmy.world 9 points 5 months ago

Use headscale, I have no idea how people are OK with tailscale when they keep your keys and essentially have access to your network

[–] oleorun@real.lemmy.fan 25 points 5 months ago (2 children)

Would you mind posting a link where I can read more about this?

[–] Scolding0513@sh.itjust.works 35 points 5 months ago (1 children)
[–] oleorun@real.lemmy.fan 16 points 5 months ago (1 children)

Gonna do some research/reading about this and I'm being objective.

Thanks for sharing and replying so quickly.

[–] nutbutter@discuss.tchncs.de 7 points 5 months ago (4 children)

I have created a blog post about how to bypass CGNAT for self-hosting. I have also written a little bit about how Cloudflare works.

https://blog.aiquiral.me/bypass-cgnat

[–] TimLovesTech@badatbeing.social 23 points 5 months ago (2 children)

So does everyone here that fears Cloudflare as secretly out to get them not believe that the NSA doesn't have their hooks in all the major datacenters? The same datacenters used by all the major web hosts people are using to "self host" for privacy.

Personally I think you have to have faith at some point that everything from your node to the destination is on the up-and-up unless you have a concrete reason to assume otherwise. Otherwise you should be suspicious of your ISP's network and every switch/router/firewall/node your data traverses on the internet. And being that paranoid basically means anything you didn't review the code of and compile yourself should be out of bounds.

[–] SquiffSquiff@lemmy.sdf.org 23 points 5 months ago (1 children)

It's not that you're wrong. It's more that I don't understand what you're proposing as an alternative. To add to the comments here pointing out that that's how CDNs work: for many designs of website, the CDN essentially is the website, being served from a cache by the provider. Even when this isn't the case, you would normally have a load balancer in front of whatever was serving your website so that if you need to swap out the server for maintenance, upgrades, etc. you don't need to tell your visitors to go to a different address. In that case, your certificate would be attached to the load balancer rather than the server behind it.

If this was the 1990s and I were trying to run my own server on my own hardware in my bedroom, you might have a point, but please explain how you would implement an alternative in any meaningful way today.

[–] myliltoehurts@lemm.ee 7 points 5 months ago (1 children)

Honestly, even if you don't terminate SSL right until your very own app server, it's still based on the assumption that whoever holds the root cert for your certificate is trustworthy.

The thing that has actually scared me with CF is the way their rules work. I am not even sure what's the verification step to get to this, but if there is a configured page rule in a different CF account for your domain that points at cloudflare (i.e. the orange cloud), you essentially can't control your domain as long as it's pointing at CF (I think this sentence is a bit confusing so an alternative explanation: your domain is pointing DNS at your own CF account, in your CF account you have enabled proxying for your domain, some other CF account has a page rule for your domain, that rule is now in control). The rule in some other account will control it.

It has happened to us at work and I had to escalate with their support to get them to remove the rule from the other cloudflare account so we can get back control of our domain while using CF. Their standard response is for you to find and ask the other CF account to remove the rule for your domain.

This is a pretty common issue with gitbook, even the gitbook CEO was surprised CF does this.

[–] Apollo2323@lemmy.dbzer0.com 17 points 5 months ago (1 children)

I mean most pirate sites have Cloudflare in the front and even with legal requests Cloudflare has denied giving the IP so many times.

[–] wildbus8979@sh.itjust.works 15 points 5 months ago

It's far more useful for them to maintain that image while essentially acting as a giant Room 101 for the entire internet. The three letter agencies, the fusion centers, and the Five Eyes of this world can easily just parallel construction their way into whatever legal shenanigans they need.

[–] IphtashuFitz@lemmy.world 17 points 5 months ago (7 children)

I hope you realize that virtually every CDN provider does the exact same thing in similar ways. Sites that use Akamai, AWS, Google cloud, Fastly, etc. all give those companies access to unencrypted content. It’s just how CDNs work…

[–] TechNerdWizard42@lemmy.world 14 points 5 months ago (3 children)

Very true. But nobody cares or believes it. When you start saying that US made hardware like network switches, cryptographic algorithms, telecom radios, etc all have backdoors to the 3 letter agencies in 5 eyes plus the internet distribution over Cloudflare or "the cloud" in Google, Amazon, Microsoft, then people just think you're a tin foil hat conspiracist.

The people are too stupid and ignorant to care enough to demand change. Why did the US lobby so hard to get Huawei off market? Because of course there are backdoors into the Chinese intelligence agencies. JUST LIKE US DEVICES! But nobody seems to make that correlation. China bad, China hardware spying bad, is the only thing they can get in their heads.

Good to bring it up, but nothing will change. 99.9% of people don't know what DNS or proxying or caching is let alone Cloudflare. It's just "the internet". Some are aware of some agencies the US and five eyes have, but most don't believe what they actually do and are capable of. The US is the best producer of propaganda in the world. Hollywood is amazing at it, as are US media sources. The FISA bill that just came up for reauthorization and passed had a whole PR campaign about catching terrorists and stopping Russia and China and Hamas. Nobody stopped to think how and why they even have any of that info in the first place and how it's collected.

Keep being the crazy uncle ranting about government spying because the world needs it.

[–] Scolding0513@sh.itjust.works 5 points 5 months ago* (last edited 5 months ago)

factual statements. many people do know and care, but yeah, most people have no freaking idea what's going on, let alone care. Even "privacy" people often don't care.

[–] Harrison@infosec.pub 5 points 5 months ago (9 children)

I'm all for healthy paranoia, keeping my attack surface small. That's just professional IT ops.

Incendiary statements like saying US intelligence compromised the supply chain with hidden backdoors, those really do need to be substantiated to not sound like a crazy uncle. Our adversaries have counterintelligence also, they aren't incompetent, and if Cisco or Juniper or whatever planted backdoors in hardware shipped to China, the Chinese would make a ton of noise about it. And so would we; Huawei was banned without any substantiated proof, out of fears that if used, their 5G infra could have hidden backdoors and the hardware would be so widely distributed that it would be onerous to replace.

[–] TechNerdWizard42@lemmy.world 7 points 5 months ago* (last edited 5 months ago) (5 children)

There is substantiated proof of Cisco and Juniper switches having US government backdoors through the management ports. They also have the capability of decrypting everything that passes through them and mirroring to an external host.

I cannot say any more other than you will find that the NSA continuously denied all the backdoors that global security researchers were finding and Cisco denied putting them in. You will also find in leaked Snowden documents absolute proof that the NSA was behind it and did implement the backdoors and they do exist and work.

I at the time being a lowly semiconductor designer with access to unreleased networking gear from the big guys, cannot say anything about what I know those spying piece of shit devices do. But I will say, go look up the Snowden documents. They speak louder than any random on the internet.

And China has made a stink. It's one reason their Great Firewall is set up. It does somewhat prevent citizens from using western tools, but they know they do and really don't care much. What it really is, is a way to monitor everything in and out. All the edge is Chinese hardware, no backdoors for the five eyes. Those prevent the backdoors, that are known or theorized, to be used. So essentially they are backdoored equipment inside a security fence that disallows the backdoor to establish a connection. Bad actors from within could make this bad for China. Or very very tricky phone home algorithms, but you have to be careful how it's implemented in unfriendly territory.

Most of the other countries just don't give a crap. If the Ivory Coast's data is being spied on by the 5 eyes or China, they don't care. Nobody cares about them either. It's just the sad state of world power. Those that care, have a side.

[–] user224@lemmy.sdf.org 14 points 5 months ago

Oh, I searched it up and indeed that seems what it does.

I thought it normally just forwarded all the traffic. I wouldn't think people would just let someone else see all traffic between their servers and their users.
I thought it was more like public SSH jump servers.
Right, how else would the CF interstitial page work.

I thought it was done just for the Quick Tunnels which don't even require an account. I've used those a few times, but only in cases where plain HTTP would be OK.

[–] xilona@lemmy.ml 12 points 5 months ago (1 children)

Well put!

I've been saying this since they made their services available...Nobody listened to me.

Usually when I said something like you mentioned, people look at me like they look today:

Ohhh...You are a conspiracy theorist...

No mate, I have a better understanding of the fucking computers and technology because I do this for a few decades...

Hoping they will listen to you!

[–] jjlinux@lemmy.ml 9 points 5 months ago (2 children)

I'm basically running all my self-hosted services over CF tunnels. Does anyone have a suggestion for an alternative to this? I'd like to remove CF from my life, but not at the expense of poking port holes in my FW.

[–] Harrison@infosec.pub 11 points 5 months ago (3 children)

Yes there are a bunch of self-hosted options like frp, all of which require an endpoint on the internet somewhere, typically a cheap or even free VM. Here's a pretty comprehensive list:

https://github.com/anderspitman/awesome-tunneling

[–] starman@programming.dev 7 points 5 months ago* (last edited 5 months ago) (6 children)

BTW, can someone recommend me a nice alternative for fast and free static website hosting?

I tried GitHub Pages, but I couldn't get it working with subdomains.

[–] Tinkerer@lemmy.ca 6 points 5 months ago* (last edited 5 months ago) (6 children)

So what provider does everyone recommend instead of cloudflare for proxy? I use cloudflare to protect all my websites but I've been trying to find some other place to proxy them from.

[–] TimLovesTech@badatbeing.social 5 points 5 months ago

This rant is about using Cloudflare as a proxy, nothing to do with who you buy your domain name from.

[–] iarigby@lemmy.world 6 points 5 months ago (1 children)

It is very weird that tools that support “onion” ssl - some way that would allow one layer of encryption for your “allowed” mitm which would keep almost all the request encrypted with key for the server.

[–] scytale@lemm.ee 6 points 5 months ago

Isn’t it a money thing? I kinda remember reading somewhere that big corporate clients basically can have their traffic pass through without decryption because they pay enough for the service. So as usual, it’s the small individual user who gets shafted.
