I’m curious about the username/password exposure claim. Do you have resources about that you can share?
this post was submitted on 23 Sep 2023
5 points (58.1% liked)
Monero
1583 readers
35 users here now
This is the lemmy community of Monero (XMR), a secure, private, untraceable currency that is open-source and freely available to all.
Wallets
Android (Cake Wallet) / (Monero.com)
iOS (Cake Wallet) / (Monero.com)
Instance tags for discoverability:
Monero, XMR, crypto, cryptocurrency
founded 1 year ago
MODERATORS
This page covers a lot of Cloudflare issues:
https://git.kescher.at/dCF/deCloudflare/src/branch/master/subfiles/rapsheet.cloudflare.md
The 2nd link on that page goes to:
http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/
which details the traffic exposure to #Cloudflare as a consequence of Cloudflare holding the keys & terminating the tunnel (thus performing the decryption). Indeed the padlock is misleading as most users believe the tunnel goes all the way to the source website.
edit: BTW, I see that you are on #lemmyWorld. You might be interested in knowing that that’s also a Cloudflare site. Cloudflare sees your login credentials, your IP address, and everything you do with your lemmy account. As far as gatekeeping goes, Lemmy World has been manually configured to be less exclusive than default-configured sites like stackexchange. E.g. I am blocked from stackexchange but not from lemmy world.
Thank you. That is a lot to digest.
What about buying domins from them and using them to manage DNS records? I do turn off the proxy feature so, I know they can't sniff any data, and my visitors are not connected to Cloudflare. Is this okay, or should I transfer my domains?
Some sites use CF DNS just to have the ability to spontaneously switch on the proxy at will. They tend to keep the proxy turned off but then when traffic peaks a bandwidth detection mechanism switches on CF proxying. The problem with that is users don’t know from one click to the next whether their traffic will be intercepted. It can happen at any moment. So the deCloudflare project treats CF DNS cases no different than always-proxying sites.
So if you have no intention of using CF’s proxy, using a non-CF service would make more sense so your domains don’t get treated as CF. CF is not a good company to support anyway.
Thanks for the detailed reply. If I may ask for your opinion, which domain seller should I switch to?
i’m not the best person to ask since I’m not maintaining and domains myself right now. I thought porkbun.com looked like a good choice at one point. They announced that they were going to move to cloudflare (just for the management portal), which was quite off-putting nonetheless, but it looks like they did not follow through with that.
EDIT-- I recently heard they are using CF for DNS and some people are avoiding #Porkbun for that reason.
Where could I find a list of services that use CF and it's dangers?
A list of Cloudflare-compromised domains is being tracked here. You can also use this query tool to lookup websites:
There is a browser plugin called BMCA which will detect when you click on a link to a Cloudflare service and redirect you to the archive.org mirror of that site so you don’t connect to CF. There’s another plugin that puts a strikethrough on CF URLs so you know before you click if something is CF’d. Those tools along with others are published here:
Search engines have become extremely polluted with Cloudflare sites in the results. There is a search service called Ombrelo that filters out CF sites from the results:
http://ombrelo.im5wixghmfmt7gf7wb4xrgdm6byx2gj26zn47da6nwo7xvybgxnqryid.onion/
W.r.t. a list of CF’s dangers, I don’t know of a paper that covers that as a thesis. A lot of the problems with Cloudflare are documented here and in other documents in that same repo.
Also, when something is behind CF, Tor users often (though not always) just can’t open/use it. Say, you have a seriously privacy-centered website. Then try not to accept donations via ko-fi (behind CF) or have links to a video platform behind CF. Which just wouldn’t make sense (especially if your website is recommending Tor, even providing onion), making you look a bit stupid tbh.
Fortunately (or unfortunately) this kind of stupid websites are not rare; Tor users are so get used to blocking, it’s unlikely they get upset. If necessary, they can easily circumvent the blocking in various ways (except they may lose interest or assume it’s perhaps worthless, and as soon as they see “Just a moment…” they may just close it).
PS: Recently (2023-09-20, noticed by Anti-Censorship team) some of snowflake users also got problems. If a Snowflake client gets a Cloudflare IP address, their connection will fail. The latest Tor Browser 12.5.5 is out (2023-09-26), with a workaround, where snowflake avoiding IP that might resolve to CF (Bug tor-browser#42120).
there is a libreddit/invidious/proxitok style stackoverflow proxy project:
https://github.com/httpjamesm/AnonymousOverflow
it's available in libredirect, which shows a useful list of instances and which ones use cloudflare
Great find! Glad to see there are some onion hosts as well.
Any idea how to adapt the monero.stackexchange link in the sidebar? The code.whatever.social page cannot handle that link apparently because it does not lead to a specific thread.
yeah i think that's just something that hasn't been implemented yet
i think it was mainly created for people visiting stackoverflow from search engine results