Daily reminder that sites "protected" by cloudflare are effectively MITM attacks. HTTPS is now even more worthless. Cloudflare can see everything. this is a known fact and not a theory.
And if you think Cloudflare aren't being tapped by the NSA, you're sadly sadly naive.
All the "privacy respecting" sites use it too. So remember, as soon as you see that cloudflare portal page, you can assume that everything you plug into the site is property of NSA Inc. Trust no one, and do not trust code being served to you over the web if it comes through CF, there is no way to know what they've modified.
Cloudflare is a MITM by design. Calling it an attack is disingenuous; you're signing up for the service of your own free will, not a victim.
If a substantiated news article came out showing that Cloudflare shared SSL keys or otherwise gave direct access to various intelligence agencies without a court order, that would essentially destroy the company. So they certainly aren't doing that.
So then the question becomes whether those nefarious three letter agencies penetrated Cloudflare with APT tools and are silently listening to everything. Our adversaries are certainly trying, China, Russia, Iran, etc. If the NSA (which lacks a mandate to act on US soil, and CF is a US company) or perhaps the FBI hacked a US company, particularly one that covers like a third of the internet like Cloudflare, that would be a truly enormous scandal.
But in the end, yes, it is a MITM. If you need your data to be E2E encrypted, don't use it.
And then there's people using Cloudflare tunnels, Tailscale and others for self-hosting stuff... that also may have your keys or inject clients at some point...
But we're about to get downvoted to hell for pointing this out because our community is self-hosters that pride themselves on sovereignty can't deal with the cognitive dissonance of having their favorite corporate solutions unmasked for what they are - spyware on steroids.
It's not that you're wrong. It's more that I don't understand what you're proposing as an alternative. To add to the comments here pointing out that that's how CDNs work: for many designs of website, the CDN essentially is the website, being served from a cache by the provider. Even when this isn't the case, you would normally have a load balancer in front of whatever was serving your website so that if you need to swap out the server for maintenance upgrade, etc. you don't need to tell who your visitors to go to a different address. In that case, your certificate would be attached to load balancer rather than the server behind it.
If this was a 1990s and I were trying to run my own server on my own hardware in my bedroom, you might have a point, but please explain how you would implement an alternative in any meaningful way today.
So does everyone here that fears Cloudflare as secretly out to get them not believe that the NSA doesn't have their hooks in all the major datacenters? The same datacenters used by all the major web hosts people are using to "self host" for privacy.
Personally I think you have to have faith at some point that everything from your node to the destination is on the up-and-up unless you have a concrete reason to assume otherwise. Otherwise you should be suspicious of your ISP's network and every switch/router/firewall/node your data traverses on the internet. And being that paranoid basically means anything you didn't review the code of and compile yourself should be out of bounds.
I hope you realize that virtually every CDN provider does the exact same thing in similar ways. Sites that use Akamai, AWS, Google cloud, Fastly, etc. all give those companies access to unencrypted content. It’s just how CDNs work…
Oh, I searched it up and indeed that seems what it does.
I thought it normally just forwarded all the traffic. I wouldn't think people would just let someone else see all traffic between their servers and their users.
I thought it was more like public SSH jump servers.
Right, how else would the CF interstitial page work.
I thought it was done just for the Quick Tunnels which don't even require an account. I've used those a few times, but only in cases where plain HTTP would be OK.
Very true. But nobody cares or believes it. When you start saying that US made hardware like network switches, cryptographic algorithms, telecom radios, etc all have backdoors to the 3 letter agencies in 5 eyes plus the internet distribution over cloudfare or "the cloud" in Google, Amazon, Microsoft, then people just think you're a tin foil hat conspiracist.
The people are too stupid and ignorant to care enough to demand change. Why did the US lobby so hard to get Huawei off market? Because of course there are backdoors into the Chinese intelligence agencies. JUST LIKE US DEVICES! But nobody seems to make that correlation. China bad, China hardware spying bad, is the only thing they can get in their heads.
Good to bring it up, but nothing will change. 99.9% of people don't know what DNS or proxiing or caching is let alone Cloudfare. It's just "the internet". Some are aware of some agencies the US and five eyes have, but most don't believe what they actually do and are capable of. The US is the best producer of propaganda in the world. Hollywood is amazing at it, as are US media sources. The FISA bill that just came up for reauthorization and passed had a whole PR campaign about catching terrorists and stopping Russia and China and Hamas. Nobody stopped to think how and why they even have any of that info in the first place and how it's collected.
Keep being the crazy uncle ranting about government spying because the world needs it.
I'm basically running all my self-hosted services over CF tunnels. Does anyone have a suggestion for an alternative to this? I'd like to remove CF from my life, but not at the expense of poking port holes in my FW.
It is very weird that tools that support “onion” ssl - some way that would allow one layer of encryption for your “allowed” mitm which would keep almost all the request encrypted with key for the server.
So what provider does everyone recommend instead of cloudflare for proxy? I use cloudflare to protect all my websites but I've been trying to find some other place to proxy them from.
Isn’t it a money thing? I kinda remember reading somewhere that big corporate clients basically can have their traffic pass through without decryption because they pay enough for the service. So as usual, it’s the small individual user who gets shafted.
Is this also true about the cloudflare DNS over HTTPS option that Firefox provides in the privacy settings?
If yes, then would it help if I changed the setting from 'Cloudflare' to 'NextDNS'?
My man thinks he has privacy lol. Any CDN that provides WAF capabilities will inject themselves in the middle to inspect the traffic. This does not mean they don't respect your privacy. If you think the three letter bureaus let you have your privacy with anything, you're wrong. Privacy is a long dead thing of the past. You can't even hide your data from companies that want to make a profit off your data, let alone the three letter government agencies. The government monitors and has access to every digital device known to regular consumers, beit in the US, CN or any other country.