this post was submitted on 27 May 2024
853 points (96.7% liked)

Programmer Humor

32581 readers
1180 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

founded 5 years ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 29 points 6 months ago* (last edited 6 months ago) (6 children)

What's the problem with CloudFlare? They're trying to make a profit, and so in the long run are the same as anybody, but every interaction I've had with them recently has left me impressed.

Edit: The answer is that the way their thing works nullifies HTTPS.

[–] [email protected] 44 points 6 months ago (2 children)

Remember when google was beloved by everyone back then when they're still have "don't be evil" motto? Cloudflare right now is like google back then: super useful, provides a lot of free services that would be expensive on other providers. But unlike google, if cloudflare go full evil in the future, the impact will be much larger because they're an mitm proxy capable of seeing unencrypted traffics across all websites under their wing. Right now they're serving ~30% of top 10,000 websites and growing.

[–] [email protected] 9 points 6 months ago (3 children)

Oh, okay, so I'm not wrong that they're good right now.

I'm a little unclear on how it works. Do they strip off HTTPS somehow? Otherwise, there's not too much unencrypted traffic around anymore.

[–] [email protected] 15 points 6 months ago* (last edited 6 months ago) (1 children)

Do they strip off HTTPS somehow?

Well yes, how else they can provide their services such as page caching, image optimizing, email address obfuscation, js minifications, ddos mitigation, etc unless they can see all data flowing between your server and your visitors in the clear?

Cloudflare is basically an MITM proxy. This blog post might be helpful if you want to know how mitm proxy works in general: https://vinodpattanshetti49.medium.com/how-the-mitm-proxy-works-8a329cc53fb

[–] [email protected] 2 points 6 months ago

Jesus Christ, I didn't realise.

[–] markstos 13 points 6 months ago (2 children)

One of the services they provide is free SSL certificates. As part of that, they have the private key to decrypt the traffic. They aren’t trying to hide that— this is true of any service that hosts the SSL cert for your site.

[–] [email protected] 2 points 6 months ago (2 children)

Does that mean it wouldn't be an issue if you bring an SSL cert from say ZeroSSL but use Cloudflare for DNS, caching, DDoS protection etc?

[–] SirQuackTheDuck 4 points 6 months ago

For DNS and DDoS protection that wouldn't directly be an issue.

For caching it would be breaking. You cannot cache what you cannot read (encrypted traffic can only be cached by the decrypting party).

[–] markstos 3 points 6 months ago

It’s not who issues the cert that matters, it is who hosts it. Hosting it includes having the private key. You always have to trust your website host, full stop.

[–] [email protected] 1 points 6 months ago (1 children)

Man, I thought we were done with this shit when HTTPS became standard.

[–] markstos 3 points 6 months ago (1 children)

With what? HTTPS has to terminate the encryption somewhere and that place has to have the private key to do so.

CloudFlare is providing the same service here as all other hosts of HTTPS websites do.

[–] [email protected] 0 points 6 months ago* (last edited 6 months ago) (1 children)

Well, depends. If it's hosted on AWS and HTTPS terminates there like it's supposed to, Amazon could look inside, but a human being would have to personally hack your container and extract the data, so that's a bit better. If it's something more like Wix, though, sure. (Is Wix still a thing?)

[–] markstos 3 points 6 months ago (1 children)

If you use the AWS load balancer product or their certificates, they have access to the private key, regardless of whether you forward traffic from the LB to the container over HTTPS or not.

If you terminate the SSL with your own certificate yourself, Amazon still installs the SSM agent by default on Linux boxes. That runs as root and they control it.

If you disable the SSM agent and terminate SSL within Linux boxes you control at AWS, then I don’t think they can access inside your host as long as you are using encrypted EBS volumes encrypted with your key.

[–] [email protected] 1 points 6 months ago (1 children)

Obviously, I've never actually done this. Good to know.

I'm starting to worry that HTTPS is entirely fake - in the sense that it's purely decorative encryption that protects an insignificant part of the transaction. Like, maybe by design. The NSA's been doing something all these years.

[–] markstos 1 points 6 months ago (1 children)
[–] [email protected] 1 points 6 months ago

When used as intended, yes. What I mean is that in practice it may have been weakened, by promotion of services that use it in ways far from best security practices.

[–] [email protected] 2 points 6 months ago* (last edited 6 months ago)

You have no proof that they're "good right now". The big five corporations were forwarding data to the NSA for years before the surveillance leaks exposed them.

Your privacy default should not be to trust an MITM, ever.

[–] [email protected] 5 points 6 months ago (1 children)

There's no proof they aren't doing anything nefarious with that data right now, other than company statements saying, "trust us".

People default to trusting giant corporations first it seems.

[–] Crashumbc 1 points 6 months ago (1 children)

Their a corporation, at best they're baby Hitler...

[–] [email protected] 1 points 6 months ago

I'm not sure if this is ironic bc I've been exposed to too many irony-poisoned comments lately, but cloudflare exists to profit off your data. They're not there to help you, your data and its trends are the product.

[–] [email protected] 13 points 6 months ago (2 children)
  1. They seem to hate my devices. Lots of captchas.
  2. They seem to hate when people bypass their country's censorship. Using sites behind cloudflare through tor is pain without end.
[–] [email protected] 10 points 6 months ago (1 children)

I get so many cloudflare captchas browsing on Firefox. They mostly go away when I change my user agent string to Chrome. Making the Internet more hostile for a particular group of users is pretty shitty behavior in my book.

[–] [email protected] 2 points 6 months ago

I use Firefox and can't remember the last time I got a cloudflare captcha

[–] [email protected] 2 points 6 months ago* (last edited 6 months ago)

They've gotten a lot better over Tor - that's the main thing I'm thinking of, actually. I used to give up most of the time when captcha'd, but now with the JavaScript based verification I pretty much always can get in, even on mobile.

Most providers don't give a shit about Tor, or actively try to block it. They actually went out of their way to make it easier.

[–] [email protected] 13 points 6 months ago

They are the world's largest MITM as a service.

[–] HowManyNimons 13 points 6 months ago

RIP your inbox. Enjoy a whole lot of self-righteous lectures in business ethics.

[–] [email protected] 3 points 6 months ago (2 children)

What’s the problem with CloudFlare?

So far, not much other than being "too" content neutral for a lot of people. They have potential to be immensely horrible whenever they decide to engage in enshittification to maximize profits.

[–] [email protected] 3 points 6 months ago* (last edited 6 months ago)

they're called crimeflare for a reason. besides being a government goldmine having access to everyone's encrypted TLS traffic, they selectively enforce censorship in unethical ways.

why block kiwifarms when you still allow hosting monkey torture sites? or sites for sourcing bathtub HRT secretly sent to minors? they shouldn't be policing the internet in the first place. this is dangerously close to invalidating Section 230 protections as well.

there's so many more reasons it's not even funny.

[–] [email protected] 2 points 6 months ago (1 children)

Apparently they also strip encryption off and see everything, too.

[–] [email protected] 2 points 6 months ago (1 children)

They see everything because they have to for some of the services they offer which gives them a huge potential to do terrible things that they have not actually pursued yet to date, hence the "so far" in my comment.

[–] [email protected] 1 points 6 months ago (1 children)

No terrible visible things, at least. God knows how much data they've hoovered up.

[–] [email protected] 3 points 6 months ago

True. But that just falls back on the "not yet" part of things. They're likely sitting on a massively valuable pile of user data and when they get greedy enough it's going to be ugly.

[–] [email protected] 1 points 6 months ago (3 children)

They're a giant middleman getting everything you put into html forms unencrypted.

That includes all your usernames, passwords, and everything you submit via text boxes. Do not trust any site that uses cloudflare.

[–] [email protected] 7 points 6 months ago* (last edited 6 months ago) (2 children)

This is such a Lemmy take, good god.

"Cloudflare has been around for over a decade and doesn't do anything nefarious with my data and have never shown any intention of doing so... but, consider this for a moment... what if they DID?"

[–] [email protected] 4 points 6 months ago* (last edited 6 months ago) (1 children)

Cloudflare has been around for over a decade and doesn't do anything nefarious with my data and have never shown any intention of doing so

Citation needed.

[–] [email protected] 4 points 6 months ago* (last edited 6 months ago) (1 children)

Oops, I've got a citation for you.

https://blog.cloudflare.com/cloudflare-prism-secure-ciphers

I know the response will be what you already said in a previous comment about companies saying "trust us bro" so I'll take the L on this one.

[–] [email protected] 4 points 6 months ago

Appreciate the humility, thx.

[–] [email protected] 4 points 6 months ago (1 children)

This is such a Lemmy take

What makes it funnier is that he's one of the main Lemmy devs lol

[–] [email protected] 1 points 6 months ago (1 children)

Trusting US corporations by default rule

[–] [email protected] 2 points 6 months ago (1 children)

NGL I'm struggling to follow that image, do you have a higher res version or an explanation if you don't mind?

[–] [email protected] 3 points 6 months ago* (last edited 6 months ago) (1 children)

Oh hey, thanks for Lemmy!

Yeah, I'm a bit horrified to learn that Cloudflare is the crytographic endpoint for clients. I'm wondering how much stuff I've let them see while unaware now.

Y'know, because obviously nobody would voluntarily sign up for this kind of security bad practice. /s

[–] [email protected] 2 points 6 months ago

No probs! Yeah it's wild that a lot of people not only using cloudflare sites, but also running them, don't seem to mind that cloudflare is hoovering up everything.

[–] trolololol 1 points 6 months ago (1 children)

Oh yeah I'll do a full research next time I enter a web page to see who hosts it. If it's by Amazon or Microsoft I'll give green light.

[–] [email protected] 0 points 6 months ago

None of the above is easily possible, a lot of us do it.