I don't think it's possible to avoid companies like Cloudflare, AWS, Akamai, etc. Or not without a whole lot of effort that isn't really reasonable and would severely degrade user experience. They provide what's become fundamental infrastructure to the internet, and that doesn't seem likely to change.
this post was submitted on 26 Dec 2023
63 points (89.9% liked)
Privacy
96 readers
5 users here now
Privacy is the ability for an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively.
Rules
- Don't do unto others what you don't want done unto you.
- No Porn, Gore, or NSFW content. Instant Ban.
- No Spamming, Trolling or Unsolicited Ads. Instant Ban.
- Stay on topic in a community. Please reach out to an admin to create a new community.
founded 2 years ago
MODERATORS
It is possible to avoid Cloudflare (the worst offender), proven by instances that are run by more competent experts. For example:
- fedia.io
- sopuli.xyz
- beehaw.org
- infosec.pub
- lemmy.dbzer0.com
- slrpnk.net
- links.hackliberty.org
- lemmy.ml ← used to be Cloudflare-proxied but they got wiser
- mander.xyz
^ Those are good instances where users’ traffic is not recklessly exposed to Cloudflare.
These instances below not only expose their users to Cloudflare, but they’re not even decent enough to inform their own users about it:
- lemmy.world ← Cloudflare
- sh.itjust.works ← Cloudflare
- zerobytes.monster ← Cloudflare
- lemmy.ca ← Cloudflare
- lemm.ee ← Cloudflare
- programming.dev ← Cloudflare
- lemmy.zip ← Cloudflare
If you probe admins of the above list, some will say in effect that they regret pawning all their users to CF but claim they have no choice - that they do not know how to defend from attack. Some admins have no regrets and simply do not give a shit. Many admins are actually ignorant to the extent of not even knowing Cloudflare sees the traffic (yes, many times admins were appalled to learn this from me; who to them is just some random pleb). Probably the most despicable aspect to this is that no Cloudflare admin is socially responsible enough to post a banner msg making sure users are informed about their exposure. If they are proud of their choice and feel they have no choice, then why neglect to disclose it (esp. on a non-profit activity)?
Regardless of their reasons/excuses, it really does not matter to the user. What matters to users is that there are privacy-disrespecting choices and relatively privacy-respecting choices. Obviously street-wise users select from the first list I posted and not the 2nd list.
Only CFd government sites are unavoidable
The only Cloudflare sites that are unavoidable AFAICT are government sites. You can always boycott the private sector, but there are 6 or so states in the US where voter registration goes through Cloudflare. Even if you register on paper, the data entry worker likely goes to the Cloudflare site. I became a non-voter for this reason.
ironically monero.town also uses Cloudflare.
What's so fundamental about their services?
Cloudflare provides anti ddos protection, aws provides cloud computing for online services
But does everything on the internet require anti ddos protection?
From corporate perspective, if the ddos protection is cheaper than potential ddos attack, yes.
load more comments
(1 replies)
From a user side, nothing.
From a host side: AWS/GCP/Azure, scaling is built in; maybe isn’t cheaper than self hosting, but it eliminates maintenance worries, uptime is their responsibility.
Cloud front, F5, imperva: protection from: sql injection, basic script attacks, ddos, and man in the middle.
To avoid them you’d have to stick to small time web sites that self host and handle attacks on their own. Funny enough when I ran small-time sites we never had a successful injection attack, and I handled a ddos attack by just blocking IPs one at a time till they gave up. It’s not hard, but when the company hits a certain size where they hire a cyber security specialist, all the sudden we need these additional protection tools.
Thank you. One of the best responses I've got so far.
A significant percentage of the internet relies on them. There's basically no avoiding these companies while using the internet as it now exists.
That's a circular argument.
"It's impossible to avoid this these companies because a lot of sites use them."
Ok. Why?
"Because they provide fundamental services."
Ok, what's so fundamental about them?
"A lot of sites use them."
...ok? WHY?
The service they provide to websites is "better user experience" by acting as a cdn close to the user they get better download speeds and responsiveness. It also is a benefit for the business because they don't have to worry nearly as much about deploying and maintaining multiple servers around the world.
That is why it's impossible to avoid these companies, every sane website engineer is going to want the services they offer.
And it's a service that is easiest to offer when you are an already established large cdn.
load more comments
(9 replies)
Not sure why people are being so weird about answering your questions, but e.g. CloudFlare does DDoS protection which now basically everything you put on the internet needs some type of , and is far too complicated to do yourself, when you need it.
Thus CloudFlare (or AWS's equivalent) is pretty essential. I'm sure there are other reasons too.
load more comments
(2 replies)
Sorry, I was assuming that people knew what they did or would look it up themselves. The short and non-technical answer is "the cloud" actually means "other people's computers" and these companies are the "other people". The why of it is complicated, there are both technical and economic reasons. I think it probably comes down to efficiency and economies of scale.
load more comments
(8 replies)
Cloudflare can be avoided so far but this may not hold up for long. There are browser extensions that put a strikethrough on all links to CF sites. There is also a search service (Ombrelo) which tags and down-ranks Cloudflare sites in the results. There is a bot you can follow on Mastodon that will DM you whenever you share a link to a CF website, so you can remove it (documented here).
What's your threat model? Adjust accordingly.
The situation is, what it is, but there's a wide range of actions one can take that fall between the two poles of do nothing and burn all internet enabled devices.
load more comments
(1 replies)
It isn't feasible to avoid using the top few CDNs in the world, of which cloudflare is one. Using a traffic anonymizing service simply kicks the can down the road, and now you need to trust the service you use to obfuscate your identity.
If you use Apple devices, which I'm guessing you don't, then be aware that cloudflare operates some of Apple's anonymization nodes. If you rely on TOR to obfuscate who you are, beware that several nations run a LOT of that infrastructure so they can correlate entry and exit information. If you use a paid VPN service, your payment details and account link you directly to the traffic you generate. Do you really trust those services to face government prosecution to protect you?
It's a hard spot to be in, especially with fewer and fewer companies controlling larger portions of the internet.
Cf only acts as a mitm for encrypted traffic if you choose it in the options. If you provide your own cert then they can’t decrypt anything.
load more comments
(6 replies)
Stop using the Internet.
If you're so concerned about being tracked at those levels you might need to get off for your own mental well being anyways. If you don't want the benefits of the service (ddos attack protections for major sites, consistent website up time) leave it behind.
If you’re so concerned about being tracked at those levels
What do you mean by “at those levels”? You seem to imply Cloudflare’s abuse is not vastly harmful.
CF ruins Tor, VPNs, discriminates against poor people behind CGNAT, and people who look like bots because they don’t load images. You don’t even get basic protection from IP disclosure. CF sees all traffic on most of their sites, including usernames and unhashed passwords. The OP’s demand is reasonable. The demand that everyone partake in such reckless disclosure to a single gatekeeper running a private walled-garden is not reasonable. Cloudflare has removed the minimum baseline of security that everyone used to have and failed to achieve even a low level of privacy.
Has avoiding Cloudflare become Impossible?
Mostly, yes. But let’s break this down. Cloudflare only breaks web services and so far Cloudflare’s privacy abuses and gate-keeping is mostly confined to the web. Avoiding Cloudflare is impossible in some circumstances.
CFd government sites are unavoidable (voting rights lost in the US)
The only Cloudflare sites that are strictly unavoidable AFAICT are government sites. You can always boycott the private sector, but the public sector is shoved down our throats. There are 6 or so states in the US where voter registration goes through Cloudflare. Even if you register on paper there is still no escape because the data entry worker likely uses the Cloudflare site. I am a non-voter for this reason. Although it’s still possible to move to one of the 44 other states and register there.
CFd medical websites
See How lack of digital rights, Cloudflare, and Google worsened a medical emergency situation and undermined human rights. When you need medical info in a hurry, boycotting is tough.
search is liberated -- but only by 1 single search service to date
There is only one general purpose search service that helps avoid Cloudflare: Ombrelo, which tags and down-ranks Cloudflare websites in the results.
VPN. Tor. Those are basic tools for relative anonymity.
Stupid Question:
How do I find out if a website I use is hosted over cloudflare? The noscipt javascript blocker extension shows in some cases I blocked some cloudflare javascript. For example on the lemmy.world instance it shows a script labeled "cloudflareinsights.com" that I block. That apparently provides visitor analytics
According to them on insights:
Our edge sees all requests made to a website, regardless of whether it’s cached or uncached, the user has adblock, or they turned off JavaScript. This enables us to [....]
On other sites it shows a "confirm you are human" check-box labeled with the cloudflare brand (if I activate javascript for that site) -- according to cloudflare wikipedia that service is known as Cloudflare Turnstile. This is how I currently see if cloudflare is involved.
Another interesting thing I noticed on stackoverflow is email protected which confirms to me stackexchange also uses cloudflare somehow.
I guess you could detect a Reverse Proxy by cloudflare based on its IP-Adress ~ but I do not really know how to look that up perhaps the following stack overflow answer might help using the tools nslookup and whois... Any other hints on this?
nslookup www.monero.town
whois -h whois.arin.net n <IP-Adress from prev command> | egrep 'Organization'
view more: next ›