Regardless of whether or not you provide your own SSL certificates, cloudflare still uses their own between their servers and client browsers. So any SSL encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?

  • Quique1222@alien.topB
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    A lot of people in this thread have never been ddosed and it shows. You don’t need to host a super popular thing to get ddosed.

    When you host game servers there are gonna be salty 16 years old that go to a free stresser and hit you with 1gbps.

    And you might think “well yeah but it’s not like cloudflare’s free plan protects that much”.

    It does, believe me. I’ve done tests with people who have access to botnets and without cloudflare with 1gbps our connection was dead. With cloudflare it didn’t go down and reported more than 50gbps on the cloudflare dashboard.

    Also another thing is that a lot of these people are 16 year old script kiddies, and not seeing your IP directly discourages them.

    • spottyPotty@alien.topOPB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      nginx can be configured to throttle connections and fail2ban to refuse them to mitigate this

  • rollinghunger@alien.topB
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Yes, you’re right that there’s a certain amount of trust you need to have in CF… but what are you trusting it to do? And if they fail, what are the consequences?

    Honest question - even if you are sending your Vaultwarden traffic over CF, and they are watching or attacking, you have to trust that the e2e encryption of Vaultwarden is what’s keeping you safe, right? Not the SSL certs. Does the auth mechanism rely on the SSL certs not to be compromised? I would hope not.

    For me, it’s about trade offs.

    https://www.troyhunt.com/cloudflare-ssl-and-unhealthy-security-absolutism/

    https://serverfault.com/questions/662946/does-cloudflare-know-the-decrypted-content-when-using-a-https-connection

    These two data sources kinda sum it up for me - “If you are concerned that cloudflare can read your data - don’t use cloudflare.”

    But I do want to be sure that any e2e encrypted app doesn’t rely on SSL for its “end-to-end”.

    • TheQuantumPhysicist@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      The concern isn’t that CF is reading your data. It’s that 3-letter agencies can read your data at will, since they always make these deals with large companies to have open-hose access to all the data. There was a scandal that Facebook had a special access page for those people.

      You might think you’re innocent, and you’re a good person, so nothing to worry about. This is the old “I have nothing to hide”, but this isn’t how the world works. People who want to get you can pull strings to get anything they want from government institutions. After all, government is just people. It’s not a benevolent being.

      Now all this is unlikely, granted. But the task of a good security setup isn’t to make it impossible to hack you, but it’s to make it hard enough and costly. I’m quite sure there’s a zero-day somewhere that can hack my bare-bones Linux servers, but good luck breaking the 10 layers of security I have before even reaching these servers to find something remotely valuable about me. I don’t need to make concessions in that regard. You don’t have to trust anyone.

    • Psychological_Try559@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Thanks for the link, it’s an interesting read with more detail than I’ve ever heard (not having used cloudflare for this myself).

  • fellipec@alien.topB
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    If you want then to cache your content to reduce the load of your servers, they have to decrypt the traffic. This is how a reverse proxy works.

    And, well, you have to trust them before contract their services. The same way people trust vpns to route their traffic. If I was from some 3 letter agency and want to spy on potential illegal content, I would tap into a vpn server.

  • teem@alien.topB
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    What is it you’re afraid cloudflare is doing? This is a company trusted by tons of corporations who have legit secrets to protect. Why would they care about intercepting your traffic? To what end?

    Cyber attacks are goal-oriented and based on attack cost, basically how much effort for how much reward. Is your selfhost traffic super valuable? So valuable that someone would hack cloudflare to get it?

    In reality, other than commodity malware that your security suite should easily pick up, there isn’t much threat in my opinion.

    • spottyPotty@alien.topOPB
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      The question was a more general one, and not specific to my personal data needs.

      The existence of such a ubiquitous centralised service that actually IS a MITM, whether they are malicious or not, seems curious to me.

      As they say, if the product is free, then you are the product. If people accept, but recognise, a loss of privacy when using free services from Google and meta, for example, knowing that the data they provide is used for personalised ads, then how come CF’s free tier isn’t viewed with the same level of scrutiny?

  • Cybasura@alien.topB
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Thats not what a MITM is

    A MITM is a Man-in-the-Middle Attack, someone whom you dont trust or dont know has hijacked your network connection to either read, remove or modify data from your network packets and then proxy-send it to your initial intended target

    Cloudflare is a proxy server, a person you TRUST and designated to passthrough first to scan and check for network security before it redirects and pass your packets through to your intended target, like a gatekeeper

    What, you gonna call all your gatekeepers, your bouncers, your proxy servers a MITM?

    • WisdomSky@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      1 year ago

      Get some reading comprehension. He said MITM and not MITM Attack. He’s referring to Cloudflare as a middle man.

      What OP is trying to say is why everyone is okay with using Cloudflare when it basically is a middle man where your traffic/requests go through and could potentially be sniffed at.

      • Cybasura@alien.topB
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        No, I read it properly, a MITM generally refers to MITM Attack and vice versa in cybersecurity, it is down to the individual to clarify if they meant otherwise and clearly, this case he is referencing to BEING A MITM for malicious purposes

        • spottyPotty@alien.topOPB
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          To clarify, I did not mean MITM attack. It actually wouldn’t make sense to say that cloudflare is a man in the middle attack, since it is a company and not an action.

          I didn’t include the word “attack” anywhere.

          MITM is commonly used together with attack, so your misunderstanding is understandable. However the acronym just stands for Man In The Middle, which is why it is followed by “attack” in such situations.

  • SadMaverick@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    My take is: Any data worth your while shouldn’t just rely on HTTPs anyway. You should have more layers of encryption. That’s how majority of the companies do it.

    And for people who do not even know this, are better off using CF as MITM.

  • s3r3ng@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Yeah. I believe Cloudflare basically has its heart in the right place but it is is still a dangerous central choke point.

  • tschloss@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    CF is not using „their own“! The certificates the client see must be provided and authorized by the provider of the service. Or put in other words: CF is acting as the hosting provider to the outside, to the clients.

    The rest of journey is „inside“ the domain of the provider of the service. It is totally normal that traffic has some journey to go and often it never touches the premises of the provider or even a server owned by the provider.

    The important thing that all the part which from a customer‘s view is „internal to the provider of the service“ (behind the CF address) is responsibility of the provider of the service, no matter what 3rd party services they use.

  • Emiroda@alien.top
    cake
    B
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    In regard to enterprises, they don’t give a rats ass about any potential intellectual property theft. That risk has been written off. What matters is compliance and security.

    Not having DDOS protection in place can potentially have legal consequences and can be very costly. DDOS protection is either investing millions of dollars in equipment or offloading that responsibility to a company like Cloudflare.

    • lilolalu@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      security

      i think you are completely wrong here. big corporations do cost assessments of security vs costs of security breaches. if security is more expensive than data breach, they will accept the breach.

    • mkosmo@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      they don’t give a rats ass about any potential intellectual property theft. That risk has been written off

      That’s not true. It’s a mitigated risk through contract.

      • Emiroda@alien.top
        cake
        B
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        That’s true, I didn’t specify the circumstances.

        In the case of overt IP theft, the contract is the mitigating factor.

        However in the case of convert IP theft through systematic, transparent surveillance of traffic (what OP is alluding to), it’s something that you cannot really mitigate apart from just not being digitally present. Cloudflare is a player there, but so is any ISP and nation state who is curious enough. To be on the internet, you have to accept the risk that systematic surveillance can impact your intellectual property.

        In some cases, your mitigating factor is the law. But it’s really difficult to prove that Cloudflare might be sniffing your data and using the IP unlawfully and it’s downright impossible to prove that the NSA or foreign intelligence is using your IP.

        • mkosmo@alien.topB
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Let’s remember that Cloudflare is engaged in business with USG, so if they were doing that kind of nefarious stuff, it’d result in a bad time for a whole lot of folks.

  • vikarti_anatra@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    They think it’s not a problem for them. Because they think that:

    • they have nothing to hide
    • they don’t think CF (or TLAs who have access) will use it against them. (Possible examples: Ukrainian sites, Russian sites who disagree with goverment on at least some things)
    • they think alternatives are worse - it’s…rather difficult to make CF censor you.
    • they only use CF’s DNS services and not other things
    • It’s just easier this way

    This reminds me of current situation with “AI”: There is OpenAI/Anthropic with their APIs (requests are sent via HTTPS but OpenAI/Anthropic are not only need to have access to do their work - they also censor it). There are paid-for alternatives who either host proxies for OpenAI/Anthropic/others (like OpenRouter.ai) or host local models for others (hosting require significant resources which will be unusused if you don’t query often). There are means to host locally at home if you can. Some people prefer not to use local hosting even when they can do so.

  • t1nk3rz@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    1 year ago

    It’s not entirely true what you said. I use cloudflare -> my Proxyserver -> my machines behind the Proxyserver

    My Proxyserver has my own certificates loaded and terminates the SSL/TLS connection from cloudflare

    Even if the data is passing through cloudflare cdn uses the cloudflare certificates my data is encrypted first using my own certificates from the Proxyserver

    • schklom@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Even if the data is passing through cloudflare cdn uses the cloudflare certificates my data is encrypted first using my own certificates from the Proxyserver

      This is false, connect to your website, check the certificate, it will be Cloudlfare’s. I assume either you have not checked, or are a Business customer paying quite some money yearly to Cloudflare.

      Cloudflare decrypts inbound traffic, then re-encrypts it before sending it to you, unless you pay a decent amount of money so that they serve your certificate.

    • spottyPotty@alien.topOPB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      When I visit one of the sites I manage, that goes through CF (my personal ones don’t), I see that the certificate that the browser sees is one provided by CF and not the one that I create using LetsEncrypt.

      • sjsathanas@alien.topB
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        1 year ago

        CF provides different encryption modes. So if it’s “Full” you’ll need a valid SSL cert on your server, which CF will use end-to-end. If it’s “Flexible” (IIRC), then you don’t need a cert on your server, in which case CF will use their own cert for encryption.

  • agrajag9@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Outsourcing of (some) risk

    If Cloudflare loses the data and it negatively impacts our brand, we can sue the shit out of them.

  • psychowood@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    1 year ago

    I mean, we trust Root Certification Authorities, which are basically self-proclamed-as-trusted entities. At least CF became widespread and is community-trusted :)

      • capecodcarl@alien.topB
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        A certificate authority doesn’t have a copy of your private key, you send them a certificate signing request. The private key never leaves your system. That’s the whole point of public key encryption.

          • silversurger@alien.topB
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            A root-CA can still swap out your certificates, but they do not have access to the private keys. What they can do is issue valid certs for domains not under their control (or the control of their users). With a bit of DNS poisioning you can now serve traffic through a Proxy and no one would notice (think: someone obtains a valid cert for google.com, sets the local DNS to resolve google.com to the IP of a server hosting a proxy and et voila, you can read all their encrypted traffic to google.com).

              • Cypher_Dragon@alien.topB
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                Speaking from experience, companies that are trying to do this will typcially do it one of two ways: either through DNS lookups by having their on-network DNS server acting as a recursive server, thus being able to intercept/interpret DNS requests and apply filtering rules, OR through a forward proxy that all web traffic exiting the company network will go through. Forward proxies can absolutely be configured for SSL interception, and it’s typically handled by using a company-issued certificate signed by the company’s CA…and every company computer has the company’s CA certificate installed, so it’s explicitly trusted. This is why you shouldn’t do any kind of personal business (especially banking) on company-owned devices.

                The biggest difference between companies using a forward proxy and an attacker using DNS poisoning to redirect the traffic is intent - the attacker is doing it for explicitly malicious purposes, while the company is ostensibly doing it to enforce company policy (especially AUPs)…having access to all the delicious unencrypted data is simply a side effect. You trust your employer, don’t you friend citizen?

                • spottyPotty@alien.topOPB
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  You trust your employer, don’t you friend citizen?

                  This is exactly the original point I was trying to make regarding cloudflare.

                  The point that i take from this tongue-in-cheek sentence of yours is that no, we should absolutely not trust our employer with our unencrypted traffic.

                  But then on the other hand there are loads of people on here saying that, yes, of course we should trust cloudflare with having access to all of the data flowing through it.

      • patmorgan235@alien.topB
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Because that’s not how certificates work?

        Your private key is never sent to the CA with you submit a Certificate Signing Request, only the public key and a bunch of metadata.

        (The exception being code signing certs that are delivered on an HSM but the key never leaves the HSM)

  • Initial-Repeat9146@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    OP, what you’re describing is not the “big scary MITM” attack vector. It’s how TLS/Reverse proxies work. Whether you are using Cloudflare or hosting your own reverse proxy somewhere with full control, it’s still terminating TLS at the endpoint and passing back traffic in the clear to the backend.

    Some people like Cloudflare for whatever reasons, and that’s okay. I host my own reverse proxy out on a VPS and it works just fine.

    You’ll find that not all of the seflhosted community is super-focused on privacy as say r/privacy is.

    • spottyPotty@alien.topOPB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Maybe it’s my fault for posting this in selfhosted. My question was of a more generic nature about security and privacy in general. You’re right, r/privacy might be a better sub for this conversation.

      In my case my reverse proxy (nginx) runs on the same machine as my backend. In fact nginx also serves all static data with the backend only serving api requests.

  • Patient-Tech@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Don’t forget, for selfhosters, the value proposition of free is always pretty strong. I have tiers of data and not everything needs to be super private at all times.