Daily reminder that sites “protected” by cloudflare are effectively MITM attacks. HTTPS is now even more worthless. Cloudflare can see everything. this is a known fact and not a theory.
And if you think Cloudflare aren’t being tapped by the NSA, you’re sadly sadly naive.
All the “privacy respecting” sites use it too. So remember, as soon as you see that cloudflare portal page, you can assume that everything you plug into the site is property of NSA Inc. Trust no one, and do not trust code being served to you over the web if it comes through CF, there is no way to know what they’ve modified.
Edit: good info link below https://serverfault.com/questions/662946/does-cloudflare-know-the-decrypted-content-when-using-a-https-connection
So does everyone here that fears Cloudflare as secretly out to get them not believe that the NSA doesn’t have their hooks in all the major datacenters? The same datacenters used by all the major web hosts people are using to “self host” for privacy.
Personally I think you have to have faith at some point that everything from your node to the destination is on the up-and-up unless you have a concrete reason to assume otherwise. Otherwise you should be suspicious of your ISP’s network and every switch/router/firewall/node your data traverses on the internet. And being that paranoid basically means anything you didn’t review the code of and compile yourself should be out of bounds.
Not if you have everything “on premises” under your control and doing the hard work of keeping that infrastructure up and running. Yeah, that is a lot of effort, but still doable!
Someone asked me: Does it worth it? I let you answer that question yourself 🙂
Agreed, it can work for those wanting to be an admin (and know enough to be “dangerous”). I think the bigger issue comes when you want to open services to the internet, because unless you are an admin you probably don’t want to do that without a proxy (and possibly firewall) of some kind in front of your home network. Which is kinda what I was thinking with this anti-Cloudflare post. If you are interacting with the Internet you have to trust a network and hardware outside of your own. And I think it’s naive to fear the 3-letter orgs being inside Cloudflare, and then thinking that putting your data in a datacenter you don’t control is any “safer”.
I think ultimately if the 3 letter groups want your data that bad because you’re on some list, I think the internet as a whole is something you should probably be avoiding anyways. And for randoms, if they are sweeping up data like that you can be sure they would do it at more than just Cloudflare.