zlacker

I'm convinced Cloudflare is a giant anti-privacy man-in-the-middle attack on the entire web experience.

It would be a conspiracy theory to say they were created by a three letter government agency, but if I was running one of those three letter agencies, this is exactly the kind of company I'd setup and control. People just give them their TLS keys lol

If you use a VPN or just like browsing in privacy mode, it will make your life as difficult as possible by having you fill out multiple captchas. And even then, it will sometimes not let you through.

If you're running a website, please stop using Cloudflare.

>>lordof+(OP)
How are you "convinced" by something when you have zero evidence for the claim? It sounds like you wish it were true.

>>lordof+(OP)
While I tend to agree with all of your post, I also have to admit that as a service provider it's nice to be protected from malefactors. If I had to point to the moral problem here its not Cloudflare's existence, but rather the lack of awareness that service providers have about the trade-offs they are making - very similar to the problem we have with "free" services like Google Analytics, or CDN hosting. In each case the programmer is trading away end-user privacy on an ongoing basis for transient developer convenience and a slightly cheaper-to-operate runtime with more failure modes. It's usually a bad trade, I think.

>>lordof+(OP)
I hate Cloudflare with burning passion. Not only is it a US company that centralizes internet infrastructure around itself, it also terminates TLS for way too many websites and sees their cleartext traffic. It then actively meddles with said traffic and punishes you for something you have no control over (your IP address). It's a dystopian nightmare only second to online ads. But ads at least can be blocked — you have zero agency in case of Cloudflare.

Whenever I see the "one more step" crap, I just close that tab.

Cloudflare needs to stop existing, and it needs to do so yesterday.

>>lordof+(OP)
While Cloudflare is a big player, pretty much every service today has some form of third party MITM machine - things like Fastly, Akamai, Google Cloud Load Balancer and CloudFront all provide reverse proxy capabilities on the same level as Cloudflare.

Even if you run your own proxy and caching, you can’t trust your cloud provider not to DMA your keys unless you’re using trusted computing[0] (which ironically requires remote attestation if a company wants to verify it’s active on their CPU), and then chances are a dedicated three-letter-agency has exploits at the ready if they really need to extract information.

If a company isn’t running their own bare metal, nothing is safe.

0: https://aws.amazon.com/blogs/security/confidential-computing...

>>lordof+(OP)
>If you use a VPN or just like browsing in privacy mode, it will make your life as difficult as possible by having you fill out multiple captchas. And even then, it will sometimes not let you through.

I use VPN and private browsing and the worst I've been subjected to is getting IP/ASN blocked, which to be fair can be implemented without cloudflare. I've had to fill out captchas but that's something that happens a few times a month at most, and it's never a captcha loop that you mentioned.

>>lordof+(OP)
Cloudflare does have the ability to front your website without providing your private key to them, it's called keyless SSL: https://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-tec...

>>lordof+(OP)
We don’t use cloudfront but we use a competitor. Before we used it there would be millions of malicious attempted requests on our api. It doesn’t block everything and it makes things a pain for 1% of users but not using it would put tons of users data at risk.

>>judge2+Q6
> While Cloudflare is a big player, pretty much every service today has some form of third party MITM machine - things like Fastly, Akamai, Google Cloud Load Balancer and CloudFront all provide reverse proxy capabilities on the same level as Cloudflare.

the normal way to do this is to run your static content through CDN's and allow your dynamic content to hit origin.

you're not saved from DDoS of course, but you'd be surprised at how much cookies for static content can cost you in CDN costs; usually people use a separate domain.

>>grishk+m5
> It's a dystopian nightmare only second to online ads. But ads at least can be blocked — you have zero agency in case of Cloudflare.

About that, I imagine the millisecond that you can validate using remote attestation that a client has no adblockers, Cloudflare will add a remote attestation "gateway" (like the one they have now with the captcha) that will, overnight, give every Cloudflare customer (so half of the internet) the ability to block users that may have adblockers.

It's simply too juicy of a service for these people.

>>alex77+c51
The scary thing though is that if Cloudflare decides to pivot into targeted ads... You get the idea. No single company should ever be allowed to have this much control over the internet.

>>RedShi+la
They are still terminating the encrypted connection and get to see all data in cleartext so this is irrelevant to the concerns stated in gp. The only thing this scheme buys you as the website owner is that you can prevent CF from accepting new SSL connections without revoking the certificate entirely.