Comment by mike_d
2 years ago
Great callout:
> Don't use Cloudflare or similar services. See my article here for an explanation on why. If you use a service like this, you're basically already MitMing yourself.
I wish more people would realize that when arguing on the internet about CAA, DNSSEC, NSA, etc. that none of it really matters. We willingly allow a government-aligned entity to unwrap 20% of all TLS connections on the internet and peek inside.
Cloudflare is horrible for privacy. It is also a bit of a sovereignty issue for European countries to have all their citizens' web habits MITMed by a foreign power (no matter how friendly they seem).
Edit: not even going into the sovereignty issue of having an American private company effectively decide your internet regulations.
Cloudflare exists out of necessity for the most part. The alternatives to shield from large scale DDoS are all US American too.
Which, let's be honest, isn't a problem that 99% of the sites using Cloudflare need to solve. Nobody is going to waste energy and time to attack your blog with your vacation photos.
The huge wave of DDoS extortion attacks that happened 3-4 years ago was mostly enabled by "booter" services that themselves hid from law enforcement behind Cloudflare.
Here is an example: https://therecord.media/feds-seize-ddos-booter-sites-in-late...
Feel free to punch any of the sites they mention into dns.coffee and look at the historical nameservers. All Cloudflare.
DDoS protection is standard among hosting providers now, including budget ones like OVH.
The fact that Cloudflare is allowed to continue hosting websites which are obviously illegal, some notorious, is deeply strange. As I wrote in my article on the subject, it makes no sense when you consider the way the US responds even just to copyright infringement; see how they nuked Megaupload's business without trial because they saw them as knowingly enabling piracy. However, it's a known fact that US authorities will keep illegal or disreputable services up if they see them as a source of more intelligence. I can't really see any other explanation for how Cloudflare is allowed to host some of the sites it does without pressure from the US unless it's basically funnelling all of the data to the NSA.
> Cloudflare exists out of necessity for the most part.
I agree with this; there doesn't seem to be that much self-hosted software that someone could (easily) set up for the use cases that Cloudflare serves.
> The alternatives to shield from large scale DDoS are all US American too.
Not only that, but the WAF functionality is also pretty useful. To be honest, the same applies to something like wanting to have CAPTCHAs on your own site - not that many options out there.
As far as I can tell as a hobbyist, if you wanted to host everything yourself:
And even then, certain things are not an option - you won't be shrugging off huge DDoS attacks and you probably won't be running your own CDN (easily), unless you have bunches of money to spend and the know-how. So of course people would rely on external orgs for whatever they can.
Most sites don't get DDoSed. https://immibis.com/ has been running without DDoS protection for a long time now. It's as simple as nobody caring to do so. Why would they? What's in it for them?
And if someone does knock it offline, I still don't care. I can wait until they get bored. The site isn't important to me, either.
And if I really do care, Cloudflare encourages people to sign up while they are actively under attack. Of course, it costs money, because you aren't paying with your access logs all the times you aren't under attack.
The EU regularly de facto tries to decide regulations for other countries. All is fair in a globally connected world.
Yeah, but it generally goes in the direction of more privacy, environmental and labor standards. Less so from other countries.
That is how American tech monopolies like to paint what the EU does. Lol
There are lots of reasons to not use Cloudflare, but many of those given in the article don't hold up. For example, Cloudflare does not set a cookie for all connections, and discrimination against Tor users, CAPTCHAs and WAFs are all configurable.
Cloudflare encourages all these bad things by making them simple checkboxes and insinuating that if you care about security you'll check the checkbox.