Comment by ndiddy
12 hours ago
Someone asked the archive.is owner why he does this in the past. It's because of similar situations to this one where someone who wants to get archive.is taken down uploads illegal content, requests archive.is to save it, and immediately reports archive.is to their country's legal authorities. His solution to this is using the EDNS information to serve requests from the closest IP abroad, so any takedown procedure requires international cooperation and therefore enough bureaucratic overhead that he gets notified and has time to take the content down. https://news.ycombinator.com/item?id=36971650
I also find the "we don't want to leak a requester's IP" explanation for blocking EDNS to be suspect. The way DNS works is that you ask for the IP address for a domain name, you get the IP, and then you connect to it. With Cloudflare's DNS, the server doesn't know your IP when you do the DNS lookup, but that doesn't matter because you're connecting to the server anyway so they'll still get your IP. Even if you're worried about other people sniffing network traffic, the hostname you're visiting still gets revealed in plaintext during the SNI handshake. What Cloudflare blocking EDNS does do is make it much harder for competing CDNs to efficiently serve content using DNS based routing. They have to use Anycast instead, which has a higher barrier to entry.
Cloudflare tends to default to "It's for the security of our users" when it oftentimes isn't.
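The "EDNS information" the comment refers to is the EDNS Client Subnet (ECS) option defined in RFC 7871, which a resolver may attach to an upstream query so that an authoritative server can pick a geographically close answer. The following is an added example, not code from any comment in this thread or from archive.is or Cloudflare: it encodes and decodes the ECS option body (not the whole OPT pseudo-RR) so you can see exactly how much of the requester's address it discloses. The sample addresses are constructed from the RFC 5737/3849 documentation ranges; the default prefix lengths of /24 and /56 are the ones RFC 7871 recommends for privacy, and a resolver that chose /32 or /128 would be sending the full client IP.

```python
import ipaddress
import struct

# RFC 7871: EDNS Client Subnet option code inside an OPT RR.
ECS_OPTION_CODE = 8
ADDRESS_FAMILY_IPV4 = 1  # IANA address family numbers used by ECS
ADDRESS_FAMILY_IPV6 = 2


def build_ecs_option(client_ip, source_prefix_len=None):
    """Return the wire bytes of one ECS option (code, length, body).

    The body is FAMILY (2 bytes), SOURCE PREFIX-LENGTH (1 byte),
    SCOPE PREFIX-LENGTH (1 byte, always 0 in a query) and the address
    truncated to ceil(prefix/8) bytes with the host bits zeroed.
    """
    addr = ipaddress.ip_address(client_ip)
    family = ADDRESS_FAMILY_IPV4 if addr.version == 4 else ADDRESS_FAMILY_IPV6
    if source_prefix_len is None:
        # Recommended defaults from RFC 7871 section 11.1 (privacy).
        source_prefix_len = 24 if addr.version == 4 else 56
    if not 0 <= source_prefix_len <= addr.max_prefixlen:
        raise ValueError("prefix length out of range for address family")
    # strict=False masks off the host bits for us.
    net = ipaddress.ip_network(f"{addr}/{source_prefix_len}", strict=False)
    nbytes = (source_prefix_len + 7) // 8
    addr_bytes = net.network_address.packed[:nbytes]
    body = struct.pack("!HBB", family, source_prefix_len, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(data):
    """Decode one ECS option and report what it discloses about the client.

    Rejects the malformed cases RFC 7871 says a server must treat as
    FORMERR: wrong address length for the prefix, or non-zero host bits.
    """
    if len(data) < 8:
        raise ValueError("too short for an ECS option")
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    body = data[4:4 + length]
    if len(body) != length or length < 4:
        raise ValueError("option length does not match payload")
    family, source_prefix_len, scope_prefix_len = struct.unpack("!HBB", body[:4])
    addr_bytes = body[4:]
    if family == ADDRESS_FAMILY_IPV4:
        total = 4
    elif family == ADDRESS_FAMILY_IPV6:
        total = 16
    else:
        raise ValueError(f"unknown address family {family}")
    if len(addr_bytes) != (source_prefix_len + 7) // 8:
        raise ValueError("address field length disagrees with prefix length")
    padded = addr_bytes + b"\x00" * (total - len(addr_bytes))
    ip = ipaddress.ip_address(padded)
    # strict=True raises if any bit beyond the prefix is set, which the RFC forbids.
    net = ipaddress.ip_network(f"{ip}/{source_prefix_len}", strict=True)
    return {
        "family": "IPv4" if family == ADDRESS_FAMILY_IPV4 else "IPv6",
        "source_prefix_len": source_prefix_len,
        "scope_prefix_len": scope_prefix_len,
        "subnet": str(net),
        # True only when the resolver forwarded the complete client address.
        "full_ip_disclosed": source_prefix_len == ip.max_prefixlen,
    }


if __name__ == "__main__":
    # Constructed sample addresses from documentation ranges, not real clients.
    for ip, plen in [("203.0.113.45", None), ("203.0.113.45", 32),
                     ("2001:db8:1234:5678:abcd::1", None), ("203.0.113.45", 0)]:
        opt = build_ecs_option(ip, plen)
        print(opt.hex(), parse_ecs_option(opt))
```

With the default prefix lengths the option carries `203.0.113.0/24` or `2001:db8:1234:5600::/56`, which is enough for an authoritative server such as archive.is to choose a nearby answer while withholding the low bits of the requester's address; a prefix length of 0 is how a client signals that it wants no subnet information forwarded at all. Whether even a /24 is an acceptable disclosure is a policy choice each resolver operator makes, which is the trade-off the thread is arguing about.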
> Even if you're worried about other people sniffing network traffic, the hostname you're visiting still gets revealed in plaintext during the SNI handshake
Many sites now support Encrypted Client Hello. This makes it possible to send the hostname after the connection has been encrypted. This is enabled by default on Cloudflare hosted domains (when Cloudflare also manages DNS).
There was a report some years ago that found the IP address being connected to is often enough to identify the website being visited, even when using a CDN. I think you have to go to VPNs at a minimum, or Tor preferably. Tor doesn't help with correlation attacks from global passive/active adversaries though, or even folks with access to a lot of netflow data.