•  jarfil   ( @jarfil@beehaw.org ) 
    37 months ago

    As usual, there is a grain of truth behind those claims:

    Cloudflare offers their own DNS, with stated benefits like filtering out some sites, while resolving CF sites… but some VPNs also set their own DNS, which don’t fully match Cloudflare’s… resulting in some combinations of CF site and VPN not working. I’d blame the VPN for that, but people’s experience is going to be “everything works, except some CF sites” 🤷

    Cloudflare is a “potential” MITM: they claim not to read the traffic… but as a TLS terminator, they get the ability to read it without anyone’s knowledge.

    All non-encrypted traffic has been considered “insecure” for some time now. The whole point of initiatives like Let’s Encrypt is to remove everyone on the client-server path from the list of entities you have to trust, so it ends up as: client software, client system, CertAuth, server owner, server software.

    Ideally, we’d have homomorphic encryption on the servers, but it’s not there yet.

    •  t3rmit3   ( @t3rmit3@beehaw.org ) 
      27 months ago

      Cloudflare is a “potential” MITM: they claim not to read the traffic… but as a TLS terminator, they get the ability to read it without anyone’s knowledge.

      Yes, and this is also true for AWS ALBs and any other hosted reverse-proxies that do SSL offloading/termination. Hell, it’s even worse for AWS in general, since they also have potential access to your databases and instances, never mind SecretsManager info that you just directly give them. It’s just such a weird thing to specifically only harp on Cloudflare like that site is.

      Besides, the only real threat actor I can see them being worried about with CF is the USFG, since they’re the only ones I could see being able to compel CF to break their customer contracts like this. And if the USFG is your presumed threat actor, and you’re in the US, you’re not going to “out-security” them by avoiding Cloudflare.