Nearly every website today seems to be hosted behind Cloudflare which is really concerning for the future of privacy on the internet.

Cloudflare no doubt logs, stores, and correlates network telemetry that can be used for a wide array of deanonymization attacks. Not only that, but Cloudflare acts as a man-in-the-middle for all encrypted traffic which means that not even TLS will prevent Cloudflare from snooping on you. Their position across the internet also lends them the ability to conduct netflow and traffic correlation attacks.

Even my proposed solution to use archive.org as a proxy is not a valid solution since I found out today that archive.org is also hosted behind Cloudflare…

So what options do we even have? What privacy concerns did I miss, and are there any workaround solutions?

  • ultranaut@lemmy.world
    link
    fedilink
    arrow-up
    30
    arrow-down
    2
    ·
    10 months ago

    I don’t think it’s possible to avoid companies like Cloudflare, AWS, Akamai, etc. Or not without a whole lot of effort that isn’t really reasonable and would severely degrade user experience. They provide what’s become fundamental infrastructure to the internet, and that doesn’t seem likely to change.

    • freedomPusher@sopuli.xyz
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      10 months ago

      It is possible to avoid Cloudflare (the worst offender), proven by instances that are run by more competent experts. For example:

      ^ Those are good instances where users’ traffic is not recklessly exposed to Cloudflare.

      These instances below not only expose their users to Cloudflare, but they’re not even decent enough to inform their own users about it:

      • lemmy.world ← Cloudflare
      • sh.itjust.works ← Cloudflare
      • zerobytes.monster ← Cloudflare
      • lemmy.ca ← Cloudflare
      • lemm.ee ← Cloudflare
      • programming.dev ← Cloudflare
      • lemmy.zip ← Cloudflare

      If you probe admins of the above list, some will say in effect that they regret pawning all their users to CF but claim they have no choice - that they do not know how to defend from attack. Some admins have no regrets and simply do not give a shit. Many admins are actually ignorant to the extent of not even knowing Cloudflare sees the traffic (yes, many times admins were appalled to learn this from me; who to them is just some random pleb). Probably the most despicable aspect to this is that no Cloudflare admin is socially responsible enough to post a banner msg making sure users are informed about their exposure. If they are proud of their choice and feel they have no choice, then why neglect to disclose it (esp. on a non-profit activity)?

      Regardless of their reasons/excuses, it really does not matter to the user. What matters to users is that there are privacy-disrespecting choices and relatively privacy-respecting choices. Obviously street-wise users select from the first list I posted and not the 2nd list.

      Only CFd government sites are unavoidable

      The only Cloudflare sites that are unavoidable AFAICT are government sites. You can always boycott the private sector, but there are 6 or so states in the US where voter registration goes through Cloudflare. Even if you register on paper, the data entry worker likely goes to the Cloudflare site. I became a non-voter for this reason.

          • hemko@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            1
            ·
            10 months ago

            From corporate perspective, if the ddos protection is cheaper than potential ddos attack, yes.

            • freedomPusher@sopuli.xyz
              link
              fedilink
              arrow-up
              1
              ·
              edit-2
              10 months ago

              Of course it’s important to note that business case relies on users being uninformed. If a billion or more users suddenly became informed about this along with the fact that the business does not disclose it (not even in the fine print of the privacy policy), your business case would need to account for a PR backlash variable.

      • ultranaut@lemmy.world
        link
        fedilink
        arrow-up
        4
        arrow-down
        2
        ·
        10 months ago

        A significant percentage of the internet relies on them. There’s basically no avoiding these companies while using the internet as it now exists.

        • El Barto@lemmy.world
          link
          fedilink
          arrow-up
          7
          arrow-down
          4
          ·
          edit-2
          10 months ago

          That’s a circular argument.

          “It’s impossible to avoid this these companies because a lot of sites use them.”

          Ok. Why?

          “Because they provide fundamental services.”

          Ok, what’s so fundamental about them?

          “A lot of sites use them.”

          …ok? WHY?

          • Strykker@programming.dev
            link
            fedilink
            arrow-up
            12
            arrow-down
            1
            ·
            10 months ago

            The service they provide to websites is “better user experience” by acting as a cdn close to the user they get better download speeds and responsiveness. It also is a benefit for the business because they don’t have to worry nearly as much about deploying and maintaining multiple servers around the world.

            That is why it’s impossible to avoid these companies, every sane website engineer is going to want the services they offer.

            And it’s a service that is easiest to offer when you are an already established large cdn.

                • El Barto@lemmy.world
                  link
                  fedilink
                  arrow-up
                  1
                  arrow-down
                  4
                  ·
                  10 months ago

                  User experience?

                  Wait, I thought we were talking about more than just user experience.

              • Strykker@programming.dev
                link
                fedilink
                arrow-up
                3
                ·
                10 months ago

                Sure 100% you can build a website without them.

                But anyone expecting to serve millions of users is going to use and need them or the user experience will suffer

                • El Barto@lemmy.world
                  link
                  fedilink
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  10 months ago

                  That’s my point. So it’s not fundamental. Just fundamental for big sites.

                  And not anyone. Cloudfare and AWS are not the only cloud/CDN services in the world.

                  But I understand now.

              • freedomPusher@sopuli.xyz
                link
                fedilink
                arrow-up
                2
                ·
                10 months ago

                You say “fundamental” when I think (from context) you mean to say “essential”. But to be clear, Cloudflare is not essential to business or the internet. Consider banking in the US. Big banks are competent enough to not need CF. But credit unions are small and on shoestring budgets. So CUs are increasingly exposing all their customers to Cloudflare to save money. If you are a client of a CU that starts using Cloudflare, I suggest switching to paper statements and quit using the website. Switch to a CU that does not expose you to Cloudflare. So far that’s not difficult but that could change.

          • kelvie@lemmy.ca
            link
            fedilink
            arrow-up
            5
            ·
            10 months ago

            Not sure why people are being so weird about answering your questions, but e.g. CloudFlare does DDoS protection which now basically everything you put on the internet needs some type of , and is far too complicated to do yourself, when you need it.

            Thus CloudFlare (or AWS’s equivalent) is pretty essential. I’m sure there are other reasons too.

            • El Barto@lemmy.world
              link
              fedilink
              arrow-up
              2
              arrow-down
              5
              ·
              10 months ago

              Thanks. Though I knew all that, I appreciate your response.

              I guess DDoS protection is essential, but the fundamental part is dependant on the seevice provider’s goal. If I just want to host a game over the internet for my friends, Cloudflare is not really fundamental for that. For businesses, though, yeah.

              • freedomPusher@sopuli.xyz
                link
                fedilink
                arrow-up
                2
                ·
                10 months ago

                Admins tend to have an exaggerated degree of self-importance. They think their own service is somehow so important that downtime is just not an option, even at the cost of pawning all their own users/supporters traffic to a tech giant in a country without privacy safeguards. And they do that even when offering a non-profit service like a fedi instance. It’s a total disregard for privacy even when no money is on the line. Part of the problem is not only are they not hiring experts but they can’t be bothered to develop the competency themselves. They don’t factor in or realize the fact that web security is part of the task they are signing up for. Like someone saying they want to sell fries but they don’t want to be bothered with finding a potato supplier. If they want to reject a fundamental component of the activity, perhaps that activity is not for them.

          • ultranaut@lemmy.world
            link
            fedilink
            arrow-up
            4
            arrow-down
            1
            ·
            10 months ago

            Sorry, I was assuming that people knew what they did or would look it up themselves. The short and non-technical answer is “the cloud” actually means “other people’s computers” and these companies are the “other people”. The why of it is complicated, there are both technical and economic reasons. I think it probably comes down to efficiency and economies of scale.

            • El Barto@lemmy.world
              link
              fedilink
              arrow-up
              1
              arrow-down
              1
              ·
              edit-2
              10 months ago

              Care to elaborate?

              So far it seems like it pertains to big sites. So if these cloudfare et al are “impossible to avoid” for any other scanario, I’ll be happy to be schooled.

              • some_guy@lemmy.sdf.org
                link
                fedilink
                arrow-up
                1
                ·
                10 months ago

                A quick web search suggests that AWS (Amazon Web Services, I think) hosts 32% of websites. I don’t have more nuance to provide other than to agree that these companies provide architecture to a huge portion of the modern internet. Most of everything is held by a small number of companies, just like wealth is concentrated in a small percentage of the population with huge companies owning most of the market.

        • freedomPusher@sopuli.xyz
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          10 months ago

          Cloudflare can be avoided so far but this may not hold up for long. There are browser extensions that put a strikethrough on all links to CF sites. There is also a search service (Ombrelo) which tags and down-ranks Cloudflare sites in the results. There is a bot you can follow on Mastodon that will DM you whenever you share a link to a CF website, so you can remove it (documented here).

  • yiggy@links.hackliberty.org
    link
    fedilink
    arrow-up
    18
    arrow-down
    1
    ·
    edit-2
    10 months ago

    What’s your threat model? Adjust accordingly.

    The situation is, what it is, but there’s a wide range of actions one can take that fall between the two poles of do nothing and burn all internet enabled devices.

    • Mr_Sh@links.hackliberty.org
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      10 months ago

      Forget about threat model. It’s becoming increasingly an irrelevant concept, as we reach total globalization and centralisation of all of these global companies.

      It’s frustrating, but it could be addressed by the EU members just like how they always have blew up Google so many times on so many occasions by suing them millions of dollars.

  • Dr. Dabbles@lemmy.world
    link
    fedilink
    English
    arrow-up
    12
    ·
    10 months ago

    It isn’t feasible to avoid using the top few CDNs in the world, of which cloudflare is one. Using a traffic anonymizing service simply kicks the can down the road, and now you need to trust the service you use to obfuscate your identity.

    If you use Apple devices, which I’m guessing you don’t, then be aware that cloudflare operates some of Apple’s anonymization nodes. If you rely on TOR to obfuscate who you are, beware that several nations run a LOT of that infrastructure so they can correlate entry and exit information. If you use a paid VPN service, your payment details and account link you directly to the traffic you generate. Do you really trust those services to face government prosecution to protect you?

    It’s a hard spot to be in, especially with fewer and fewer companies controlling larger portions of the internet.

  • snowe@programming.dev
    link
    fedilink
    arrow-up
    10
    arrow-down
    2
    ·
    10 months ago

    Cf only acts as a mitm for encrypted traffic if you choose it in the options. If you provide your own cert then they can’t decrypt anything.

    • freedomPusher@sopuli.xyz
      link
      fedilink
      arrow-up
      1
      ·
      10 months ago

      Cf only acts as a mitm for encrypted traffic if you choose it in the options. If you provide your own cert then they can’t decrypt anything.

      That’s really misleading. Most admins use Cloudflare’s gratis service and they use CF to handle the traffic load. This is only possible if CF has the private key and sees the traffic. If CF cannot see the traffic, it must pass it all through to the source webserver which defeats the purpose of using CF.

      Most importantly, users have no way of knowing whether a web service opts to use their own key or CFs key. It’s impossible. So wise users have no choice but to assume the worst case (which is also the strong majority of cases): that CF sees the traffic.

    • Shadow@lemmy.ca
      link
      fedilink
      arrow-up
      1
      arrow-down
      10
      ·
      edit-2
      10 months ago

      That’s not true at all…

      If you provide your own cert, you have to provide the key. Otherwise it’s useless.

      If you’re talking about mtls to the origin, that’s a separate ssl connection.

      CF always ssl terminates at their endpoints.

      If you think I’m wrong, please provide a doc that says otherwise?

        • Shadow@lemmy.ca
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          edit-2
          10 months ago

          As a cloudflare site admin:

          You set your name servers to cloudflare. You then enter your DNS through their control panel.

          You then optionally enable proxying. If you do not enable, the DNS resolves directly to your server and they don’t see anything.

          Typically any site that uses cloudflare is going to use their proxy though, it’s the majority of the reason to use CF at all. Mitigating an attack won’t work if you don’t have proxy enabled, and enabling it after an attack makes your life difficult since you now need to rotate your origin ip.

          This is exactly what your link explains, so I’m not sure why all the downvotes. The vast majority of sites that use CF, have proxying enabled.

          None of this has anything to do with certs as the op mentioned. Providing your own cert doesn’t do anything in this context.

          • mark3748@sh.itjust.works
            link
            fedilink
            arrow-up
            4
            ·
            10 months ago

            I mean, yeah, we’re in agreement. I am also a cloudflare user.

            Im not sure what your disagreement with snowe was, then though. They stated they only handle the encryption if the site owner chooses it, which is what I said, and then you did as well. No clue on the downvotes.

            Also I’m not certain why there seems to be paranoia over CF. They just offer the tools and haven’t shown me any reason to distrust them in any way, and if you’re blacklisting a major CDN you might as well just stay off of the internet entirely.

            My opinion doesn’t actually matter though, I’m just a networking dude that had his curiosity piqued by a random post. I choose privacy by default but I don’t go out of my way to handicap myself in the name of privacy so I’m sure there are far more knowledgeable people here that can advise on much stricter threat models than mine.

            • freedomPusher@sopuli.xyz
              link
              fedilink
              arrow-up
              1
              arrow-down
              1
              ·
              edit-2
              10 months ago

              They stated they only handle the encryption if the site owner chooses it,

              I missed the post you replied to, but your comment is misleading. That’s probably around ~99% of the cases that you seem to imply are a rare case. If CF cannot see the traffic, it cannot respond to requests and the source webserver must handle the full workload (thus defeating the purpose of using CF). Most users are only using the free service, which requires CF to have the private keys.

              Also I’m not certain why there seems to be paranoia over CF.

              Start here→ https://git.kescher.at/dCF/deCloudflare/src/branch/master/subfiles/rapsheet.cloudflare.md

              It’s normal for a normie see infosec-aware people as “paranoid” due to lack of widespread understanding of infosec principles. The rule of least privilege is a sound principle. The abstract idea is that you do not extend more privilege than necessary. It’s reckless to needlessly share confidential information. Of course “need” is the keyword there. You are using a CFd instance. Maybe sh.itjust.works determined that they need CF because they lack the infosec knowledge to protect their service and their budget is too small for them to hire a credible infosec admin. Whatever their reason is, the mistake is on your part (the user). You as a user do not need to expose all your traffic to CF because you can just as well have created an account on mander.xyz. So in a sense, you violated the rule of least privilege by needlessly oversharing. But note that’s a simplified scenario… maybe you trust both sh.itjust.works admins and US tech giants more than you trust mander.xyz admins.

              They just offer the tools and haven’t shown me any reason to distrust them in any way,

              This is a way of thinking that separates normies from street wise folks. Normies trust by default and look for reasons to distrust. This leaves them extending trust when in fact they need not trust at all. Infosec experts think this way: first, can we avoid the need to trust? If yes, then that’s a no brainer.

              Trust by default is not the only problem with your comment. Cloudflare has given copious reasons to distrust them. They are caught in countless lies. This is covered in ¶11 of the above-linked page.

              and if you’re blacklisting a major CDN you might as well just stay off of the internet entirely.

              Why must it be all or nothing? Avoiding CF kills off around 25% of the web for me. And probably another 10% is killed off due to tor-hostile actors other than Cloudflare. But ~65% of the web is still reachable to me, and part of the 35% is reachable through mirrors. CF has only ruined the web for the most part. Non-web connections are mostly still viable.

              I choose privacy by default

              You need to rethink that. The only thing I know about you is your choice to use sh.itjust.works and unless you have some obscure corner-case well-justified reason for that, you have not chosen privacy by default.

              but I don’t go out of my way to handicap myself in the name of privacy

              Privacy is about control. When you give up privacy you are opting to handicap yourself in terms of control. Indeed needless disclosure ultimately cripples your agency to be free from the consequences of that disclosure. So you are trading one handicap for another. That might be overly abstract for many so I’ll give a concrete scenario:

              Suppose you live in the US and your credit union starts using Cloudflare and uses the default tor-hostile configuration. You are then forced to step outside of Tor and access your bank account. Since Trump gave ISPs permission to collect customer data and share it without getting the customer’s permission, your ISP records the fact that Mark banks at XYZ CU. Cloudflare might do the same (but let’s say it’s not relevant in this case). Your ISP sells that info to creditors. Then a debt collector learns they can do a money grab on Mark’s account at XYZ CU. You ultimately lost control of your money due to a simple disclosure of a website you visit regularly.

              One important control that I care about is the ability to boycott bad companies. I boycott Microsoft. So what happens when I send email to [email protected]? MS gets a piece of data that they profit from. Boycotting is no longer simply a matter of not spending money in a certain way now that data is as good as cash. So control over my ability to boycott a harmful force in the world requires the option to not feed data to that platform (even if the data itself is benign, harmless, and non-sensitive).

              so I’m sure there are far more knowledgeable people here that can advise on much stricter threat models than mine.

              The threat model of everyone who demands privacy includes mass surveillance. Threat models vary in countless ways from one person to another but mass surveillance should be the most common component in the threat models of most.

  • Donjuanme@lemmy.world
    link
    fedilink
    arrow-up
    15
    arrow-down
    10
    ·
    10 months ago

    Stop using the Internet.

    If you’re so concerned about being tracked at those levels you might need to get off for your own mental well being anyways. If you don’t want the benefits of the service (ddos attack protections for major sites, consistent website up time) leave it behind.

    • freedomPusher@sopuli.xyz
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      10 months ago

      If you’re so concerned about being tracked at those levels

      What do you mean by “at those levels”? You seem to imply Cloudflare’s abuse is not vastly harmful.

      CF ruins Tor, VPNs, discriminates against poor people behind CGNAT, and people who look like bots because they don’t load images. You don’t even get basic protection from IP disclosure. CF sees all traffic on most of their sites, including usernames and unhashed passwords. The OP’s demand is reasonable. The demand that everyone partake in such reckless disclosure to a single gatekeeper running a private walled-garden is not reasonable. Cloudflare has removed the minimum baseline of security that everyone used to have and failed to achieve even a low level of privacy.

  • freedomPusher@sopuli.xyz
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    10 months ago

    Has avoiding Cloudflare become Impossible?

    Mostly, yes. But let’s break this down. Cloudflare only breaks web services and so far Cloudflare’s privacy abuses and gate-keeping is mostly confined to the web. Avoiding Cloudflare is impossible in some circumstances.

    CFd government sites are unavoidable (voting rights lost in the US)

    The only Cloudflare sites that are strictly unavoidable AFAICT are government sites. You can always boycott the private sector, but the public sector is shoved down our throats. There are 6 or so states in the US where voter registration goes through Cloudflare. Even if you register on paper there is still no escape because the data entry worker likely uses the Cloudflare site. I am a non-voter for this reason. Although it’s still possible to move to one of the 44 other states and register there.

    CFd medical websites

    See How lack of digital rights, Cloudflare, and Google worsened a medical emergency situation and undermined human rights. When you need medical info in a hurry, boycotting is tough.

    search is liberated – but only by 1 single search service to date

    There is only one general purpose search service that helps avoid Cloudflare: Ombrelo, which tags and down-ranks Cloudflare websites in the results.

    • freedomPusher@sopuli.xyz
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      10 months ago

      The long answer is here.

      The short answer: Cloudflare holds the TLS keys and terminates the tunnel. The padlock misleads people because they think that means the tunnel goes all the way to the server hosting the source website.

      Note as well that you are using lemmy.zip, a Cloudflared instance. CF sees your IP address, username, password (unhashed) and everything you do. (edit: See this comment for alternatives).

      • driveway@lemmy.zip
        link
        fedilink
        arrow-up
        2
        ·
        10 months ago

        Well, I’m surprised I didn’t know this. Or that this isn’t talked more about.

        • freedomPusher@sopuli.xyz
          link
          fedilink
          arrow-up
          2
          ·
          10 months ago

          Or that this isn’t talked more about.

          Indeed. It’s disturbing how not even EFF (the org most reputable for educating people about privacy among other digital rights) keeps Cloudflare’s attack on the privacy of 20%+ web traffic out of the spotlight that it should have.

      • driveway@lemmy.zip
        link
        fedilink
        arrow-up
        3
        ·
        10 months ago

        By you, you mean the user or the site owner? Do I, as the user have a choice in the matter? And, as far as I know, CDNs are for delivering frontend bundles. How does TLS come into play here?

        • IphtashuFitz@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          10 months ago

          No. As an end user you have no choice. My employer uses Akamai for CDN, WAF, and other services. All customer facing connections use certs for which Akamai has the private keys.

          The CDN needs to know the content in order handle it properly. When a request is served by a website it includes a bunch of headers that tell the browser and CDN if it should be cached and for how long. It might tell you to cache a static image for 30 days, but a dynamic image like one from a webcam for only 10 minutes. And there’s some content, like pages from banking sites, that should never be cached.

          Services like Akamai also offer other services to optimize the speed of sites. Their Image Manager will analyze and optimize JPG, PNG, etc. images if you want. They can also “minify” JavaScript, and compress some content via gzip or brotli compression to speed things up as well. All these sorts of optimizations require access to the unencrypted content.

          Then there are WAFs (web application firewalls) that site owners use to protect themselves from malicious traffic. Cloudflare, Akamai, AWS, etc. all have WAFs that analyze inbound requests and will block any that they deem malicious. Again, it needs access to the unencrypted request to do this.

          • freedomPusher@sopuli.xyz
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            10 months ago

            The CDN needs to know the content in order handle it properly. … All these sorts of optimizations require access to the unencrypted content.

            Bingo. This. That’s so obvious it’s bizarre how many people continue to believe that CF does not see their traffic, as if CF can process requests it cannot see. I can’t get my head around why so many have trouble grasping this. If CF cannot decrypt the payload, it obviously can only pass it through to the source webserver. And obviously if everything is passed through, then the owner’s webserver must be able to handle the load, which defeats the purpose website owners use CF for.

    • IphtashuFitz@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      10 months ago

      Virtually every CDN provider does this. Akamai does, AWS does, etc. it’s just a part of how these sorts of things work.

  • overflowingmemory@links.hackliberty.org
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 months ago

    Stupid Question:

    How do I find out if a website I use is hosted over cloudflare? The noscipt javascript blocker extension shows in some cases I blocked some cloudflare javascript. For example on the lemmy.world instance it shows a script labeled cloudflareinsights.com that I block. That apparently provides visitor analytics

    According to them on insights:

    Our edge sees all requests made to a website, regardless of whether it’s cached or uncached, the user has adblock, or they turned off JavaScript. This enables us to […]

    On other sites it shows a “confirm you are human” check-box labeled with the cloudflare brand (if I activate javascript for that site) – according to cloudflare wikipedia that service is known as Cloudflare Turnstile. This is how I currently see if cloudflare is involved.

    Another interesting thing I noticed on stackoverflow is email protected which confirms to me stackexchange also uses cloudflare somehow.

    I guess you could detect a Reverse Proxy by cloudflare based on its IP-Adress ~ but I do not really know how to look that up perhaps the following stack overflow answer might help using the tools nslookup and whois… Any other hints on this?

    nslookup www.monero.town whois -h whois.arin.net n <IP-Adress from prev command> | egrep 'Organization'

  • freedomPusher@sopuli.xyz
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    10 months ago

    Even my proposed solution to use archive.org as a proxy is not a valid solution since I found out today that archive.org is also hosted behind Cloudflare…

    Yikes! Can you give more detail? I’ve used archive.org quite heavily for years (it’s the only practical universal escape from Cloudflare). The IP address is not in Cloudflare’s range. But recently Cloudflare as started hiding its own presence by outsourcing to 3rd parties. It’s a vast minority of cases but this could obviously worsen. Is archive.org using CF through one of the undisclosed 3rd parties? A couple years ago archive.org announced a disturbing partnership with CF but did not disclose the details.