EticaAI / forum

Etica.AI is concerned about long-term social & ethical implications of artificial intelligence on Africa/Latin America. Do it via grassroots acts in short-term
https://etica.ai
The Unlicense

Security Level of Cloudflare for sites served from GitHub Pages from *.etica.ai #64

Closed fititnt closed 3 years ago

fititnt commented 5 years ago

Related: #9 #15


TL;DR: even if it means "just" showing some captcha for humans to "prove" they are not automated (and doing something Cloudflare could consider suspicious), this is both not a requirement for all content served under *.etica.ai and also (since it depends on Cloudflare assumptions) not aligned with what we value, so it's better to allow anyone, even "bad bots" (who until now cannot really cause damage), to have access.


Since we also use Cloudflare as DNS manager and (in some cases) as HTTPS provider, until the start of the etica.ai usage of domains, all the websites that were hosted as GitHub static pages were also running with some of the default configurations of Cloudflare (some examples in Image 1).

The description of what it could mean is in Image 2. For those using screen readers, the important part is "Medium: Challenges both moderate threat visitors and the most threatening visitors".

Image 3 shows the options Cloudflare allows. For a free account, it is not possible to fully disable it. The only option close to disabling the firewall is "Essentially off: Challenges only the most grievous offenders".

This issue is to make a comment about what was in the past, and that, for now, we will at least reduce the Security Level of Cloudflare on the free account to the minimum possible, in this case "Essentially off".

We did not receive any report of people complaining that they cannot access (or had to solve captchas) on *.etica.ai, but since even on larger sites people hardly complain, and some people I know in Africa already report that some services can put IP restrictions on sites like Wikipedia, I will also reduce the firewall used on some of our sites.


Image 1: screenshot of 2019-01-31 00-13-07

Image 2: screenshot of 2019-01-31 00-14-07

Image 3: screenshot of 2019-01-31 00-15-21

fititnt commented 3 years ago

I just noticed that Cloudflare changed from "Essentially off" to medium without warning. This is infuriating.

Screenshot of 2021-05-02 02-44-19

This was set to "Essentially off" again. Other "security" features were all disabled to the minimum (like browser integrity checks and "Privacy Pass", whatever this means).

Also, Cloudflare advertised that it "blocked a few attacks" (which, by the way, is likely to be just Cloudflare annoying users using TOR with captchas).

Ping #9. While not an urgent need, we may eventually migrate from Cloudflare (but this would need a more robust global DNS server setup, including proxying HTTPS, which GitHub Pages does not allow for custom domains). Anyway, we definitely will not use the etica.dev domain #88 on Cloudflare, even if it stays unused for a longer time.
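Both comments above describe the same problem: the zone's "Security Level" was lowered to "Essentially off" by hand, and later found back at "Medium" without anyone changing it. The script below is an added example, not code from this repository or from Cloudflare, showing how a maintainer could detect that drift from the zone settings API and prepare the request that resets it. It assumes Cloudflare's v4 API shape (`GET`/`PATCH /zones/{zone_id}/settings/security_level`, with the level in `result.value`, and the values `off`, `essentially_off`, `low`, `medium`, `high`, `under_attack`); the zone id, token and sample response are constructed placeholders. Check the field names against the current Cloudflare API reference before depending on them.

```python
"""Drift check for a Cloudflare zone's "Security Level" setting.

Added example, not code from the EticaAI/forum thread. The API shape
(GET/PATCH /zones/{zone_id}/settings/security_level, level in result.value)
follows Cloudflare's public v4 API as I know it; treat the field names as an
assumption and verify them against the current docs.
"""
import json
import urllib.request

# Cloudflare's ordered levels, least to most restrictive. "off" is not
# offered on free plans, which is why "essentially_off" is the floor there.
SECURITY_LEVELS = ["off", "essentially_off", "low", "medium", "high", "under_attack"]

API_BASE = "https://api.cloudflare.com/client/v4"


def parse_security_level(response_json: str) -> str:
    """Extract result.value from a settings API response body.

    Raises ValueError when the API reports failure, the payload is not the
    security_level setting, or the value is unknown, so a transport or auth
    problem is never silently read as "no drift".
    """
    body = json.loads(response_json)
    if not body.get("success"):
        raise ValueError(f"API call failed: {body.get('errors')}")
    result = body["result"]
    if result.get("id") != "security_level":
        raise ValueError(f"unexpected setting id: {result.get('id')!r}")
    value = result["value"]
    if value not in SECURITY_LEVELS:
        raise ValueError(f"unknown security level: {value!r}")
    return value


def check_drift(actual: str, expected: str) -> dict:
    """Compare the live level with the one we intend to run.

    Returns a small report: whether it drifted, and whether the drift made
    the zone stricter (more visitors challenged) than intended.
    """
    a, e = SECURITY_LEVELS.index(actual), SECURITY_LEVELS.index(expected)
    return {
        "expected": expected,
        "actual": actual,
        "drifted": a != e,
        "stricter_than_expected": a > e,
    }


def build_restore_request(zone_id: str, api_token: str, level: str) -> urllib.request.Request:
    """Build (but do not send) the PATCH that puts the level back."""
    if level not in SECURITY_LEVELS:
        raise ValueError(f"unknown security level: {level!r}")
    return urllib.request.Request(
        f"{API_BASE}/zones/{zone_id}/settings/security_level",
        data=json.dumps({"value": level}).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"},
    )


def fetch_security_level(zone_id: str, api_token: str) -> str:
    """Live GET; needs network and a real token, so it is not called below."""
    req = urllib.request.Request(
        f"{API_BASE}/zones/{zone_id}/settings/security_level",
        headers={"Authorization": f"Bearer {api_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_security_level(resp.read().decode())


# Constructed sample response mirroring the situation in the thread: the
# zone is supposed to sit at essentially_off but the API now reports medium.
SAMPLE_RESPONSE = json.dumps({
    "success": True, "errors": [], "messages": [],
    "result": {"id": "security_level", "value": "medium", "editable": True,
               "modified_on": "2021-05-02T05:44:19Z"},
})

if __name__ == "__main__":
    report = check_drift(parse_security_level(SAMPLE_RESPONSE), "essentially_off")
    print(report)
    if report["drifted"]:
        req = build_restore_request("ZONE_ID_PLACEHOLDER", "TOKEN_PLACEHOLDER",
                                    "essentially_off")
        print("would send", req.get_method(), req.full_url)
```

Run this on a schedule (a cron job or a GitHub Actions workflow) with `fetch_security_level` in place of the sample response and it turns the "changed without warning" surprise into an alert the same day; keeping the reset as a separate, explicit step rather than auto-applying it avoids fighting Cloudflare during a period when someone deliberately raised the level.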