georgyo / ifconfig.io

https://ifconfig.io
MIT License
533 stars 124 forks

Either ask for donations or sell traffic to cloudflare. #74

Closed alithechemist closed 4 months ago

alithechemist commented 4 months ago

Right now the website is trying to set two cookies from third parties:

This looks like purely user tracking.

Please use a self-hosted analytics solution like Matomo, in order to protect the privacy of your users. Also, I see a Monero wallet address for donations at the bottom of the page. So is this a commercial product or not? Do you have a privacy policy?

Thanks in advance.

xavier-hernandez commented 4 months ago

cdnjs.cloudflare.com appears to be for the ribbon displayed in the right-hand corner.

I assume the Monero wallet address is for donations since it's free, and they probably lose money due to hosting it.

I have a variation of this code https://miip.io and use analytics as well. I don't have a donation button on mine because of all the sites I've created for open source I've never gotten a dime so I just quit asking.

georgyo commented 4 months ago

Hello @alithechemist, thanks for your inquiry.

Being commercial would mean that somehow I am using this in a commercial fashion. I can definitively tell you that this project is purely an interest of mine. It has no method of making any money. It currently gets about 1.5 billion hits a day, and I serve that on a $40 VM. That is possible because it is basically a simple echo server and each request (except for a few) does no actual work besides returning what is received in the request.


The site keeps no logs, as keeping them would require disk space I don't want to pay for. The cost of setting up Matomo would be astronomical as it is not that efficient of a product. If there was a source of funding for this site then maybe.

Also, I object that Matomo would be better for user privacy. Why? Because static.cloudflareinsights.com is trivial to block once and then all sites that use that bit of tracking code will also block it. Meanwhile, something like insights.ifconfig.io would first need to be discovered and blocked separately. If you did not want to share that information, then by the time it becomes blocked you have already shared the information it would have provided me.

In any case, I removed cloudflareinsights, since I never look at those analytics.

Counter to what you said, cdnjs.cloudflare.com does not attempt to set a cookie. The entire site is behind cloudflare, and I could not run the service for as cheaply as I do without cloudflare. The fact that they create long-lived connections to the backend prevents over 90% of the CPU load associated with such short requests.


The monero address was because one of my friends pressured me to add it. In 5 years it has received a total of $12. It is a very quiet donation link. Would you prefer a louder donation link?


There is no privacy policy. What information are you giving that you would consider "private"? It's a single-page site with no ability to enter any information.

alithechemist commented 4 months ago

Thank you for removing cloudflareinsight.com, that's a great start!

Unfortunately, cloudflare is a MITM proxy by definition and you trust them with your SSL private key, and if they want they can prevent some people from accessing contents, or they can change the contents, inject js etc. Now cloudflare has control to eavesdrop and log any user interactions with your website or silently tamper with content if they please.

Why would you trust them? I mean ... really why?

By removing cloudflareinsight.com, you only removed your own access to the analytics, I'm afraid. They keep collecting users' data thanks to the cdn (and the website itself).

I mean if those few lines of css were to be part of the html, would it be so bad for you?

On top of that, if as you say, this is not making you any money, then you should not be afraid of a DDOS. I'm not sure of your past experiences, but I think giving them the SSL certificate and the NS management for convenience is just wrong IMHO.

Anyway, I really appreciate that you removed analytics; at the same time, to be honest, I know that this doesn't change anything on crimeflare side in terms of data collection, as you use them as reverse proxy.

I'll check back on this and if everything checks out I will start using your service again.

Thank you very much for taking the time to reply.

georgyo commented 4 months ago

Using cloudflare saves me several hundred dollars a month in CPU load. Again the fact that they keep long lived connections to the origin saves about 90% of the CPU load on these short requests. My $40/month bill would be closer to $400/month. I am not willing to pay that for a fun hobby project.

> On top of that, if as you say, this is not making you any money, then you should not be afraid of a DDOS.

Because I am not making money I shouldn't care if my service is down? What kind of logic is that? If my service is always down because I cannot handle the load why do I even run the service?

> I'll check back on this and if everything checks out I will start using your service again.

It is not likely to come out from behind cloudflare; I have tried and it crushed my soul. The good news is you can run your own copy! The code is mighty simple.

alithechemist commented 4 months ago

> Because I am not making money I shouldn't care if my service is down? What kind of logic is that?

THE LOGIC OF A CHALLENGE.

So: a website is experiencing difficulties related to high traffic and voilà, cloudflare comes and solves the problem, at the price that from now on they can even change the contents for certain clients.

Convenience is not all, I hope: https://decloudflare.crimeflare.eu.org/#deCloudflare=readme/en.md

> The code is mighty simple

Well yes, it was more about the easy-to-remember ifconfig.io...

$_SERVER['REMOTE_ADDR']

This should do.

firefoxdns
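Added example, not part of the thread and not the project's own code: behind a reverse proxy the socket peer address (the value `$_SERVER['REMOTE_ADDR']` reports) belongs to the proxy, so an echo service deployed the way this thread describes has to decide when to believe a forwarded-address header. The Go sketch below honours Cloudflare's `CF-Connecting-IP` header only when the TCP peer is in a trusted proxy range; the range shown is a constructed documentation placeholder, and the function names and listen address are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
)

// trustedProxies lists the networks the reverse proxy connects from.
// Constructed placeholder (RFC 5737 documentation range); a real deployment
// would load the proxy operator's published ranges instead.
var trustedProxies = []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")}

// ClientIP returns the address to echo back. The forwarded header is used
// only when the TCP peer is a trusted proxy; from any other peer the header
// is attacker-controlled input and is ignored.
func ClientIP(remoteAddr, forwarded string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port present
	}
	peer, err := netip.ParseAddr(host)
	if err != nil {
		return host
	}
	peer = peer.Unmap() // treat ::ffff:a.b.c.d as plain IPv4
	for _, p := range trustedProxies {
		if p.Contains(peer) {
			// Malformed header from a trusted peer: fall back to the peer.
			if fwd, err := netip.ParseAddr(forwarded); err == nil {
				return fwd.Unmap().String()
			}
			break
		}
	}
	return peer.String()
}

func handler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, ClientIP(r.RemoteAddr, r.Header.Get("CF-Connecting-IP")))
}

func main() {
	http.HandleFunc("/", handler)
	fmt.Println(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

A self-hosted copy with no proxy in front would leave `trustedProxies` empty, in which case the header is never consulted.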

xavier-hernandez commented 4 months ago

DDOS is not a challenge. It can happen to anyone for any reason. I just had a server under a DDOS attack without even a website on it. You'd have to find a provider that can stop and circumvent the DDOS attack and not charge an arm and a leg for it. If you want to do it yourself, you'd need load balancers and multiple servers, which cost money. Cloudflare provides those services for free. If other providers offered that service for free, Cloudflare wouldn't be as big as it is now.

On another note, there isn't a form on his website where you can insert private information, so I'm not sure what the issue is from an SSL perspective.

Since this is an open-source product, as said previously, you can host it on your own server and avoid these "security" risks.