privacytools / privacytools.io

🛡🛠 You are being watched. Protect your privacy against global mass surveillance.
https://www.privacyguides.org
Creative Commons Zero v1.0 Universal

What do you think about Cloudflare? #374

Closed ghost closed 5 years ago

ghost commented 6 years ago

This is a cross-reference from prism-break, the similar website endorsing privacy-focused software.

https://github.com/mozilla-mobile/focus-android/issues/1743

I think your website needs to mention Cloudflare under "Recommended Privacy Resources" - "Information".

Atavic commented 6 years ago

A big company that works with millions of sites, potentially tracking all their users.

davidtabernerom commented 6 years ago

Didn't it have a security breach a few weeks ago? I remember that, of course, they didn't say a word.

Hillside502 commented 6 years ago

https://en.wikipedia.org/wiki/Cloudflare#Criticism_and_controversies

ghost commented 6 years ago

Fun fact: www.privacytools.io is using Cloudflare.

Hillside502 commented 6 years ago

https://iplookup.flagfox.net/?ip=104.31.90.13&host=www.privacytools.io https://www.shodan.io/host/104.31.90.13

ghost commented 6 years ago

#96

ghost commented 6 years ago

Now that company websites are forced to write a GDPR-compatible privacy policy, what makes me laugh is that they (the ones who use Cloudflare to serve their websites) are forgetting about the Cloudflare MITM thing.

ghost commented 6 years ago

@CHEF-KOCH

"places now a cookie"? Really? I didn't notice it... Oh ok, I always browse websites without cookies anyway. (deny all)

ghost commented 5 years ago

I have a few issues with CloudFlare:

Problem with CloudFlare

CloudFlare is a vigilante extremist organization who takes the decentralized web and centralizes it under one corporate power that controls the world's largest walled garden. A very large portion of the web (10%+) that was once freely open to all is now controlled and monitored by one central authority who decides for everyone who can see what web content. This does serious damage to net neutrality and privacy, and has immediate serious consequences:

Actions needed

Problem with siteground.com

Looks like another malicious player has emerged with reckless false-positives in their anti-bot agenda. Web hosting service siteground is hitting human visitors of their sites with CAPTCHAs (e.g. https://thewimpyvegetarian.com/.well-known/captcha/). Siteground also has the misconception that all bots are malicious. Siteground can run along with CloudFlare to really compound the denial of service to legitimate Tor users. We need to get this problem on the radar as well before this bad player spreads.

Mikaela commented 5 years ago

Isn't Cloudflare access through Tor supposed to be better since their onion service? I don't have anything to say on the other points.

Atavic commented 5 years ago

I won't touch that cloudflare onion site even with a ten foot pole.

ghost commented 5 years ago

@Mikaela

Isn't Cloudflare access through Tor supposed to be better since their onion service?

Perhaps, if by "better" you mean fewer CAPTCHAs. I've actually come to appreciate the CloudFlare CAPTCHAs because they quickly indicate a site I should avoid. The non-CAPTCHA related privacy abuses still remain for everyone and the CAPTCHA abuses still persist for Tor users who are not using CF's chosen browser. I shit you not, CF is dictating to Tor users which browser they may use -- so cURL, lynx, w3m users are still outright denied service. Controlling which tools users may use is unnecessary. If you visit privacyinternational.org using Tor, you are automatically diverted to a .onion site. CloudFlare could have used that technique which would have been tool-agnostic but they decided to dictate tools to the user.

This is laughable, and actually gives cause to distrust CF:

(from the CF link)

Why should I trust Cloudflare? You don’t need to.

First of all, you do have to trust CloudFlare because they still see all the traffic (they are still a MitM). That's true of their surface web pages and remains the same with the onion service they describe. They see all passwords in an unhashed form, for example.

(from the CF link)

The Cloudflare Onion Service presents the exact same certificate that we would have used for direct requests to our servers,

It's ridiculous that they use the SSL cert because it's totally unnecessary for an onion site.

(from the CF link)

Addresses used by the Cloudflare Onion Service cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion

I get: "This site can’t be reached"

Atavic commented 5 years ago

ReCAPTCHA is a Google service. Tor users are abused by this thing; Cloudflare offers, out of thin air, a ReCAPTCHA-bypassing option for Tor users. Surely they track those who use their service.

ghost commented 5 years ago

@libBletchley

Be advised, GitHub Staff said talking about Cloudflare on Github is off-topic and can be considered spam.

Welcome to Microsoft Github, where Microsoft is a friend of Cloudflare.

This type of repetitive behavior is disruptive to other users and can be considered spam.

coagmano commented 5 years ago

@unnaturalname the spam is when you search all public repos for the word CloudFlare and then indiscriminately post the same message. Especially when you bump old issues, sending notifications to maintainers and users. You're being flagged for the methods, not the content.

ghost commented 5 years ago

@coagmano

the spam is when you search all public repos for the word CloudFlare and then indiscriminately post the same message.

When there is this unusual case of a widespread bug impacting potentially thousands of projects, it seems quite reasonable that a contributor would use the search tool to identify those projects and report or elaborate on the bug.

When you say "indiscriminately post the same message" then it indeed sounds like something that needs to be controlled. But when I look at the list of references ~3-6 days ago to the bug report herein, that's not indiscriminate. The few posts that I sampled out of the 15 rightly discriminate manifestations of the same bug.

It's not the same message verbatim either. I can see that the author took the time to understand the CF role and write each post custom. That's not spam. Spam would generally have the same text verbatim, but then possibly add some gibberish to go undetected. But in this case each message was manually composed by a human. It's actually a bit ironically perverse that someone exposing CF would be called a spammer, when they represent humans advocating for privacy in the fight against the CloudFlare machine which inappropriately treats humans as robots as a consequence of using Tor. @unnaturalname is a human who was just treated like a robot, as CloudFlare does. But worse, it was a human who assessed and treated that contributor as a bot.

The abuse seems to be on the part of whoever controlled @unnaturalname. I say "seems" because I don't really know how he was controlled, but I now see a ghost which implies his account was deleted.

Especially when you bump old issues sending notifications to maintainers and users

If the bug persists then I don't see the problem with necroposting. Old bugs still need activity until they are ultimately resolved. It actually makes a project look dead or understaffed when old inactive bugs sit idly.

You're being flagged for the methods, not the content

From where I sit, it looks like someone didn't like @unnaturalname bringing public awareness to a problem. I see someone who was doing a public service and got censored -- the act of which is a public disservice. It seems to reinforce @unnaturalname's warning, which consequently suggests that GitHub may not be a good venue for privacy-focused projects like privacytools.io.

Mikaela commented 5 years ago

I have read this thread again and I see there are a lot of concerns about Cloudflare, but there is nothing to say what to do instead.

To quote @BurungHantu1605 (https://github.com/privacytoolsIO/privacytools.io/issues/96#issuecomment-267805190) on Privacytools.io using Cloudflare:

The reason i decided to use CloudFlare was the fact that it's easy to setup, and nice to have a free ssl certificate.

Personally I am currently using Cloudflare for DNS hosting as I don't ever know when I might wish I had DDoS protection and I have past experience with both, the domain being unreachable during registrar transfer (and I think it's recommended to have registrar and DNS at separate places) and had a VPS terminated due to getting DDoSed. Later they have also introduced easy DNSSEC (https://github.com/privacytoolsIO/privacytools.io/issues/731).

Currently I am using GitHub pages directly with their LetsEncrypt certificate, but I am loading files from https://cloudflare-ipfs.com/ as that gives them global CDN and I don't know who else than I have the files pinned. I am using https://pinata.cloud/ but they are located in the USA (Five Eyes) and as I am European I think most of my visitors would also be European so I don't think it would make sense to use https://gateway.pinata.cloud/ .

TL;DR: What do you recommend me and everyone getting linked here to use instead?

Additions:

Mikaela commented 5 years ago

I received response by email linking to https://notabug.org/themusicgod1/cloudflare-tor and https://ieji.de/@crimeflare/101785817888174114 (thank you!).

TL;DR: What do you recommend me and everyone getting linked here to use instead? https://github.com/privacytoolsIO/privacytools.io/issues/374#issuecomment-474987504

[1/2]

Personally I am currently using Cloudflare for DNS hosting

There are MANY alternatives. https://dyn.com/dns/ https://dns.he.net/ https://freedns.afraid.org/

  • Your hosting service/register's DNS service.

Wasn't Dyn.com evil or comparable to Cloudflare earlier? https://en.wikipedia.org/wiki/2016_Dyn_cyberattack

On the other two alternatives you linked, I will need to investigate more.

Currently I am using GitHub pages directly

  1. Why don't you start building your server or buy VPS?
  2. Or https://www.reddit.com/r/webdev/comments/5m8tr4/how_do_i_host_the_website_i_just_built/dc1qpk7/ (Surge have free SSL service)

Server building wouldn't help me due to being always behind CGN and flaky IPv6 (I have a Huawei 4G router and I think all of those seem to have a problem where they need to be rebooted often to not lose IPv6 connectivity) and it would cost money like a VPS and being unemployed I don't have money to put into it.

[2/2]

with their LetsEncrypt certificate,

Use Let's Encrypt or buy certificate.

I am loading files from https://cloudflare-ipfs.com/

It's censored. See https://ieji.de/@crimeflare/101779952797884218

The "Cloudflare IPFS experiment" by Joe (at cloudflare-tor's PEOPLE.md) seems to be a broken link as I am unable to access it with my local IPFS Go or IPFS.io gateway. Maybe Joe didn't have a device online enough often or no one has it pinned anymore?

I have IPFS gateway as a variable anyway so I can change it with one line, but I think it's preferable for people to install IPFS Companion to redirect traffic to their local gateway or wherever they prefer (by default https://ipfs.io/ipfs)

PS. Can I also invite you to https://github.com/privacytoolsIO/privacytools.io/issues/785 on Mozilla's DNS over Cloud(flare) and what kind of advice should be given on it? Enforce something not-Cloudflare or disable it explicitly to miss out on encrypted SNI?

ghost commented 5 years ago

I have read this thread again and I see there are a lot of concerns about Cloudflare, but there is nothing to say what to do instead.

I've not tried to dig up dirt on Netlify, but that's one possible answer. Netlify is gratis, will handle traffic to a github page, and comes with SSL. I don't know the extent of their DDoS protection.

I received response by email linking to https://notabug.org/themusicgod1/cloudflare-tor and https://ieji.de/@crimeflare/101785817888174114 (thank you!).

I'm very pleased to see that project is still going. When it disappeared from github I was concerned that the project died. Makes sense to move to notabug.org.

It's very pleasing as well to see that a searx instance finally makes use of that project:

https://searxes.danwin1210.me/

Seems to work well. CloudFlare sites are folded. So that's my new default search engine.

(edit) works well when it's running, but it's very unstable.

Wasn't Dyn.com evil or comparable to Cloudflare earlier? https://en.wikipedia.org/wiki/2016_Dyn_cyberattack

I've not heard that. Your link just shows that Dyn.com was a victim. It's also unclear from that article why those pissed at Ecuador for cutting Assange's internet connection would have a bone to pick with Dyn.com. But I do see about 10 or so notoriously evil companies among Dyn.com's clientele. Perhaps that's worth consideration.

it would cost money like a VPS and being unemployed I don't have money to put into it.

CloudFlare is technically only gratis if you're not getting attacked. When CloudFlare users get attacked, bandwidth goes up and CF considers that out of the scope of the gratis package and forces an upgrade to premium service. So if your site is likely or expected to get attacked then CF is not really a gratis option anyway. So if you need premium service, PerimeterX and Imperva Incapsula tend to be competitors of CF. I don't know much about them, but no CDN exceeds the evil of CloudFlare. So if CF is what you have you can do no worse AFAIK. Netlify is worth a look first though. They've been good for me but OTOH I've not been DDoSed.

ghost commented 5 years ago

@puzzle0solver

@libBletchley do you know this and this?

Thanks for the tips. The add-on didn't work for my version but this one does: https://addons.mozilla.org/en-US/firefox/addon/bcma/. I didn't realize that searx instance was special and since it had no cache links I ignored it. It wasn't until @Mikaela pointed me to the new project site for https://notabug.org/themusicgod1/cloudflare-tor that I realized they've done something great with that searx instance. So I'll be using it from now on.

Mikaela commented 5 years ago

Since my previous comment, I have migrated from Cloudflare to Gandi LiveDNS (my registrar). It's not an entirely painless process, but here are the general steps:

  1. Disable DNSSEC at Cloudflare and Gandi if it was enabled. Cloudflare will say that they will disable it when the records are removed from Gandi who will recommend you to not change your DNS servers for 72 hours!
    • I don't know if this is actually necessary, but I didn't find that much instructions on how to transfer DNS with DNSSEC enabled domain and decided that the safest route is disabling DNSSEC at the old provider and enabling it on the new one.
  2. Export your DNS zone in advanced DNS settings at Cloudflare.
  3. Import the zone to Gandi by editing some parts by hand (SOA and especially TTLs). Cloudflare will have TTLs set to 1 for domains with DDoS protection and Gandi's minimum is 300. This confused me, because Gandi only gave unclear error messages, but I have sent them feedback.
  4. Restore DNSSEC as Cloudflare isn't the only one providing one-click-DNSSEC anymore :purple_heart:

In case of IPFS, I changed my IPFS gateway variables from cloudflare-ipfs.com to ipns.co (GitHub repo).
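A worked version of steps 2 and 3 above, added here as an example and not part of Mikaela's comment, Cloudflare's export tooling or Gandi's importer: it reads a BIND-style zone export, raises every TTL below the destination's minimum (300, as stated above for Gandi) and drops the SOA and apex NS records, which the new provider publishes itself. The zone text, names and addresses are constructed; the 300-second minimum is taken from the comment, and everything else (the export layout, dropping the apex NS set) is an assumption to check against your own export.

```python
"""Prepare a Cloudflare-style BIND zone export for import at a DNS host
with a higher minimum TTL (the comment above: Gandi LiveDNS, 300 s).
Added example; not Cloudflare's, Gandi's or privacytools.io's code.
The zone text below is constructed for illustration."""
from dataclasses import dataclass
from typing import List, Tuple

DEST_MIN_TTL = 300  # Gandi's minimum as stated in the comment above


@dataclass
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str


# Constructed sample in the shape of a Cloudflare export: a $TTL of 1 for
# proxied names, explicit per-record TTLs, ';;' section comments.
SAMPLE_EXPORT = """\
;; Domain:     example.org.
;; Exported:   2019-05-01 12:00:00
$ORIGIN example.org.
$TTL 1
;; SOA Record
example.org.\t3600\tIN\tSOA\tdns.example.org. hostmaster.example.org. 2030000000 10000 2400 604800 3600
;; NS Records
example.org.\t86400\tIN\tNS\tns1.old-provider.example.
example.org.\t86400\tIN\tNS\tns2.old-provider.example.
;; A Records
example.org.\t1\tIN\tA\t192.0.2.10
www.example.org.\t1\tIN\tA\t192.0.2.10
;; MX Records
example.org.\t1\tIN\tMX\t10 mail.example.org.
;; TXT Records
example.org.\t1\tIN\tTXT\t"v=spf1 mx -all"
"""


def parse_zone(text: str) -> Tuple[str, List[Record]]:
    """Parse the subset of zone syntax an export uses: $ORIGIN, $TTL,
    whole-line ';' comments, one record per line with an optional TTL
    and optional class. Multi-line (parenthesised) records are not
    handled, so check the export for them first."""
    origin, default_ttl, records = "", 3600, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        parts = line.split()
        name, i, ttl = parts[0], 1, default_ttl
        if parts[i].isdigit():
            ttl, i = int(parts[i]), i + 1
        if parts[i].upper() == "IN":
            i += 1
        rtype = parts[i].upper()
        # keep rdata exactly as written (spacing inside TXT strings matters)
        rdata = line.split(None, i + 1)[i + 1]
        records.append(Record(name, ttl, rtype, rdata))
    return origin, records


def convert_zone(records: List[Record], origin: str,
                 min_ttl: int = DEST_MIN_TTL) -> List[Record]:
    """Clamp TTLs to the destination's minimum and drop the records the
    destination generates itself: the SOA, and the apex NS set, which
    still points at the old provider's name servers."""
    out = []
    for r in records:
        if r.rtype == "SOA":
            continue
        if r.rtype == "NS" and r.name == origin:
            continue
        out.append(Record(r.name, max(r.ttl, min_ttl), r.rtype, r.rdata))
    return out


def render_zone(origin: str, records: List[Record]) -> str:
    lines = [f"$ORIGIN {origin}"]
    lines += [f"{r.name}\t{r.ttl}\tIN\t{r.rtype}\t{r.rdata}" for r in records]
    return "\n".join(lines) + "\n"


def migrate(text: str, min_ttl: int = DEST_MIN_TTL) -> str:
    origin, records = parse_zone(text)
    return render_zone(origin, convert_zone(records, origin, min_ttl))


if __name__ == "__main__":
    print(migrate(SAMPLE_EXPORT), end="")
```

Run it on the real export, diff the output against the original, and only then paste it into the new provider's import: the diff makes every TTL change and every dropped record visible, which is exactly what the "unclear error messages" in step 3 hide.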

jonaharagon commented 5 years ago

We should be moving privacytools.io off CloudFlare... soon. If all goes well. Not to Netlify though, I'm not sure if moving everything to a Cloudfront CDN (which is what Netlify does) is any better than CloudFlare.

ThatLurker commented 5 years ago

@JonahAragon that has been discussed in #96

ghost commented 5 years ago

Looks like #96 gives a bit of history, but things change and it's also clear that the 2016 decision was not fully informed (the abuses above were known at that time but no one brought them up).

It was most recently discussed in #711. The discussion should really continue until PTIO is off both GH and CF -- perhaps using netlify and notabug.

jonaharagon commented 5 years ago

I wasn't making a suggestion, rather stating a fact :)

ghost commented 5 years ago

@JonahAragon

Not to Netlify though

what's wrong with netlify?

jonaharagon commented 5 years ago

Because I don't see why we would move to a platform built on Amazon? Their CDN for static assets is literally just AWS Cloudfront.

You can go to https://www.opennic.org/ (which is hosted on netlify) and see for yourself, all images are hosted on Cloudfront, which is something Netlify does automatically, not a decision the OpenNIC team made. Too many third party requests for this project I think.

ghost commented 5 years ago

Because I don't see why we would move to a platform built on Amazon

ah, I didn't know Netlify fed Amazon. Amazon is definitely a problem.

jonaharagon commented 5 years ago

We are off CloudFlare. Hopefully we don't take too much of a performance hit. Try it out! https://www.privacytools.io/

ghost commented 5 years ago

Subjecting visitors to CF is worse than subjecting them to bad performance. So it was a good move.

One more anti-CloudFlare change needed: the searx endorsement suggests the searx.me instance. That instance returns CloudFlare results. It should be replaced with searxes.danwin1210.me. The Danwin link randomly picks a decent instance, and then filters the CloudFlare results from that.

I also have some performance optimization suggestions:

BTW, I'm impressed with how viewable (and speedy) the page is in lynx. Hopefully that never changes. You could advertise that somewhere on the page to encourage that kind of lean usage.

jonaharagon commented 5 years ago

Image dimensions are something I'll work on today, I think we're mostly good on that but there are definitely a few that need those specified.

I don't really think we should use third parties to host our images. We actually get a performance improvement from hosting them all ourselves with HTTP/2, since there's fewer external requests. Plus, for privacy related reasons I don't think we should make all our visitors request third party resources where their servers may log traffic. With the current solution we can guarantee that there's no access logging for web visitors.

When I say we took a performance hit, it wasn’t that bad. Of course there was going to be a difference between a single server in Germany vs a network of hundreds of servers internationally serving our content, but we do have a high performance server and like you said, I think the trade-off was worth it to move off CloudFlare.

I’m pretty happy with the results so far :)

We have our own Searx instance now, I’ll probably just link to that or a list of public instances once we get ours listed in more places.

Regarding everything else, probably best if you open a separate issue for them, like PayPal. Not much I can do about that currently personally.

jonaharagon commented 5 years ago

Any images that can't be linked to external sites could be isolated to a separate PTIO host. If that host gets bogged down it doesn't matter because the important stuff is served by the server used for the landing page. Although it's likely the bandwidth not the host that will have effect first. You could resolve that by prioritizing traffic from the server that doesn't send images.

I didn't read this before but this is probably a good idea. We do have good bandwidth and a great server though so I'm not sure if this will end up being an issue. Something to investigate...

ghost commented 5 years ago

We have our own Searx instance now, I’ll probably just link to that or a list of public instances once we get ours listed in more places.

There are a couple issues with that:

I would say if the PTIO instance is configured to filter out CF sites then self-endorsement is well-earned and easily justifiable. If not, then I think the best move is to list the Danwin searx instance which randomly selects a quality instance and then does the CF filtering on the results. When the PTIO instance seems stable enough, the Danwin operator could be asked to ensure that ptio is among the selection.

There's nothing wrong with mentioning the PTIO searx instance, but it's a disservice to PTIO visitors to not make searxes.danwin1210.me the top recommendation and disclose the CloudFlare anti-feature of the PTIO instance.

(edit)

This could be discussed as a separate issue, but to me the searx endorsement is part of the CloudFlare avoidance remedial action.

Danwin just got complicated. CloudFlare filtering is now off by default for those who use the clearnet site, and it looks non-trivial for users to switch that back. They caved to foolish clearnet users complaining about CloudFlare filtering. But the Danwin onion site still does the right thing.

So the best recommendation for Tor users is to use the Danwin onion, and the best option for clearnet users is probably the PTIO instance.
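A way to do the check Hillside502 did by hand earlier in the thread (the IP lookup for www.privacytools.io) and the result filtering the searxes.danwin1210.me instance is described as doing: an added example, not code from searx, the Danwin instance or privacytools.io. A host counts as Cloudflare-fronted when its address falls inside Cloudflare's published IPv4 ranges (a snapshot typed in here; refresh it from https://www.cloudflare.com/ips-v4 before depending on it, and the IPv6 ranges are omitted) or when the HTTP response carries the `server: cloudflare` or `cf-ray` headers. The DNS answers, headers and search results below are constructed so it runs offline; `live_resolve` is the only part that touches the network.

```python
"""Detect whether a host is fronted by Cloudflare, then drop such hosts
from a list of search results. Added example; not danwin's, searx's or
privacytools.io's code. Two signals: the serving IP is inside
Cloudflare's published IPv4 ranges, or the response carries Cloudflare's
identifying headers. All sample data below is constructed."""
import ipaddress
import socket
from typing import Callable, Dict, List, Mapping, Optional
from urllib.parse import urlsplit

# Snapshot of https://www.cloudflare.com/ips-v4 (IPv4 only). Refresh it;
# a stale list is the usual reason an IP check misses a fronted site.
CLOUDFLARE_V4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

Resolver = Callable[[str], List[str]]
HeaderFetcher = Callable[[str], Mapping[str, str]]


def ip_is_cloudflare(ip: str) -> bool:
    """True when ip lies in one of the snapshot ranges (IPv6 never matches)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def headers_are_cloudflare(headers: Mapping[str, str]) -> bool:
    """Cloudflare's edge sets 'server: cloudflare' and a 'cf-ray' id."""
    h = {k.lower(): v for k, v in headers.items()}
    return h.get("server", "").lower() == "cloudflare" or "cf-ray" in h


def host_is_cloudflare(host: str, resolve: Resolver,
                       fetch_headers: Optional[HeaderFetcher] = None) -> bool:
    """IP check first (no HTTP request needed); fall back to headers if a
    fetcher is supplied, which also catches ranges missing from the snapshot."""
    if any(ip_is_cloudflare(ip) for ip in resolve(host)):
        return True
    if fetch_headers is not None:
        return headers_are_cloudflare(fetch_headers(host))
    return False


def filter_results(results: List[Dict[str, str]], resolve: Resolver,
                   fetch_headers: Optional[HeaderFetcher] = None) -> List[Dict[str, str]]:
    """Drop search results whose host is fronted by Cloudflare."""
    kept = []
    for r in results:
        host = urlsplit(r["url"]).hostname or ""
        if not host_is_cloudflare(host, resolve, fetch_headers):
            kept.append(r)
    return kept


def live_resolve(host: str) -> List[str]:
    """Real resolver for actual use; does a network lookup."""
    infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


# Constructed offline stand-ins for DNS and HTTP (hypothetical hosts).
SAMPLE_DNS = {
    "fronted.example": ["104.16.1.1"],
    "direct.example": ["192.0.2.10"],
    "proxied-elsewhere.example": ["198.51.100.7"],  # outside the snapshot
}
SAMPLE_HEADERS = {
    "fronted.example": {"Server": "cloudflare", "CF-RAY": "4c0ffee-FRA"},
    "direct.example": {"Server": "nginx"},
    "proxied-elsewhere.example": {"Server": "cloudflare"},  # header still tells
}
SAMPLE_RESULTS = [
    {"title": "Fronted", "url": "https://fronted.example/page"},
    {"title": "Direct", "url": "https://direct.example/"},
    {"title": "Proxied elsewhere", "url": "https://proxied-elsewhere.example/x"},
]


def demo() -> List[Dict[str, str]]:
    """Filter the constructed results using both signals."""
    return filter_results(SAMPLE_RESULTS,
                          lambda h: SAMPLE_DNS.get(h, []),
                          lambda h: SAMPLE_HEADERS.get(h, {}))


if __name__ == "__main__":
    for r in demo():
        print(r["title"], r["url"])
```

The split into a resolver and a header fetcher is deliberate: the IP check costs one DNS query and leaks nothing to the site, while the header check needs an HTTP request to the site itself (over Tor, the exact request a CAPTCHA wall would intercept), so a search frontend would normally run the cheap check on every result and the expensive one only on hosts the snapshot does not cover.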

jonaharagon commented 5 years ago

You're welcome to open an issue at https://github.com/privacytoolsIO/search/issues to continue this discussion in a more relevant repo, but at this moment I don't think the benefits of removing all CloudFlare-using websites from the results (if I understand you correctly) outweigh our main goal of being a feasible search engine for general use. So many sites use CloudFlare that if we filtered them by default our results wouldn't be nearly as generally useful.

I would have to discuss it with @BurungHantu1605, but as far as I'm currently aware our main goal with the search project is to be a privacy-focused (anti advertising, anti logging) Google alternative, not a search engine for returning only privacy friendly results.

Mikaela commented 5 years ago

What do you think about the possibility of sending all network traffic from your phone to Cloudflare? :laughing:

EDIT: Maybe that is a wrong emoji, I just hope no one gets a heart attack or something on reading the news.

jonaharagon commented 5 years ago

One silver lining is that if you browse the unencrypted Internet through Warp, when it’s safe to do so, Cloudflare’s network can cache and compress content to improve performance and potentially decrease your data usage and mobile carrier bill.

CloudFlare MITM: Now on sites that didn't agree to it.

Edit: well if you're a webmaster and you're so bad at it that you still use http then you get what's coming to you. At least CloudFlare openly admits this is happening with their VPN lol