CloudFlare and "visitor" privacy issues

Has anyone ever actually bothered to read CloudFlare's privacy policy?
cloudflare.com/security-policy/

Important parts:

Note how they specify the difference between "users" and "visitors"; almost all of the privacy protections they provide only apply to users and not visitors (you).

This allows them to log all of the data that a visitor sends through their service. Considering they strip the SSL off packets for inspection they can collect everything.

This allows them to track you if you are using the same browser to access different websites through different Tor circuits in the same session and combine that data. Only starting an entirely new session will delete cookies and keep CloudFlare from linking your usage of different websites.

This allows them to sell the data of visitors to 3rd parties, so long as it's aggregate (which doesn't mean much, as some companies sell their "aggregated" data in bundles of 8 users or fewer for easy segregation by the party the information is being sold to).


As far as ddos protection goes, isn't it pretty much cloudflare or nothing?

This site isn't using cloudflare for DDoS protection against anyone serious, because their netblocks are public information and no attempt has been made to hide Holla Forums from the outside world.
What it is used for is to save money on their bandwidth bills, like any CDN.

And what would someone serious do? Just attack the known server IPs and log in remotely?
How does it do that?

Or more specifically, how would someone "serious" DDoSing the site by flooding it with packets be different from someone holding down F5 in their browser?

CDNs are used to speed up sites, since loading content from local servers is much faster; it's why pretty much every major website uses CDNs.

The other big ones are Akamai and Amazon (which are the CDNs Twitter uses, I believe). People use Cloudflare because it's big on free speech and all that.

There's a lot of other CDNs but Cloudflare is probably the best.

Again, low bandwidth rates across the board = money saved (most of the time; as with everything, it depends.)
They're using MITMflare to save money and obviously to "speed up the website," but mostly to save money.

You realize that Cloudflare isn't the only CDN and most websites run off CDNs, right?

If big sites like Facebook/Jewtube/Twitter didn't use CDNs they'd be slow and a pain to use, only things like blogs or small sites used by a handful of people can really get away with not using CDNs, most people won't tolerate slow sites.

"big sites" (read:serious) don't run traffic through a third party reverse-proxy MITM.
They have their own networks and agreements or, in the lesser tier, only serve from CDN for static content.

Yeah, they have agreements with CDNs like Akamai, which is why when Akamai goes down they do too.

gigaom.com/2011/08/08/akamai-dns-issue/

Cloudflare's business proposition: we'll protect you for free in exchange for leaving your users unprotected against us.
And since website owners don't give a shit about you, it works.

Again: in the case of dynamic content, this is not routed through the POP. For static content, yes. You don't seem to understand what I'm saying, so I'll leave it at that.

This blog says more than I ever could about the problem with Cloudflare in particular:
cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/

Cloudflare probably doesn't make anything from their free service; they'd make it from the paid plans and Enterprise. They might even be running CDN stuff for big sites like Facebook or Twitter without announcing it.


Facebook, Twitter, Youtube and Google aren't running their sites just from the goodness of their Jewish hearts.

As far as boogeymen go I think Cloudflare makes a pretty weak one.

It's not a boogeyman, it's making the web demonstrably less safe as a whole.

I don't see what the argument is, I'm saying that CDNs are a good thing and a necessity for modern sites.


I'm more concerned about giving my mobile number to Twitter.

If Holla Forums was designing a website how would they implement DDoS mitigation?

cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/

The article makes it seem that Cloudflare is the only CDN, if Cloudflare went out of business tomorrow then all those other popular CDNs would take over. That's why it's a weak boogeyman. There is only one Facebook, one Twitter, one Youtube and they have a near monopoly in their areas.

Here's the argument: cloudflare is MITM-as-a-service. No, CDNs are not traditionally a reverse proxy MITM.
CDNs are traditionally serving static content from the POP, and picking the fastest route for dynamic content, but with no actual reverse proxying going on requiring SSL termination.

The problem with cloudflare is that it's making the web less safe as a whole, mostly through the free plans.
And if you actually pay for Pro, you're probably better off using a traditional CDN if you know what you're doing.

Twitter and all of those guys, they're not being reverse-proxied through the POPs.

Again, read cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/

It's the only CDN to offer free reverse-proxying through their POPs, advertising services that don't actually work and making people believe that their infrastructure is actually safer as a result.

Why should I be more afraid of Cloudflare than Twitter or Facebook?

At worst Cloudflare is just another one of them.

Because twitter and facebook aren't a reverse proxy promising clueless admins that they'll secure their infrastructure (doesn't actually work) against L7 DoS/DDoS, and they aren't a huge termination point for a large percentage of the web which prevents users from accessing your site until you also go through another MITM monolith (google) for them to determine whether you're human or not.

In the scheme of things that's all pretty minor.

These days people don't make their own websites they make a Facebook page or a Twitter account. That's the direction the Internet is going.

The layer of attack would be different

Holla Forums doesn't code, silly.


Nice paywall, faggot.

Not impossible.

Yes, the people who ruined half the internet for Tor users care about free speech. Go back to HN, faggot.


Explain how this is ddosing/how it works. Can I ddos the site just by holding down F5?

No, that poster is a retard.
You can perform a (D)DoS in some circumstances on the application layer if the application is vulnerable, though, through repeated actions and scripting.

We know.
It's not like you can opt out of it though. The webmaster decides whether or not they want you to be spied on, and if they're hosting anything worthwhile, and choose to have you not spied on, well look, a convenient DDoS hits them for which only CloudFlare offers a suitably priced service to protect them from :^)

But how did Cloudflare become so popular? People just suddenly started using it everywhere.

I don't mind Cloudflare anymore now that I can complete the captcha with JS disabled, although it would be better if I didn't have to enable Google's iFrame. It does become a problem when I'm using wget or something though.

Holding down F5 to spam GET requests is DDoSing. If a lot of people did it at the same time it could crash a site.

There are other options, like Incapsula. I tried yet another service, but they demanded that I install something on my server; I obviously declined that offer.

Would just move to Usenet or other NNTP-derived thing instead, for decentralized BBS/forum type stuff.
If file store is needed, a set of mirrored FTP, Gopher, and WWW sites would do the trick. Think about how *nix distros and such have massive bandwidth needs, and yet are often met via simple mirroring across the globe. I mean to entirely individual sites, not CDN. For example, OpenBSD mirrors:
openbsd.org/ftp.html
Even using torrent is a possibility.

addons.mozilla.org/en-US/firefox/addon/decentraleyes/
recommended by privacytools.io

kek

KEK

KEK!

Try to estimate the rent of server farms and fat pipes around the world. That's how much behavioral data costs.

In case you haven't noticed, the business model of modern web has been providing free services in exchange for data gathered by provider since the first third-party counters. Cloudflare has a very tasty piece because it found the right excuses for solving the encryption problem (that your ISP has when it collects your web browsing stats to sell) and the ad blockers problem (it can't be disabled on user side), and correlates user data from many websites. It also can freely implement TCP fingerprinting and other advanced spying techniques on their own hardware (Google and other big players already have that, that's why they never cared about having ad blockers that directly cause money loss in app/extension stores).

Tor was totally right when they pointed a finger at Cloudflare. The problem is not the complexity of the captcha or amount of bots using Tor, it's “you have to provide your identity before just visiting a website” motto they try to push.

Also, if you don't understand that all the data Cloudflare collects is seen by government agencies, you have a severe learning disability.

Website owners who use shit like that (i.e. everyone) sell their users, plain and simple.

Network layer DoS attacks can be dealt with by a competent IT specialist who understands how the Internet works and has prepared the backup infrastructure on standby. It will cost more if you do everything yourself, but it is doable. Negotiate the ability to have multiple connections to multiple ISPs and IX points, put the Linux proxies on their ends, check that your DNS service provider is big and secure against attacks, make a subdomain that points to proxies. When DoS hits, ask upstream providers to blackhole your address/subnet, use a secret one for communication between proxies and main server, make a redirect from your main domain to proxy subdomain, announce that everyone can use that subdomain directly on media, filter smaller streams of junk on your primitive CDN nodes, make deals with their ISPs to clean the traffic, etc. You just need to be able to calculate bandwidth, proxy hardware performance, manipulate BGP records to dispense the traffic, and so on. Of course, there's a lot of companies who have all of that ready, so you just have to wait for DNS caches to expire after you sign a contract with them.

Application layer DoS, especially in systems where no valid request can be lost and no interruptions can happen (like financial ones), is where lots of money is spent, lots of hardware heats up the atmosphere, and lots of analysis happens.
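The thread goes back and forth on whether holding down F5 is "DDoSing" and on what application-layer DoS actually looks like to the operator, and the post above points at the log analysis that the expensive part of L7 mitigation rests on. The following is an added example, not code from the thread or from any of the services discussed: a sliding-window per-client request-rate detector run over constructed access-log lines (common log format, RFC 5737 documentation addresses, invented paths). The window size and threshold are assumptions picked for the sample; a real deployment would tune them per endpoint and weight expensive paths (search, posting) higher than static assets.

```python
"""Sliding-window L7 flood detector over constructed access-log lines.

Added example; not from the original thread. Log lines, addresses, paths,
window length and threshold are all constructed/assumed for illustration.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "common" log line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def find_floods(log_text, window_seconds=10, max_requests=10):
    """Flag any client that exceeds max_requests inside any window_seconds span.

    Returns {ip: {"first_seen": datetime, "peak": int, "top_path": str}}.
    A client spreading the same number of requests over a longer period is
    not flagged, which is what separates a busy human from a scripted reload.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])          # logs may be written out of order
    recent = defaultdict(deque)                  # ip -> timestamps within the window
    paths = defaultdict(Counter)                 # ip -> path histogram
    flagged = {}
    span = timedelta(seconds=window_seconds)
    for r in records:
        q = recent[r["ip"]]
        q.append(r["ts"])
        cutoff = r["ts"] - span
        while q and q[0] < cutoff:               # evict requests older than the window
            q.popleft()
        paths[r["ip"]][r["path"]] += 1
        if len(q) > max_requests:
            info = flagged.setdefault(r["ip"], {"first_seen": r["ts"], "peak": 0})
            info["peak"] = max(info["peak"], len(q))
            info["top_path"] = paths[r["ip"]].most_common(1)[0][0]
    return flagged


def build_sample_log():
    """Constructed sample traffic (not captured from any real server)."""
    lines = [
        # One ordinary reader: three requests spread over ten seconds.
        '203.0.113.7 - - [14/Jul/2016:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
        '203.0.113.7 - - [14/Jul/2016:10:00:04 +0000] "GET /style.css HTTP/1.1" 200 800',
        '203.0.113.7 - - [14/Jul/2016:10:00:09 +0000] "GET /thread/1 HTTP/1.1" 200 9000',
    ]
    # A steady client: ten requests, one every three seconds (never >4 per window).
    for i in range(10):
        lines.append(f'192.0.2.9 - - [14/Jul/2016:10:00:{3 * i:02d} +0000] '
                     f'"GET /thread/{i} HTTP/1.1" 200 9000')
    # The "held down F5" client: twelve identical requests in four seconds.
    for i in range(12):
        lines.append(f'198.51.100.2 - - [14/Jul/2016:10:00:{5 + i // 3:02d} +0000] '
                     f'"GET /thread/1 HTTP/1.1" 200 9000')
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, info in find_floods(build_sample_log()).items():
        print(f"{ip}: peak {info['peak']} req/10s from {info['first_seen']:%H:%M:%S}, "
              f"hammering {info['top_path']}")
```

With the constructed sample only 198.51.100.2 trips the threshold (peak 12 requests inside a 10-second window, all for /thread/1); the steady client sends the same total as the threshold but never more than four in any window, so it is left alone. The same structure is what a rate limiter in front of the origin does, except that instead of reporting it returns 429 or tarpits the client, and it only helps if the origin sees the real client address rather than the proxy's, which is the proxy-header trust question the rest of the thread is about.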

c.: Qyakjs, nice name to sell to some hipsters.

Couldn't you just clear your cookies or use an addon like Self-Destructing Cookies?


Yes, but Cloudflare doesn't just have a free service; they charge for Enterprise plans and other premium services.

The other business model on the Internet is to offer a free service you lose money on but use that to advertise/gateway a non free service you make money on.

cloudflare.com/transparency/


This puts them ahead of most everyone else.

Seems legit.

You really think a big company would just lie like that? On the internet?

So you personally audit the source code of every piece of software you use?


I hope you posted that from your "no logs" VPN.

I actually turned on logs a few weeks back and forgot to turn them off, thanks for reminding me.

Terry Davis is right about banning third-party developers. That shit was a mistake.
youtube.com/watch?v=vakWMNA1oWc


Please spoiler NSFW files.

I don't think you understand what's going on in that image