Cloudflare and HTTP Headers

Archive.is and its domain variants are actively blocking many VPN services and have been for some time. I'm assuming it's because they're under a never ending DDoS, which would also explain the need for Cloudflare. I would love it if people supplied screenshots of things alongside archive links as well. Sadly 8ch also uses Cloudflare. Several issues regarding Cloudflare:

* Wouldn't two sites using Cloudflare make it possible to track a session ID across otherwise unrelated sites regardless of whether a link was clicked?

* Wouldn't Cloudflare be able to seamlessly serve you modified or filtered content without you even noticing? You do have to set the DNS entries on your domain to Cloudflare's servers so they can cache for you.

* If they're caching content, doesn't that mean that humans are telling them what content is worth looking at? I can imagine a system where they prioritize cached content for OCR and datamining based upon how many UUIDs request it, as well as some other factors. Who needs spiders when you've got humans?

* Would this not render most link breaking somewhat futile? While yes, the place you're going to won't directly know you're sending them traffic, couldn't they still obtain that information from Cloudflare or whatever organizations they're selling it to?


However, let's assume that both the sender and receiver don't have Cloudflare in their butt and the user is taking steps to prevent Google, Facebook, etc. from arbitrarily stalking them. Is there any way to reinvent the wheel with regards to tags so that you can more or less link someone to another site without that site getting the HTTP Referrer and Origin? Say by abusing other tags, or maybe with Javascript?

It dawned on me earlier that Google's abuse of links inherently discourages the use of a search engine's primary competitor, indexes. The reason being that being listed in certain indexes, or too many indexes, can negatively impact your search rankings. Nobody wants "bad juice." Therefore people are disincentivized from listing with them. Even breaking the HTTP Referrer and Origin wouldn't necessarily stop Jewgle from attributing "juice" via spidering though, right? If the site encoded the URLs in a custom encoding format, would this be sufficient to avoid detection by most spiders? I suspect that any alternate encoding which gained too widespread a use would likely result in search engines catching wind of the shenanigans and adapting accordingly.

Those specifications were dead on arrival. It's as idiotic as the "do not track me" option that most browsers have these days. Who the hell thinks of these things?

The same reason that doesn't work for sophisticated email harvesters.

Because I have empathy and also because this is very relevant to the deep web. I'm uncertain whether or not local or deep web content that links to the clearnet would necessarily send the information in question as part of the header given that it would be sourced from localhost, considering the obvious security breach that would pose. Then again, I wouldn't put it past popular browser vendors to be that retarded and/or intentionally malicious.

Remember when it was common for small website owners to share traffic with websites they actually liked instead of just websites that offered referral link shekels?

Yes, Cloudflare is effectively MITM as a service. Referrer header isn't really a big deal, Firefox has a config option to disable it. Chrome has a flag to send only the domain instead of the full URL.

First, I'd like to note that Cloudflare is an obvious TLA job and must be destroyed. Now that this is out of the way:

I'm not sure how Cloudflare sets session IDs because I avoid CF sites like the plague, but if you block cookies+JS and use different IPs for different sites, not even Cloudflare should be able to tell.

That depends on whether you use SSL and how you handle it wrt Cloudflare. CF unironically sells MITM as a service, but I think you don't have to use it. However, CF can get a forged cert rather, so you'd have to be extra careful. It's cheaper to just assume that the sites are MITM'd.

They certainly could do that, who knows.

Link breaking is pretty silly in general. It's better to configure your browser to not send referrers across different domains (you should keep intra-domain referrers because (a) the site can tell anyway and (b) many sites use them to fuck with spambots and hotlinking). I doubt that Cloudflare sells this information to low-level orgs though, it would have leaked. The likes of Google, sure, but not some shitty online newspaper.

>Is there any way to reinvent the wheel with regards to tags so that you can more or less link someone to another site without that site getting the HTTP Referrer and Origin? Say by abusing other tags, or maybe with Javascript?
I believe DuckDuckGo and archive.is do something like this when you click on links. Try disabling redirects in your browser and look at the source of the redirect page when you click a link on an archive.is'd page.

You suspect right, you are basically playing a bizarre game of antivirus here.

See above, disable cross-domain referrers.

Disable Javascript, too, obviously.

RefControl is a pretty nice Firefox addon for referrer mangling by the way. Firefox's normal config options are a little coarse. If you want more fine-grained control over your headers, you might also like HTTP Header Mangler.

>Is there any way to reinvent the wheel with regards to tags so that you can more or less link someone to another site without that site getting the HTTP Referrer and Origin? Say by abusing other tags, or maybe with Javascript?
html.spec.whatwg.org/multipage/semantics.html#meta-referrer
Holla Forums could enable this, and in fact has been asked to. It doesn't.
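Added example, not from the thread or any poster: a Python model of the Referrer Policy values defined by the WHATWG spec linked above (the values a meta referrer tag or Referrer-Policy header can carry), showing which Referer a browser sends for a given source page and link target. It also covers the other settings discussed in this thread: "origin" is the "send only the domain" behaviour, "same-origin" and "strict-origin-when-cross-origin" keep intra-domain referrers while dropping or trimming cross-domain ones. All URLs are constructed.

```python
from urllib.parse import urlsplit

# The eight policy names defined by the Referrer Policy spec (the values
# accepted by <meta name="referrer" content="..."> and the Referrer-Policy header).
POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)
DEFAULT_PORTS = {"http": 80, "https": 443}

def _host_port(p):
    """Lowercased host plus port, with the scheme's default port dropped."""
    port = "" if p.port is None or p.port == DEFAULT_PORTS.get(p.scheme) else f":{p.port}"
    return f"{p.hostname}{port}"

def _origin(url):
    """scheme://host[:port] of a URL, as used for the same-origin comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(p)}"

def _stripped(url):
    """The 'full' referrer: userinfo and fragment are never sent."""
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{_host_port(p)}{p.path or '/'}{query}"

def referrer_for(policy, source, target):
    """Return the Referer value sent when navigating from `source` to
    `target` under `policy`, or None when no Referer is sent at all."""
    if policy not in POLICIES:
        raise ValueError(f"unknown referrer policy: {policy}")
    same_origin = _origin(source) == _origin(target)
    # A "downgrade" is an HTTPS page linking to plain HTTP.
    downgrade = urlsplit(source).scheme == "https" and urlsplit(target).scheme == "http"
    full, origin_only = _stripped(source), _origin(source) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    # strict-origin-when-cross-origin: full URL on the same origin, origin
    # only cross-origin, nothing on a downgrade.
    if same_origin:
        return full
    return None if downgrade else origin_only

def policy_table(source, target):
    """What every policy would send for one link, for side-by-side comparison."""
    return {p: referrer_for(p, source, target) for p in POLICIES}

if __name__ == "__main__":
    src = "https://forum.example/thread/123?page=2#post9"  # constructed
    for dst in ("https://forum.example/thread/124", "http://other.example/"):
        print(dst, policy_table(src, dst), sep="\n  ")
```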

Yeah, and when you shut it off, you make a lot of sites unusable, including this one.

spoofing referrer is better

The biggest problem with cloudflare is that it decrypts your shit, but doesn't tell you about it. Browsers need to be modified so that for any cloudflare website, a big warning sign is displayed saying "SSL removed!" or something like that.

every CDN or ad-network is MITM as a service.

Test

Archive.is doesn't choose to block your VPN. Cuckflare blocks every IP address which "bad traffic" (what is "bad" is a Trade Secret and they will not disclose it) comes from, forever, and across all their clients. This block list includes the entire tor network, VPNs, cafes, and workplaces. This has nothing to do with anti DDOS - it's part of cuckflare's bullshit WAF and anti-scraping features which are enabled by default (and why would any customer go in and manually disable a Value Add and get less than what they paid for :^)).

Aside from possibly blocking a host for a small period of time such as minutes or hours, blocking tor and VPNs is not part of a serious anti DDOS strategy.

Ironically, cuckflare's stupid little WAF scripts and filters are what led to their CloudBleed vulnerability, which affected all customers. If some private data was transmitted over HTTPS between customer A on domain X which uses cuckflare, domain Y owned by another completely unrelated cuckflare customer would retransmit that private data to some completely unrelated client B. You cannot be more self-pwned than this. Cuckflare has already proven to the world their incompetence. The only problem now is the rest of the retards that won't move from their service.

Cuckflare got most of their western customers by writing a few novice technical articles and posting them to news sites like HN and reddit to have their dick sucked by wannabe hackers, so most cuckflare sites are just useless hipster bullshit, and hence I usually just close the page once I see

If you press the share button on the archive.is page, it will give you a link that includes the original link. People are morons for not using this format. Archive.is should do it like that by default. But it's 2015 so all links need to be shortlinks (TM).
see
archive.is/Bnb8C
vs
archive.is/2017.04.16-181638/http://8ch.net/tech/res/736066.html

8ch doesn't give a fuck about nuffin. It also blocks tor users from posting images, and trying to moderate a board over tor just goes in an infinite redirect loop.

cuckflare in a nutshell

Also, trying to post here from Links with "send real referer only to the same server" doesn't work:

every
fucking
time

that is true for every single site that uses google analytics and other 3rd party scripts

You can easily block the analytics: don't use JS, and block their domains in DNS.
But cuckflare and related cloud shit is much harder to solve, since you can't do anything on your end, except to entirely avoid sites that use it.

caching is fully automatic. choosing what gets cached and what doesn't get cached is based on request statistics or other methods. Human-curated caches are very unusual, computers can do a better job than humans 99% of the time when it comes to picking what to cache.
This is general information about caching, I have no idea what CF uses but this is how caching is usually done.

Is there a place where they keep a list of domain names of these companies?

oof, right in the feels.
They do have some decent ideas though (e.g. keyless SSL) so forgive me for being taken in. Still better than competitors like Akamai.

...

Is there a way to absolutely positively block any websites using CloudFlare? Or at least to somehow check if a website uses it?

If I remember correctly I've seen Tor devs themselves say that Akamai is better than CloudFlare. Besides, CloudFlare is everywhere which in itself is bad in principle, more websites need to use their competitors (if they absolutely must use mitm services for some bullshit reason).

Akamai may by default handle Tor connections better but other than that I don't see how it changes the fact that you are showing them everything.
It's basically unavoidable if you want to be actually protected against DDoS, otherwise deal with the downtime/expense.

Yeah of course it's shit as well. It's just lesser shit. I don't see how CloudFlare which is shittier is better is all I'm saying.

Cloudflare team pays lipservice to the fact that they are a mitm service and (at least pretends to) work toward excluding themselves from the privileged spot between client and server while still protecting against DoS.
I don't discount the idea that they are working against users but they sure as hell do a better job at pretending they aren't. Akamai is just raking in the shekels.

That only means CloudFlare is worse for us because it hides its bullshit better. What kind of strategy is it to prefer enemies with better propaganda techniques?

that they are bullshitting is debatable.
Would you enter into a contract with Schlomo Goldsteinberg or John Johnson (whose nose is perhaps a little big)?

Using that metaphor I would obviously prefer Schlomo because he's a dirty jew which is obvious to everybody and so is an easier enemy, whereas Johnson acts like a total jew but doesn't look like one so everybody believes his bullshit about how we only need to get rid of obvious jews like Schlomo and everything will be juuust fine when they're both absolute fucking shit that need to be hanged.

ok, seeing as you've adopted my metaphor so precisely I concede. I feel like we would get along well.

bump for nominal anti cuckflare thread

Participating against cuckflare.
Since I use only the tor network now, I have identified that nearly 2/5 of websites use that shit.
I have also discovered something very strange.
In some cases when you use the tor browser cloudflare doesn't manifest itself and doesn't ask you to captcha through google.
But if you use the tor network in a browser (let's say icecat) then you will trigger the cloudflare security constantly.

github.com/pirate/sites-using-cloudflare

What does * mean?
Why not just number them? 1. or a) or A) or Firstly,...

The zip file is 22 MB. The uncompressed sorted_unique_cf.txt file inside is 70 MB. It has 4,287,566 entries.
Is there any part of the web left that's not constantly being MITM by cia niggers?

Effectively Tor users are being censored from the internet.

What's a good alternative DDoS-protection service that's not CIA-nigger-tier?

That's even so if you do use Tor Browser. I was asking that a while ago: how can you know that a website is using CloudFlare, except for explicit blocking etc? Because there's a lot of websites out there that generally work flawlessly then on certain days you get a CloudFlare block or message.

maybe imperva incapsula

You can use dig. If the nameserver doesn't resolve to a hostname, use whois. You can't use dig through tor to find nameservers.

Is there a chan that doesn't use cloudflare? Maybe we can move there. Because I don't really want to use any cloudflare website anymore, if I can help it.

I'm sorry dubs, but the web was a CIA operation from the very start, and old habits die hard.

That's just another CDN, with a better reputation mind you, but still only a CDN
plus, they work with Chinese bitcoin traders. Shifty squints.

How else can you implement ddos protection?
I mean, if you want to stay protected, I think no direct connection to your server can be allowed, the server's address itself should be secret.
If it's not, then anyone can easily fuck you up with one of the following:
- fake dmca takedown requests sent to your server service provider etc
- fake abuse reports like cp etc
- simply ddos-ing your server (often if you're on a cheap plan, you'll get completely null routed or have your service terminated because of it being a ddos-magnet)

I think most people can not afford expensive servers with big redundancy and load balancing and stuff, hence the appeal of free cdn's like cloudflare and there's not much that can be done.

It does create a single point of failure though. Just like all those IoT devices who relied on Amazon servers then went ballistic when those servers became unavailable.

Level 3 and Verizon specifically offer DDOS protection. GTT & Hurricane Electric possibly as well.
But it's really expensive usually, plus all of these are US companies. DE-CIX seems trustworthy, but they're just an exchange as far as I know.

...

especially shitty if you use something like redshift where gamma levels are already lowered

part of why this board is near unreadable.

every fucking site on the internet uses a CDN in the year 2017, Cloudflare is not the only CDN that exists you only rant and rave about this particular CDN because you are a fucking idiot.

if you want the Internet to de-evolve into the 90's where there are no CDNs and everything is slow as shit just stay on whatever cp onion sites you can find and never enter the clearweb.

It's an ASCII bullet point.

No, it's because they by default block Tor. So any site that uses CloudFlare is blocking Tor, unless the administrator modifies their configuration which rarely happens. Tor Project tried to come to some kind of compromise with them but they were not interested.
That's the main reason I personally hate them. There are other legitimate ones as well that other anons can explain better.

they don't.

support.cloudflare.com/hc/en-us/articles/203306930-Does-Cloudflare-block-Tor-

No, the web was designed by CERN and so experimental that nobody knew where or how far it would go. In fact, even several years later it wasn't clear if it or gopher would become the predominant protocol. Even in 1995, when I first got access to the Internet, the web made up only a small part of the entire traffic, and tons of sites were hosted on gopher or even ftp. Anyway dialup shell accounts were the norm (I'm talking average users who pay out of their own pocket for ISP), which means you had a text-only interface and browsed the web with Lynx.
BTW you should read old issues of zines like Phrack and other hacking/phreaking related stuff. Then you'll understand just how clueless the feds were in the 80's and early 90's. It's only later on that they managed to subvert the Internet. Before I got on the Internet, I used to jump on the local X.25 PAD and fuck around on whatever systems I could get into. Nobody noticed, nobody cared.

Use a decentralized system like nntpchan. Even better: don't even use the web at all. It is complete shit now, the protocol, the browsers, the frameworks, everything.

well since the cat's out of the bag: links over tor never triggers ONE MORE STEP. but palememe and firefug do every time. then there are some (few) sites that only trigger sometimes (they must have the Security (TM) level toned down)


literally anything that isn't cuckflare (or its knockoffs). there are now CDNs that block tor because "that's what based cuckflare does"


the A record will go to a cuckflare IP, which are on a cuckflare AS number
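Added example, not from the thread or any poster: a small Python checker that applies the two DNS signals the replies above describe (nameservers under cloudflare.com, A record inside a Cloudflare address block) to `dig +short` output. Because dig can't be run through tor, it takes the dig output as text so the lookup can be done wherever is convenient. The hostnames and dig output are constructed, and the prefix list is an assumed sample that must be refreshed from Cloudflare's published IPv4 list.

```python
import ipaddress

# Assumption: a small sample of Cloudflare's published IPv4 prefixes. The
# authoritative list is published at https://www.cloudflare.com/ips-v4 and
# changes over time, so load it from there in real use.
CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "173.245.48.0/20",
    "141.101.64.0/18", "108.162.192.0/18", "162.158.0.0/15", "198.41.128.0/17",
)]
# Zones hosted on Cloudflare DNS get nameservers of the form <name>.ns.cloudflare.com.
CLOUDFLARE_NS_SUFFIX = ".ns.cloudflare.com"

def parse_dig_short(text):
    """Split `dig +short` output into bare records (blank lines and trailing dots removed)."""
    return [line.strip().rstrip(".") for line in text.splitlines() if line.strip()]

def nameservers_are_cloudflare(ns_records):
    """True if any NS record points at Cloudflare's DNS."""
    return any(ns.lower().endswith(CLOUDFLARE_NS_SUFFIX) for ns in ns_records)

def addresses_are_cloudflare(a_records):
    """True if any A record falls inside a Cloudflare prefix. Non-address lines
    (dig prints the CNAME chain before the final address) are skipped."""
    for rec in a_records:
        try:
            addr = ipaddress.ip_address(rec)
        except ValueError:
            continue
        if any(addr in net for net in CLOUDFLARE_V4):
            return True
    return False

def classify(ns_text, a_text):
    """Combine both signals. 'proxied': connections terminate at Cloudflare
    (the MITM case discussed in the thread). 'dns-only': only the zone is
    hosted there and the origin is reached directly. 'not-cloudflare': neither
    signal fired (a whois on the address or its AS would be the next check)."""
    ns_cf = nameservers_are_cloudflare(parse_dig_short(ns_text))
    a_cf = addresses_are_cloudflare(parse_dig_short(a_text))
    verdict = "proxied" if a_cf else ("dns-only" if ns_cf else "not-cloudflare")
    return {"ns_cloudflare": ns_cf, "a_cloudflare": a_cf, "verdict": verdict}

# Constructed `dig +short` output for two made-up hosts (not real lookups).
PROXIED_NS = "alpha.ns.cloudflare.com.\nbeta.ns.cloudflare.com.\n"
PROXIED_A = "www.site.example.\n104.16.1.2\n104.16.1.3\n"
DIRECT_NS = "ns1.hosting.example.\nns2.hosting.example.\n"
DIRECT_A = "203.0.113.10\n"

if __name__ == "__main__":
    # Real use: dig +short NS site.example ; dig +short A www.site.example
    print(classify(PROXIED_NS, PROXIED_A))
    print(classify(DIRECT_NS, DIRECT_A))
```

A zone can sit on Cloudflare DNS with the proxy switched off for a given record, which is why the A-record check decides "proxied" and the NS check alone only yields "dns-only".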


endchan but one of their access methods is through cuckflare for some reason


uhh it's not like cuckflare is the last bastion of free speech or privacy. they are cucks and as such will crumble to law requests when they start looking threatening. even back when i ran a warez site my small hoster would put up with this shit and ddos as much as reasonable. The fact that cuckflare already blocks tor even though no real threat was ever posed by it is proof that they are cucks and cannot be trusted period for privacy. As for hiding server IP address from the general public, this is largely useless since you can already administer a server without having it publicly linked to you.
As for ddos mitigation, cuckflare is not a solution. cuckflare is a security theater product which so happens to mitigate ddos because traffic has to flow through their service to provide their "security solutions". They can mitigate lots of ddos merely because lots of idiots pay them money for their snake oil product.


cuckflare is a particularly bad CDN because it's not a CDN - it's a "security solutions" package. This means they put your traffic through their "security" service and every time it breaks, your site will be broken with it. Case in point: cloudbleed, second case in point: 5 or so years of tor blocking even for read only static sites. Also no, you don't need a CDN to make your site fast, nor do you need one to mitigate ddos.


kill yourself faggot. if we want to argue semantics here, cuckflare blocks anything that sends malicious traffic (as classified by their Markov chains or regex or whatever bullshit they use) for long periods of time (days? months?). this means any IP address used by lots of people will get blocked. this includes tor. it is not possible to implement such a system without knowing that you're obviously going to block tor as a side effect. the "solution" for this is for every human being to have his own personal IP address. next minute we'll have people buying multiple IP address packages from ISPs so they can properly browse the internet

bump

I would like sauce on that one please.

It's obvious the NSA DDOSs websites to force them to go behind cuckflare.

The problem is that everyone lets them get away with it.

Basically 1 guy bullying his neighbors into submission and then asking for protection money.

It's obvious but there's no real evidence of it.
If there's no paper about it no journalist or twatter sperg is going to relay the info.
Even tho we have been right for the past 30 years about the shit going on in computing but hell we are just paranoid in the eyes of the normie.

(checked)


(checked)
labs.riseup.net/code/issues/11629

this issue should be elevated to Tor Browser and Firefox, it's a very good point actually

PLEASE POST IN THE CUCKFLARE THREAD TO GAIN ACCESS TO THE WEB PROPERTY

bump for cuckflare hate

It's been less than a week since I got the "bad gateway" error from cuckflare for several hours. So much for "high availability", unless they're talking about the crackpipe kind. Usenet in the 90's had better uptime than this.

==WAHHH THEY'RE STEALING DATA== ==NOBODY GIVES A FUCK ABOUT== thread

There is nothing wrong with cloudflare you autists, if you hate the modern net stop using it or shut the fuck up.

...

Nice redtext, fagit.

Cloudflare is ABC project to get around SSL. They serve tons of traffic for free. If your site is not valuable to them, they might kick you to the business plan.

The state of internet today is that you need DDOS protection if your site is not shit. Cloudflare is practically paying you to give them your data. Almost every DDOS or caching service costs money.

*is an

uhh even if you ignore the shit Holla Forums fags keep posting about, cuckflare is still garbage and a cancer to the web.

incapsula is a jewish/israeli company lol

plz contemplate the following.

Also a lot of adblockers will let you block analytics, and uMatrix or RequestPolicy let you manually filter cross-domain requests if you prefer.


You need upstream filtering with your webhost. It doesn't come cheap. The absurd bandwidth requirements of cloudflare don't come cheap either, leading some to suspect that they have an additional revenue stream in the form of the NSA. DoSing is frequently an issue of raw bandwidth, so there's not a lot of ways to get clever and cost-saving on that issue.

spoofing breaks this site

you were born too late and therefore don't know that this statement is horse shit