CF is amassing a lot of power. With 30% of all Internet Traffic going through CF and them decrypting all HTTPS traffic at the Edge...and able to change any or all of it transparently. This extract from CF's blog reads like a Government/Threat Actor's dream come true....
@thc Is there an HTML obfuscating solution against this?

@mafe @thc Yeah it's called #encryption.

It also completely defeats the point of a CDN/caching-proxy like Cloudflare.

There are a few issues at play here, but mostly the redundancy limiting ability for DDoS could be handled by #p2p content-addressed mirrors, the problem is that on the #clearnet that has major #privacy issues.

So instead of doing the smart thing and deprecating the clearnet for application-level traffic, people just went "fuck it" and took the shit (but easy/simple) option.

@lispi314 @mafe @thc

IMHO: Using a CDN just means that someone is bad at building small websites.

@wakame @mafe @thc Counterpoint: Audiovisual content gets heavy.

Even if you selfhost your webcomic on the most barebones of plain HTML sites, if you get the hug of death your site is going down/unreachable.

If it were on content-addressed #P2P network, that needn't be the case.

@thc I remember ISPs doing this kind of MITM attack. I did not realize that was possible given https.

Mostly I’m puzzled that it hasn’t gotten more attention.

@jgordon

Cloudflare doesn't have to break SSL; they're in the unique position of having direct access to the plaintext HTML passing through them.

Some of what they're proud of here is blatantly evil.

@thc

@jgordon @thc #Privacy conscious circles have been ringing the alarm for a while, but everyone keeps ignoring them or deriding them as paranoid for just seeing the writing on the walls and what is /right now/ being done with some modicum of subtlety (which somehow enables it to just fly under the radar? why?).

@thc

It surprises people that CF can see (and modify) the plain HTML even under https, but if you think about it, any CDN has to do that to be able to cache content.

Same as with a VPN, using a CDN requires some amount of trust. Unfortunately, it only requires trust from one side (the backend service) and not the other (the end user), which doesn't have any say in the outcome.

@javierg That's not entirely true. CDN can provide an extremely valuable service by only serving static things.

@thc

@riley @thc

Do you mean to serve the HTML and any response from the front-end directly to the user and only let the CDN cache images, CSS and scripts? Yes, you can do that, even in the current offering of CDNs.

It does reduce the ability of the CDN to spy on you, at the cost of a more complex setup.

Still the choice of the backend service provider, not the end user.

@thc @tychotithonus But I thought they said they didn’t want power.
@PeoriaBummer @thc @tychotithonus They lied, as corporations usually do.
@lispi314 @thc @tychotithonus I don’t think they’d do something like that. That doesn’t sound very much like them at all.

@PeoriaBummer @lispi314 @thc @tychotithonus they still gotta answer subpoenas and their employees aren't immune to the three letter agencies.

Same goes for every US-based company, but most don't serve that much of web traffic.

@thc if they modify the content and re-sign the HTTPS, will the certificate signature be for them rather than the source site?

@guigsy Your question is misguided.

Despite the original architecture, most present-day SSL certificates used for HTTPS don't certify an entity but an endpoint.

@thc

@guigsy @thc they hold a certificate which says that they *are* the source site.
@womble you need to use one of their edge certs for them to intercept though. Unless I’m missing something? If you don’t use one you give up proxying and direct server requests but I think that’s pretty much it.
@guigsy Yes, and a huge number of sites use CF for SSL termination like that

@guigsy When people use CDNs, they usually don't encrypt their shit and trust a third party, the CDN itself, to do TLS encryption. Even if servers handle TLS, it's a separate connection anyway

Users never directly send requests to the actual servers they want content from. They send requests to CDN servers, which then request the content from the "end" servers. CDNs are MITM-by-design.

Client <=Encrypted or plaintext=> CDN <=Separate connection=> Service servers

@thc
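Given the topology above, the only way for a site operator to notice an edge-side rewrite is to compare what the origin serves with what the edge returns. The script below is an added example (not from this thread, Cloudflare, or any project): it parses both HTML documents and reports resource references and inline scripts that differ; the two documents and their hostnames are constructed placeholders standing in for a direct origin fetch and an edge fetch.

```python
"""Edge-vs-origin HTML comparison: spot on-the-fly rewrites made between origin
and client. Added example, not Cloudflare's or any project's code. ORIGIN_HTML
stands for a direct fetch from the origin (bypassing the CDN); EDGE_HTML for the
same URL fetched through the edge. Both are constructed; hosts are placeholders."""
from html.parser import HTMLParser

ORIGIN_HTML = ('<html><head><title>Home</title>'
               '<link rel="stylesheet" href="http://www.example.org/site.css">'
               '</head><body><a href="http://www.example.org/about">About</a>'
               '<script src="/app.js"></script></body></html>')
# Constructed edge response: http:// rewritten to https://, plus one external
# and one inline script injected by the intermediary.
EDGE_HTML = ('<html><head><title>Home</title>'
             '<link rel="stylesheet" href="https://www.example.org/site.css">'
             '<script src="https://edge.example.net/injected.js"></script>'
             '</head><body><a href="https://www.example.org/about">About</a>'
             '<script src="/app.js"></script><script>window.__edge=1;</script>'
             '</body></html>')

class ResourceCollector(HTMLParser):
    """Records external references as tag[attr]=value plus inline script bodies."""
    WATCHED = {("script", "src"), ("link", "href"), ("img", "src"), ("a", "href")}

    def __init__(self):
        super().__init__()
        self.resources, self.inline_scripts, self._in_script = set(), [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for t, a in self.WATCHED:
            if tag == t and attrs.get(a):
                self.resources.add(f"{tag}[{a}]={attrs[a]}")
        self._in_script = self._in_script or tag == "script"

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.append(data.strip())

def compare_origin_edge(origin_html, edge_html):
    """Return what the edge added or removed relative to the origin's HTML."""
    o, e = ResourceCollector(), ResourceCollector()
    o.feed(origin_html)
    e.feed(edge_html)
    return {"identical": origin_html == edge_html,
            "added_resources": sorted(e.resources - o.resources),
            "removed_resources": sorted(o.resources - e.resources),
            "added_inline_scripts": [s for s in e.inline_scripts if s not in o.inline_scripts]}
```

In a real deployment the origin copy is fetched with DNS resolution pinned to the origin IP (or over the origin's own hostname) and the edge copy through the public hostname, then both fed to `compare_origin_edge`.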

@thc I'm gonna say it again: #CloudFlare / @cloudflare is a #RogueISP and its whole business model should not only not exist but be as illegal as #Racketeering is in the #MeatSpace!

@thc The image in the parent post is a screenshot of the first paragraph of the “Parsing and modifying HTML on the fly” section of this Cloudflare blog post.

I don’t like seeing people take my side for reasons I disagree with, so:

On-the-fly HTML rewrites are standard features for any website hosting provider, esp. classic PHP-enabled web hosts. The “HTTPS-compromising intermediary” argument doesn’t hold water if you treat a CDN as a hosting provider.

There are much better reasons to oppose CloudFlare: their “hate credits”, scope creep, and undermining of browser diversity (by sending uncommon TLS fingerprints through CAPTCHA hell) are better reasons, especially given their market share.

Incident report on memory leak caused by Cloudflare parser bug

Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare.

The Cloudflare Blog
Agreed, @Seirdy, although as @thc mentioned, 30% of the interwebs traffic (BTW, commonly cited figure last year was 20%) being visible gives clownflare a lot of power to abuse. The line between a backup key for a friend and a master key that can unlock every door in the neighborhood is not so fine IMHO.
@cnx @thc Agreed, their market share makes their anti-browser-diversity TLS fingerprinting-based CAPTCHA hell extremely problematic.
@thc they're also blocking VPNs in many cases
😐
@thc source on "30% of all Internet Traffic going through CF"? I'm always curious how they stack up against others like Akamai.
@thc using cloudflare means that your data will be scraped by the NSA since it's an American company. So while it has a lot of nice things to offer it is a bit of a deal with the devil... but then again that's using any American internet infrastructure

@thc

> safely rewrite http:// to https://

What for? Properly maintained websites should use https:// by default, all the time; one handles it on the web servers instead of trusting some third party… It's not Jed to do HTTPS

All the rest is bad and intrusive (injecting Google spyware, AMP bullshit¹ which is another Google spyware, modifying HTML…). Only idiots with 0 respect for their users (e.g. marketing people) would want such intrusive crap

1. Useless extra JS won't make pages "load faster"

@thc not true from a technical pov and very misleading. CF isn’t decrypting https in order to do this. They’re handling the initial http to https encryption so of course they have access to the http.
Excessive power, maybe, but not implemented in the manner implied here
@BenAveling CF decrypts all HTTPS at the edge and then forwards it via http to the origin server. That’s the most common setup. This is still true if only HTTPS is used (even with HSTS policy enforcement).
@thc well yes. But that’s not a bug, it’s a feature. So to speak