this post was submitted on 26 Dec 2023
0 points (NaN% liked)

Privacy

799 readers
12 users here now

Privacy is the ability for an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively.

Rules

  1. Don't do unto others what you don't want done unto you.
  2. No Porn, Gore, or NSFW content. Instant Ban.
  3. No Spamming, Trolling or Unsolicited Ads. Instant Ban.
  4. Stay on topic in a community. Please reach out to an admin to create a new community.

founded 2 years ago
MODERATORS
c0mmando@links.hackliberty.org
0
Has avoiding Cloudflare become Impossible? (links.hackliberty.org)
submitted 8 months ago* (last edited 8 months ago) by c0mmando@links.hackliberty.org to c/privacy@links.hackliberty.org
4 comments fedilink hide all child comments
 

Nearly every website today seems to be hosted behind Cloudflare which is really concerning for the future of privacy on the internet.

Cloudflare no doubt logs, stores, and correlates network telemetry that can be used for a wide array of deanonymization attacks. Not only that, but Cloudflare acts as a man-in-the-middle for all encrypted traffic which means that not even TLS will prevent Cloudflare from snooping on you. Their position across the internet also lends them the ability to conduct netflow and traffic correlation attacks.

~~Even my proposed solution to use archive.org as a proxy is not a valid solution since I found out today that archive.org is also hosted behind Cloudflare...~~ edit: i was wrong

So what options do we even have? What privacy concerns did I miss, and are there any workaround solutions?

top 4 comments
sorted by: hot top controversial new old
[–] overflowingmemory@links.hackliberty.org 1 points 2 weeks ago

Stupid Question:

How do I find out if a website I use is hosted over cloudflare? The noscipt javascript blocker extension shows in some cases I blocked some cloudflare javascript. For example on the lemmy.world instance it shows a script labeled "cloudflareinsights.com" that I block. That apparently provides visitor analytics

According to them on insights:

Our edge sees all requests made to a website, regardless of whether it’s cached or uncached, the user has adblock, or they turned off JavaScript. This enables us to [....]

On other sites it shows a "confirm you are human" check-box labeled with the cloudflare brand (if I activate javascript for that site) -- according to cloudflare wikipedia that service is known as Cloudflare Turnstile. This is how I currently see if cloudflare is involved.

Another interesting thing I noticed on stackoverflow is email protected which confirms to me stackexchange also uses cloudflare somehow.

I guess you could detect a Reverse Proxy by cloudflare based on its IP-Adress ~ but I do not really know how to look that up perhaps the following stack overflow answer might help using the tools nslookup and whois... Any other hints on this?

nslookup www.monero.town whois -h whois.arin.net n <IP-Adress from prev command> | egrep 'Organization'

[–] ultranaut@lemmy.world 0 points 8 months ago (1 children)

I don't think it's possible to avoid companies like Cloudflare, AWS, Akamai, etc. Or not without a whole lot of effort that isn't really reasonable and would severely degrade user experience. They provide what's become fundamental infrastructure to the internet, and that doesn't seem likely to change.

[–] freedomPusher@sopuli.xyz 0 points 8 months ago* (last edited 8 months ago) (1 children)

It is possible to avoid Cloudflare (the worst offender), proven by instances that are run by more competent experts. For example:

  • fedia.io
  • sopuli.xyz
  • beehaw.org
  • infosec.pub
  • lemmy.dbzer0.com
  • slrpnk.net
  • links.hackliberty.org
  • lemmy.ml ← used to be Cloudflare-proxied but they got wiser
  • mander.xyz

^ Those are good instances where users’ traffic is not recklessly exposed to Cloudflare.

These instances below not only expose their users to Cloudflare, but they’re not even decent enough to inform their own users about it:

  • lemmy.world ← Cloudflare
  • sh.itjust.works ← Cloudflare
  • zerobytes.monster ← Cloudflare
  • lemmy.ca ← Cloudflare
  • lemm.ee ← Cloudflare
  • programming.dev ← Cloudflare
  • lemmy.zip ← Cloudflare

If you probe admins of the above list, some will say in effect that they regret pawning all their users to CF but claim they have no choice - that they do not know how to defend from attack. Some admins have no regrets and simply do not give a shit. Many admins are actually ignorant to the extent of not even knowing Cloudflare sees the traffic (yes, many times admins were appalled to learn this from me; who to them is just some random pleb). Probably the most despicable aspect to this is that no Cloudflare admin is socially responsible enough to post a banner msg making sure users are informed about their exposure. If they are proud of their choice and feel they have no choice, then why neglect to disclose it (esp. on a non-profit activity)?

Regardless of their reasons/excuses, it really does not matter to the user. What matters to users is that there are privacy-disrespecting choices and relatively privacy-respecting choices. Obviously street-wise users select from the first list I posted and not the 2nd list.

Only CFd government sites are unavoidable

The only Cloudflare sites that are unavoidable AFAICT are government sites. You can always boycott the private sector, but there are 6 or so states in the US where voter registration goes through Cloudflare. Even if you register on paper, the data entry worker likely goes to the Cloudflare site. I became a non-voter for this reason.

[–] overflowingmemory@links.hackliberty.org 1 points 3 weeks ago

ironically monero.town also uses Cloudflare.