Regardless of whether or not you provide your own SSL certificates, cloudflare still uses their own between their servers and client browsers. So any SSL encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?
A lot of people in this thread have never been ddosed and it shows. You don’t need to host a super popular thing to get ddosed.
When you host game servers there are gonna be salty 16 years old that go to a free stresser and hit you with 1gbps.
And you might think “well yeah but it’s not like cloudflare’s free plan protects that much”.
It does, believe me. I’ve done tests with people who have access to botnets and without cloudflare with 1gbps our connection was dead. With cloudflare it didn’t go down and reported more than 50gbps on the cloudflare dashboard.
Also another thing is that a lot of these people are 16 year old script kiddies, and not seeing your IP directly discourages them.
Yes, you’re right that there’s a certain amount of trust you need to have in CF… but what are you trusting it to do? And if they fail, what are the consequences?
Honest question - even if you are sending your Vaultwarden traffic over CF, and they are watching or attacking, you have to trust that the e2e encryption of Vaultwarden is what’s keeping you safe, right? Not the SSL certs. Does the auth mechanism rely on the SSL certs not to be compromised? I would hope not.
For me, it’s about trade offs.
https://www.troyhunt.com/cloudflare-ssl-and-unhealthy-security-absolutism/
These two data sources kinda sum it up for me - “If you are concerned that cloudflare can read your data - don’t use cloudflare.”
But I do want to be sure that any e2e encrypted app doesn’t rely on SSL for its “end-to-end”.
The concern isn’t that CF is reading your data. It’s that 3-letter agencies can read your data at will, since they always make these deals with large companies to have open-hose access to all the data. There was a scandal that Facebook had a special access page for those people.
You might think you’re innocent, and you’re a good person, so nothing to worry about. This is the old “I have nothing to hide”, but this isn’t how the world works. People who want to get you can pull strings to get anything they want from government institutions. After all, government is just people. It’s not a benevolent being.
Now all this is unlikely, granted. But the task of a good security setup isn’t to make it impossible to hack you, but it’s to make it hard enough and costly. I’m quite sure there’s a zero-day somewhere that can hack my bare-bones Linux servers, but good luck breaking the 10 layers of security I have before even reaching these servers to find something remotely valuable about me. I don’t need to make concessions in that regard. You don’t have to trust anyone.
What is it you’re afraid cloudflare is doing? This is a company trusted by tons of corporations who have legit secrets to protect. Why would they care about intercepting your traffic? To what end?
Cyber attacks are goal-oriented and based on attack cost, basically how much effort for how much reward. Is your selfhost traffic super valuable? So valuable that someone would hack cloudflare to get it?
In reality, other than commodity malware that your security suite should easily pick up, there isn’t much threat in my opinion.
The question was a more general one, and not specific to my personal data needs.
The existence of such a ubiquitous centralised service that actually IS a MITM, whether they are malicious or not, seems curious to me.
As they say, if the product is free, then you are the product. If people accept, but recognise, a loss of privacy when using free services from Google and meta, for example, knowing that the data they provide is used for personalised ads, then how come CF’s free tier isn’t viewed with the same level of scrutiny?
If you want then to cache your content to reduce the load of your servers, they have to decrypt the traffic. This is how a reverse proxy works.
And, well, you have to trust them before contract their services. The same way people trust vpns to route their traffic. If I was from some 3 letter agency and want to spy on potential illegal content, I would tap into a vpn server.
Thats not what a MITM is
A MITM is a Man-in-the-Middle Attack, someone whom you dont trust or dont know has hijacked your network connection to either read, remove or modify data from your network packets and then proxy-send it to your initial intended target
Cloudflare is a proxy server, a person you TRUST and designated to passthrough first to scan and check for network security before it redirects and pass your packets through to your intended target, like a gatekeeper
What, you gonna call all your gatekeepers, your bouncers, your proxy servers a MITM?
Get some reading comprehension. He said MITM and not MITM Attack. He’s referring to Cloudflare as a middle man.
What OP is trying to say is why everyone is okay with using Cloudflare when it basically is a middle man where your traffic/requests go through and could potentially be sniffed at.
No, I read it properly, a MITM generally refers to MITM Attack and vice versa in cybersecurity, it is down to the individual to clarify if they meant otherwise and clearly, this case he is referencing to BEING A MITM for malicious purposes
To clarify, I did not mean MITM attack. It actually wouldn’t make sense to say that cloudflare is a man in the middle attack, since it is a company and not an action.
I didn’t include the word “attack” anywhere.
MITM is commonly used together with attack, so your misunderstanding is understandable. However the acronym just stands for Man In The Middle, which is why it is followed by “attack” in such situations.