45
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 17 Nov 2023
45 points (100.0% liked)
Free and Open Source Software
17550 readers
73 users here now
If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.
This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.
founded 2 years ago
MODERATORS
It seems like a lot of your points hinges on this being true, but it simply isn't. There is a massive benefit to preventing DDoS attacks, and that does not require keys. There is no indication that banks are handing over client ctedentials to CF.
“AFAICT” expands to “as far as I know”, which means the text that follows not an assertion. It’s an intuitive expectation that is open to be proved or disproved. The pins are all set up for you to simply knock down.
This is unexplained. I’ve explained how CF uses its own keys to offer DDoS protection (they directly treat the traffic because they can see the request). I’ve also explained why CFs other (payload-blind) techniques are not useful. You’ve simply asserted the contrary with no explanation. HOW does CF prevent DDoS in the absence of treatment of the traffic? Obviously it’s not merely CFs crude IP reputation config because any website can trivially configure their own firewall in the same way without CF. So I’m just waiting for you to support your own point.
This is trivially verifiable. E.g. if you get the SSL cert for eagleone.ns3web.org, what do you see? I see CF keys. That means they’re not using the premium option to use their own keys. Thus CF sees the payloads. I’m open to being disproven so feel free to elaborate on your claim.
How many websites can handle the amount of traffic that CF can handle? It's not just about configuring your firewall, it's about having the bandwidth. Otherwise it's not much of a DDoS protection.
As I don't have an account there I can't see which requests containing credentials use which cert.
And also, just because the cert is verified by cloudflare does not mean they have the private key.
That’s what I’ve been saying throughout this thread. The only significant DDoS protection offered by Cloudflare requires CF seeing the traffic (and holding the keys) so it can treat the high-volume traffic. If CF cannot see the payloads, it cannot process it other than to pass it all through to the original host (thus defeating the DDoS protection purpose).
Why would you need an account? Why wouldn’t bogus creds take the same path?
If it’s true that this is unverifiable, that’s good cause to avoid Cloudflared banks. It’s a bad idea for customers to rely on blind trust. Customers need to know who the creds are shared with /before/ they make use of them -- ideally even before they make the effort of opening an account.
This uncertainty is indeed good cause to avoid using a Cloudflared bank.
UPDATE: I’ve spoken to some others on this who assert that it is impossible for a bank customer to know for certain if a bank uses their own key to prevent disclosure to CF.