45
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 17 Nov 2023
45 points (100.0% liked)
Free and Open Source Software
17550 readers
73 users here now
If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.
This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.
founded 2 years ago
MODERATORS
How many websites can handle the amount of traffic that CF can handle? It's not just about configuring your firewall, it's about having the bandwidth. Otherwise it's not much of a DDoS protection.
As I don't have an account there I can't see which requests containing credentials use which cert.
And also, just because the cert is verified by cloudflare does not mean they have the private key.
That’s what I’ve been saying throughout this thread. The only significant DDoS protection offered by Cloudflare requires CF seeing the traffic (and holding the keys) so it can treat the high-volume traffic. If CF cannot see the payloads, it cannot process it other than to pass it all through to the original host (thus defeating the DDoS protection purpose).
Why would you need an account? Why wouldn’t bogus creds take the same path?
If it’s true that this is unverifiable, that’s good cause to avoid Cloudflared banks. It’s a bad idea for customers to rely on blind trust. Customers need to know who the creds are shared with /before/ they make use of them -- ideally even before they make the effort of opening an account.
This uncertainty is indeed good cause to avoid using a Cloudflared bank.
UPDATE: I’ve spoken to some others on this who assert that it is impossible for a bank customer to know for certain if a bank uses their own key to prevent disclosure to CF.