20
feature request: give users a cancel Cloudflare config option (lemmy.dbzer0.com)
submitted 1 year ago by diyrebel@lemmy.dbzer0.com to c/lemmy_support@lemmy.ml
11 comments fedilink hide all child comments

Apart from Cloudflare being an access restricted walled garden that harms interoperability, I really do not want my content on CF & I do not want CF content reaching me. This bug is one of many issues likely caused by Cloudflare:

https://lemmy.dbzer0.com/post/4806490

I would like to flip a switch that has the effect of making my whole UX Cloudflare-free. Cloudflare is antithetical to decentralization and it has clearly broken the #Lemmy network.

top 11 comments
sorted by: hot top controversial new old
[-] mypasswordis1234@lemmy.world 12 points 1 year ago* (last edited 1 year ago)

https://spyware.neocities.org/cloudflare.txt

Tl;dr: The text states that CloudFlare acts as a bad Man-In-The-Middle for the entire internet:

  1. It tells you which browser to use, or else you'll face a captcha or a "Access Denied" screen.
  2. The extensive data collected by JavaScript scripts injected on-the-fly by CloudFlare poses a privacy threat to users (mouse movements, scrolling, keystrokes, device information, mouse clicks, and more).
  3. It acts as a Man-In-The-Middle for SSL. When you connect to a website, you're actually connecting to CloudFlare's servers, which then relay the data to the actual website, allowing them to intercept all traffic between you and the website.
  4. CloudFlare often blocks Tor users without reason. Using Tor doesn't make you a criminal, right?
  5. CloudFlare makes browsing the internet without JavaScript nearly impossible.
  6. Cloudflare can potentially attack individual users with malicious JavaScript because you typically enable JavaScript to use websites, falling into their trap. Since they track users, provide personalized code, and collaborate directly with the US government/DHS, there's no reason they couldn't tailor attacks to specific users.

This isn't just an individual problem but a fundamental threat to the internet ecosystem.

[-] Potatos_are_not_friends@lemmy.world 2 points 1 year ago

Interesting stuff. Is there more? Some more technical resources (and not a neocities site?)

I like Cloudflare for all of its conveniences. But this definitely gives me food for thought.

[-] mypasswordis1234@lemmy.world 2 points 1 year ago

Do you mean CloudFlare related stuff or privacy in general?

[-] scrubbles@poptalk.scrubbles.tech 6 points 1 year ago

Many of us admins specifically added cloudflare because of users trying to use our instances for nefarious purposes. For myself, it was the last option before shutting down my instance altogether. From Tor users trying to use it without any regard for my hosting to the CSAM attacks, cloudflare gave me an option to keep it running for the time being. I don't agree with everything they do, but it's the only way right now I can keep the server on without a constant despamming.

There is no way to "disable" cloudflare if an instance has chosen to use it. It will sit between you and the server for all traffic. You can choose to use another instance if you like, but server owners can choose what to do with their own servers.

[-] diyrebel@lemmy.dbzer0.com 0 points 1 year ago

W.r.t CSAM, CF is pro-CSAM. When a CF customer was hosting CSAM, a whistleblower informed Cloudflare. Instead of taking action against the CSAM host, CF doxxed the ID of the whistleblower to the CSAM host admin, who then published the ID details so the users would retaliate against the whistleblower. (more details)

There is no way to “disable” cloudflare if an instance has chosen to use it. It will sit between you and the server for all traffic.

Some people use CF DNS and keep the CF proxy disabled by default. They set it to only switch on the CF proxy if the load reaches an unmanageable level. This keeps the mitm off most of the time. But users who are wise to CF will still avoid the site because it still carries the risk of a spontaneous & unpredictable mitm.

[-] scrubbles@poptalk.scrubbles.tech 1 points 1 year ago

Right... well while I'm interested in a site that's hosted on... kescher.at with wild accusations... I'm going to keep CF's proxy on. It blocks tor users from maliciously using my instance, and idk why they would ever be pro-csam if they literally have an auto reporting feature that reports csam to the feds. Soooooooo... have fun with your belief system

[-] diyrebel@lemmy.dbzer0.com 0 points 1 year ago* (last edited 1 year ago)

Which git repo is used to host the article doesn’t matter. That project is mirrored on ½ dozen other repos. Did you follow the links of the citations? The article is well cited but sometimes the links go stale (or become cloudflared). If you had trouble reaching the cited sources plz let me know & I'll get the author to fix it. Or you can file a bug report in the issues tab.

[-] fbmac@lemmy.fbmac.net 1 points 1 year ago

cloudflare has an option to serve your content inside tor without an exit node, is that better or worse?

I'm using it to allow my ipv6 only server be visible for ipv4 users, maybe I'll think on alternatives now

[-] diyrebel@lemmy.dbzer0.com 1 points 1 year ago

Better or worse depends on who you ask.

I boycott Cloudflare and I avoid it. Some CF hosts are configured to whitelist Tor so we don’t encounter a block screen or captcha. For me that is actually worse because I could inadvertently interact with a CF website without knowing about the CF MitM. I want to be blocked by Cloudflare because it helps me avoid those sites.

The CF onion (IIUC) cuts out the exit node which is good. But CF is still a MitM so for me that’s useless.

Some users might not care that CF has a view on all their packets - they just don’t want to be blocked. So for them the onion is a bonus.

[-] Max_P@lemmy.max-p.me 1 points 1 year ago

That would be misconfiguration on the remote instance's end. Are you sure it works if you're not on Tor in the first place?

That's definitely server to server traffic, it basically goes client->home instance->remote instance and AFAIK it's not a passthrough request, it makes it own request.

[-] diyrebel@lemmy.dbzer0.com 1 points 1 year ago* (last edited 1 year ago)

The bug is most likely in the scenario of a default Cloudflare config. Cloudflare pushes a captcha to all apps other than the Tor Browser that come over Tor (in the default config). This would of course cause the #Lemmy javascript to go apeshit.

this post was submitted on 24 Sep 2023
20 points (81.2% liked)

Lemmy Support

4651 readers
2 users here now

Support / questions about Lemmy.

Matrix Space: #lemmy-space

founded 5 years ago
MODERATORS
dessalines@lemmy.ml