Daily reminder that sites “protected” by cloudflare are effectively MITM attacks. HTTPS is now even more worthless. Cloudflare can see everything. this is a known fact and not a theory.

And if you think Cloudflare aren’t being tapped by the NSA, you’re sadly sadly naive.

All the “privacy respecting” sites use it too. So remember, as soon as you see that cloudflare portal page, you can assume that everything you plug into the site is property of NSA Inc. Trust no one, and do not trust code being served to you over the web if it comes through CF, there is no way to know what they’ve modified.

Edit: good info link below https://serverfault.com/questions/662946/does-cloudflare-know-the-decrypted-content-when-using-a-https-connection

  • Harrison@infosec.pub
    link
    fedilink
    arrow-up
    0
    ·
    6 months ago

    Cloudflare is a MITM by design. Calling it an attack is disingenuous; you’re signing up for the service of your own free will, not a victim.

    If a substantiated news article came out showing that Cloudflare shared SSL keys or otherwise gave direct access to various intelligence agencies without a court order, that would essentially destroy the company. So they certainly aren’t doing that.

    So then the question becomes whether those nefarious three letter agencies penetrated Cloudflare with APT tools and are silently listening to everything. Our adversaries are certainly trying, China, Russia, Iran, etc. If the NSA (which lacks a mandate to act on US soil, and CF is a US company) or perhaps the FBI hacked a US company, particularly one that covers like a third of the internet like Cloudflare, that would be a truly enormous scandal.

    But in the end, yes, it is a MITM. If you need your data to be E2E encrypted, don’t use it.

    • waitmarks@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      6 months ago

      the NSA (which lacks a mandate to act on US soil, and CF is a US company)

      They absolutely do have a mandate to operate on US soil, that is actually the main mandate and there is a separate military agency (CNMF) that operates on foreign soil. They are both headed by the same guy though so they might as well just be one agency.

    • FaceDeer@fedia.io
      link
      fedilink
      arrow-up
      0
      ·
      6 months ago

      I could imagine the NSA embedding an agent inside Cloudflare specifically to keep an eye out for any foreign agents also being embedded in Cloudflare, rather than to dig out its secrets for themselves.

      • BearOfaTime@lemm.ee
        link
        fedilink
        arrow-up
        0
        ·
        6 months ago

        In the 90’s telcos were exposed as providing a connection for feds to duplicate any and all comms.

      • Harrison@infosec.pub
        link
        fedilink
        arrow-up
        0
        ·
        6 months ago

        I’m sure the TLAs work closely in conjunction with all companies responsible for internet infrastructure, yeah. That is their mandate.

    • Scolding0513@sh.itjust.worksOP
      link
      fedilink
      arrow-up
      0
      ·
      6 months ago

      If a substantiated news article came out showing that Cloudflare shared SSL keys or otherwise gave direct access to various intelligence agencies without a court order, that would essentially destroy the company. So they certainly aren’t doing that.

      excuse me, what?? The Snowden documents came out showing all these companies literally giving over all their data to the NSA like it was water from a spring, and they are all still in business. AT&T, facebook, google, microsoft, dropbox, etc. Yet you claim somehow cloudflare would be destroyed?? This isnt even funny bro.

      more recently, Hetzner was showed to have given backdoor access to the feds, yet people still buy VPSs from them, and in fact, 20% of TOR guard nodes are sitting on their infra RIGHT NOW!

      Case in point: people using such companies either don’t care or are really ignorant or stupid.

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      0
      ·
      6 months ago

      What concerns me is that we really do not know what the three letter agencies are capable of. They operate outside of the demographic government. Many Americans are increasingly losing faith in the government and secret government programs do not help. It causes what is known as a chilling effect. People start self censoring which is very dangerous and harmful to democracy. Democracy needs transparency not secrecy.

    • anar@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      6 months ago

      Maybe I’m just jaded and cynical but it won’t “destroy the company” even if it comes out like that. The laws don’t apply to people at the top

    • Coasting0942@reddthat.com
      link
      fedilink
      arrow-up
      0
      ·
      6 months ago

      I don’t believe that the NSA has a portal giving them direct access (probably naive).

      They definitely have a secret agent 🕵️‍♀️ nerd on the inside providing intel on the structure. Maybe inject exploits or guide them when needed.

      They definitely have a direct e-mail address to cloudflare legal to serve national security letters that cloud flare is obligated to comply with. Which is a portal with extra steps, but which cloud flare can raise a fuss if they notice the requests are turning into vacuum cleaners, and not union membership research.

      • plz1@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        6 months ago

        Internet traffic gets mirrored to NSA data centers, that’s old news from the Snowden leak.

    • milicent_bystandr@lemm.ee
      link
      fedilink
      arrow-up
      0
      ·
      edit-2
      6 months ago

      But in the end, yes, it is a MITM. If you need your data to be E2E encrypted, don’t use it.

      Or do use E2E encryption. You can still have a layer of encryption within the SSL tunnel that cloudflare controls. Like you’d do for an E2EE filestore: the webserver (and cloudflare) see the website woosh by, and all that you do on it, but the files themselves are encrypted opaquely to both, and decrypted only by a browser at the other end.