this post was submitted on 20 Nov 2023
2 points (100.0% liked)

Self-Hosted Main

515 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 1 year ago
MODERATORS
 

Regardless of whether or not you provide your own SSL certificates, cloudflare still uses their own between their servers and client browsers. So any SSL encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?

you are viewing a single comment's thread
view the rest of the comments
[–] rollinghunger@alien.top 3 points 11 months ago (3 children)

Yes, you’re right that there’s a certain amount of trust you need to have in CF… but what are you trusting it to do? And if they fail, what are the consequences?

Honest question - even if you are sending your Vaultwarden traffic over CF, and they are watching or attacking, you have to trust that the e2e encryption of Vaultwarden is what’s keeping you safe, right? Not the SSL certs. Does the auth mechanism rely on the SSL certs not to be compromised? I would hope not.

For me, it’s about trade offs.

https://www.troyhunt.com/cloudflare-ssl-and-unhealthy-security-absolutism/

https://serverfault.com/questions/662946/does-cloudflare-know-the-decrypted-content-when-using-a-https-connection

These two data sources kinda sum it up for me - “If you are concerned that cloudflare can read your data - don't use cloudflare.”

But I do want to be sure that any e2e encrypted app doesn’t rely on SSL for its “end-to-end”.

[–] TheQuantumPhysicist@alien.top 1 points 11 months ago

The concern isn't that CF is reading your data. It's that 3-letter agencies can read your data at will, since they always make these deals with large companies to have open-hose access to all the data. There was a scandal that Facebook had a special access page for those people.

You might think you're innocent, and you're a good person, so nothing to worry about. This is the old "I have nothing to hide", but this isn't how the world works. People who want to get you can pull strings to get anything they want from government institutions. After all, government is just people. It's not a benevolent being.

Now all this is unlikely, granted. But the task of a good security setup isn't to make it impossible to hack you, but it's to make it hard enough and costly. I'm quite sure there's a zero-day somewhere that can hack my bare-bones Linux servers, but good luck breaking the 10 layers of security I have before even reaching these servers to find something remotely valuable about me. I don't need to make concessions in that regard. You don't have to trust anyone.

[–] spottyPotty@alien.top 1 points 11 months ago

Thanks for the links

[–] Psychological_Try559@alien.top 1 points 11 months ago

Thanks for the link, it's an interesting read with more detail than I've ever heard (not having used cloudflare for this myself).