You need them if you really want to be secure from DDOS... well with knowledge of HTTP2 DOS is enough... :-)
People go out of their way to de-Google their phones but then are ok with this situation.
People selfhost for many different reasons. You may self host so you can degoogle, but I selfhost so I can put Kubernetes/mqtt/zigbee/flask etc etc etc on my resume
Yes, by default traffic is only encrypted between Cloudflare and users, but you can set it to “full (strict)” and have it end to end encrypted
That's not end to end encryption, it's two separate SSL connections both terminated at Cloudflare. One from client to Cloudflare, one from Cloudflare to your server. Cloudflare is still a MITM inspecting your traffic in that scenario.
They do however let you disable their proxy (WAF) service, acting as pure DNS so clients connect directly to your IP instead of theirs. But they can at any point toggle that back on and intercept your traffic, nothing really stopping them except morals and T&Cs, but that's not exactly bulletproof. T&Cs can be rewritten and corporations with Morals? Right.....
OP, what you're describing is not the "big scary MITM" attack vector. It's how TLS/Reverse proxies work. Whether you are using Cloudflare or hosting your own reverse proxy somewhere with full control, it's still terminating TLS at the endpoint and passing back traffic in the clear to the backend.
Some people like Cloudflare for whatever reasons, and that's okay. I host my own reverse proxy out on a VPS and it works just fine.
You'll find that not all of the selfhosted community is as super-focused on privacy as, say, r/privacy is.
Maybe it's my fault for posting this in selfhosted. My question was of a more generic nature about security and privacy in general. You're right, r/privacy might be a better sub for this conversation.
In my case my reverse proxy (nginx) runs on the same machine as my backend. In fact nginx also serves all static data with the backend only serving api requests.
You realize your computer can have a backdoor put in place by the brand, right? Pretty much same deal, isn't it?
Cloudflare is awesome and undervalued in my opinion. They provide dozens of services and charge extremely reasonable pricing.
It sounds like you think the issue with a man-in-the-middle attack is the MITM part, not the attack.
Outsourcing of (some) risk
If Cloudflare loses the data and it negatively impacts our brand, we can sue the shit out of them.
Also...shouldn't we be talking more about self-hosting rather than privacy and efficiency issues? I think the topic is a moot point - either you feel that Cloudflare is 'trustworthy'...or you don't.
IMHO, it's sorta like using Google's Gmail for business purposes. Read the fine print - they can do whatever they want with your data, despite their privacy statements. Same goes with Cloudflare. You're using *their* services on *their* servers.
They have to look out for themselves and the risks involved.
It comes down to the same line of reasoning that most people are "OK" with using cloud, be it AWS, Google, Oracle, Microsoft, etc. Out of laziness and lack of expertise, basically sysadmins are dead. Otherwise it's always a bad idea to offload anything on a third party, especially without transparency (pinky promise)
Badger DAO lost 120M, to this pinky trust. https://www.theblock.co/post/126072/defi-protocol-badgerdao-exploited-for-120-million-in-front-end-attack
Same issue however exists with domain name registrars, etc., hence even such a thing as ens.domains are much more trustworthy, and it's much harder to exploit.
Yes. This means they can see your native encrypted self-signed traffic.
Which does not do much. Unless you expose unsecured content to the internet. Please don't.