I know lemm.ee is hosted in the EU, but I can’t find that information for lemmy.world.

  • notabot@lemm.ee
    link
    fedilink
    arrow-up
    3
    ·
    21 hours ago

    Cloudflare don’t hoat sites, but they do end up being a ‘man in the middle’ attack on any site they proxy for, regardless of where that site is nominally hosted. That ends up exposing all traffic on those sites to a US corporation, and ultimately the US government. Considering that Cloudflare proxy somewhere between 19% and 40% of all websites, I think that’s pretty alarming.

      • notabot@lemm.ee
        link
        fedilink
        arrow-up
        2
        ·
        15 hours ago

        You’ll be attacked and pay for the priviledge! I suppose what you’re really paying for is knowing who’s attacking you. Mind you, I think it’s free for small sites, which is probably quite an attractive trade-off for many.

    • Successful_Try543@feddit.org
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      18 hours ago

      I don’t get the ‘man in the middle’ part. Is the ssl key for the encrypted https connection not from LW, but from cloudflare?
      It’s still problematic that they have metadata of the connections.

        • Successful_Try543@feddit.org
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          17 hours ago

          But isn’t for https the traffic supposed to be e2e encrypted between the client web browser and the server hosting the web page with the same cert? Does cloudflare decrypt and then re-encrypt the traffic data?

          • Evotech@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            8 hours ago

            Supposed and supposed… It’s easier to manage encryption and certificates on a layer above, you can reencrypt backwards with some whatever cert

            You can of course not use cloudflares infra for this but then you lost a lot of insight and features

          • notabot@lemm.ee
            link
            fedilink
            arrow-up
            3
            ·
            16 hours ago

            You see the problem. Yes, cloudflare decrypt the request from the browser, inspect it, then reencrypt it and send it to the host server. Then they take the response, decrypt that, inspect it, reencrypt it and send it to the browser.

            Basically there are two TLS flows, one from the browser to cloudflare, and one from clourflare to the host server. Between those, on the cloudflare system, both the traffic and response are in plain text. That includes usernames, passwords (for HTTP basic auth anyway) and any sensitive data you send or receive.

            Given that they front sonewhere between 19 and 40% of all websites, d£pending on whose stats you trust, that should be pretty alarming.