There’s no way to know what cloudflare is doing with your data. It is therefore a true risk. We have the technology (end-to-end HTTPS) to allow DDOS protection without allowing man in the middle. If Cloudflare is doing something else, we have full reason to be skeptical.
Sure, and it’d be nice for CloudFlare to offer a service that was compatible with end-to-end HTTPS
But this would be incompatible with the CAPTCHA insertion, right?
And instead of being able to use signal from the content of requests to identify an attack, they’d only be able to use the signal from the unencrypted part of the TCP exchange
This seems like inferior protection to me, but for some this might be the better compromise, and we have every right to seek such a compromise
Using captchas is another problem with cloudflare, no other hoster/provider needs that. So for users there are just downsides with cloudflare. Unfortunately a lot of websites decide to use it, and there is nothing we can do.
True, there are some attacks that cloudflare may be better positioned to mitigate…but a well-designed application won’t be susceptible to attacks unless they involve a huge amount of traffic, and in those cases the amount of traffic is so huge that it can be detected easily without needing to see the http content.
For some sites, both the content publisher and the consumer may prioritise availability over perfect secrecy (e.g. distributing life-saving information in a natural disaster or war)
There might not be a single product on the planet that is more suitable for this use case than Cloudflare
Many sites and many consumers will not share this priority of values, however, so I agree that Cloudflare is inappropriate for these cases
There’s no way to know what cloudflare is doing with your data. It is therefore a true risk. We have the technology (end-to-end HTTPS) to allow DDOS protection without allowing man in the middle. If Cloudflare is doing something else, we have full reason to be skeptical.
Sure, and it’d be nice for CloudFlare to offer a service that was compatible with end-to-end HTTPS
But this would be incompatible with the CAPTCHA insertion, right?
And instead of being able to use signal from the content of requests to identify an attack, they’d only be able to use the signal from the unencrypted part of the TCP exchange
This seems like inferior protection to me, but for some this might be the better compromise, and we have every right to seek such a compromise
Using captchas is another problem with cloudflare, no other hoster/provider needs that. So for users there are just downsides with cloudflare. Unfortunately a lot of websites decide to use it, and there is nothing we can do.
See: https://lemmy.ml/post/209462/comment/144156
True, there are some attacks that cloudflare may be better positioned to mitigate…but a well-designed application won’t be susceptible to attacks unless they involve a huge amount of traffic, and in those cases the amount of traffic is so huge that it can be detected easily without needing to see the http content.
For some sites, both the content publisher and the consumer may prioritise availability over perfect secrecy (e.g. distributing life-saving information in a natural disaster or war)
There might not be a single product on the planet that is more suitable for this use case than Cloudflare
Many sites and many consumers will not share this priority of values, however, so I agree that Cloudflare is inappropriate for these cases