How are so many sites OK with using Cloudflare when they are basically a MITM? - eviltoast

Regardless of whether or not you provide your own SSL certificates, Cloudflare still uses their own between their servers and client browsers. So any SSL encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?

  • GolemancerVekk@alien.topB
    1 year ago

    I use Cloudflare tunnels because they are a good way of exposing sites to the internet without exposing my IP

    What difference does that make? I only ever heard one realistic reason for hiding your IP, which was a guy living in a suburban neighborhood with static IPs where the IP indicated his house almost exactly.

    If you have a dynamic IP it will get recycled. If you get a static IP it will eventually get mapped to your precise location; Google & other big data spend a lot of time doing exactly that.

    or opening ports […] or other attacks

    If your services are accessible from the internet they are accessible… doesn’t matter that you don’t open ports in your local LAN, there’s still an ingress pathway, and encrypting the tunnel doesn’t mean your apps can’t get hacked.

    I don’t have to worry as much about DDoS

    How many DDoS’s have you been through? Lol. CF will drop your tunnel like a hot potato if you were ever targeted by a DDoS. If you think your $0/month plan is getting the same DDoS protection as the paid accounts you’re being super naive. Let me translate this page for you: your DDoS mitigation for $0/mo amounts to “basically nothing”. Any real mitigation starts with the $200/mo plan.