How are so many sites OK with using cloudflare when they are basically a MITM?
How are so many sites OK with using cloudflare when they are basically a MITM?
Regardless of whether or not you provide your own SSL certificates, cloudflare still uses their own between their servers and client browsers. So any SSL encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?
A lot of people in this thread have never been ddosed and it shows. You don't need to host a super popular thing to get ddosed.
When you host game servers there are gonna be salty 16 years old that go to a free stresser and hit you with 1gbps.
And you might think "well yeah but it's not like cloudflare's free plan protects that much".
It does, believe me. I've done tests with people who have access to botnets and without cloudflare with 1gbps our connection was dead. With cloudflare it didn't go down and reported more than 50gbps on the cloudflare dashboard.
Also another thing is that a lot of these people are 16 year old script kiddies, and not seeing your IP directly discourages them.
4nginx can be configured to throttle connections and fail2ban to refuse them to mitigate this
1
If you want then to cache your content to reduce the load of your servers, they have to decrypt the traffic. This is how a reverse proxy works.
And, well, you have to trust them before contract their services. The same way people trust vpns to route their traffic. If I was from some 3 letter agency and want to spy on potential illegal content, I would tap into a vpn server.
3Thats not what a MITM is
A MITM is a Man-in-the-Middle Attack, someone whom you dont trust or dont know has hijacked your network connection to either read, remove or modify data from your network packets and then proxy-send it to your initial intended target
Cloudflare is a proxy server, a person you TRUST and designated to passthrough first to scan and check for network security before it redirects and pass your packets through to your intended target, like a gatekeeper
What, you gonna call all your gatekeepers, your bouncers, your proxy servers a MITM?
3Get some reading comprehension. He said MITM and not MITM Attack. He's referring to Cloudflare as a middle man.
What OP is trying to say is why everyone is okay with using Cloudflare when it basically is a middle man where your traffic/requests go through and could potentially be sniffed at.
0
What is it you're afraid cloudflare is doing? This is a company trusted by tons of corporations who have legit secrets to protect. Why would they care about intercepting your traffic? To what end?
Cyber attacks are goal-oriented and based on attack cost, basically how much effort for how much reward. Is your selfhost traffic super valuable? So valuable that someone would hack cloudflare to get it?
In reality, other than commodity malware that your security suite should easily pick up, there isn't much threat in my opinion.
3The question was a more general one, and not specific to my personal data needs.
The existence of such a ubiquitous centralised service that actually IS a MITM, whether they are malicious or not, seems curious to me.
As they say, if the product is free, then you are the product. If people accept, but recognise, a loss of privacy when using free services from Google and meta, for example, knowing that the data they provide is used for personalised ads, then how come CF's free tier isn't viewed with the same level of scrutiny?
2
Yes, you’re right that there’s a certain amount of trust you need to have in CF… but what are you trusting it to do? And if they fail, what are the consequences?
Honest question - even if you are sending your Vaultwarden traffic over CF, and they are watching or attacking, you have to trust that the e2e encryption of Vaultwarden is what’s keeping you safe, right? Not the SSL certs. Does the auth mechanism rely on the SSL certs not to be compromised? I would hope not.
For me, it’s about trade offs.
https://www.troyhunt.com/cloudflare-ssl-and-unhealthy-security-absolutism/
These two data sources kinda sum it up for me - “If you are concerned that cloudflare can read your data - don't use cloudflare.”
But I do want to be sure that any e2e encrypted app doesn’t rely on SSL for its “end-to-end”.
3Thanks for the link, it's an interesting read with more detail than I've ever heard (not having used cloudflare for this myself).
1The concern isn't that CF is reading your data. It's that 3-letter agencies can read your data at will, since they always make these deals with large companies to have open-hose access to all the data. There was a scandal that Facebook had a special access page for those people.
You might think you're innocent, and you're a good person, so nothing to worry about. This is the old "I have nothing to hide", but this isn't how the world works. People who want to get you can pull strings to get anything they want from government institutions. After all, government is just people. It's not a benevolent being.
Now all this is unlikely, granted. But the task of a good security setup isn't to make it impossible to hack you, but it's to make it hard enough and costly. I'm quite sure there's a zero-day somewhere that can hack my bare-bones Linux servers, but good luck breaking the 10 layers of security I have before even reaching these servers to find something remotely valuable about me. I don't need to make concessions in that regard. You don't have to trust anyone.
1Thanks for the links
1
Yeah. I believe Cloudflare basically has its heart in the right place but it is is still a dangerous central choke point.
2My take is: Any data worth your while shouldn’t just rely on HTTPs anyway. You should have more layers of encryption. That’s how majority of the companies do it.
And for people who do not even know this, are better off using CF as MITM.
2CF is not using „their own“! The certificates the client see must be provided and authorized by the provider of the service. Or put in other words: CF is acting as the hosting provider to the outside, to the clients.
The rest of journey is „inside“ the domain of the provider of the service. It is totally normal that traffic has some journey to go and often it never touches the premises of the provider or even a server owned by the provider.
The important thing that all the part which from a customer‘s view is „internal to the provider of the service“ (behind the CF address) is responsibility of the provider of the service, no matter what 3rd party services they use.
2I'm either reading this wrong or there's a disconnect in knowledge. If you have your own SSL cert and do the termination of that on your end, CF cannot do any MITM without an error on the user's end.
However, if your just setting up an a record or whatever to your server that isn't doing ssl termination, then yes they are mitm
1Cloudflares Web Application Firewall or 'WAF' is a reverse proxy that sits in front of your server issuing it's own certs valid for your domain (cloudflare is a CA, and has control over your DNS to get others to issue certs for them). They then provide caching alongside DDOS protection, geoblocking, various customizable firewall settings, as well as just masking your servers ip with their own. This is their primary service aside from just basic DNS/registrar services.
1
Cloudflare’s default setup is to proxy your traffic but that’s easily disabled with a click of the admin’s mouse. Of course disabling their proxy service exposes the origin IP’s, server certs, etc. but the point is that you use Cloudflare services the way you want to; it’s not a Boolean “cloudflare or no Cloudflare”.
1Half of the people don't remotely understand the issue. The other half is aware that what's in behind isn't trustworthy anyways if it's "in da cloud" and just went all YOLO-mode.
1Do you want to be blown off the internet by DDoS? How much bandwidth do you have/can you pay for?
1Mostly they know how cf work but when asking simplicity cf do it
1Because it’s not always about the encryption. I use Cloudflare tunnels because they are a good way of exposing sites to the internet without exposing my IP or opening ports, which means I don’t have to worry as much about DDoS or other attacks and therefore I don’t need to spend as much effort defending against them.
Even Cloudflare decides to inspect my traffic (and seriously why would they care about a tiny hobbyist website) it’s not like it gives them full access to everything, there are other controls you can use depending what your site is for.
Honestly what I don’t understand is why some on this sub have such strong objections to Cloudflare. Like I get they are a terrible company in a lot of ways, but name a tech company that isn’t?
1Even Cloudflare decides to inspect my traffic (and seriously why would they care about a tiny hobbyist website)
The good old "eh what do i care i dont have anything to hide" approach to security and privacy. Excellent!
"If you have nothing to hide then you dont have to worry!"
I wont respond further in this thread because i already know how these discussions go.
Like I get they are a terrible company in a lot of ways, but name a tech company that isn’t?
Why would anyone argue that other companies are saints? Are you aware you are in /r/selfhosting here? The whole point is to regain control of your own data, be in charge of who stores what, where and how.
2But if you don’t trust Cloudflare, who do you trust, and why? Do you trust your ISP? Do you trust Intel or AMD? The people who manufacture your router or other networking kit? People’s trust boundaries exist at different levels. If you are happy with your own, fine, but you don’t get to tell other people that they are doing it wrong just because their boundaries are different.
1
Honestly what I don’t understand is why some on this sub have such strong objections to Cloudflare.
I am concerned about them being a technical SPOF for much of the internet, and there is the possibility that some hitherto unknown long-term persistent data gathering infiltration is able to sweep up a massive amount of information. And maybe they will turn malicious? Who can say? There's plenty of precedent. How long between when it happens and when we find out?
1You don't need to use CF tunnels to get DDoS protection and to hide your IP. If you are using CF tunnels without being undee a CG-NAT then you are getting MITM'd for nothing.
1You have a very narrow view of why certain technologies should or should not be used. I'm not behind CG-NAT but there is still plenty of value to Cloudflare tunnels for me. Even behind my IP I have a fairly complex network environment but CF tunnels make it easy for me to stand up a connection from a cluster, make it resilient and highly available, and automatically handle failure modes to keep the service up to the world. They also give me a transferable configuration that allows me to quickly move my apps to the cloud or to other hosting if I need to.
So no, I'm not "mindlessly" using them, and I'm not using them just for security or just for DDoS protection. I've actually put quite a lot of thought into my architecture and why I used certain technologies, thank you very much.
1If you use CF for DNS and turn on the proxy, they still MITM you.
1
I use Cloudflare tunnels because they are a good way of exposing sites to the internet without exposing my IP
What difference does that make? I only ever heard one realistic reason for hiding your IP, which was a guy living in a suburban neighborhood with static IPs where the IP indicated his house almost exactly.
If you have a dynamic IP it will get recycled. If you get a static IP it will eventually get mapped to your precise location, Google & other big data spend a lot of time doing exactly that.
or opening ports [...] or other attacks
If your services are accessible from the internet they are accessible... doesn't matter that you don't open ports in your local LAN, there's still an ingress pathway, and encrypting the tunnel doesn't mean your apps can't get hacked.
I don’t have to worry as much about DDoS
How many DDoS's have you been through? Lol. CF will drop your tunnel like a hot potato if you were ever targeted by a DDoS. If you think your $0/month plan is getting the same DDoS protection as the paid accounts you're being super naive. Let me translate this page for you: your DDoS mitigation for $0/mo amounts to "basically nothing". Any real mitigation starts with the $200/mo plan.
1
Because it's everyones MITM. I trust them with security because it's the only thing they focus on, I focus on making my stuff stop randomly shutting down. If absolutely everyone is using it, I don't care too much if an issue appears- nobody cares about my tiny little thing when Discord goes through Cloudflare
1Because it's "everyone's MITM" it would make it a perfect spot for state actors to tap into in order to surveil pretty much everything without anyone being able to notice.
Hell, just the server logs (timestamps, IP addresses and exact URLs) would be unbelievably valuable.
I'd be really surprised if someone wasn't taking advantage of that.
Which is to say if you selfhost because you want more control and privacy, you probably want to avoid services like that.
1Hell, just the server logs (timestamps, IP addresses and exact URLs) would be unbelievably valuable.
People say that, but the actual data would be so vast and with so little actual usability, that the dilution of it still results in largely garbage data. Its only when you have a particular focus and have the ability to filter to that focus that the data becomes very valuable.
Even banks and card processors, who have direct, legal, and completely open access to data as critical as where every one of their customers spends money struggle to do more than harvest aggregated usage patterns. The idea that data volumes, at a couple more orders of magnitude and notably more generalized will be easily processed and harvested ends up being pretty silly.
1Because it's "everyone's MITM" it would make it a perfect spot for state actors to tap into in order to surveil pretty much everything without anyone being able to notice.
Yep, that's my main point
1
You need them if you really want to be secure from DDOS... well with knowledge of HTTP2 DOS is enought... :-)
1People go out of their way to de-Google their phones but them are ok with this situation.
people selfhost for many different reasons. you may self host so you can degoogle, but I selfhost so I can put Kubernetes/mqtt/zigbee/flask etc etc etc on my resume
1In regard to enterprises, they don’t give a rats ass about any potential intellectual property theft. That risk has been written off. What matters is compliance and security.
Not having DDOS protection in place can potentially have legal consequences and can be very costly. DDOS protection is either investing millions of dollars in equipment or offloading that responsibility to a company like Cloudflare.
1they don’t give a rats ass about any potential intellectual property theft. That risk has been written off
That's not true. It's a mitigated risk through contract.
1That's true, I didn't specify the circumstances.
In the case of overt IP theft, the contract is the mitigating factor.
However in the case of convert IP theft through systematic, transparent surveillance of traffic (what OP is alluding to), it's something that you cannot really mitigate apart from just not being digitally present. Cloudflare is a player there, but so is any ISP and nation state who is curious enough. To be on the internet, you have to accept the risk that systematic surveillance can impact your intellectual property.
In some cases, your mitigating factor is the law. But it's really difficult to prove that Cloudflare might be sniffing your data and using the IP unlawfully and it's downright impossible to prove that the NSA or foreign intelligence is using your IP.
1
security
i think you are completely wrong here. big corporations do cost assessments of security vs costs of security breaches. if security is more expensive than data breach, they will accept the breach.
1
Because it's easier and cheaper than setting up your own SSL tunnel securely.
From a non hobbyists point of view, you're paying for them to handle the messy business of maintaining a secure endpoint on the Internet. The sheer amount of bot crap you get hitting your servers as a result of an open SSL port is crazy. Also you are paying for their services as a CDN, which can significantly improve latency and reduce bandwidth bills.
Most self hosters won't benefit from a CDN (the volume and global distribution of traffic is too small for it to make much of a difference) or a global internal transit network.
Of course you definitely can set up your own SSL terminating proxy (where you own the box/process that unencrypted traffic goes through), it's just a lot more money and effort to do well than most would be willing to dedicate to it. But if you're not ok with your traffic going through a third party maybe it's worth it.
Just the mechanics of setting up SSL termination is a faff. Not only do you need to set up SSL properly on your app servers, you also have to do the same on your terminating proxy - and keep the certs renewed, disable insecure configurations, patch your SSL implementation. For many, the convenience of this all being someone else's problem is worth it compared to the privacy implications.
1Because it's easier and cheaper than setting up your own SSL tunnel securely.
Wut you can easily set up SSL with let's encrypt and traefik.
What CF gives you that you can't really do yourself is CDN
1And DDoS protection
1
They think it's not a problem for them. Because they think that:
- they have nothing to hide
- they don't think CF (or TLAs who have access) will use it against them. (Possible examples: Ukrainian sites, Russian sites who disagree with goverment on at least some things)
- they think alternatives are worse - it's...rather difficult to make CF censor you.
- they only use CF's DNS services and not other things
- It's just easier this way
This reminds me of current situation with "AI": There is OpenAI/Anthropic with their APIs (requests are sent via HTTPS but OpenAI/Anthropic are not only need to have access to do their work - they also censor it). There are paid-for alternatives who either host proxies for OpenAI/Anthropic/others (like OpenRouter.ai) or host local models for others (hosting require significant resources which will be unusused if you don't query often). There are means to host locally at home if you can. Some people prefer not to use local hosting even when they can do so.
1I mean, we trust Root Certification Authorities, which are basically self-proclamed-as-trusted entities. At least CF became widespread and is community-trusted :)
1Good point. Who's to say that LetsEncrypt doesn't keep a copy of my private keys?
1Because that's not how certificates work?
Your private key is never sent to the CA with you submit a Certificate Signing Request, only the public key and a bunch of metadata.
(The exception being code signing certs that are delivered on an HSM but the key never leaves the HSM)
1
It's not entirely true what you said. I use cloudflare -> my Proxyserver -> my machines behind the Proxyserver
My Proxyserver has my own certificates loaded and terminates the SSL/TLS connection from cloudflare
Even if the data is passing through cloudflare cdn uses the cloudflare certificates my data is encrypted first using my own certificates from the Proxyserver
1When I visit one of the sites I manage, that goes through CF (my personal ones don't), I see that the certificate that the browser sees is one provided by CF and not the one that I create using LetsEncrypt.
1CF provides different encryption modes. So if it's "Full" you'll need a valid SSL cert on your server, which CF will use end-to-end. If it's "Flexible" (IIRC), then you don't need a cert on your server, in which case CF will use their own cert for encryption.
0
Even if the data is passing through cloudflare cdn uses the cloudflare certificates my data is encrypted first using my own certificates from the Proxyserver
This is false, connect to your website, check the certificate, it will be Cloudlfare's. I assume either you have not checked, or are a Business customer paying quite some money yearly to Cloudflare.
Cloudflare decrypts inbound traffic, then re-encrypts it before sending it to you, unless you pay a decent amount of money so that they serve your certificate.
1
It's all a matter of trust.
There are many reasons to selfhosting. Paranoia is just one of them.1People go out of their way to de-Google their phones but them are ok with this situation.
I don't think this venn-diagram is a circle.
1Don't even get me started... I just made a huge comment about the clown-nature of this thought-process.
I think it all boils down to experience. Some people need time to understand how to make their systems secure (including myself). It took me years of experience to learn how to raise all defenses to ensure security in all my self-hosts.
1
Beyond what everyone else has said here about it being practically an industry standard now with insane levels of trust, it also foists a lot of the responsibility for security/uptime onto an external company with a good track record. That's great in the eyes of product management and likely the legal department too.
1The sites I expose to Cloudflare were already being publicly hosted for my friends. Anything actually private or sensitive I run via private DNS and Wireguard internally.
1You could say the same about any cloud provider. "AWS can read all my data! The horror!"
1You realize your computer can have a backdoor put in place by the brand right? Pretty much same deal isn't it?
1OP, what you're describing is not the "big scary MITM" attack vector. It's how TLS/Reverse proxies work. Whether you are using Cloudflare or hosting your own reverse proxy somewhere with full control, it's still terminating TLS at the endpoint and passing back traffic in the clear to the backend.
Some people like Cloudflare for whatever reasons, and that's okay. I host my own reverse proxy out on a VPS and it works just fine.
You'll find that not all of the seflhosted community is super-focused on privacy as say r/privacy is.
1Maybe it's my fault for posting this in selfhosted. My question was of a more generic nature about security and privacy in general. You're right, r/privacy might be a better sub for this conversation.
In my case my reverse proxy (nginx) runs on the same machine as my backend. In fact nginx also serves all static data with the backend only serving api requests.
1
It sounds like you think the issue with a man-in-the-middle attack is the MITM part, not the attack.
1Cloudflare is awesome and undervalued in my opinion. They provide dozens of services and charge extremely reasonable pricing.
1Outsourcing of (some) risk
If Cloudflare loses the data and it negatively impacts our brand, we can sue the shit out of them.
1Don’t forget, for selfhosters, the value proposition of free is always pretty strong. I have tiers of data and not everything needs to be super private at all times.
1Also...shouldn't we talking more about self-hosting rather than privacy and efficiency issues? I think the topic is a moot point - either you feel that Cloudflare is 'trustworthy'...or you don't.
IMHO, it's sorta like using Google's Gmail for business purposes. Read the fine print - they can do whatever they want with your data, despite their privacy statements. Same goes with Cloudflare. You're using *their* services on *their servers.
They have to lookout for themselves and the risks involved.
1Yes by default traffic is only encrypted between cloudflare and users, but you can set it to “full (strict)” and have it end to end encrypted
1That's not end to end encryption, it's two seprate ssl connections both terminated at cloudflare. One from client to cloudflare, one from cloudflare to your server. Cloudflare is still a MITM inspecting your traffic in that scenario.
They do however let you disable their proxy(WAF) service, acting as pure DNS so clients connect directly to your IP instead of theirs. But they can at any point toggle that back on and intercept your traffic, nothing really stopping them except morals and T&Cs, but that's not exactly bullet proof. T&Cs can be rewritten and corporations with Morals? Right.....
1
It comes down to the same line of reasoning that most people are "OK" with using cloud, be it aws, google, oracle, microsoft etc .. Out of laziness and lack of expertise, basically sysadmins are dead. Otherwise it's always a bad idea to offload anything on a third-party specially without transparency (pinky promise)
Badger DAO lost 120M, to this pinky trust. https://www.theblock.co/post/126072/defi-protocol-badgerdao-exploited-for-120-million-in-front-end-attack
Same issue however exists wirh domain name registerers, etc, hence even such a thing as ens.domains are much more trustworthy, and it's much harder to exploit.
1Yes. This means they can see your native encrypted self-signed traffic.
Which does not do much. Unless you expose unsecured content to the internet. Please don't.
0