Hacker Neue

Preferences
arianvanp parent
Complains about TLS inspection, yet fronts their website on the biggest and most widely deployed TLS introspection middle box in the world ...

Why do we all disdain local TLS inspection software yet half the Internet terminates their TLS connection at Cloudflare who are most likely giving direct access to US Intelligence?

It's so much worse as it's infringing on the privacy and security of billions of innocent people whilst inspection software only hurts some annoying enterprise folks.

I wish we all hopped off the Cloudflare bandwagon.

cornonthecobra
Three of the banks I use have their websites/apps go through CloudFlare. So does the electronic records and messaging system used by my doctor. A lawyer friend uses a secure documents transfer service that is protect by guess who.

Who needs to let CF directly onto their network when they already sit between client and provider for critically-private, privileged communications and records access?

progbits
NSAaaS and people even pay for it.
apexalpha
I'm not sure if you're serious but in case you are (or other people):

TLS inspection is for EVERYTHING in your network, not just your publicly reachable URLs.

Putting Cloudflare anti-DDoS in front of your website is not the same as breaking all encryption on your internal networks.

Google can already see the content of this site since it's hosted... on the internet.

dns_snek
> Putting Cloudflare anti-DDoS in front of your website is not the same as breaking all encryption on your internal networks.

You misunderstood, they're complaining about it as a user. If your website uses Cloudflare then our conversation gets terminated by Cloudflare, so they get to see our unencrypted traffic and share it with whomever they want, compromising my privacy.

Which wouldn't be such a problem if it was just an odd website here or there, but Cloudflare is now essentially a TLS middle box for the entire internet with most of the problems that the article complains about, while behind hosted behind Cloudflare.

arianvanp OP
Given that 50-70% of the critical services I use in my daily life (healthcare, government, banking, insurance) all go through Cloudflare this practically means everything that is important to me as an individual is being actively intercepted by a US entity that falls under NSA's control.

So for all intents and purposes it's equivalent.

My point is: it's very hypocritical that we as industry professionals are complaining about poor cooperates being MITM'd whilst we're perfectly fine enabling the enfringement of fundamental human right to privacy of billions of people by all fronting the shit that we build by Cloudflare in the name of "security".

I find the lack of ethical compass in this regard very disturbing personally

kreetx
Having an organization install custom root certificates onto your work or personal computer and hosting a public blog on Cloudflare are two entirely different topics.

That your healthcare, government, bank, etc. are using Cloudflare, is a third. In an ideal world I guess I'd agree with you, but asking any of these institutions to deploy proper DDoS protection may just be too much of an ask.

ForHackernews
...do you send private messages using services hosted on publicly reachable URLs?
port11
Do you have an alternative, potentially one that's less centralised or private or in bed with three-letter agencies? I ask because my last infra was probed for vulnerabilities hundreds of times per day; putting Cloudflare in front with some blocked countries and their captchas brought the attempted attacks down to a few dozen per month.
halJordan
I mean, is doing your own geo blocking actually a blocker for you?
port11
Okay, but wouldn't that be based on IP ranges assigned to a country? How do you mimic their modelling of threat levels? I'm not sure, really, maybe F/LOSS has an equally good solution for small businesses.
tptacek
The author is not complaining about reverse proxies, which would be a very silly position to take.
aprilnya
I think it’s misleading to imply hypocrisy considering the reasons listed in the article don’t apply to the scenario of a site being behind Cloudflare.
OptionOfT
The certificate presented is not a Cloudflare one.

So it might be that they're using a custom one, which I believe is passed through end-to-end.

arianvanp OP
Cloudflare doesn't have their own CA. They use a bunch of third party CAs (LetsEncrypt, Google and W2)
phito
I wish so too, same for all the self-hosters using tailscale...
dns_snek
Tailscale connections don't get terminated by a middle box, it's just end-to-end encrypted Wireguard under the hood. Cloud-hosted control panel is a risk because they could push malicious configuration changes to your clients (ACLs and new nodes if you're not using the lock feature), but they can't do it without leaving a trace like Cloudflare can.
progbits
Tailscale cannot passively observe traffic.

They could inject malicious keys into your config but would be hard to mask the evidence of that.

treesknees
Would it be hard? I thought the point of tailscale was not having to manage or concern yourself with key distribution.
newdee
Lookup the Tailnet Lock feature.
yencabulator
A feature in the client software they control, that you run as root, that auto-updates regularly?
newdee
You didn’t look it up, did you?
kreetx
These are not the same thing, the parent is confused..

This item has no comments currently.

Keyboard Shortcuts

Story Lists

j
Next story
k
Previous story
Shift+j
Last story
Shift+k
First story
o Enter
Go to story URL
c
Go to comments
u
Go to author

Navigation

Shift+t
Go to top stories
Shift+n
Go to new stories
Shift+b
Go to best stories
Shift+a
Go to Ask HN
Shift+s
Go to Show HN

Miscellaneous

?
Show this modal