The EFF wrote in their most recent newsletter:
… Because it's your rights we're fighting for.
- Your right to speak and learn freely online, free of government censorship
- Your right to move through the world without being surveilled everywhere you go
- Your right to use your device without it tracking your every click, purchase, and IRL movement
- Your right to control your data, including data about your body, and to know that data given to one government agency won’t be weaponized against you by another
- Your right to do what you please with the products and content you pay for …
Cloudflare has been DoSing the whole Tor community for over a decade now. Those who are not excluded from CF sites (over ⅓ of the web), who are free to move around only have that liberty because they submit to surveillance and give up their privacy.
EFF has ties to the Tor Project that are closer than most people realise. At the same time, Tor Project itself has submitted to licking Cloudflare’s boots. TP has quietly removed material from their blogs that criticises Cloudflare.
Searching EFF newsletters for Meta, Facebook, Google, Amazon, etc. has no shortage of hits. But not a word about Cloudflare -- the most direct adversary of what EFF claims to fight for.
People are already aware of Google and Facebook. If they choose to pawn themselves to those platforms, they know what they are signing up for. It’s a waste of energy and resources to fixate on those known evils. EFF is doing a gross injustice by not informing people about Cloudflare.
Cloudflare is one of the few tech giants that wise users cannot escape. In some US states you cannot even register to vote without Cloudflare knowing. You can submit a paper registration but then the data entry worker still submits your personal data to a Cloudflare website.
It’s relatively trivial to escape Google and Facebook and protect yourself. Most of that battle is a matter of not registering and not accessing the services, and watching out for a few corner cases. Cloudflare fucks everyone by compromising websites whose admin doesn’t even know what they are signing up for and the fact that they are pawning all their own users. When your gov publishes legal statutes exclusively in Cloudflare’s walled garden or puts gov services inside CF, we’re fucked to an extent that is much more beyond our control.
I will not donate to EFF until they get their priorities straight.
…continued (due to post size limits)…
@joepie91@fedi.slightly.tech is an infosec researcher IIRC. I’m not up to speed on any recent CF changes but certainly what you call fiction was in play in 2016. It also makes no sense that that would change.
Do you understand the difference between your 1st diagram and your last? The last config (which you call fictional) is actually more secure than the 1st (which has no CF←→origin TLS). The 1st diagram is the most reckless config.
I’m not a CF user, but I am certain admins have a choice whether to use TLS between their host and CF.
What are you saying a gratis (non-paying) subscriber does?
No, it does not “improve” privacy (LOL!) to put Cloudflare in the loop, who proxies over 30% of the world’s web traffic all with centralized access in a country without privacy safeguards. Imagine someone in Europe with two ISPs (home+work) and a few VPNs. Cloudflare has an inescapable aggregated view of their activity on ½ dozen different networks.
Separately, Cloudflare’s exclusion is an assault on privacy. The loss of privacy inherent in CGNAT and Tor is at the hands of CF.
Tor is better for that. CF just fucks up privacy.
Can you cite a source for this claim? The premium (paying) CF subscribers are a tiny minority.
Well, that’s interesting for sure. Can you link to something about that? I’ve not heard of those rules, but if it’s illegal (in the US, presumably) to let CF see CC data, rightfully so but seems unlikely. I would like to read about that.
BTW, I will be the judge of what is sensitive. A body of law can cover some obvious categories of sensitive data but that’s a very low bar. Each user can do their own threat model which cannot be prescribed by someone else.
It also means Cloudflare’s role of bringing the muscle is useless. CF cannot respond to client requests encrypted by another entity’s cert, so the original server bears the full load, thus defeating the top attraction to CF.
Can you explain why adding TLS to the CF←→origin segment in a “Universal/Flexible” config scenario would be impossible? If anything, it should be encouraged. It’s malicious to block that possibility.
You seem to have also missed the thesis of my post. The thesis is important because without it you’re blind about what the facts and arguments are trying to support. To be clear:
Without seeing the 3rd link, you mentally substituted a “CF is evil” thesis when reading my post and when reading the 1st link. So your analysis misses the purposes. I.e. you basically replied to “CF is a walled garden” with “CF is not evil”, and replied to my “CF is not aligned with EFF’s public values” post with “CF is not evil”.
Getting the facts right is the most important thing you can do. Opinions, meh, they are useful only to the extent that they put accurate facts into context. But the facts you present are dodgy. Joepie is more convincing. What he says makes sense. And it also concurs with others who have exposed the same problem as Joepie (he was not the 1st). Though you’ve seeded something that could be useful/insightful with the PCI rules.
It makes absolutely no sense that CF’s flexible config would refuse to proxy a TLS-only origin. There is a how-to doc covering how to Cloudflare proxy someone else’s website. I’m not going to dig for the link but that how-to would be fake news if your claim were true (that joepie’s diagram were bogus).
It’s really a tough sell to claim the e2ee configs are common enough to be noteworthy when that config dumps the gratis performance gains that bring CF patrons.
It was interesting to discover that I can see your pics. Lemmy.world is a Cloudflare site (last I checked). Pics are not cached or mirrored, so when pics are uploaded to a CF’d Lemmy node, everyone outside of Cloudflare’s walled garden just sees broken links to unreachable images. Yes, CF breaks the fedi. So either LW ditched CF, or LW finally figured out how to whitelist Tor.
I trust you that your thesis is built upon your cited works. Therefore, I reject your thesis because your supporting cited works are flawed with bad analysis and incorrect conclusions.
I asked about the nature of your argument. You provided the supporting documents, which are wrong, and they themselves are citing incorrect works. I don't blame you if you've arrived at wrong conclusions; you've started with bad source material. I'm not sure how to tell you to vet your sources better except perhaps to learn more about modern enterprise computing in both the public and private sectors. Your original claims had a stink on them when I first read them, but I gave them a chance because I wanted to see if I had incorrect info and I myself had formed incorrect conclusions. Nope, the stink was accurate and started from your bad source material.
You only read the article about the walled garden. And you actually agreed with the relevant facts that were there, and ultimately concluded that you have no problem with the circumstances that make CF a walled garden. Your only dispute with the facts was in fact irrelevant. That is, CF is a walled garden regardless of whether there is TLS in the CF←→origin segment. It’s you who has the facts wrong on that (and failed to support your astonishing claim), but either way it does not matter for the walled-garden thesis or for my thesis.
As you said, you did not read the 3rd link, so you haven’t even begun to look at the supporting facts for my thesis. The fact that CF is a walled garden (1st article) barely scratches the surface of Cloudflare’s disalignment with EFF principles. That’s mostly covered in the cited works from the 3rd link that you ignored.
My astonishing claims? I failed to support my argument? I read actual Cloudflare documentation, which your sources apparently didn't. I provided screenshots and links to actual facts of the product. I'm not sure you have an actual understanding of what it means to support an argument. Wild conjecture not founded upon factual information on your part isn't how you support an argument.
I gave you my time and attention and inquired about your position. You have to understand that offer from an audience isn't obligatory. You have a certain amount of time/effort to make your case. You chose to give 3 links and your first two were bad. If your thesis depended upon the 3rd, you should have led with that. As it was, your links presented factually incorrect information and further cited factually incorrect information. Any faith I had in your arguments or interest in further understanding your position evaporated.
In the future, if you're trying to advocate for your position, have a little more respect for your audience's time or you will alienate them and never make your message heard exactly as you did here. You may have a valid thesis, though I doubt it, but I'll never know because of your presentation and poor sourcing.
Have a great day. Feel free to respond if you like, I won't be engaging further on this.
It makes no technical sense that Cloudflare would refuse to proxy a TLS site, which is implied by comparing your 1st diagram to @joepie91@fedi.slightly.tech’s diagram, the only difference of which is the CF←origin segment. Hence why the claim is astonishing.
Cloudflare is a biased source and they have been caught in lies (ref: 3rd article).
There are no links in your comment. Just pics. You would not likely be able to find a source that supports the claim the CF←origin segment is necessarily in the clear.
You quoted from the first link so obviously it’s a good link.
If you’re actually trying to say the /content/ is bad, this is what you’ve failed to show. You attempted to criticise @joepie91@fedi.slightly.tech’s article which was 2 links deep. You failed because the viability of the 1st diagram does not obviate joepie’s more accurate reality (most sites use TLS these days).
Indeed it was a non-intuitive sequence. The links were pasted in a hurry.
This is what you failed to show. You did not even address the 2nd link; in fact, you said you did not read it. Your 1st response presented bogus misinfo on your part. The last diagram (@joepie91@fedi.slightly.tech’s) is by far the most common configuration.