[–]ID10T

They get a certain amount of information, like IP address and the sites you like to visit. They do not decrypt the data you send and receive over SSL.

Edit: I stand corrected. They own the SSL cert so they decrypt the traffic and pass it on to the websites.

They can scrape public pages like these to see what you read, and if they really cared they could scrape multiple pages you visit frequently and figure out your usernames from when you leave comments. However, this would violate laws in many countries if they did so without notifying you, so this is not happening. They can read the GET parameters that end up in URLs, like if you search in a search engine on Cloudflare, they can associate your query string with your IP address. You can use a VPN if you're really concerned about privacy. Cloudflare is pretty low down on the list of companies and organizations you should be concerned about slurping your info.

[–][deleted]

> They do not decrypt the data you send and receive over SSL.

That isn't actually true

"Cloudflare Gateway can perform SSL/TLS decryption in order to inspect HTTPS traffic for malware and other security risks. When you enable TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with the Cloudflare certificate."

https://developers.cloudflare.com/cloudflare-one/policies/filtering/http-policies/tls-decryption/

> However this would violate laws in many countries if they did so without notifying you, so this is not happening.

Lmao

[–]In-the-clouds[S]

> They do not decrypt the data you send and receive over SSL.

What you say directly contradicts what is on Cloudflare's own website:

> Cloudflare must decrypt traffic in order to cache and filter malicious traffic.

Screenshot

[–]ID10T

Damn that's kind of fucked up. Whelp I stand corrected. Thanks

[–]In-the-clouds[S]

Haha, well it is strange to me, too, that a middleman is allowed to decrypt all the traffic.

I respect you for coming back, humbling yourself a bit, and coming into agreement with us.

[–]ID10T

There should never be any shame in admitting when you're wrong. How else can you learn? I like learning things.

[–]notafed

There's no way to perform "application layer" filtering if you can't decrypt the data, and if any one entity can decrypt the data, then anyone can and the system is completely broken.

[–][deleted]

Look at the SSL cert for this site. You are interacting with Cloudflare directly, and saidit only indirectly.

[–]In-the-clouds[S]

That was a good suggestion. I just now clicked on the lock in the address bar. Sure enough, the SSL certificate belongs to Cloudflare.
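
The check suggested in the last two comments (look at the certificate the site presents), scripted in Python as an added example that is not part of the original thread. The sample certificate, the host `forum.example` and the CDN names are constructed placeholders; `fetch_peer_cert` is the live variant and is not called here.

```python
import socket
import ssl

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate that the TLS endpoint for host presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def flatten_name(rdns):
    """Turn getpeercert()'s nested RDN tuples into a flat dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def name_matches(pattern, host):
    """Exact match, or a single-label wildcard such as *.example.org."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.partition(".")[2] == pattern[2:]
    return pattern == host

def describe_endpoint(cert, host):
    """Report whom the certificate names and whether host is its primary name."""
    subject = flatten_name(cert.get("subject", ()))
    issuer = flatten_name(cert.get("issuer", ()))
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = subject.get("commonName", "")
    return {
        "subject_cn": cn,
        "subject_org": subject.get("organizationName"),
        "issuer_org": issuer.get("organizationName"),
        "covers_host": any(name_matches(s, host) for s in sans),
        # True when the site is only a SAN on a certificate whose primary name is another party's.
        "issued_to_other_party": bool(cn) and not name_matches(cn, host),
    }

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; all names are placeholders.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example CDN, Inc."),),
                (("commonName", "edge.cdn-provider.example"),)),
    "issuer": ((("organizationName", "Example CDN, Inc."),),
               (("commonName", "Example CDN Issuing CA"),)),
    "subjectAltName": (("DNS", "edge.cdn-provider.example"),
                       ("DNS", "forum.example"), ("DNS", "*.forum.example")),
}

if __name__ == "__main__":
    for field, value in describe_endpoint(SAMPLE_CERT, "forum.example").items():
        print(f"{field}: {value}")
```

A certificate that names only the site itself does not rule out a proxy in front of it, because the intermediary can hold a certificate issued for the site's own hostname.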