I'm a typical non-geek user who has spotty knowledge of the details. It's frustrating to want to know more, only to run into incomprehensible explanations. Thanks for the link to something I can understand.
Basically, if you visit a website which uses HTTP, your browser will show you a warning that the site is not secure, because data transferred using HTTP (a medium, like air for our voice) is not encrypted. Anyone can see the data, just like anyone can hear us speaking. In this case, let's say person A said "I am a butterfly" to person B. Person C can also hear that, but he is evil.
To stop other people from listening to what you are saying (sending data), we use HTTPS, which encrypts (scrambles) the data so only the person speaking (A) and the person listening (B) can understand it, and person C can go brrrr. In this case, person A will convert "I am a butterfly" to something else, such as "da sd asd asd as das d". Now only A and B can understand it, because they know how to convert the letters. Person C can go brrrrr because he does not know the secret.
Now in the case of Cloudflare, there is a person D (which is Cloudflare itself). Instead of speaking to person B directly, person A sends the message to D to pass to B, which does not hurt, as person D does not know the secret either. This is called end-to-end encryption in the nerdy world.
But that is not what happens. Cloudflare is like a bitch that tells person A that she can share the secret and she will not share it with anyone else except B. But that depends on the integrity and honesty of person D. If person C is a close friend of D, D will most likely share the secret, leaking the conversation. There is a very good incentive to share your data with person C, so person D does that. Or may do that.
It is like allowing the postman to read your letters first and then give them to the recipient. The postman should do its fucking job and not interfere with our personal shit. Cloudflare is or is not a good postman. But for providing the services Cloudflare provides, it may be necessary to do that, but you are trusting a business bound to US laws.
I hope it helps.
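A concrete way to see "person D" from the comment above: the TLS session from your browser ends at whoever holds the certificate's private key, and a proxy in front of a site will answer the HTTP request itself. This is an added example, not code from anyone in the thread; the `server: cloudflare` response header and the `getpeercert()` dictionary layout are assumptions about Cloudflare's edge and Python's `ssl` module, and the sample certificate is constructed.

```python
import socket
import ssl
from typing import Optional


def _cert_covers(hostname: str, sans: list) -> bool:
    """True if hostname matches a DNS SAN directly or via a one-label wildcard."""
    if hostname in sans:
        return True
    parent = hostname.split(".", 1)[1] if "." in hostname else ""
    return bool(parent) and f"*.{parent}" in sans


def classify(cert: dict, server_header: Optional[str], hostname: str) -> dict:
    """Who did the TLS session end with? `cert` has the shape returned by
    ssl.SSLSocket.getpeercert(); `server_header` is the HTTP Server header."""
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    server = (server_header or "").lower()
    return {
        "issuer_org": issuer.get("organizationName"),
        # The padlock only says the cert is valid for the name, not who holds the key.
        "valid_for_host": _cert_covers(hostname, sans),
        # Assumption: Cloudflare's edge identifies itself in the Server header.
        "tls_ends_at_proxy": "cloudflare" in server,
    }


def probe(hostname: str, timeout: float = 5.0) -> dict:
    """Open a real TLS connection, fetch the peer cert and the Server header."""
    ctx = ssl.create_default_context()
    req = f"HEAD / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((hostname, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            tls.sendall(req.encode("ascii"))
            head = b""
            while b"\r\n\r\n" not in head:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                head += chunk
    server = None
    for line in head.decode("latin-1").split("\r\n"):
        if line.lower().startswith("server:"):
            server = line.split(":", 1)[1].strip()
    return classify(cert, server, hostname)
```

`probe("your-domain.example")` needs network access; `classify` can be exercised offline with a hand-built certificate dictionary.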
That does help. So Cloudflare is the middleman, and the point of all this is that the middleman might not be an honest broker.
I think the mail analogy, while useful, breaks down on closer examination. I don't have an overstuffed traditional mailbox because the sender has to pay to send me anything, and he can't logically send me something that will break my mailbox or otherwise interfere with my ability to send and receive traditional letters and packages. On the electronic side, there's no material marginal cost to send anything electronically. The opportunities for various forms of sabotage are legion -- which we've seen ever since electronic communications became a mass-level thing 20 or 30 years ago.
So, from a non-geek view, the *concept* of something *like* a Cloudflare makes sense. In fact, it seems *necessary* for the system to function in a useful way. The issue, to the extent I can understand it, seems to lie with whether or not Cloudflare is a trustworthy entity. If not, then why not, and what should replace it?
Yeah, it is necessary in a way, but this is not the only way. Most of the users I have seen using Cloudflare or similar services use it for protection from DDoS (too much traffic to bring down your server), global cache (quick access), free SSL and some more useful services. There are ways to do these things yourself, but that costs more $$$, and nowadays people tend to go with cheaper or usually free options for whatever reason. Especially small businesses.
But even if you use cloud or something to do some things yourself, they do the same thing. Honestly, it is inevitable now. So you just trust service providers.
And honestly, it is harder for me to explain these things in a non-technical, non-nerdy way, which itself shows the gap there is. We need to educate more people. You may find these useful:
https://www.reddit.com/r/privacy/comments/41cb4k/be_careful_with_cloudflare/
https://www.reddit.com/r/privacytoolsIO/comments/8z3d3s/block_cloudflare_mitm_attack_addon/
And join +privacy if it is something that interests you.
What are your thoughts on using Cloudflare as only a managed DNS service, not enabling any of the proxying or caching? It isn't the point of the service, but it works much better for this than ZoneEdit, for instance.
8 comments
2 u/nomad_cz 24 Aug 2020 18:31
2 u/None 24 Aug 2020 18:50
2 u/Drewski [OP] 24 Aug 2020 19:09
1 u/None 24 Aug 2020 19:32
2 u/QuantumPoop 24 Aug 2020 20:11
1 u/None 24 Aug 2020 20:25
1 u/QuantumPoop 25 Aug 2020 13:05
1 u/BeegIndependence 25 Aug 2020 01:29