What do you think about Cloudflare? #374
Labels
No Label
🔍🤖 Search Engines
approved
dependencies
duplicate
feedback wanted
high priority
I2P
iOS
low priority
OS
Self-contained networks
Social media
stale
streaming
todo
Tor
WIP
wontfix
XMPP
[m]
₿ cryptocurrency
ℹ️ help wanted
↔️ file sharing
⚙️ web extensions
✨ enhancement
❌ software removal
💬 discussion
🤖 Android
🐛 bug
💢 conflicting
📝 correction
🆘 critical
📧 email
🔒 file encryption
📁 file storage
🦊 Firefox
💻 hardware
🌐 hosting
🏠 housekeeping
🔐 password managers
🧰 productivity tools
🔎 research required
🌐 Social News Aggregators
🆕 software suggestion
👥 team chat
🔒 VPN
🌐 website issue
🚫 Windows
👁️ browsers
🖊️ digital notebooks
🗄️ DNS
🗨️ instant messaging (im)
🇦🇶 translations
No Milestone
No Assignees
1 Participants
No due date set.
Dependencies
No dependencies set.
Reference: privacyguides/privacytools.io#374
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This is a xreference from prism-break, the similar website endorsing privacy-focused software.
https://github.com/mozilla-mobile/focus-android/issues/1743
I think your website need to mention Cloudflare under "Recommended Privacy Resources" - "Information".
A big company that works with millions of sites, potentially tracking all their users.
Didn't it had a security breach a few weeks ago?
I remember that, of course, they didn't say a word.
https://en.wikipedia.org/wiki/Cloudflare#Criticism_and_controversies
Fun fact: www.privacytools.io is using Cloudflare.
https://iplookup.flagfox.net/?ip=104.31.90.13&host=www.privacytools.io
https://www.shodan.io/host/104.31.90.13
#96
Now the company websites are forced to write GDPR compatible privacy policy, what makes me laugh is they - who use Cloudflare to serve websites - are forgetting about Cloudflare MITM thing.
@CHEF-KOCH
"places now a cookie"? Really? I didn't noticed it... Oh ok, I always browse website without cookies anyway. (deny all)
I have a few issues with CloudFlare:
Problem with CloudFlare
CloudFlare is a vigilante extremist organization who takes the decentralized web and centralizes it under one corporate power that controls the worlds largest walled-garden. A very large portion of the web (10%+) that was once freely open to all is now controlled and monitored by one central authority who decides for everyone who can see what web content. This does serious damage to net neutrality, privacy, and has immediate serious consequences:
E.g. CloudFlare's GUI CAPTCHA breaks
torsocks lynx 'https://www.simplyrecipes.com/recipes/buffalo_wings/'. CloudFlare effectively dictates that all Tor users must use a GUI browser and in many cases it must also be javascript capable.Actions needed
Problem with siteground.com
Looks like another malicious player has emerged with reckless false-positives in their anti-bot agenda. Web hosting service siteground is hitting human visitors of their sites with CAPTCHAs (e.g. https://thewimpyvegetarian.com/.well-known/captcha/). Siteground also has the misconception that all bots are malicious. Siteground can run along with CloudFlare to really compound the denial of service to legitimate Tor users. We need to get this problem on the radar as well before this bad player spreads.
Isn't Cloudflare access through Tor supposed to be better since their onion service? I don't have anything to say on the other points.
I won't touch that cloudflare onion site even with a ten foot pole.
@Mikaela
Perhaps, if by "better" you mean fewer CAPTCHAs. I've actually come to appreciate the CloudFlare CAPTCHAs because they quickly indicate a site I should avoid. The non-CAPTCHA related privacy abuses still remain for everyone and the CAPTCHA abuses still persist for Tor users who are not using CF's chosen browser. I shit you not, CF is dictating to Tor users which browser they may use -- so cURL, lynx, w3m users are still outright denied service. Controlling which tools users may use is unnecessary. If you visit
privacyinternational.orgusing Tor, you are automatically diverted to a.onionsite. CloudFlare could have used that technique which would have been tool-agnostic but they decided to dictate tools to the user.This is laughable, and actually gives cause to distrust CF:
(from the CF link)
First of all, you do have to trust CloudFlare because they still see all the traffic (they are still a MitM). That's true of their surface web pages and remains the same with the onion service they describe. They see all passwords in an unhashed form, for example.
(from the CF link)
It's ridiculous that they use the SSL cert because it's totally unnecessary for an onion site.
(from the CF link)
I get: "This site can’t be reached"
ReCAPTCHA is a google service. Tor users are abused by this thing, Cloudflare offers - out of thin air - a ReCAPTCHA bypassing option for Tor users. Surely they track those who use their sevice.
@libBletchley
Be advised, GitHub Staff said talking about Cloudflare on Github is off-topic and can be considered spam.
Welcome to Microsoft Github, where Microsoft is a friend of Cloudflare.
@unnaturalname the spam is when you search all public repos for the word CloudFlare and then indiscriminately post the same message. Especially when you bump old issues sending notifications to maintainers and users
You're being flagged for the methods, not the content
@coagmano
When there is this unusual case of a wide spread bug impacting potentially thousands of projects, it seems quite reasonable that a contributor would use the search tool to id those projects and report or elaborate on the bug.
When you say "indiscriminately post the same message" then it indeed sounds like something that needs to be controlled. But when I look at the list of references ~3-6 days ago to the bug report herein, that's not indiscriminate. The few posts that I sampled out of the 15 rightly discriminate manifestations of the same bug.
It's not the same message verbatim either. I can see that the author took the time to understand the CF role and write each post custom. That's not spam. Spam would generally have the same text verbatim, but then possibly add some gibberish to go undetected. But in this case each message was manually composed by a human. It's actually a bit ironically perverse that someone exposing CF would be called a spammer, when they represent humans advocating for privacy in the fight against the CloudFlare machine which inappropriately treats humans as robots as a consequence of using Tor. @unnaturalname is a human who was just treated like a robot, as CloudFlare does. But worse, it was a human who assessed and treated that contributor as a bot.
The abuse seems to be on the part of whoever controlled @unnaturalname. I say "seems" because I don't really know how he was controlled, but I now see a ghost which implies his account was deleted.
If the bug persists then I don't see the problem with necroposting. Old bugs still need activity until they are ultimately resolved. It actually makes a project look dead or understaffed when old inactive bugs sit idly.
From where I sit, it looks like someone didn't like @unnaturalname bringing public awareness to a problem. I see someone who was doing a public service and got censored -- the act of which is a public disservice. It seems to reinforce @naturalname's warning, which consequently suggests that github may not be a good venue for privacy-focused projects like privacytools.io.
I have read this thread again and I see there are a lot of concerns about Cloudflare, but there is nothing to say what to do instead.
To quote @BurungHantu1605 (https://github.com/privacytoolsIO/privacytools.io/issues/96#issuecomment-267805190) on Privacytools.io using Cloudflare:
Personally I am currently using Cloudflare for DNS hosting as I don't ever know when I might wish I had DDoS protection and I have past experience with both, the domain being unreachable during registrar transfer (and I think it's recommended to have registrar and DNS at separate places) and had a VPS terminated due to getting DDoSed. Later they have also introduced easy DNSSEC (https://github.com/privacytoolsIO/privacytools.io/issues/731).
Currently I am using GitHub pages directly with their LetsEncrypt certificate, but I am loading files from https://cloudflare-ipfs.com/ as that gives them global CDN and I don't know who else than I have the files pinned. I am using https://pinata.cloud/ but they are located in the USA (Five Eyes) and as I am European I think most of my visitors would also be European so I don't think it would make sense to use https://gateway.pinata.cloud/ .
TL;DR: What do you recommend me and everyone getting linked here to use instead?
Additions:
I received response by email linking to https://notabug.org/themusicgod1/cloudflare-tor and https://ieji.de/@crimeflare/101785817888174114 (thank you!).
Wasn't Dyn.com evil or comparable to Cloudflare earlier? https://en.wikipedia.org/wiki/2016_Dyn_cyberattack
On the other two alternatives you linked, I will need to investigate more.
Server building wouldn't help me due to being always behind CGN and flaky IPv6 (I have a Huawei 4G router and I think all of those seem to have a problem where they need to be rebooted often to not lose IPv6 connectivity) and it would cost money like a VPS and being unemployed I don't have money to put into it.
The "Cloudflare IPFS experiment" by Joe (at cloudflare-tor's PEOPLE.md) seems to be a broken link as I am unable to access it with my local IPFS Go or IPFS.io gateway. Maybe Joe didn't have a device online enough often or no one has it pinned anymore?
I have IPFS gateway as a variable anyway so I can change it with one line, but I think it's preferable for people to install IPFS Companion to redirect traffic to their local gateway or wherever they prefer (by default https://ipfs.io/ipfs)
PS. Can I also invite you to https://github.com/privacytoolsIO/privacytools.io/issues/785 on Mozilla's DNS over Cloud(flare) and what kind of advice should be given on it? Enforce something not-Cloudflare or disable it explicitly to miss out on encrypted SNI?
I've not tried to dig up dirt on Netlify, but that's one possible answer. Netlify is gratis, will handle traffic to a github page, and comes with SSL. I don't know the extent of their DDoS protection.
I'm very pleased to see that project is still going. When it disappeared from github I was concerned that the project died. Makes sense to move to notabug.org.
It's very pleasing as well to see that a searx instance finally makes use of that project:
https://searxes.danwin1210.me/
Seems to work well. CloudFlare sites are folded. So that's my new default search engine.
(edit) works well when it's running, but it's very unstable.
I've not heard that. Your link just shows that Dyn.com was a victim. It's also unclear from that article why those pissed at Equador for cutting Assange's internet connection would have a bone to pick with Dyn.com. But I do see about 10 or so notoriously evil companies among Dyn.com's clientel. Perhaps that's worth consideration.
CloudFlare is technically only gratis if you're not getting attacked. When CloudFlare users get attacked, bandwidth goes up and CF considers that out of the scope of the gratis package and forces an upgrade to premium service. So if your site is likely or expected to get attacked then CF is not really a gratis option anyway. So if you need premium service, PerimeterX and Impurva Incapsula tend to be competitors of CF. I don't know much about them, but no CDN exceeds the evil of CloudFlare. So if CF is what you have you can do no worse AFAIK. Netlify is worth a look first though. They've been good for me but OTOH I've not been DDoSd.
@puzzle0solver
Thanks for the tips. The add-on didn't work for my version but this one does: https://addons.mozilla.org/en-US/firefox/addon/bcma/. I didn't realize that searx instance was special and since it had no cache links I ignored it. It wasn't until @Mikaela pointed me to the new project site for https://notabug.org/themusicgod1/cloudflare-tor that I realized they've done something great with that searx instance. So I'll be using it from now on.
Since my previous comment, I have migrated from Cloudflare to Gandi LiveDNS (my registrar). It's not entirely painless process, but here are the general steps:
In case of IPFS, I changed my IPFS gateway variables from cloudflare-ipfs.com to ipns.co (GitHub repo).
We should be moving
privacytools.iooff CloudFlare... soon. If all goes well. Not to Netlify though, I'm not sure if moving everything to a Cloudfront CDN (which is what Netlify does) is any better than CloudFlare.@JonahAragon that has been discussed in #96
Looks like #96 gives a bit of history, but things change and it's also clear that the 2016 decision was not fully informed (the abuses above were known at that time but no one brought them up).
It was most recently discussed in #711. The discussion should really continue until PTIO is off both GH and CF -- perhaps using
netlify andnotabug.I wasn't making a suggestion, rather stating a fact :)
@JonahAragon
what's wrong with netlify?
Because I don't see why we would move to a platform built on Amazon? Their CDN for static assets is literally just AWS Cloudfront.
You can go to https://www.opennic.org/ (which is hosted on netlify) and see for yourself, all images are hosted on Cloudfront, which is something Netlify does automatically, not a decision the OpenNIC team made. Too many third party requests for this project I think.
ah, I didn't know Netlify fed Amazon. Amazon is definitely a problem.
We are off CloudFlare. Hopefully we don't take too much of a performance hit. Try it out! https://www.privacytools.io/
Subjecting visitors to CF is worse than subjecting them to bad performance. So it was a good move.
One more anti-CloudFlare change needed: the searx endorsement suggests the searx.me instance. That instance returns CloudFlare results. It should be replaced with searxes.danwin1210.me. The Danwin link randomly picks a decent instance, and then filters the CloudFlare results from that.
I also have some performance optimization suggestions:
BTW, I'm impressed with how viewable (and speedy) the page is in lynx. Hopefully that never changes. You could advertise that somewhere on the page to encourage that kind of lean usage.
Image dimensions is something I’ll work on today, I think we’re mostly good on that but there are definitely a few that need those specified.
I don’t really think we should use third parties to host our images. We actually get a performance improvement from hosting them all ourselves with HTTP2, since there’s fewer external requests. Plus, for privacy related reasons I don’t think we should make all our visitors request third party resources where their servers may log traffic. With the current solution we can guarantee that there’s no access logging for web visitors.
When I say we took a performance hit, it wasn’t that bad. Of course there was going to be a difference between a single server in Germany vs a network of hundreds of servers internationally serving our content, but we do have a high performance server and like you said, I think the trade-off was worth it to move off CloudFlare.
I’m pretty happy with the results so far :)
We have our own Searx instance now, I’ll probably just link to that or a list of public instances once we get ours listed in more places.
Regarding everything else, probably best if you open a separate issue for them, like PayPal. Not much I can do about that currently personally.
I didn't read this before but this is probably a good idea. We do have good bandwidth and a great server though so I'm not sure if this will end up being an issue. Something to investigate...
There are a couple issues with that:
I would say if the PTIO instance is configured to filter out CF sites then self-endorsement is well-earned and easily justifiable. If not, then I think the best move is to list the Danwin searx instance which randomly selects a quality instance and then does the CF filtering on the results. When the PTIO instance seems stable enough, the Danwin operator could be asked to ensure that ptio is among the selection.
There's nothing wrong with mentioning the PTIO searx instance, but it's a disservice to PTIO visitors to not make searxes.danwin1210.me the top recommendation and disclose the CloudFlare anti-feature of the PTIO instance.
(edit)
This could be discussed as a separate issue, but to me the searx endorsement is part of the CloudFlare avoidance remedial action.
Danwin just got complicated. CloudFlare filtering is now off by default for those who use the clearnet site, and it looks non-trivial for users to switch that back. They caved to foolish clearnet users complaining about CloudFlare filtering. But the Danwin onion site still does the right thing.
So the best recommendation for Tor users is to use the Danwin onion, and the best option for clearnet users is probably the PTIO instance.
You're welcome to open an issue at https://github.com/privacytoolsIO/search/issues to continue this discussion in a more relevant repo, but at this moment I don't think the benefits of removing all CloudFlare-using websites from the results (if I understand you correctly) outweighs our main goal of being a feasible search engine for general use. So many sites use CloudFlare that if we filtered them by default our results wouldn't be nearly as generally useful.
I would have to discuss it with @BurungHantu1605, but as far as I'm currently aware our main goal with the search project is to be a privacy-focused (anti advertising, anti logging) Google alternative, not a search engine for returning only privacy friendly results.
What do you think about the possibility of sending all network traffic from your phone to Cloudflare? 😆
EDIT: Maybe that is a wrong emoji, I just hope no one gets a heart attack or something on reading the news.
CloudFlare MITM: Now on sites that didn't agree to it.
Edit: well if you're a webmaster and you're so bad at it that you still use http then you get what's coming to you. At least CloudFlare openly admits this is happening with their VPN lol