Why is everyone ignoring Cloudfare's MITM that affects 13% of sites worldwide and maybe 30% of English-language sites?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Distribution: debian, lfs, whatever else i need in qemu
Posts: 268
Rep:
android and ios are deeply underestimated too.
cf is free and so are ios and android so when you come across it you sell your data in return. sounds like a good deal. plus they all get all the data of your contacts too! i'm not sure why is it not on ToS that everything you type on cf-injected website goes not only to website owner but primarily to NSA and CIA but there you go.
It's Cloudflare, not Cloudfare. No need to obfuscate.
I wholeheartedly agree about it being pure evil.
But TOR is about Anonymity, no more no less. There's no point in blocking Cloudflare, or anything.
The whole point of TOR is enabling people to safely surf evil sites, because they're anonymous while doing it.
Diagonally reading this bug report I don't see a clear statement that Cloudflare actually counteracts TOR anonymity. Not saying it's impossible! I just didn't see it, so if somebody has a definite answer to that, please tell!
BTW, that user cypherpunk made a FF addon called "Cloudflare MITM" or some such. It's mentioned in the bug report several times.
The problem comes and goes. LQ is only intermittently blocked by Cloudflare. At just this moment, from my current ISP, I get the normal certificate, not the MitM'd one:
I don't see a clear statement that Cloudflare actually counteracts TOR anonymity. Not saying it's impossible!
Information about that is elsewhere, it's the captchas that can de-anonymise you. Captchas happen to generate known bursts of traffic that any ISP or law enforcement can record, later send to Cloudflare and find out what Cloudflare site a user was visiting through Tor.
An additional thing that might be happening with captchas: they may be doing canvas or other fingerprinting for tracking purposes other than law enforcement, for example to target you with ads or for other nefarious purposes. Some Clouflare sites take a while to get started before they show the captchas - they probably exercise a lot of the browser's scripting capabilities to discover if it is a bot, and that is an ideal time to run fingerprinting scripts too.
The problem comes and goes. LQ is only intermittently blocked by Cloudflare. At just this moment, from my current ISP, I get the normal certificate, not the MitM'd one:
I don't understand, what do you mean by that, that the problem comes and goes? LQ has chosen Cloudflare to route the website through their network. There's no problem in that, it's intentional.
That Cloudflare is far from well-intention, yes, sure, that's rather clear, but I don't understand your rationale
@Turbocapitalist, I've also checked the certificate through openssl, and it's beyond me, I really don't get it. openssl consistently shows a different certificate than the one in my browser (which shows cloudflare's).
I'm typically of the crowd that says "if you have nothing to hide...". But I'm amazed people are shocked when they find stuff like this. That is the real surprise to me. If you are connected in any way shape or form, someone is watching. Doesn't matter if you like it or not. There is no magic anonymity bullet for the internet. I've seen that said in other threads and forums. There is always something going on in the background, and 9 times out of 10 no one knows, and even less cares about it.
At the end of the day it's like a speed trap. I'm of the opinion that shouldn't be legal. But good luck getting any court to agree with you. Law enforcement, and or money makers will do whatever the hell they want if they feel they have a good reason, and as has been proven in the last decade, not hard to get warrants for wrong reasons (talking about both sides here). Freedom is an illusion, and so is being anonymous. They can disappear in a flash. If you truly don't want anyone tracking you then unplug.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.