LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-24-2020, 12:11 PM   #1
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,247

Rep: Reputation: 57
Why is everyone ignoring Cloudfare's MITM that affects 13% of sites worldwide and maybe 30% of English-language sites?


What on earth is going on with Cloudfare? It is almost ignored by everybody, including security and privacy experts, including the Tor Browser devs!

https://gitlab.com/librewolf-communi...x/-/issues/119
 
Old 05-24-2020, 12:35 PM   #2
teckk
Senior Member
 
Registered: Oct 2004
Distribution: FreeBSD Arch
Posts: 2,900

Rep: Reputation: 782Reputation: 782Reputation: 782Reputation: 782Reputation: 782Reputation: 782Reputation: 782
Quote:
users of unconventional browsers,
It sure does. Dillo, w3m, Palemoon with script turned off won't load some cloudflare sites at all.
In fact https://www.linuxquestions.org get a
Code:
403 Forbidden
cloudflare
When dillo tries to load it.

Interesting info. Thanks.
 
Old 05-24-2020, 09:07 PM   #3
tinfoil3d
Member
 
Registered: Apr 2020
Location: Japan/RJCC
Distribution: debian, lfs, whatever else i need in qemu
Posts: 202

Rep: Reputation: Disabled
android and ios are deeply underestimated too.
cf is free and so are ios and android so when you come across it you sell your data in return. sounds like a good deal. plus they all get all the data of your contacts too! i'm not sure why is it not on ToS that everything you type on cf-injected website goes not only to website owner but primarily to NSA and CIA but there you go.
 
Old 05-25-2020, 02:08 AM   #4
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 14,607
Blog Entries: 9

Rep: Reputation: 4093Reputation: 4093Reputation: 4093Reputation: 4093Reputation: 4093Reputation: 4093Reputation: 4093Reputation: 4093Reputation: 4093Reputation: 4093Reputation: 4093
Quote:
Originally Posted by Ulysses_ View Post
What on earth is going on with Cloudfare? It is almost ignored by everybody, including security and privacy experts, including the Tor Browser devs!

https://gitlab.com/librewolf-communi...x/-/issues/119
It's Cloudflare, not Cloudfare. No need to obfuscate.

I wholeheartedly agree about it being pure evil.

But TOR is about Anonymity, no more no less. There's no point in blocking Cloudflare, or anything.
The whole point of TOR is enabling people to safely surf evil sites, because they're anonymous while doing it.
Diagonally reading this bug report I don't see a clear statement that Cloudflare actually counteracts TOR anonymity. Not saying it's impossible! I just didn't see it, so if somebody has a definite answer to that, please tell!
BTW, that user cypherpunk made a FF addon called "Cloudflare MITM" or some such. It's mentioned in the bug report several times.
 
Old 05-25-2020, 04:29 AM   #5
hazel
Senior Member
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware, OpenBSD
Posts: 4,362
Blog Entries: 11

Rep: Reputation: 2469Reputation: 2469Reputation: 2469Reputation: 2469Reputation: 2469Reputation: 2469Reputation: 2469Reputation: 2469Reputation: 2469Reputation: 2469Reputation: 2469
Isn't this site somehow involved with cloudflare?
 
Old 05-25-2020, 05:22 AM   #6
tinfoil3d
Member
 
Registered: Apr 2020
Location: Japan/RJCC
Distribution: debian, lfs, whatever else i need in qemu
Posts: 202

Rep: Reputation: Disabled
@hazel: back when i first signed up here a decade and a half ago there wasn't any cf yet.
 
Old 05-25-2020, 01:45 PM   #7
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,149

Rep: Reputation: 85
@hazel Yes, the TLS certificate is provided by Cloudflare. There you go...
 
Old 05-25-2020, 02:12 PM   #8
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,844
Blog Entries: 3

Rep: Reputation: 2401Reputation: 2401Reputation: 2401Reputation: 2401Reputation: 2401Reputation: 2401Reputation: 2401Reputation: 2401Reputation: 2401Reputation: 2401Reputation: 2401
The problem comes and goes. LQ is only intermittently blocked by Cloudflare. At just this moment, from my current ISP, I get the normal certificate, not the MitM'd one:

Code:
openssl s_client \
        -showcerts \
        -servername linuxquestions.org \
        -connect linuxquestions.org:443 </dev/null \
| less
 
Old 05-25-2020, 02:44 PM   #9
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,247

Original Poster
Rep: Reputation: 57
Quote:
Originally Posted by ondoho View Post
I don't see a clear statement that Cloudflare actually counteracts TOR anonymity. Not saying it's impossible!
Information about that is elsewhere, it's the captchas that can de-anonymise you. Captchas happen to generate known bursts of traffic that any ISP or law enforcement can record, later send to Cloudflare and find out what Cloudflare site a user was visiting through Tor.

An additional thing that might be happening with captchas: they may be doing canvas or other fingerprinting for tracking purposes other than law enforcement, for example to target you with ads or for other nefarious purposes. Some Clouflare sites take a while to get started before they show the captchas - they probably exercise a lot of the browser's scripting capabilities to discover if it is a bot, and that is an ideal time to run fingerprinting scripts too.

Last edited by Ulysses_; 05-25-2020 at 02:52 PM.
 
Old 05-25-2020, 03:05 PM   #10
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,149

Rep: Reputation: 85
Quote:
Originally Posted by Turbocapitalist View Post
The problem comes and goes. LQ is only intermittently blocked by Cloudflare. At just this moment, from my current ISP, I get the normal certificate, not the MitM'd one:
I don't understand, what do you mean by that, that the problem comes and goes? LQ has chosen Cloudflare to route the website through their network. There's no problem in that, it's intentional.
That Cloudflare is far from well-intention, yes, sure, that's rather clear, but I don't understand your rationale
 
Old 05-25-2020, 03:06 PM   #11
cwizardone
LQ Guru
 
Registered: Feb 2007
Distribution: Slackware64-current with "True Multilib."
Posts: 5,690
Blog Entries: 1

Rep: Reputation: 3043Reputation: 3043Reputation: 3043Reputation: 3043Reputation: 3043Reputation: 3043Reputation: 3043Reputation: 3043Reputation: 3043Reputation: 3043Reputation: 3043
So, it is a source of income? For who?
 
Old 05-25-2020, 03:24 PM   #12
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,149

Rep: Reputation: 85
Well, for cloudflare, of course, for whom else?

@Turbocapitalist, I've also checked the certificate through openssl, and it's beyond me, I really don't get it. openssl consistently shows a different certificate than the one in my browser (which shows cloudflare's).

Can anyone explain this to me?
 
Old 05-25-2020, 03:32 PM   #13
cwizardone
LQ Guru
 
Registered: Feb 2007
Distribution: Slackware64-current with "True Multilib."
Posts: 5,690
Blog Entries: 1

Rep: Reputation: 3043Reputation: 3043Reputation: 3043Reputation: 3043Reputation: 3043Reputation: 3043Reputation: 3043Reputation: 3043Reputation: 3043Reputation: 3043Reputation: 3043
Quote:
Originally Posted by vincix View Post
Well, for cloudflare, of course, for whom else?..........
And the websites who participate?
 
Old 05-25-2020, 03:35 PM   #14
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,149

Rep: Reputation: 85
They are offered a free CDN, location proxmity, that's a huge advantage already. You wouldn't expect the website to be paid for that, right?

Depending on the subscription plans, you can pay for more things: https://www.cloudflare.com/plans/ (now I'm promoting cloudflware )
 
Old 05-25-2020, 06:36 PM   #15
jmgibson1981
Member
 
Registered: Jun 2015
Location: Tucson, AZ USA
Distribution: Debian
Posts: 484

Rep: Reputation: Disabled
I'm typically of the crowd that says "if you have nothing to hide...". But I'm amazed people are shocked when they find stuff like this. That is the real surprise to me. If you are connected in any way shape or form, someone is watching. Doesn't matter if you like it or not. There is no magic anonymity bullet for the internet. I've seen that said in other threads and forums. There is always something going on in the background, and 9 times out of 10 no one knows, and even less cares about it.

At the end of the day it's like a speed trap. I'm of the opinion that shouldn't be legal. But good luck getting any court to agree with you. Law enforcement, and or money makers will do whatever the hell they want if they feel they have a good reason, and as has been proven in the last decade, not hard to get warrants for wrong reasons (talking about both sides here). Freedom is an illusion, and so is being anonymous. They can disappear in a flash. If you truly don't want anyone tracking you then unplug.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
my english is getting worst..., but everyone talk in english :-) aizkorri General 20 08-02-2010 11:41 PM
Is there English-to-English dictionary in linux? uishen Linux - General 27 06-03-2009 10:36 PM
Can I have english menu with chinese/english/spanish input? codec Linux - General 9 10-04-2003 07:18 PM
english-english dictionary for linux zozia Linux - Software 4 09-21-2003 02:32 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:56 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration