LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-25-2020, 11:41 PM   #16
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,306
Blog Entries: 3

Rep: Reputation: 3720

Quote:
Originally Posted by vincix
I don't understand, what do you mean by that, that the problem comes and goes? LQ has chosen Cloudflare to route the website through their network. There's no problem in that, it's intentional.
That Cloudflare is far from well-intentioned, yes, sure, that's rather clear, but I don't understand your rationale.

My mistake, if you point openssl at www.linuxquestions.org one gets a different certificate than from pointing at linuxquestions.org, without the www. prefix.

Code:
openssl s_client \
        -showcerts \
        -servername www.linuxquestions.org \
        -connect www.linuxquestions.org:443 </dev/null \
| less
That will show the certificate chain, which is generally only two deep due to the excessive number registered in either browser. Certificates are just signed public keys. It's an admirable scam but one that has gone on for too long. The browsers don't warn about MitM certificates in general, even if they seem to be used increasingly and not just with Cloudflare. How encryption is on in the browser is long overdue an overhaul.

Back to the current situation, if you want just the certificate names,

Code:
openssl s_client \
         -showcerts \
         -servername www.linuxquestions.org \
         -connect www.linuxquestions.org:443 </dev/null 2>/dev/null \
| grep -A1 -P '^\s+\d+\s+'
It's their choice to run behind Cloudflare or not, and risk letting them become the gatekeeper for LQ, but it is something they could warn about since the browsers themselves don't make a warning for MitM attacks.
 
1 members found this post helpful.
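
The comparison described in post #16, as an added example that is not part of the original thread: it turns the "Certificate chain" section of `openssl s_client -showcerts` output into `depth|subject|issuer` lines and checks whether two captures present the same leaf names. The sample captures and every name in them (`example.org`, "Example CDN CA", and so on) are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the "Certificate chain"
# section of `openssl s_client -showcerts` output as depth|subject|issuer.

chain_names() {            # reads s_client output on stdin
    awk '
        /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        /^ +i:/        { sub(/^ +i:/, ""); print depth "|" subj "|" $0 }
    '
}

leaf_line() { chain_names | awk -F"|" '$1 == 0'; }   # depth 0 = server cert

# True when two captures present the same leaf subject and issuer.
# Names only: matching names do not prove identical certificates.
same_leaf() {
    [ "$(printf '%s\n' "$1" | leaf_line)" = "$(printf '%s\n' "$2" | leaf_line)" ]
}

# Constructed sample captures (hypothetical names, certificate bodies omitted).
sample_www() { cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.org
   i:O = Example CDN, CN = Example CDN CA
-----BEGIN CERTIFICATE-----
(constructed sample, body omitted)
-----END CERTIFICATE-----
 1 s:O = Example CDN, CN = Example CDN CA
   i:O = Example Root, CN = Example Root CA
---
EOF
}

sample_apex() { cat <<'EOF'
Certificate chain
 0 s:CN = example.org
   i:O = Example Hosting, CN = Example Hosting CA
---
EOF
}

sample_www | chain_names
if same_leaf "$(sample_www)" "$(sample_apex)"; then
    echo "same leaf names for both hostnames"
else
    echo "different leaf certificate for www and bare hostname"
fi
```

For a live check, pipe the thread's `openssl s_client ... </dev/null 2>/dev/null` command into `chain_names` once per hostname and compare the depth 0 lines.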
Old 05-26-2020, 02:27 AM   #17
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
Quote:
Originally Posted by jmgibson1981
I'm amazed people are shocked when they find stuff like this. That is the real surprise to me. If you are connected in any way shape or form, someone is watching.

The shock is that security and privacy experts are ignoring it, not that Cloudflare exists.

The even bigger shock: the Tor Browser developers are ignoring it too. This is the best browser I know for privacy and there is no need to use it with Tor and raise flags, it can be used without Tor with a few tweaks. In fact I am about to switch to this as my main browser, minus the Tor functionality. But what is the matter with these people, why isn't there any warning that a MITM scheme is going on, what happened to the pretense of privacy?
 
Old 05-26-2020, 01:21 PM   #18
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Quote:
Originally Posted by vincix
@hazel Yes, the TLS certificate is provided by Cloudflare. There you go...

Oh, it's more than that. Some scripts from cdnjs.cloudflare.com.

I am far from even remotely expert in this, but I know one or two sites that work perfectly without javascript - except for Cloudflare's despicable "DDOS protection", which would require me to enable javascript only for that (once redirected to the actual site, it's not required anymore). Ah, thankfully there's the Tor Browser for cases like that...

Nota bene, LQ works perfectly without javascript, be it from cloudflare or elsewhere.

I am aware this thread is about Cloudflare and not javascript, but: giving up encryption while going through their servers is one thing, but being sucked dry by their sniffing scripts is a whole extra serving of bad.
 
3 members found this post helpful.
Old 06-25-2020, 12:46 PM   #19
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
Wtf? This site says I have a cloudflare IP:

http://ipinfo.info/html/privacy-check.php

and at the same time the following site reports the ISP-provided public IP as expected:

https://browserleaks.com/ip
 
Old 06-25-2020, 02:36 PM   #20
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Quote:
Originally Posted by Ulysses_
Wtf? This site says I have a cloudflare IP:

http://ipinfo.info/html/privacy-check.php

and at the same time the following site reports the ISP-provided public IP as expected:

https://browserleaks.com/ip

Well, who is your ISP???
 
  

