Nearly every website today seems to be hosted behind Cloudflare, which is really concerning for the future of privacy on the internet.

Cloudflare no doubt logs, stores, and correlates network telemetry that can be used for a wide array of deanonymization attacks. Not only that, but Cloudflare acts as a man-in-the-middle for all encrypted traffic which means that not even TLS will prevent Cloudflare from snooping on you. Their position across the internet also lends them the ability to conduct netflow and traffic correlation attacks.

Even my proposed solution to use archive.org as a proxy is not a valid solution, since I found out today that archive.org is also hosted behind Cloudflare… Edit: I was wrong.

So what options do we even have? What privacy concerns did I miss, and are there any workaround solutions?

    • freedomPusher@sopuli.xyz · 2 upvotes · edited · 1 year ago

      The long answer is here.

      The short answer: Cloudflare holds the TLS keys and terminates the tunnel. The padlock misleads people because they think that means the tunnel goes all the way to the server hosting the source website.

      Note as well that you are using lemmy.zip, a Cloudflared instance. CF sees your IP address, username, password (unhashed) and everything you do. (edit: See this comment for alternatives).

        • freedomPusher@sopuli.xyz · 2 upvotes · 1 year ago

          “Or that this isn’t talked more about.”

          Indeed. It’s disturbing how not even EFF (the org most reputable for educating people about privacy among other digital rights) keeps Cloudflare’s attack on the privacy of 20%+ web traffic out of the spotlight that it should have.

      • driveway@lemmy.zip · 1 upvote · 1 year ago

        By “you”, do you mean the user or the site owner? Do I, as the user, have a choice in the matter? And, as far as I know, CDNs are for delivering frontend bundles. How does TLS come into play here?
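Added illustration, not part of the thread above, of the point freedomPusher makes and the question driveway asks: the browser's TLS session ends at the CDN edge, so the certificate and response headers the browser sees describe that edge, not the origin server. The sample certificate and headers are constructed; the issuer, SAN, `Server` and `CF-RAY` hints are well-known Cloudflare signals but vary by plan and era, so they are treated as evidence rather than proof.

```python
import socket
import ssl

# Constructed sample data (not a real capture) in the shape ssl.SSLSocket.getpeercert()
# and an HTTP response would give for a site fronted by a Cloudflare edge.
SAMPLE_EDGE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Cloudflare, Inc."),)),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "sni.cloudflaressl.com")),
}
SAMPLE_EDGE_HEADERS = {"Server": "cloudflare", "CF-RAY": "0000000000000000-XXX", "Content-Type": "text/html"}

def classify_endpoint(cert, headers):
    """Return (verdict, reasons) describing who terminated the TLS session.
    The browser padlock only vouches for this endpoint; each hint below is a
    signal, not proof, and issuer/SAN values vary by Cloudflare plan and era."""
    reasons = []
    issuer = {k: v for rdn in cert.get("issuer", ()) for (k, v) in rdn}
    if "cloudflare" in issuer.get("organizationName", "").lower():
        reasons.append("certificate issuer organization is %r" % issuer["organizationName"])
    sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if any(s.endswith("cloudflaressl.com") for s in sans):
        reasons.append("certificate SAN list includes a cloudflaressl.com name")
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("server", "").lower() == "cloudflare":
        reasons.append("Server response header is 'cloudflare'")
    if "cf-ray" in h:
        reasons.append("CF-RAY response header present")
    return ("cloudflare-edge" if reasons else "no-cloudflare-signal"), reasons

def fetch_cert_and_headers(host, port=443, timeout=5):
    """Open a verified TLS session to host, read the leaf certificate and
    the headers of a HEAD / response (needs network; not used by the sample)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            req = "HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host
            tls.sendall(req.encode())
            data = b""
            while chunk := tls.recv(4096):
                data += chunk
    lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")[1:]
    headers = dict(l.split(":", 1) for l in lines if ":" in l)
    return cert, {k.strip(): v.strip() for k, v in headers.items()}

if __name__ == "__main__":
    verdict, why = classify_endpoint(SAMPLE_EDGE_CERT, SAMPLE_EDGE_HEADERS)
    print(verdict, *why, sep="\n  ")
```

Run `classify_endpoint(*fetch_cert_and_headers("example.org"))` against a live host to see which endpoint your own browser's padlock is actually vouching for.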