Nearly every website today seems to be hosted behind Cloudflare which is really concerning for the future of privacy on the internet.
Cloudflare no doubt logs, stores, and correlates network telemetry that can be used for a wide array of deanonymization attacks. Not only that, but Cloudflare acts as a man-in-the-middle for all encrypted traffic which means that not even TLS will prevent Cloudflare from snooping on you. Their position across the internet also lends them the ability to conduct netflow and traffic correlation attacks.
Even my proposed solution to use archive.org as a proxy is not a valid solution since I found out today that archive.org is also hosted behind Cloudflare… edit: i was wrong
So what options do we even have? What privacy concerns did I miss, and are there any workaround solutions?
How is Cloudflare able to decrypt TLS traffic?
The long answer is here.
The short answer: Cloudflare holds the TLS keys and terminates the tunnel. The padlock misleads people because they think that means the tunnel goes all the way to the server hosting the source website.
Note as well that you are using lemmy.zip, a Cloudflared instance. CF sees your IP address, username, password (unhashed) and everything you do. (edit: See this comment for alternatives).
Well, I’m surprised I didn’t know this. Or that this isn’t talked more about.
Indeed. It’s disturbing how not even EFF (the org most reputable for educating people about privacy among other digital rights) keeps Cloudflare’s attack on the privacy of 20%+ web traffic out of the spotlight that it should have.
It only does if you upload your private keys to them or if you use their certificate.
That’s what a vast majority of sites do. CF is not gratis if you use your own keys.
By you, you mean the user or the site owner? Do I, as the user have a choice in the matter? And, as far as I know, CDNs are for delivering frontend bundles. How does TLS come into play here?