new post :whoa:

master
sn0w 3 weeks ago
parent
commit
373b640316
3 changed files with 144 additions and 4 deletions
  1. 1
    0
      assets/css/style.css
  2. 8
    4
      build.sh
  3. 135
    0
      content/blog/2019-04-27_Abandon-Cloudflare.md

+ 1
- 0
assets/css/style.css View File

@@ -24,6 +24,7 @@ body {
24 24
     max-width: 786px;
25 25
     margin-left: auto;
26 26
     margin-right: auto;
27
+    padding-bottom: 64px;
27 28
 }
28 29
 
29 30
 .footer-msg {
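Review bot: the new `padding-bottom: 64px;` on `body` is a bare magic number with nothing recording why it exists (presumably to keep page content clear of the `.footer-msg` block that follows in this file). Suggest a one-line comment, or a shared value, so the padding and the footer height are changed together rather than drifting apart.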

+ 8
- 4
build.sh View File

@@ -61,7 +61,7 @@ echo "#> Making blog index"
61 61
 cat ./partials/blog_index_header.md >> ./_public/blog/index.md
62 62
 for page in $(ls ./content/blog/*.md | sort -d -r); do
63 63
     file="$(echo "${page}" | rev | cut -d/ -f1 | rev | sed 's/\.md//g')"
64
-    title="$(echo "${file}" | cut -d_ -f2-)"
64
+    title="$(echo "${file}" | cut -d_ -f2- | sed 's/-/ /g')"
65 65
     date="$(echo "${file}" | cut -d_ -f1)"
66 66
 
67 67
     echo "#>> Adding ${title} from ${date}"
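Review bot: the added `sed 's/-/ /g'` on line 64 turns every hyphen in the file name into a space, including hyphens that belong to the title itself (a post named `Off-The-Grid` would render as `Off The Grid`), and there is no way to keep a literal hyphen. If hyphenated words are expected in titles, reserve a different separator for word breaks or define an escape for literal hyphens. Separately, the loop still iterates over `$(ls ./content/blog/*.md | sort -d -r)` output, which word-splits on whitespace, so a file name containing a space would be processed as several entries; reading the glob into an array and sorting that (or `find ... -print0`) avoids the split while keeping the reverse-date ordering.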
@@ -72,17 +72,21 @@ cat ./partials/blog_index_footer.md >> ./_public/blog/index.md
72 72
 render ./_public/blog/index.md ./_public/blog/index.html
73 73
 rm ./_public/blog/index.md
74 74
 
75
+#
75 76
 # Copy media
77
+#
76 78
 echo "#> Transferring media"
77
-
78 79
 cp -r assets _public/assets
79 80
 
80
-if [[ "$1" == "--serve" ]]; then
81
+#
82
+# Post-build actions
83
+#
84
+if [[ "$1" == "--serve" || "$1" == "--server" || "$1" == "--preview" || "$1" == "-s" ]]; then
81 85
     php -t _public -S localhost:8080
82 86
     exit 0
83 87
 fi
84 88
 
85
-if [[ "$1" == "--push" ]]; then
89
+if [[ "$1" == "--push" || "$1" == "-p" ]]; then
86 90
     echo "#> Pushing..."
87 91
     neocities push ./_public
88 92
     exit 0
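Review bot: the chains of `||` comparisons on lines 84 and 89 are an ad-hoc option parser; a `case "$1" in --serve|--server|--preview|-s) ... ;; --push|-p) ... ;; esac` block keeps all aliases in one place and is easier to extend. Also, `--server` differs from `--serve` by one character, so it reads as a typo guard rather than a distinct alias; if that is the intent, say so in the new `# Post-build actions` comment so the next reader does not prune it.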

+ 135
- 0
content/blog/2019-04-27_Abandon-Cloudflare.md View File

@@ -0,0 +1,135 @@
1
+
2
+Hey there!<br>
3
+Still remember me?<br>
4
+Man i've been off-the-grid for a long time.
5
+
6
+In case you're new: Hi, my name is sn0w.<br>
7
+I bully bloated software for a living, and sometimes I even write texts like this one.
8
+
9
+I pretty much vanished from the internet during 2018 due to various job-related reasons, but I'm glad to be back.
10
+Expect more content soon-ish. I really enjoy writing, and I hope that some of the content here is useful for a few of you out there.
11
+Feel free to leave feedback or content suggestions using my [contact](/contact.html) page.
12
+
13
+With that said, let's start today's post!
14
+
15
+---
16
+
17
+## Obligatory Foreword
18
+
19
+Today I'd like to use my 5 minutes of internet attention to talk a little bit about
20
+Cloudflare, and why I think that you should avoid them as much as possible.
21
+I wrote a lot about this in chats during the last months, so I thought I might as well write a blog post about it.
22
+
23
+This post is *not* about Cloudflare's business practices, or their behavior towards TOR and VPN users.
24
+These are important problems too, but I want to talk about some of the potential privacy implications that I feel not everyone is aware of.
25
+
26
+## Proxies everywhere
27
+
28
+Normally you've got your user who initates a secure HTTPS connection to your server.
29
+Nobody who's eavesdropping on any hop between you and them should be able to decrypt the requested content.
30
+
31
+With Cloudflare you're voluntarily adding a "man in the middle".<br>
32
+And that's a problem.
33
+
34
+These are the security modes available on Cloudflare:
35
+
36
+```txt
37
+Off:
38
+[user] ----> [cloudflare] ----> [server]
39
+
40
+Flexible:
41
+[user] -🔒-> [cloudflare] ----> [server]
42
+
43
+Full / Full (strict):
44
+[user] -🔒-> [cloudflare] -🔒-> [server]
45
+```
46
+
47
+Now obviously "Off" isn't really something anyone would use.
48
+
49
+But let's take a look at the other modes and why they're **both** potentially dangerous.
50
+
51
+## "Flexible" SSL
52
+
53
+When you open a website through HTTPS you expect it to be secure.
54
+You carefully watch your browser's address bar until that nice green padlock appears,
55
+and feel an instant sense of security.
56
+
57
+![](https://files.catbox.moe/mkqqtu.png)
58
+
59
+But are you actually using that `Secure Connection` your browser is promising?
60
+
61
+With CDNs like Cloudflare you can't know for sure.
62
+
63
+As you saw above, the connection between Cloudflare and the actual server is
64
+not forcibly encrypted in the "flexible" ssl mode.
65
+Now I hear you ask, "why is that important, the connection is just internal".
66
+And yes, that would be true, if the person who ran this website was hosting inside Cloudflare's datacenters.
67
+
68
+In reality there is an undefined number of intermediate hops.
69
+Data will go through Cloudflare's ISP, straight through the internet, until it
70
+eventually reaches the actual server's ISP, and then finally it's destination.
71
+
72
+This means that there are `1..n` possible intermediate steps between you and the server you're
73
+interacting with, where your data is travelling in plain-text format.
74
+
75
+## "Strict" SSL
76
+
77
+Ok so if `Flexible` and `Off` suck, then this mode should be awesome right?<br>
78
+No, I'm afraid not.
79
+
80
+You see, Cloudflare advertises this mode as "End-to-End Encrypted",
81
+and since the infographic shows padlocks on both connection arrows most admins think "yeah that's privacy".
82
+
83
+Let's recall how an automated CDN works.
84
+It has to intercept every request, determine if that request is cacheable,
85
+and ultimately decide if it forwards it to an edge cache or your server.
86
+
87
+That doesn't work with true End-To-End HTTPS.<br>
88
+HTTPS encrypts the *entire* underlying HTTP data.<br>
89
+URL, query parameters, headers, cookies, you name it.<br>
90
+Everything encrypted except for the bare IP and/or domain that's needed for transmission.
91
+
92
+What Cloudflare does to "fix" this is called "SSL Termination",
93
+and a shocking amount of people I talked to didn't know this.
94
+It means that the `Secure Connection` your browser is promising ends at Cloudflare.
95
+An edge server decrypts the HTTPS request and makes decisions based on the plain HTTP data.
96
+After that, the "Strict" mode causes a re-encryption of your data, which is then
97
+ultimately sent to the actual server.
98
+
99
+Let that sink in.<br>
100
+Cloudflare, an american "cloud" company, has plain-text access to any and all requests
101
+on literally millions of websites, and every day that number is getting bigger.
102
+
103
+Of course they claim that they don't do anything with that data, but as with all
104
+closed services there is no real proof for that. In theory they have access to everything.
105
+Everything you ever did on Discord, Patreon, 4Chan, Curse, you name it.
106
+It all went through their hands, totally unencrypted and just begging to be aggregated and analyzed.
107
+
108
+## Abandon Cloudflare
109
+
110
+TL;DR: With Cloudflare, insecure pages can get a green HTTPS icon,
111
+and even if everything is "secure", a US-based company has access to everything
112
+you do on major sites in plain text.
113
+
114
+If you're a server operator, please think thrice about adding a whole-page CDN.
115
+It's extremely likely that you don't need it, and that just hosting your media assets
116
+on a "manual CDN" is more than enough.
117
+
118
+If you're a user, protect yourself from Cloudflare.<br>
119
+Put their subnets (https://www.cloudflare.com/ips/) in a deny/reject policy of your firewall,
120
+and if you really *have to* access them (eg because your friends won't stop using discord),
121
+use something like [Tor Browser](https://www.torproject.org/) to temporarily bypass your self-imposed blocks.
122
+
123
+Use [decentraleyes](https://git.synz.io/Synzvato/decentraleyes) to unbreak pages that get
124
+their JS libraries from `ajax.cloudflare.com`.
125
+
126
+Thanks for coming to my TED talk.<br>
127
+Stay safe.
128
+
129
+---
130
+
131
+PS: This post focused on Cloudflare but, of course, also applies to other
132
+providers that offer similar services like Fastly or AWS WAF/CloudFront.
133
+I didn't mention them simply because avoiding Cloudflare is the
134
+"most bang for the buck" way of improving your privacy. If you want 100%
135
+protection you'll have to do some additional research on your own.
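Review bot: a few wording and consistency points in the new post. Line 4 has "i've" for "I've", line 28 "initates" for "initiates", line 70 "it's destination" for "its destination", and line 100 "american" should be capitalised; line 64 writes "ssl" in lower case while the headings use "SSL". Structurally, the diagram on line 43 groups "Full / Full (strict)" together, but the later heading on line 75 is titled "Strict" SSL while the text under it (termination at the edge, then re-encryption to the origin) applies to both labels in the diagram; aligning the heading with the diagram's labels would avoid the reader wondering whether plain "Full" is exempt. Finally, line 119 points readers at a live IP list for a firewall deny policy; a static copy of that list goes stale over time, so it is worth telling readers to refresh it.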