Hey server admins: If you're using #Cloudflare, even just their DNS, as far as I can tell they're MITMing everyone on your site!
Which means they see /everything/. Names. Passwords. Kinky DMs.
Not just for people on your instance, but /anything that goes to people on your instance/. Like followers-only posts from people around the fediverse. They may trust you, but do they trust Cloudflare?
UPDATE: Apparently using #Cloudflare /only/ for DNS is just fine MITM-wise. (Still bad for centralization, but that's a separate issue entirely.) Unless you turn on "site acceleration" or use their SSL thing. Sorry about that bit!
@InspectorCaracal I don’t think cloudflare has anything to do with email. There wouldn’t be any point to it anyway.
@fluffy it's not them doing email, it's how i have the redirections etc. set up with mailgun
@InspectorCaracal oh, I’ve not used mailgun so I don’t know anything about their use of HTTP or CDN yeah. Although using mailgun means that email is absolutely being handled by a third party. But most people are just on gmail anyway so that ship has sailed.
@IceWolf it's hard like the author says too because if you really want to stop trusting cloudflare and Amazon and akamai you have to either give up a lot of caching and pay a lot more, or implement your own DoS mitigation infrastructure, or remain exposed to bad actors. It's a super hard balance to strike.
@IceWolf They only MITM if you turn on the site acceleration (clicking the cloud icon by a dns record). Using them for just DNS is fine.
@debugninja Thanks! Yeah, several people have said that. I'll post an update retracting the "for DNS" bit.
@IceWolf ohh sorry I didnt see others replies.
@debugninja No worries! No worries at /all/. I needed the poking, honestly. :3