
Hey server admins: If you're using Cloudflare, even just their DNS, as far as I can tell they're MITMing everyone on your site!

Which means they see /everything/. Names. Passwords. Kinky DMs.

Not just for people on your instance, but /anything that goes to people on your instance/. Like followers-only posts from people around the fediverse. They may trust you, but do they trust Cloudflare?

troyhunt.com/cloudflare-ssl-an

UPDATE: Apparently using Cloudflare /only/ for DNS is just fine MITM-wise. (Still bad for centralization, but that's a separate issue entirely.) Unless you turn on "site acceleration" or use their SSL thing. Sorry about that bit!

LB: If you're curious or concerned, Toot Planet doesn't use any Cloudflare services.

...I think. Now I'm getting nervous because I can't remember how I set up the mail server, ha ha...

@InspectorCaracal I don’t think Cloudflare has anything to do with email. There wouldn’t be any point to it anyway.

@fluffy it's not them doing email, it's how I have the redirections etc. set up with Mailgun

@InspectorCaracal oh, I’ve not used Mailgun so I don’t know anything about their use of HTTP or CDN, yeah. Although using Mailgun means that email is absolutely being handled by a third party. But most people are just on Gmail anyway so that ship has sailed.

@IceWolf @felix we need a directory or instances list that also lists if the instances are using Cloudflare or not. Maybe also implementing it client side to check the URL and displaying something like “⚠️” next to the account.

@IceWolf it's hard, like the author says, too, because if you really want to stop trusting Cloudflare and Amazon and Akamai you have to either give up a lot of caching and pay a lot more, or implement your own DoS mitigation infrastructure, or remain exposed to bad actors. It's a super hard balance to strike.

@IceWolf They only MITM if you turn on the site acceleration (clicking the cloud icon by a dns record). Using them for just DNS is fine.
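The proxied-versus-DNS-only distinction above (orange cloud on = traffic terminates at Cloudflare's edge; grey cloud = the record points straight at the origin) can be checked from the outside, which is also what the "show a warning next to the account" idea earlier in the thread would need. The script below is an added example and not code from anyone in this thread or from Cloudflare: it resolves a hostname and reports "proxied" if every address falls in Cloudflare's published anycast ranges, "direct" if none do (which covers both "no Cloudflare at all" and "Cloudflare DNS-only"), and adds a second signal from response headers. The embedded range list is a snapshot of Cloudflare's published list at the time of writing and is assumed current; a real checker should refetch it, because the list changes over time.

```python
import ipaddress
import socket

# Snapshot of Cloudflare's published anycast ranges (https://www.cloudflare.com/ips)
# as of this example's writing. Assumed current here; refetch in real use, since
# the list changes and a stale copy would misclassify hosts as "direct".
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address sits inside one of the ranges above."""
    addr = ipaddress.ip_address(ip)
    # A mismatched IP version never matches a network, so mixing v4/v6 is safe.
    return any(addr in net for net in CLOUDFLARE_RANGES)


def classify(addresses) -> str:
    """Classify a host from the addresses its name resolves to.

    'proxied': every address is Cloudflare's. The orange-cloud proxy is on, so
               TLS terminates at Cloudflare and they see the plaintext.
    'direct':  no address is Cloudflare's. Either the site does not use
               Cloudflare, or it uses Cloudflare DNS-only (grey cloud): the
               record points at the origin and Cloudflare never sees traffic.
    'mixed':   some of each; unusual and worth a closer look.
    """
    flags = [is_cloudflare_ip(a) for a in addresses]
    if not flags:
        raise ValueError("no addresses to classify")
    if all(flags):
        return "proxied"
    if any(flags):
        return "mixed"
    return "direct"


def resolve(hostname: str) -> list:
    """A and AAAA lookups through the system resolver (needs network access)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def headers_look_proxied(headers: dict) -> bool:
    """Second signal: headers Cloudflare's edge adds to proxied responses."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return "cf-ray" in lowered or lowered.get("server", "").lower() == "cloudflare"


if __name__ == "__main__":
    import sys

    if sys.argv[1:]:
        # Live mode: classify real hostnames given on the command line.
        for host in sys.argv[1:]:
            addrs = resolve(host)
            print(f"{host}: {addrs} -> {classify(addrs)}")
    else:
        # Offline mode with constructed sample data (not real instances).
        samples = {
            "proxied.example": ["104.16.132.229", "2606:4700::6810:84e5"],
            "origin.example": ["203.0.113.10", "2001:db8::1"],
        }
        for host, addrs in samples.items():
            print(f"{host}: {addrs} -> {classify(addrs)}")
        # Constructed response headers for the two cases.
        print(headers_look_proxied({"Server": "cloudflare", "CF-RAY": "0123abcd-XYZ"}))
        print(headers_look_proxied({"Server": "nginx"}))
```

Run it with one or more hostnames to check live instances; with no arguments it runs against the constructed samples only. The address test is the reliable one: the header test can be defeated by an origin that copies Cloudflare's headers, and a "direct" result for a DNS-only host is exactly the point the thread settles on, since the name then resolves to the operator's own server rather than Cloudflare's edge.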

@debugninja Thanks! Yeah, several people have said that. I'll post an update retracting the "for DNS" bit.

@debugninja No worries! No worries at /all/. I needed the poking, honestly. :3
