Hey server admins: If you're using , even just their DNS, as far as I can tell they're MITMing everyone on your site!

Which means they see /everything/. Names. Passwords. Kinky DMs.

Not just for people on your instance, but /anything that goes to people on your instance/. Like followers-only posts from people around the fediverse. They may trust you, but do they trust Cloudflare?

UPDATE: Apparently using /only/ for DNS is just fine MITM-wise. (Still bad for centralization, but that's a separate issue entirely.) Unless you turn on "site acceleration" or use their SSL thing. Sorry about that bit!

Show thread

LB: If you're curious or concerned, Toot Planet doesn't use any Cloudflare services.

...I think. Now I'm getting nervous because I can't remember how I set up the mail server, ha ha...

@InspectorCaracal I don’t think cloudflare has anything to do with email. There wouldn’t be any point to it anyway.

@fluffy it's not them doing email, it's how i have the redirections etc. set up with mailgun

@InspectorCaracal oh, I’ve not used mailgun so I don’t know anything about their use of HTTP or CDN yeah. Although using mailgun means that email is absolutely being handled by a third party. But most people are just on gmail anyway so that ship has sailed.

@IceWolf @felix we need a directory or instances list that also lists if the instances are using Cloudflare or not. Maybe also implementing it client site to check the URL and displaying something like “⚠️”next to the account.

@IceWolf it's hard like the author says too because if you really want to stop trusting cloudflare and Amazon and akamai you have to either give up a lot of caching and pay a lot more, or implement your own DoS mitigation infrastructure, or remain exposed to bad actors. It's a super hard balance to strike.

@IceWolf They only MITM if you turn on the site acceleration (clicking the cloud icon by a dns record). Using them for just DNS is fine.

@debugninja Thanks! Yeah, several people have said that. I'll post an update retracting the "for DNS" bit.

@debugninja No worries! No worries at /all/. I needed the poking, honestly. :3

Sign in to participate in the conversation

This instance is focused around the furry community, and is open to anyone interested in it. It's open to all fluffies and scalies ! ⚠️ We do not accept any form of sponsored content on our site. If you like meow, consider donating something via paypal or Liberapay