Cloudflare and tor

Continuing discussion from /e/ (formerly Eelo) first beta is here and it supports FP2!

CloudFlare at least is actively commited to privacy, with periodical log deletions and external audits to ensure those, and designing special usecases for easing the lives of Tor users without destroying their anonymity. You are right, the ability to choose is necessary (and, although clumsy, it’s embedded on any network-aware device, Android included), but with the actual DNS system you need to trust someone from the beginning. Better that someone to be transparent and honest than to be a gobbling figure of individual’s private lives.


Well, my experience with cloudfare up to now while using tor was different than they claim. I always ended in captchas and their hotline was absolutely clueless, in the verge to horrible…
And then it’s a service based in the us, where the 3 letter agencies probably have easier access to. Btw, 9.9.9 9 is uk based, so also 5 eyes. Just if you want to be paranoid :slight_smile:


Mind the article’s date.

I am. Give me an alternative and I’ll switch. Until then, I need to choose the best available (or use Tor, which is unpractical and even counter-productive for the whole OS).

1 Like

Then probably using iptables POSTROUTING for directing DNS queries to a server of your choice and switching off captive portal will help alot


Captive portal checks are already disabled on my machines. My trusted DNS server is CloudFlare’s for the moment. I’ll consider if iptables rules are worth it, thanks.

You do realise Cloudlfare is the company which MITMs SSL/TLS, and who also put up all those annoying captchas for Tor users?

They don’t MitM, it is a CDN service: they are the endpoint.
About the captchas, hope you’ve read the link and my answers before considering (with that tone resembling arrogance) that I don’t have that knowledge. I knew, thus my link.

They do MITM. They have your private TLS/SSL key.

Have Cloudflare finally fixed all their captcha spam for Tor users?

For those interested perhaps a source explaining this would help?

Or simply ask him how a damned CDN service (i.e. multiple servers distributed around the world to serve your page and mitigate overload) could establish a TLS connection for you without your private keys… :man_facepalming: BTW, it’s not a required service. You (as a webadmin) freely choose if you need a CDN to serve and protect your pages, and you can choose between a lot of providers, not only Cloudflare.

A Man-in-the-Middle is a type of attack. They don’t steal your private key, you provide them with it. Therefore, they don’t MitM.
Your internet service provider query servers for you, your phone service provider re-route calls for you, and neither of them MitM: they provide their services. The police or black-hatted hackers (i.e. crackers) hijacking your internet queries or your calls, that’s a MitM attack.

There are various sources available, some pro some con.

What people who defend Cloudflare [1] seem to magically forget is that a secure connection is secure for both parties; not one. Both parties have an interest in such a secure connection. CIA goes both ways, not one way. There is no content from the client that such MITM is authorised, no choice is being made; they’re not even informed about it, akin to a state agency MITMing you. In fact, this makes it all the easier for state agencies to MITM, especially given that Cloudflare is a US company. So, I am for example forced (yes Roboe I am being forced) to use the Cloudflare CDN if I want to use NL government websites. What choice do I have there? Paper? Actually, no. Once you opt out of paper with the NL government they don’t allow you to go back. The choice of not using all those websites which use Cloudflare when it is rolled out so much, is a false one. Moreover, this DDOS protection is akin to getting protected by the mob (it creates a conflict of interest as well) akin to network effect: those who don’t get damned easier. Instead of fixing the internet’s design flaws such as BGP being insecure, amplification attacks being possible due to bloated protocols (hi, DNSSEC), or utilising IPv6, or configuring routers correctly using a CDN as DDOS protection is just a patch on a wound which keeps bleeding. That being said, Cloudlflare does some good things as well such as RPKI and I just find it objectively dishonest that someone is claiming that is “also FVEY” when the choice is basically Cloudflare or IBM; US or US).

[1] “BTW, it’s not a required service. You (as a webadmin) freely choose if you need a CDN to serve and protect your pages, and you can choose between a lot of providers, not only Cloudflare.” <- things like this before.

[2] The police or black-hatted hackers (i.e. crackers) hijacking your internet queries or your calls, that’s a MitM attack.

There’s a choice: your government chose to use Cloudflare. That’s it, I never said each individual had a choice, just the webmaster(s). Sorry, that’s how (Western) life works: as individuals, our power to revert some decisions is limited. And, believe me, my gov in Spain and public Uni do practice similar things that piss me off.

That tone of arrogance is what’s sadly preventing us to agree. For the most part of your last reply, I share your views. But I’m not defending Cloudflare. Don’t put a straw man suit in me. I just:

  1. consider a well-crafted service which cares about privacy by design (and you seem to agree);
  2. celebrate that Cloudflare is aware of Tor users and is actively working to provide us with better experiences; and
  3. have enough knowledge about what a MitM is and how CDN and TLS work to state that the Cloudflare service is not a MitM attack.

If your concern is State-level attacks, then you’re not arguing about Cloudflare or consumer-grade tech, but about threat models and geopolitics. State-level threats are a whole different level and they aren’t mitigable by technical means in almost any country —looking at those gloomy BLOBs in all our smartphones or how the centralized DNS system works. And BTW, remember that USA agencies aren’t the only State actors doing such practices.

1 Like

This topic was automatically closed 182 days after the last reply. New replies are no longer allowed.