
Stop Breaking TLS

(www.markround.com)
170 points todsacerdoti | 23 comments
1. arianvanp No.46215864
Complains about TLS inspection, yet fronts their website on the biggest and most widely deployed TLS introspection middle box in the world ...

Why do we all disdain local TLS inspection software yet half the Internet terminates their TLS connection at Cloudflare who are most likely giving direct access to US Intelligence?

It's so much worse as it's infringing on the privacy and security of billions of innocent people whilst inspection software only hurts some annoying enterprise folks.

I wish we all hopped off the Cloudflare bandwagon.

replies(7): >>46216030 #>>46216051 #>>46216089 #>>46217208 #>>46217601 #>>46221412 #>>46226753 #
2. phito No.46216030
I wish so too, same for all the self-hosters using tailscale...
replies(3): >>46216106 #>>46216426 #>>46216429 #
3. apexalpha No.46216051
I'm not sure if you're serious but in case you are (or other people):

TLS inspection is for EVERYTHING in your network, not just your publicly reachable URLs.

Putting Cloudflare anti-DDoS in front of your website is not the same as breaking all encryption on your internal networks.

Google can already see the content of this site since it's hosted... on the internet.

replies(3): >>46216233 #>>46216504 #>>46216798 #
4. cornonthecobra No.46216089
Three of the banks I use have their websites/apps go through Cloudflare. So does the electronic records and messaging system used by my doctor. A lawyer friend uses a secure documents transfer service that is protected by guess who.

Who needs to let CF directly onto their network when they already sit between client and provider for critically-private, privileged communications and records access?

replies(2): >>46216413 #>>46217513 #
5. kreetx No.46216106
These are not the same thing, the parent is confused.
6. dns_snek No.46216233
> Putting Cloudflare anti-DDoS in front of your website is not the same as breaking all encryption on your internal networks.

You misunderstood, they're complaining about it as a user. If your website uses Cloudflare then our conversation gets terminated by Cloudflare, so they get to see our unencrypted traffic and share it with whomever they want, compromising my privacy.

Which wouldn't be such a problem if it was just an odd website here or there, but Cloudflare is now essentially a TLS middle box for the entire internet with most of the problems that the article complains about, while being hosted behind Cloudflare.

7. progbits No.46216413
NSAaaS and people even pay for it.
8. dns_snek No.46216426
Tailscale connections don't get terminated by a middle box, it's just end-to-end encrypted WireGuard under the hood. Cloud-hosted control panel is a risk because they could push malicious configuration changes to your clients (ACLs and new nodes if you're not using the lock feature), but they can't do it without leaving a trace like Cloudflare can.
9. progbits No.46216429
Tailscale cannot passively observe traffic.

They could inject malicious keys into your config but it would be hard to mask the evidence of that.

replies(1): >>46217158 #
10. arianvanp No.46216504
Given that 50-70% of the critical services I use in my daily life (healthcare, government, banking, insurance) all go through Cloudflare this practically means everything that is important to me as an individual is being actively intercepted by a US entity that falls under NSA's control.

So for all intents and purposes it's equivalent.

My point is: it's very hypocritical that we as industry professionals are complaining about poor corporates being MITM'd whilst we're perfectly fine enabling the infringement of the fundamental human right to privacy of billions of people by all fronting the shit that we build with Cloudflare in the name of "security".

I find the lack of ethical compass in this regard very disturbing personally.

replies(1): >>46225007 #
11. ForHackernews No.46216798
...do you send private messages using services hosted on publicly reachable URLs?
12. treesknees No.46217158
Would it be hard? I thought the point of tailscale was not having to manage or concern yourself with key distribution.
replies(1): >>46218087 #
13. port11 No.46217208
Do you have an alternative, potentially one that's less centralised or private or in bed with three-letter agencies? I ask because my last infra was probed for vulnerabilities hundreds of times per day; putting Cloudflare in front with some blocked countries and their captchas brought the attempted attacks down to a few dozen per month.
replies(1): >>46224985 #
14. No.46217513
15. aprilnya No.46217601
I think it’s misleading to imply hypocrisy considering the reasons listed in the article don’t apply to the scenario of a site being behind Cloudflare.
16. newdee No.46218087
Look up the Tailnet Lock feature.
replies(1): >>46239239 #
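A simplified model of the lock mechanism that comments 8, 9, 12 and 16 above are talking about, written as an added example for this thread rather than taken from the page or from Tailscale's own code. It assumes a coordination server that only ever handles public-key bytes, a node that pins an operator's Ed25519 signing key locally, and a rule that a peer's X25519 key is installed only if it carries a signature from a pinned signer; the type and function names (NodeKey, TrustStore, AcceptPeers, Scenario) and the peer list are constructed for the example, and the model is a simplification, not Tailscale's actual protocol or wire format.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// NodeKey is a peer entry as a coordination server advertises it: the node's
// WireGuard-style X25519 public key plus, under a lock-style policy, an Ed25519
// signature over it from an operator-held signing key (simplified model).
type NodeKey struct {
	Name string
	Pub  []byte // 32-byte X25519 public key
	Sig  []byte // Ed25519 signature over Pub; nil if the server sent none
}

// TrustStore holds the signing keys a locked node pins locally; the server cannot edit it.
type TrustStore struct {
	Signers []ed25519.PublicKey
}

// Trusted reports whether k carries a valid signature from a pinned signer
// (ed25519.Verify returns false for a nil or wrong-length signature).
func (t *TrustStore) Trusted(k NodeKey) bool {
	for _, s := range t.Signers {
		if ed25519.Verify(s, k.Pub, k.Sig) {
			return true
		}
	}
	return false
}

// AcceptPeers keeps only the advertised keys a locked node will install as WireGuard peers.
func AcceptPeers(t *TrustStore, advertised []NodeKey) []NodeKey {
	var out []NodeKey
	for _, k := range advertised {
		if t.Trusted(k) {
			out = append(out, k)
		}
	}
	return out
}

// must panics on a key-generation or ECDH error (demo only).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newSigner returns an Ed25519 signing key pair (held on an operator's node, not the server).
func newSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario simulates one push from a hostile coordination server against a locked node:
// it returns the names of the accepted peers and whether the two legitimate nodes still agree on a secret.
func Scenario() ([]string, bool) {
	curve := ecdh.X25519()
	// Each node generates its own pair; only PublicKey().Bytes() ever goes to the server.
	alice, bob, mallory := must(curve.GenerateKey(rand.Reader)),
		must(curve.GenerateKey(rand.Reader)), must(curve.GenerateKey(rand.Reader))
	signPub, signPriv := newSigner() // operator's pinned signer
	_, rogueSign := newSigner()      // attacker's own signer
	alicePub, bobPub, malloryPub := alice.PublicKey().Bytes(), bob.PublicKey().Bytes(), mallory.PublicKey().Bytes()

	// Constructed peer list: two signed by the operator, one injected unsigned,
	// one signed by a key the node never pinned.
	advertised := []NodeKey{
		{Name: "alice", Pub: alicePub, Sig: ed25519.Sign(signPriv, alicePub)},
		{Name: "bob", Pub: bobPub, Sig: ed25519.Sign(signPriv, bobPub)},
		{Name: "mallory-unsigned", Pub: malloryPub},
		{Name: "mallory-rogue-signed", Pub: malloryPub, Sig: ed25519.Sign(rogueSign, malloryPub)},
	}
	trust := &TrustStore{Signers: []ed25519.PublicKey{signPub}}
	var names []string
	for _, k := range AcceptPeers(trust, advertised) {
		names = append(names, k.Name)
	}

	// The server only handled public-key bytes; it cannot compute the secret the peers derive.
	s1 := must(alice.ECDH(bob.PublicKey()))
	s2 := must(bob.ECDH(alice.PublicKey()))
	return names, bytes.Equal(s1, s2)
}

func main() {
	names, ok := Scenario()
	fmt.Println("accepted peers:", names, "shared secret agrees:", ok)
}
```

Running it prints that only alice and bob were accepted and that their X25519 secrets agree; both of Mallory's entries are dropped because neither signature verifies against the pinned signer. Note that the whole check lives in the client, so its value rests on trusting the client build that enforces it.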
17. OptionOfT No.46221412
The certificate presented is not a Cloudflare one.

So it might be that they're using a custom one, which I believe is passed through end-to-end.

replies(1): >>46231726 #
18. halJordan No.46224985
I mean, is doing your own geo blocking actually a blocker for you?
19. kreetx No.46225007
Having an organization install custom root certificates onto your work or personal computer and hosting a public blog on Cloudflare are two entirely different topics.

That your healthcare, government, bank, etc. are using Cloudflare, is a third. In an ideal world I guess I'd agree with you, but asking any of these institutions to deploy proper DDoS protection may just be too much of an ask.

20. tptacek No.46226753
The author is not complaining about reverse proxies, which would be a very silly position to take.
21. arianvanp No.46231726
Cloudflare doesn't have their own CA. They use a bunch of third party CAs (Let's Encrypt, Google and W2)
22. yencabulator No.46239239
A feature in the client software they control, that you run as root, that auto-updates regularly?
replies(1): >>46254084 #
23. No.46254084