Nearly every website today seems to be hosted behind Cloudflare which is really concerning for the future of privacy on the internet.

Cloudflare no doubt logs, stores, and correlates network telemetry that can be used for a wide array of deanonymization attacks. Not only that, but Cloudflare acts as a man-in-the-middle for all encrypted traffic which means that not even TLS will prevent Cloudflare from snooping on you. Their position across the internet also lends them the ability to conduct netflow and traffic correlation attacks.

Even my proposed solution to use archive.org as a proxy is not a valid solution since I found out today that archive.org is also hosted behind Cloudflare… edit: i was wrong

So what options do we even have? What privacy concerns did I miss, and are there any workaround solutions?

    • tiny_electron
      link
      fedilink
      arrow-up
      5
      ·
      11 months ago

      Cloudflare provides anti ddos protection, aws provides cloud computing for online services

        • hemko@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          11 months ago

          From corporate perspective, if the ddos protection is cheaper than potential ddos attack, yes.

          • freedomPusher@sopuli.xyz
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            11 months ago

            Of course it’s important to note that business case relies on users being uninformed. If a billion or more users suddenly became informed about this along with the fact that the business does not disclose it (not even in the fine print of the privacy policy), your business case would need to account for a PR backlash variable.

    • invertedspear@lemm.ee
      link
      fedilink
      arrow-up
      3
      ·
      11 months ago

      From a user side, nothing.

      From a host side: AWS/GCP/Azure, scaling is built in; maybe isn’t cheaper than self hosting, but it eliminates maintenance worries, uptime is their responsibility.

      Cloud front, F5, imperva: protection from: sql injection, basic script attacks, ddos, and man in the middle.

      To avoid them you’d have to stick to small time web sites that self host and handle attacks on their own. Funny enough when I ran small-time sites we never had a successful injection attack, and I handled a ddos attack by just blocking IPs one at a time till they gave up. It’s not hard, but when the company hits a certain size where they hire a cyber security specialist, all the sudden we need these additional protection tools.

    • ultranaut@lemmy.world
      link
      fedilink
      arrow-up
      4
      arrow-down
      2
      ·
      11 months ago

      A significant percentage of the internet relies on them. There’s basically no avoiding these companies while using the internet as it now exists.

      • El Barto@lemmy.world
        link
        fedilink
        arrow-up
        7
        arrow-down
        4
        ·
        edit-2
        11 months ago

        That’s a circular argument.

        “It’s impossible to avoid this these companies because a lot of sites use them.”

        Ok. Why?

        “Because they provide fundamental services.”

        Ok, what’s so fundamental about them?

        “A lot of sites use them.”

        …ok? WHY?

        • Strykker@programming.dev
          link
          fedilink
          arrow-up
          12
          arrow-down
          1
          ·
          11 months ago

          The service they provide to websites is “better user experience” by acting as a cdn close to the user they get better download speeds and responsiveness. It also is a benefit for the business because they don’t have to worry nearly as much about deploying and maintaining multiple servers around the world.

          That is why it’s impossible to avoid these companies, every sane website engineer is going to want the services they offer.

          And it’s a service that is easiest to offer when you are an already established large cdn.

              • El Barto@lemmy.world
                link
                fedilink
                arrow-up
                1
                arrow-down
                4
                ·
                11 months ago

                User experience?

                Wait, I thought we were talking about more than just user experience.

            • Strykker@programming.dev
              link
              fedilink
              arrow-up
              3
              ·
              11 months ago

              Sure 100% you can build a website without them.

              But anyone expecting to serve millions of users is going to use and need them or the user experience will suffer

              • El Barto@lemmy.world
                link
                fedilink
                arrow-up
                1
                arrow-down
                1
                ·
                11 months ago

                That’s my point. So it’s not fundamental. Just fundamental for big sites.

                And not anyone. Cloudfare and AWS are not the only cloud/CDN services in the world.

                But I understand now.

                • freedomPusher@sopuli.xyz
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  11 months ago

                  The pattern is that big businesses can afford their own infosec experts and have no use for CF (who poses a disclosure risk to their business). It’s the small mom & pop shops that cling to CF. They hire someone cheap who doesn’t have a high infosec proficiency, who just takes the cheap lazy path of deploying the site on CF. They usually don’t even bother to tweak CF’s extra privacy-hostile default settings.

            • freedomPusher@sopuli.xyz
              link
              fedilink
              arrow-up
              2
              ·
              11 months ago

              You say “fundamental” when I think (from context) you mean to say “essential”. But to be clear, Cloudflare is not essential to business or the internet. Consider banking in the US. Big banks are competent enough to not need CF. But credit unions are small and on shoestring budgets. So CUs are increasingly exposing all their customers to Cloudflare to save money. If you are a client of a CU that starts using Cloudflare, I suggest switching to paper statements and quit using the website. Switch to a CU that does not expose you to Cloudflare. So far that’s not difficult but that could change.

        • kelvie@lemmy.ca
          link
          fedilink
          arrow-up
          5
          ·
          11 months ago

          Not sure why people are being so weird about answering your questions, but e.g. CloudFlare does DDoS protection which now basically everything you put on the internet needs some type of , and is far too complicated to do yourself, when you need it.

          Thus CloudFlare (or AWS’s equivalent) is pretty essential. I’m sure there are other reasons too.

          • El Barto@lemmy.world
            link
            fedilink
            arrow-up
            2
            arrow-down
            5
            ·
            11 months ago

            Thanks. Though I knew all that, I appreciate your response.

            I guess DDoS protection is essential, but the fundamental part is dependant on the seevice provider’s goal. If I just want to host a game over the internet for my friends, Cloudflare is not really fundamental for that. For businesses, though, yeah.

            • freedomPusher@sopuli.xyz
              link
              fedilink
              arrow-up
              2
              ·
              11 months ago

              Admins tend to have an exaggerated degree of self-importance. They think their own service is somehow so important that downtime is just not an option, even at the cost of pawning all their own users/supporters traffic to a tech giant in a country without privacy safeguards. And they do that even when offering a non-profit service like a fedi instance. It’s a total disregard for privacy even when no money is on the line. Part of the problem is not only are they not hiring experts but they can’t be bothered to develop the competency themselves. They don’t factor in or realize the fact that web security is part of the task they are signing up for. Like someone saying they want to sell fries but they don’t want to be bothered with finding a potato supplier. If they want to reject a fundamental component of the activity, perhaps that activity is not for them.

        • ultranaut@lemmy.world
          link
          fedilink
          arrow-up
          4
          arrow-down
          1
          ·
          11 months ago

          Sorry, I was assuming that people knew what they did or would look it up themselves. The short and non-technical answer is “the cloud” actually means “other people’s computers” and these companies are the “other people”. The why of it is complicated, there are both technical and economic reasons. I think it probably comes down to efficiency and economies of scale.

          • El Barto@lemmy.world
            link
            fedilink
            arrow-up
            1
            arrow-down
            1
            ·
            edit-2
            11 months ago

            Care to elaborate?

            So far it seems like it pertains to big sites. So if these cloudfare et al are “impossible to avoid” for any other scanario, I’ll be happy to be schooled.

            • lud@lemm.ee
              link
              fedilink
              arrow-up
              1
              ·
              11 months ago

              AWS is impossible to avoid because there is an incredible amount of stuff on their services. A large portion of websites are hosted there in full or in part. Their various compute services are used by a lot of companies.

              AWS is so incredibly big that they are basically “the cloud”. There are of course other providers (Microsoft Azure being the second biggest one) but the developed world would be in chaos if they shutdown overnight.

              I am not a huge fan of how big they are, but they are obviously doing a good job.

                • lud@lemm.ee
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  11 months ago

                  That seems very hard and inconvenient and a waste of time with no benefit. But you do you.

                  • El Barto@lemmy.world
                    link
                    fedilink
                    arrow-up
                    1
                    ·
                    11 months ago

                    Wait. You’re all whining that using cloudflare has serious privacy issues, in a privacy-related community.

                    …and when I mention that I prefer not to use cloudflare, it has no benefits?

                    Then why whine at all?

            • some_guy@lemmy.sdf.org
              link
              fedilink
              arrow-up
              1
              ·
              11 months ago

              A quick web search suggests that AWS (Amazon Web Services, I think) hosts 32% of websites. I don’t have more nuance to provide other than to agree that these companies provide architecture to a huge portion of the modern internet. Most of everything is held by a small number of companies, just like wealth is concentrated in a small percentage of the population with huge companies owning most of the market.

      • freedomPusher@sopuli.xyz
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        11 months ago

        Cloudflare can be avoided so far but this may not hold up for long. There are browser extensions that put a strikethrough on all links to CF sites. There is also a search service (Ombrelo) which tags and down-ranks Cloudflare sites in the results. There is a bot you can follow on Mastodon that will DM you whenever you share a link to a CF website, so you can remove it (documented here).