by Operyl 2868 days ago
Cloudflare has very specifically owned IPs and a number of telltales to show that a site is behind it. Why do you have beef when it's practically dead simple to see that a site is protected by Cloudflare? There's zero obfuscation.

Please, how exactly can I see it in the browser?
Well, thanks, but as I thought, it's not that easy. First one is by CF themselves, no source :) Second is not used and not working. And nothing for Safari.
Incorrect, the source is freely available, :).

https://github.com/cloudflare/claire

Well done, my bad :)
So some things you can look for in a request:

  * `server: cloudflare` - Although CloudFlare uses nginx, they report 
    themselves properly in the server header
  * `Cookie: _cfudid:*` - CloudFlare uses the cookie header to identify 
    users and prevent abuse. If you delete this cookie too many times,
    your IP is flagged by CloudFlare and you may receive an interstitial 
    blocking you from accessing a site.
  * IP Ranges: https://www.cloudflare.com/ips-v4 and 
    https://www.cloudflare.com/ips-v6 - CloudFlare owns the routing 
    to these IP addresses. If you want, set up some firewall rules to block 
    access to these ranges.
All in all, CloudFlare is probably the least of your worries. You might want to do some investigation on your ISP, some of which MITM and track any insecure content.
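
Added example, not part of the comment above: a Python check that combines two of the listed signals, the `server` header and membership of the peer address in a published range list. The function names are hypothetical, and the prefixes and HTTP response are constructed samples (documentation-only address space); in real use the range list would be loaded from the two URLs in the comment.

```python
import ipaddress

# Constructed placeholder prefixes (RFC 5737 / RFC 3849 documentation space).
# Assumption: the real lists at the two URLs above use this one-CIDR-per-line form.
SAMPLE_RANGES = """\
192.0.2.0/24
198.51.100.0/24
2001:db8::/32
"""

# Constructed sample of a raw HTTP response as captured from a socket.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: cloudflare\r\n"
    "\r\n"
    "<html></html>"
)

def parse_ranges(text):
    """Turn a one-CIDR-per-line list into network objects, skipping blanks."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def parse_headers(raw):
    """Map lower-cased header names to value lists; stop at the blank line."""
    headers = {}
    for line in raw.splitlines()[1:]:      # [1:] skips the status line
        if not line.strip():
            break                          # end of headers, body follows
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def cloudflare_signals(peer_ip, raw_response, networks):
    """Report each signal separately: the header is self-reported by the
    server, while the peer address is what the client actually connected to."""
    addr = ipaddress.ip_address(peer_ip)
    in_range = any(addr.version == n.version and addr in n for n in networks)
    servers = parse_headers(raw_response).get("server", [])
    return {
        "ip_in_range": in_range,
        "server_header": any(v.lower() == "cloudflare" for v in servers),
    }
```

The two results are kept apart on purpose: any server can send `server: cloudflare`, so a header match without a range match deserves less weight than the reverse.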
No joke. CloudFlare is near the bottom of my list of worries. I'm most concerned about my bank. They know goddamn everything about my spending history, and it's a complete treasure trove of data because it actually shows where I spend money.

I'm second most concerned about my ISP. They see every outgoing connection I make, and have no trouble tying it all back to me.

Cloudflare is... just not that big a deal. Are you concerned about Microsoft being able to MITM every connection to a site hosted on Azure? Amazon being able to MITM every connection made to AWS? Google being able to MITM every connection made to GCE?

"Yes" is a fair answer, but it means you're using a minuscule fraction of the available internet. Otherwise I don't really see the need to pick on Cloudflare. They're doing exactly what the company that's using them asked them to do (and getting paid for it too...)

> Cloudflare is... just not that big a deal. Are you concerned about Microsoft being able to MITM every connection to a site hosted on Azure? Amazon being able to MITM every connection made to AWS? Google being able to MITM every connection made to GCE?

It's not just Cloudflare themselves though. It's everyone else on the open Internet between the Cloudflare edge node and the site I actually wanted to connect to.

I'm not too worried about the parties that the site operator has a direct contractual relationship with, but traffic from Cloudflare could be going unencrypted to literally anyone with an AS number.

> doing exactly what the company that's using them asked them to do

But how can I, a website user, know it? Given how many sites are served by CF, my private, decrypted data can be aggregated and I would have no clue.

For ISPs, use a VPN. And I doubt (seriously) AWS (Azure) has the means to do MITM, reading private keys from virtual machines? C'mon.

Banking is a real bitch, agree :)

> You might want to do some investigation on your ISP

Don't most ISPs have to live up to certain laws about protecting the customers? I think those regulations are much more strict than what is required of CloudFlare.