by kromem 2842 days ago
Not in the case of Tor, but also not in the case of almost all/most cloud hosted services.

For example, consider that Cloudflare proxies about 10% of the Internet. Well, if you request a site they proxy, and DNS is in the clear, it's obvious who you are connecting to.

But if you request a site and the DNS is encrypted, you could be visiting any one of 10% of the sites out there.

Similarly, if hosting on AWS or Google Cloud platform, there's a LOT of other services hosted in those IP blocks, and IPs change frequently, so there's a significant degree of ambiguity.

This is all in addition to fixing the threat of DNS leakage for VPN/Tor connections.

2 comments

> Cloudflare proxies about 10% of the Internet

... and strips SSL off on their side, so 10% of internet is, in fact, MITMed.

Be fair, this is configurable. So only 9.9% of the internet is probably MITMable.

(:

What is configurable, apart from not using CF?
CloudFlare's customers can choose whether the backhaul, between CloudFlare and their own web servers, is HTTP, HTTPS with a CloudFlare issued private certificate, or HTTPS using publicly trusted certs from the Web PKI.

If you choose either of the latter two options, bad guys can't MITM you. The middle option has the benefit that they can't even MITM you by subverting a public CA (since only CloudFlare's own certs are trusted); the latter option has the benefit that you can "just" switch off CloudFlare and your site now works as an ordinary HTTPS site with no changes, if you ever want to do that.

In all those options, CF still terminates (strips) SSL from user traffic to plaintext, on their platform, hence MITM by Cloudflare.
And other large parts of the internet are "MITMed" by AWS, Heroku, Microsoft Azure or other hosting companies then. For some reason people don't make the same argument in every thread about AWS though.
Defaults matter. So you are probably right.
The majority of the Internet is MITMed nowadays.
... except that SNI isn't encrypted.
Good point - I totally forgot about that.

So yeah - it mostly only matters for VPN/Tor traffic.

Not yet, but encrypted SNI is on the way.