by smacktoward 2477 days ago
As much as I like the idea of baking better privacy tools into the browser, it's hard for me to get enthusiastic about the idea of making Cloudflare even more of an official man-in-the-middle for all network traffic than they already are.
5 comments

A better question that we should be asking is, how the hell did we get to the point where we need a third party proprietary platform to serve a static file efficiently? I remember a time when mainframes would automatically place orders for their own parts when they broke down and when personal computers empowered people to easily create and remix. Somewhere between then and now we forgot how to make things simple and easy to use. Somehow despite the advances of HTTP/2, WebRTC, the upcoming WebTransport, web hosting is now harder than ever even though things are supposed to be more efficient. Apache and NGINX are far from accessible to your average user. Countless sites depend on proprietary "as a service" oligopolies like Cloudflare and Netlify. Hosting an email server these days is almost an exercise in frustration; what happened to the mythical unikernel? Where is my secure, turnkey email server image? Unikernels were supposed to make ops easier and things more secure. Somehow they never showed up despite all the hype on HN. Zero config self hosting projects like Sandstorm are half dead. It's easy to complain about tech giants, but we are not exactly providing end user alternatives. The world does not need yet another Lisp interpreter, the world needs high quality zero maintenance software that is easy and accessible.
We are so much better at adding complexity than removing it. There are tons of incentives that drive that: the difficulty of upgrading old stuff, the need for companies to invent reasons to exist, bureaucracy, job safety and creating reasons for employment (the personal version of corporate self promotion), featurism and comparison on features, etc. There are almost no incentives pointing the other way.
This is all a sign of growth, most of it for the better.

There are now billions of people accessing the web, so sometimes a web site needs the resources of a company like Cloudflare to handle traffic spikes.

Decentralized email has been a victim of its own success: because there is no central email authority, spammers and bots can easily flood email boxes. If you don't mind the spam, it's actually not hard at all to set up an email server, but most people hate spam, so most people don't want to set up an email server. There is no pure technological solution to spam, so we fall back on companies to help manage it.

Thanks for the reminder about Sandstorm. I intend to try it out sometime. I hope it's not dying.

Sandstorm is kind of still there. They discontinued the free tier for their hosted platform because they ran out of money. The founders went to work elsewhere but maintained the project on the side last time I checked.

I think it’s a shame, it’s a lovely concept. The capability-based security alone is game-changing.

Details here: https://sandstorm.io/news/2018-08-27-discontinuing-free-plan

It's not a sign of growth. Among other things, it's a sign that we have grown complacent about complexity and are not doing our job of keeping it under control.
HashCash.org anyone? Proof of work e-mail.
It's such a shame that Hashcash never took off. It solved many of the problems with decentralized messaging a long time ago.
I am still not sure how much one can trust Cloudflare as an entity. At some point people started putting loads of stuff behind Cloudflare, enabling them to be the perfect MITM, which is concerning. Probably only a question of time until some profit-seeking people come around and see opportunity in it and then we are screwed even more than we are already with Google captchas. Then we will not be able to use many more websites any longer, because someone in their incredible wisdom decided to put everything behind Cloudflare. Scary.
You could say the same thing about any CDN - Cloudfront, Fastly, Akamai, etc.

Is it right to say that the only reason Cloudflare is the forefront of this concern is because of their business model of offering the CDN for free, while the others have a much more limited free tier or service or none at all?

I am almost equally worried about other very popular CDNs. However, being the most used CDN makes some people short-circuit and not think about the dangers any longer. Just like with captchas from Google. Many people simply put them onto their websites without ever thinking about that, "because everyone does it". If so many people put stuff behind Cloudflare, then at some point the same kind of people, who put captchas without thinking, will put stuff behind Cloudflare without thinking.

Scripts and other stuff from first party usually seem to me at least more trustworthy than something from a third party. It also saves me the mental step of thinking: "Hmmm, why are there scripts loaded from a third party? Is this some kind of ads stuff?"

If a website does not work without unblocking third party scripts, there is some chance that I will simply abandon it. When a website's purpose is to inform me about something and I do not see the need for any interactivity, I might also abandon it if it does not show content without unblocking scripts in general, including first party. Web frameworks, which do not take care of at least presenting something when scripts are not unblocked, thus make a website less trustworthy for me.

If you care about privacy then you SHOULD say the same thing about any CDN. Sucks that there's all this awesome infrastructure that we can't use anymore, but that's the trade off.
Single Point of Failure and Attack Vector, what could possibly go wrong?
This. Many people do not realise that CF can see inside encrypted HTTPS traffic. Your logins, passwords and keys.
If you don't know who you can trust to provide a trustworthy proxy service, then there's a lot to be said for choosing a provider who can already MITM a good chunk of your traffic even before you turn on their proxy.
Huh?

As I see it, "[i]f you don't know who you can trust to provide a trustworthy proxy service", you distribute trust among multiple providers, such that they must collaborate to pwn you. That's the basis of Tor. And you can do something similar, albeit far weaker, by using nested chains of VPN services.