by tristador 2342 days ago
The recommendation of Cloudflare here seems poor. Using CF to make an HTTP-only site support HTTPS will only prevent MITM between CF and the end user. MITM between my server and CF is not improved as it's still HTTP. Yes, you can add a self-signed cert and tell CF not to check the cert validity, but that doesn't prevent MITM.

Worse, Cloudflare can inject JavaScript into your site. The default settings will show Captchas to users if CF thinks they are not trustworthy. So you end up with MITM anyway if you aren't careful. For a static site, does a captcha really make sense? Cloudflare makes the internet worse with insane defaults like this.

https://community.cloudflare.com/t/getting-cloudflare-captch... https://www.techrez.com/remove-cloudflare-challange-page/


Then again, the defaults of the internet let anyone remove you from it with a $5 booter and your data is in cleartext and your MITM is every ISP + any hop in between instead of just your reverse proxy.

Takes defaults far more insane than Cloudflare to do worse than the internet status quo.

CF is undoubtedly good for DDoS protection, but that doesn't negate the fact that it does other things poorly.

FWIW I've found more websites that prompt for Cloudflare captcha than I've seen websites offline due to DDoS. I've seen lots of websites offline because they get too popular though. Many websites that I've known were currently under DDoS attack stayed online while I used them (like GitHub using Akamai).

At the risk of Troy writing a blog post proving me wrong... does the average static website need DDoS protection? I'd guess they don't.

Can I pay 5 dollars to have the attackers attack my monero powered site? All of those resources generating coins should be worth more than 5 dollars.
Sorry, what is a “$5 booter”?
Automated service for issuing DDoS attacks.
Cloudflare itself has a feature to issue certs to protect CF<->your server.
Indeed it does, and I’ve been using this in production for many months.
Hmm, I haven't seen this - do you know if it's available on the free tier?
It's their "Full Strict" HTTPS setup [1]. It's included on the free tier, I've been using it over a year and counting.

[1] https://support.cloudflare.com/hc/en-us/articles/200170416-E...
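As an added example (not code from this thread and not Cloudflare's own), here is what the difference between the "Full" and "Full (strict)" origin checks discussed above amounts to, modelled with openssl. The script generates a private CA standing in for the one the proxy trusts, an origin certificate signed by that CA, and a self-signed "rogue" certificate for the same hostname, the kind an on-path attacker between the proxy and the origin could present. It then applies both acceptance rules to each certificate. The hostname origin.example.net, the CA name and the function names are made up for the demo.

```shell
#!/bin/sh
# Added example, not Cloudflare code: models "Full" vs "Full (strict)"
# origin certificate checks with openssl. All certificates are generated
# here; origin.example.net and "Demo Origin CA" are made-up names.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
ORIGIN_HOST="origin.example.net"

# Private CA standing in for whatever CA the proxy trusts for origins.
# openssl's default req -x509 settings mark it as a CA (basicConstraints).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Demo Origin CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Legitimate origin certificate: a CSR from the origin, signed by the CA,
# with a SAN carrying the real hostname.
printf 'subjectAltName=DNS:%s\n' "$ORIGIN_HOST" > "$WORK/origin.ext"
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=$ORIGIN_HOST" \
  -keyout "$WORK/origin.key" -out "$WORK/origin.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/origin.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/origin.ext" -out "$WORK/origin.pem" 2>/dev/null

# Rogue certificate: self-signed, same hostname, never seen by the CA.
# An attacker sitting between the proxy and the origin can mint this freely.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=$ORIGIN_HOST" \
  -addext "subjectAltName=DNS:$ORIGIN_HOST" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null

# "Full": TLS to the origin, but no validation of the presented certificate.
# Anything that parses as a certificate is accepted, so the rogue cert passes.
check_full() {
  if openssl x509 -in "$1" -noout 2>/dev/null; then
    echo accept
  else
    echo reject
  fi
}

# "Full (strict)": the chain must lead to the trusted CA and the name must
# match the origin hostname. The rogue cert fails the chain check.
check_strict() {
  if openssl verify -CAfile "$WORK/ca.pem" \
       -verify_hostname "$ORIGIN_HOST" "$1" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

echo "origin cert, Full:        $(check_full "$WORK/origin.pem")"
echo "origin cert, Full strict: $(check_strict "$WORK/origin.pem")"
echo "rogue cert,  Full:        $(check_full "$WORK/rogue.pem")"
echo "rogue cert,  Full strict: $(check_strict "$WORK/rogue.pem")"
```

Run it with sh and openssl 1.1.1 or later on the path. The rogue certificate is accepted under the "Full" rule and rejected under the strict rule, which is exactly the point made above: a self-signed origin certificate with validation switched off encrypts the proxy-to-origin hop but does nothing against an attacker who can terminate TLS on that hop with a certificate of their own.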

Ah, right, I knew about this, but you still need to setup an SSL cert yourself; I thought you'd meant there was some kind of turn-key solution for E2E I wasn't aware of.
How would you propose a 3rd party intermediary provide secure end to end encryption without you creating a client side cert?

Takes 30 seconds with letsencrypt to create your own TLS cert.

If you are suggesting CF do it server side then it's nothing more than snakeoil.

> Takes 30 seconds with letsencrypt to create your own TLS cert

You know very well that's not true, and that kind of exaggeration does Let's Encrypt no favours. I'm sure it doesn't take long when it just works, but when I've used the acme client before on systems with Apache and nginx, it was a complete PITA to get working. I haven't had to use it for a while though, so newer versions of the acme client might well be much better.

> If you are suggesting CF do it server side then it's nothing more than snakeoil

No, I didn't mean that.

What I meant was something simpler than Let's Encrypt, where you didn't need to expose an HTTP endpoint on your server for proof of domain ownership, since Cloudflare already know you control particular domain names and no further validation is needed.

Perhaps they could provide a one-time use GUID, which you'd pass to a simple client on your server, which could then send a CSR containing that GUID to a Cloudflare endpoint, which would in turn sign your CSR.

It's called the Origin CA and yes it's available on the free tier.

https://support.cloudflare.com/hc/en-us/articles/11500047950...

My primary concern with Cloudflare proxied sites is that I have no way to assess the technical competency of the sites they proxy. I can check most HTTPS sites using an online tool such as SSL Labs or Mozilla's Observatory. For example I discovered a local mobile operator who had not bothered to patch their primary web server against Heartbleed an entire year after the exploit was discovered, which was a real shocker.

Cloudflare are technically competent which is great, but their clients are impossible to assess. I see a lot of formerly insecure local web servers switching over to Cloudflare (and HTTPS), and I know it's the same morons operating the web server. For me the safe default assumption must be that the site behind them is run by people who are not technically competent. I suppose Cloudflare could set a server header indicating the connection between them and the proxied site is HTTPS?

I put in a support request back in March 2017 asking them to add a header indicating which type of HTTPS setting was used (flexible/full strict/full weak/etc) and this was their response:

Hello Ryan,

This is something we are definitely considering. I will pass your feedback on to our team. Of course, we need to carefully consider the security implications for the millions of sites using Cloudflare before making this change, as it may have unforeseen consequences. Let me know if there's anything else that I can help with at all!

Best Regards,

Easier for you to assess the technical competency, however nice for you = larger attack surface for the site. Why would anyone in their right mind expose unnecessary info for hackers (whether whitehat or blackhat) to assess whether they’re an easy target? This is like asking people to turn on nginx server_tokens. Also, unnecessary headers -> more bytes transferred -> more bandwidth cost, especially for very short responses (but probably doesn’t matter for Cloudflare.)
Agreed. Cloudflare makes it impossible for people using TOR, proxies and any browser except the most popular ones. I like Troy, but this advice really rubs me the wrong way.
> Cloudflare makes it impossible for people using TOR, proxies and any browser except the most popular ones.

Does it? I know the defaults can be overly sensitive, but I wouldn't call it impossible.

I have my site behind Cloudflare, using its protections:

> ALPN, server accepted to use h2

> Server certificate:

> subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com

> ...

> GET / HTTP/2

> Host: sixteenmm.org

But you won't find any issues streaming the videos on it under Tor. I, and several others, regularly do.

That's a feature, though. 99.9% of the time, someone who checks those checkboxes is abusing your service, not some rogue journalist doing research under an oppressive regime like we like to believe (lol). You're better off thanking bad actors than people choosing Cloudflare to get some relief from holavpn/iot botnets which are dirt cheap and getting cheaper every day.
I think you'll find a number of people who have seen issues (myself included). Things like adding Cloudflare on top of an API, breaking clients when CF decides their IP needs verification. Besides, other than DDoS, how do you abuse a static site?
> I think you'll find a number of people who have seen issues (myself included).

Yes, that's the difference between 99.9% and 100%. Cloudflare cited traffic percentages which match what most experienced site operators have seen, with a much higher percentage of malicious activity using Tor than most other networks and no easy way to have per-user reputation (that was the impetus for developing the “Privacy Pass” feature).

Here's what they said at the time, which also has some answers for your question about non-DoS problems:

> On the other hand, anonymity is also something that provides value to online attackers. Based on data across the CloudFlare network, 94% of requests that we see across the Tor network are per se malicious. That doesn’t mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network. To give you some sense, based on data from Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network.

https://blog.cloudflare.com/the-trouble-with-tor/

What does a static site abusing tor user look like?