Regardless of whether or not you provide your own SSL certificates, cloudflare still uses their own between their servers and client browsers. So any SSL encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?
Because it’s not always about the encryption. I use Cloudflare tunnels because they are a good way of exposing sites to the internet without exposing my IP or opening ports, which means I don’t have to worry as much about DDoS or other attacks and therefore I don’t need to spend as much effort defending against them.
Even Cloudflare decides to inspect my traffic (and seriously why would they care about a tiny hobbyist website) it’s not like it gives them full access to everything, there are other controls you can use depending what your site is for.
Honestly what I don’t understand is why some on this sub have such strong objections to Cloudflare. Like I get they are a terrible company in a lot of ways, but name a tech company that isn’t?
The good old “eh what do i care i dont have anything to hide” approach to security and privacy. Excellent!
“If you have nothing to hide then you dont have to worry!”
I wont respond further in this thread because i already know how these discussions go.
Why would anyone argue that other companies are saints? Are you aware you are in /r/selfhosting here? The whole point is to regain control of your own data, be in charge of who stores what, where and how.
But if you don’t trust Cloudflare, who do you trust, and why? Do you trust your ISP? Do you trust Intel or AMD? The people who manufacture your router or other networking kit? People’s trust boundaries exist at different levels. If you are happy with your own, fine, but you don’t get to tell other people that they are doing it wrong just because their boundaries are different.
As i already replied to you in another comment… that is the definition of selfhosting of this subreddit, which you are now participating in.
And no, i dont trust anyone. I dont trust my ISP. I dont trust Intel or AMD. I dont even own a computer. And my house is powered by a diesel generator only 2 hours per day, while its covered completely in aluminium foil. I am writing these reddit comments on post-it notes and every few minutes i send one of my kids on their bicycle to drive to a random neighbour and they post them for me.
But youre not getting any more post-its from me, dont worry.
You don’t need to use CF tunnels to get DDoS protection and to hide your IP. If you are using CF tunnels without being undee a CG-NAT then you are getting MITM’d for nothing.
If you use CF for DNS and turn on the proxy, they still MITM you.
You have a very narrow view of why certain technologies should or should not be used. I’m not behind CG-NAT but there is still plenty of value to Cloudflare tunnels for me. Even behind my IP I have a fairly complex network environment but CF tunnels make it easy for me to stand up a connection from a cluster, make it resilient and highly available, and automatically handle failure modes to keep the service up to the world. They also give me a transferable configuration that allows me to quickly move my apps to the cloud or to other hosting if I need to.
So no, I’m not “mindlessly” using them, and I’m not using them just for security or just for DDoS protection. I’ve actually put quite a lot of thought into my architecture and why I used certain technologies, thank you very much.
What difference does that make? I only ever heard one realistic reason for hiding your IP, which was a guy living in a suburban neighborhood with static IPs where the IP indicated his house almost exactly.
If you have a dynamic IP it will get recycled. If you get a static IP it will eventually get mapped to your precise location, Google & other big data spend a lot of time doing exactly that.
If your services are accessible from the internet they are accessible… doesn’t matter that you don’t open ports in your local LAN, there’s still an ingress pathway, and encrypting the tunnel doesn’t mean your apps can’t get hacked.
How many DDoS’s have you been through? Lol. CF will drop your tunnel like a hot potato if you were ever targeted by a DDoS. If you think your $0/month plan is getting the same DDoS protection as the paid accounts you’re being super naive. Let me translate this page for you: your DDoS mitigation for $0/mo amounts to “basically nothing”. Any real mitigation starts with the $200/mo plan.
I am concerned about them being a technical SPOF for much of the internet, and there is the possibility that some hitherto unknown long-term persistent data gathering infiltration is able to sweep up a massive amount of information. And maybe they will turn malicious? Who can say? There’s plenty of precedent. How long between when it happens and when we find out?