This part seems pretty pertinent to this site considering its political nature:
Cloudflare poses a huge risk by completely breaking the TLS/SSL chain used by browsers by setting itself up as a man in the middle. Cloudflare doesn’t do actual DDoS protection, they just make the request to the origin server for you. Once they have received the data, they decrypt it and re-encrypts it with their own certificate. This means that Cloudflare has access to all requests in plain text and can optionally modify the data you see. TLS/SSL is meant to prevent this very issue, but Cloudflare seems to care very little.
If we would consider Cloudflare to be a benevolent entity and surely never modify any data ever, this is still an issue. Much data can be mined from the plain text communications between you and the origin server. This data can be used for all kinds of purposes. It is not uncommon for the USA government to request a massive amount of surveillance information from companies without the companies being able to speak up about it due to a gag order. This has become clear once more by the subpoena on Signal. It should be clear to anyone that end-to-end encryption has to be a standard and implemented properly. Cloudflare goes out of its way to break this implementation.
Considering that this site uses Cloudflare, I don’t think it would be great if the feds could intercept all of our passwords and impersonate us.
Cloudflare is awful and all that but do they actually get to see all the data between the user and the site or is it the initial request? Maybe a comrade can shine more light on this
If you go into the network tab of the developer menu (inspect element) of your browser and then click around the site, you will see a bunch of requests pop up. If you click on any one of them and look at its headers, you will see the headers in the response: https://hexbear.net/pictrs/image/4pMZxhYszm.png
If we were connecting directly to the Hexbear servers (which we are not, we are connecting to them through Cloudflare), TLS (the encryption protocol that HTTPS uses) should make it impossible to view or edit any of the contents of the data sent between the servers. Yet here we clearly see that Cloudflare has added some new data in the form of HTTP headers. This must mean that Cloudflare can intercept and edit the contents of the requests and responses. In effect, Cloudflare is MITMing the connection.
If you have ever seen a Cloudflare “checking your browser” screen you would already know this, as it is impossible for Cloudflare to show you that page without intercepting and editing the data in the connection.
In conclusion, yes, Cloudflare can really see all (this includes your passwords in plaintext!) the data between the user and the site, after all, you’re not even connecting to the site: you’re connecting to Cloudflare which then makes requests to the site on your behalf.
No. Because the thing is: you’re not connecting to the Hexbear servers at all; you’re connecting to Cloudflare which then (decrypts your request) makes requests to Hexbear’s servers (and then decrypts the response to send back to you) on your behalf. Since you’re not connecting to Hexbear’s servers at all, the status of its cert is completely irrelevant.
