/tech/ - Technology


File: 8772dd16445c5ff⋯.jpeg (63 KB, 1600x808, 200:101, serveimage.jpeg)

 No.893582>>893642 >>894103 >>895294 >>895681 >>895760 >>897537 >>903888 >>903914

>Cloudflare, a well-known Internet performance and security company, announced the launch of 1.1.1.1---world's fastest and privacy-focused secure DNS service that not only speeds up your internet connection but also makes it harder for ISPs to track your web history.

>Cloudflare has changed this game with its new free DNS service, which it claims, will be "the Internet's fastest, privacy-first consumer DNS service," promising to prevent ISPs from easily tracking your web browsing history.

>The company has also promised not to sell users’ data, instead to wipe all logs of DNS queries within 24 hours. It's also working with auditors at KPMG to examine its systems and guarantee it's not actually collecting your data.

https://thehackernews.com/2018/04/fastest-dns-service.html

Can it be trusted? It has a faster response time than Google's DNS which is impressive.

 No.893584>>893585 >>893587 >>895313

>Cloudflare

botnet

>Google

botnet

Just use your ISP's DNS tbh.


 No.893585>>894151

>>893584

That's a funny way to spell OpenNIC


 No.893587>>893670 >>894151

>>893584

Depending on your ISP that's certain doom, compared to the uncertain doom of this one.

Cloudflare would have to be lying very explicitly with the cooperation of a large auditing company to botnet it up. That's not strictly impossible, but I doubt it would be worth it.


 No.893588>>893598

According to some tests I have seen it is really the fastest

I wouldn't use myself, but will probably set while configuring someone's computer


 No.893592>>893594

I really don't understand how this whole DNS thing works

Why are we dependent on internet-based DNSs instead of each device working as its own DNS server? Having your own DNS server is not simple, needing to set up a Raspberry (Pi-hole), buying a specific router or installing strange software

If the DNS solving is done outside how does DNS-based adblocking work?


 No.893594>>893641

>>893592

Think about it for a minute. How would your device know which IP address example.org points to? It needs some other source of information to know, so it would need to defer to another DNS server. It would just be a local cache.

DNS-based adblocking works by modifying the hosts file. It's a local file that's used for domain name resolution first. DNS is used if a domain name can't be found in the hosts file.


 No.893598

>>893588

>A DNS server sitting on the same network as cloudflare, which is used by nearly every website on the Internet is fast

who knew?


 No.893641>>893660 >>895175

>>893594

Yes, that much I know

But why can't modern devices work as their own DNS server if even Raspberrys and routers are capable?


 No.893642>>893646

>>893582 (OP)

>within 24 hours

The fact that it ever hits the disk is bad.

<We are privacy focused so let's use a rolling log instead of disabling logging


 No.893646>>896281

>>893642

>The fact that it ever hits the disk

It doesn't.

https://blog.cloudflare.com/announcing-1111/

>We committed to never writing the querying IP addresses to disk


 No.893648>>893754

The reason they log at all is that it's part of the deal. They got control of 1.1.1.1 from APNIC under the condition that they perform research on the traffic it receives, with all kinds of precautions taken.


 No.893660

>>893641

How would a client contact them?

DNS servers are contacted by their IP address, your computer / router contacts the DNS server via its IP and asks it which IP belongs to a given URL. This works because the DNS Server's ip is known and can be contacted directly. For every device / website / whatever to be its own DNS Server, it would

a) have its ip known to your machine (thus, every client would need a full lookup database)

b) constantly send broadcasts to every client. Aka, to all of the billions of devices connected to the Internet at any given time

Also, what would stop Ivan Hackowski from pretending his phishing site's IP was the one belonging to google.com or whatever? Which of the 572591 servers pretending to be eBay should a client connect to?


 No.893670>>893673

>>893587

> would have to be lying very explicitly

>be CIA

>fund companies like google

>be NSA

>fund companies like cloudflare

There's nothing positive about all this.


 No.893673>>893677 >>893956 >>893998

>>893670

>CIA funds google

>NSA funds CF

Interesting. Can you post links to verify this?


 No.893677>>893998

>>893673

commonsense.org


 No.893754>>893932

File: 18af565b43c1be6⋯.gif (162.79 KB, 300x161, 300:161, sauce.gif)


 No.893932


 No.893956

>>893673

Google was built partly on a grant by the Massive Digital Data Systems Project, which was a cooperation between several security agencies, including the CIA. Google probably doesn't need any more grants nowadays, but they still cooperate with intelligence agencies. Don't know about Cloudflare.

http://archive.fo/OzLm8


 No.893987>>893989

can't you just use a site's IP address to bypass the need for a DNS server? how would one obtain a site's IP though?


 No.893989>>893992

>>893987

Obtaining a site's IP address is easy - just send a request to your DNS server of choice.


 No.893992>>893994 >>894106

>>893989

I typed in the IP address for 8ch.net, and it just gave me a cloudflare error "Direct IP access not allowed"...


 No.893994>>895542

>>893992

If it's behind Cloudflare you need to send the appropriate header to indicate which host name you want to visit, which you can do even without having looked up the IP address. Or you can use the real IP address, if you know it and if the server is set up right.

Here's a link to access 8chan directly:

http://206.223.147.214

Here's a way to fetch 8chan's frontpage via Cloudflare without using DNS:

$ curl -k -H 'Host: 8ch.net' https://104.20.43.57/index.html

The -k flag disables the certificate check, because 8chan requires HTTPS but curl doesn't know which domain name to check against.

If you want to do it the boring practical way you can add the IP address to your hosts file as 8ch.net so you can just use 8ch.net as normal without executing DNS queries.
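
Added example, not part of the post above: a local Python server that hosts two sites on one address and chooses between them only by the Host header, which is why a request addressed to the bare IP is refused. The hostnames site-a.example and site-b.example and the 403 response are constructed for the illustration.

```python
"""Name-based virtual hosting on a single IP address (constructed demo)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed site table: two hostnames served from the same address and port.
SITES = {
    "site-a.example": b"front page of site A\n",
    "site-b.example": b"front page of site B\n",
}


class VhostHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        # The TCP connection only says which IP and port were contacted.
        # Which site is wanted is carried by the Host header alone.
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        body = SITES.get(host)
        if body is None:
            # Same situation as typing the IP into a browser: the Host
            # header names no configured site, so nothing can be routed.
            status, body = 403, b"unknown or missing Host header\n"
        else:
            status = 200
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet


def fetch(port, host_header):
    """Connect to 127.0.0.1 by address (no DNS) and send the given Host header."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.putrequest("GET", "/", skip_host=True)
        conn.putheader("Host", host_header)
        conn.endheaders()
        resp = conn.getresponse()
        return resp.status, resp.read().decode()
    finally:
        conn.close()


def demo():
    server = ThreadingHTTPServer(("127.0.0.1", 0), VhostHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {
            # What a browser sends when the address bar holds the bare IP.
            "by_ip": fetch(port, "127.0.0.1:%d" % port),
            "site_a": fetch(port, "site-a.example"),
            "site_b": fetch(port, "site-b.example"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(name, status, body.strip())
```

With curl, the --resolve option (for example --resolve 8ch.net:443:104.20.43.57 with the URL https://8ch.net/index.html) pins the address without a DNS lookup while still using the hostname for SNI and certificate verification, so -k is not needed.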


 No.893998>>895301 >>895474 >>900170

>>893673

what >>893677 said it's too obvious

This is a copy pasta but it resumes the situation correctly:

-cloudflare makes it extremely difficult for Tor users and users who disable javascript. This difficulty was originally just a simple CAPTCHA, that progressed into impossible CAPTCHAs (CAPTCHAs that would reject all answers), and finally outright blocks in the case of archive.is; this effectively bans the most security and privacy-conscious users from your site.

-cloudflare arbitrarily bans whoever they want. Today, it is Tor users who disable javascript. Tomorrow, it could be all Firefox users, Linux users, VPN users, Brazilians, Germans, Snowden supporters, filesharers, anons, children, women, homosexuals, Christians. The exact criteria doesn't matter, because it is completely at the whim of cloudflare.

-cloudflare completely breaks SSL

Standard SSL handshake

User -> website's key -> website

User <- User's key <- website

Only the User and the website can read or write data transferred over the HTTPS connection. Authenticity, integrity, confidentiality guaranteed by cryptography.

cloudflare's SSLmao fuarrrk not

User -> cloudflare's key -> cloudflare -> website's key -> website

User <- User's key <- cloudflare <- cloudflare's key <- website

cloudflare outright decrypts ALL CIPHERTEXT THAT PASSES THROUGH IT. cloudflare has COMPLETE ACCESS TO ALL PLAINTEXT. In other words, cloudflare is a Man-in-the-Middle (MitM) attack.

-cloudflare (untraceably) conducts internet surveillance

-cloudflare (untraceably) steals passwords: online banking, e-voting, internet connected devices, medical implants. If you have used a web frontend for server admin such as PHPMyAdmin, then cloudflare has your server's login password.

-cloudflare (untraceably) steals data: every file uploaded through cloudflare can be read by cloudflare.

-cloudflare can (untraceably) censor content

-cloudflare can implement an Acceptable Content Policy, denying access to any site that does not conform and censor content.

-Word filter

-Copyright detection

-Deep-packet inspection

-Per-user censorship

-cloudflare can (untraceably) tamper with content

-JS exploit injection

-Altering downloaded executables

-Misattributing words

-Framing users for sending data that they did not send.

Untraceably, because unlike a standard MitM, which can always be detected by saving and comparing public keys between sessions, cloudflare is always in the middle and is always either forging a fake public key or even TAKING YOUR PRIVATE KEY.

-cloudflare centralizes the internet, creating a single point of failure. If cloudflare goes down, every server routing through them goes down.

-cloudflare does not actually protect against hacking. They can be bypassed using any proxy other than Tor, let alone nation-state botnets of hundreds of millions of compromised systems.

-cloudflare costs money. You are paying for the privilege of giving away your domain, SSL key and server traffic to a third party.

The rational conclusion to the above would be that cloudflare is attempting to consume the entire internet, like cancer.

As cloudflare is a US corporation, which appeared out of nowhere with more bandwidth and better hardware than most ISPs and has rapidly spread across the internet, it is highly likely they are an NSA front designed to completely take over the internet. Use cloudflare or be DDoS'd, that is the definition of a protection racket. Do not let them succeed, if you value the internet.


 No.894103>>895786

>>893582 (OP)

>can it be trusted

Who gives a shit? If you are putting any form of trust into DNS you're a retard. Cuckflare is fucking cancer and the worst thing to happen to the internet in the last decade. Now when we just want to read a paragraph of text extracted from some faggot clickbait site, we have to configure our scraper in all kinds of special snowflake ways to not trigger cuckflare to block us from the site. Why do these retarded faggots have to be mentioned so many times in this board?

>The company has also promised not to sell users’ data, instead to wipe all logs of DNS queries within 24 hours. It's also working with auditors at KPMG to examine its systems and guarantee it's not actually collecting your data.

"not logging data" has been a standard bullet point to put on your marketing list for 10 years now. The problem is retards like you making a thread because you read this bullet point in some small text somewhere.


 No.894106>>894152 >>894154 >>895243

>>893992

Which proves how fucking retarded cuckflare is. They think (or pretend) that there is some sort of security gain from not routing you to some site by default when you provide no Host header. IIRC (I'm not a web shotter so don't quote me on this) for a site with one IP and one hostname, HTTP 1.0 will just route you to the single site, while HTTP 1.1 and newer require a Host header because the spec says so. There may be some subtle implications (in the vein of CSRF) in not routing somewhere without an explicit Host header, but then the error message "no direct IP access allowed" would still be absurd and indicate that the developers are retarded. Normal HTTP 1.1 + websites will just give you a standard 403 error or something similar.


 No.894151

>>893585

opennic is great in theory but what verification does opennic do on their servers. anyone can add shit on there and just lie about logs. still probably use opennic over cloudflare.

>>893587

>Depending on your ISP that's certain doom, compared to the uncertain doom of this one.

ISP can see it anyway unless you're using encrypted dns.


 No.894152>>894226

>>894106

>all this spec nonsense

apache is fully capable of routing without host in the header, in fact it's the default behavior. unless you explicitly play games it'll route to the first configuration file, or first site if it's one big file, by default if no host is specified.


 No.894154

>>894106

of course (((they))) would love nothing more than to release a spec saying a domain name is required for http and have the browser reject requests by default to straight ip addresses, buy our domains goy, and remember your site better be kosher or we're shutting it down.


 No.894226

>>894152

there's some common configuration people use where you need to send the Host header or it gives 403, unless you use HTTP 1.0. maybe apache, maybe nginx, maybe some way apache is configured with a certain package, etc. tons of sites do this.


 No.894270>>894431

I truly believe cloudflare is part of the global plan to truly control the internet. I mean, even their SSL is fake, since they MITM it (and the browser won't tell you about it).


 No.894271>>894273 >>894291 >>897663

File: b3bb93d9f2afd8c⋯.png (72.19 KB, 761x699, 761:699, Screenshot_2018-04-07_2.png)

File: 1ceaba93ec8cc7f⋯.png (73.38 KB, 759x698, 759:698, Screenshot_2018-04-07_1.png)

Marginally faster, they must've stopped allowing ping requests to 1.1.1.1 because I was getting 24ms to 1.1.1.1 and 54ms for 8.8.8.8 but can't ping Cloudflare DNS anymore.

Tbh, it's better than using Google or your ISPs DNS.


 No.894273

>>894271

>just use the botnet because it is a few ms faster

hello chaim


 No.894291>>895767

>>894271

I get 42.632ms to 8.8.8.8 and 42.724ms for 1.1.1.1.

To the nonbotnet dnscrypt resolver I use, I get 47.429ms.


 No.894295

File: 54e613f7a8dcaff⋯.jpg (615.63 KB, 1080x2220, 18:37, Screenshot_20180407-114805….jpg)

8.8.8.8 is still coming up as slightly faster for me.


 No.894431>>895717

>>894270

SSL is fake to begin with period.


 No.895175

>>893641

Run BIND on your machine and set DNS to 127.0.0.1

The name -> IP mappings come from nameservers that are queried by resolvers. Run your own resolver.


 No.895243>>897663

>>894106

It's really simple - if you don't send a Host header, Cloudflare doesn't know which website you want. The same IP address handles multiple sites.


 No.895294

>>893582 (OP)

>The company has also promised not to sell users’ data, instead to wipe all logs of DNS queries within 24 hours.

>Not deleting it immediately.

>Having anything to delete in the first place.

>It's also working with auditors at KPMG to examine its systems and guarantee it's not actually collecting your data.

>not just letting anyone from the public audit it.

>It's ok. trust these guys they're (((professionals)))

>Can it be trusted?

>cloudflare

>trusted

No. Regardless of your opinion of sites like stormfront the fact they kick you off their platform at all is reason enough not to trust them. The fact they start talking about security and privacy now that normies suddenly care about it, despite it being 6 YEARS after the snowden leaks, means it's just an attempt to bandwagon.


 No.895301>>896951

>>893998

>use cloudflare or be DDoS'd, that is the definition of a protection racket

So you think every time your favorite image board or game site gets DDOSd it's because of the nsa / cloudflare? I'm going to go ahead and guess it's not the NSA, but random fucks taking advantage of the thousands of open memcached servers that have a 50 thousand X amplification.


 No.895313

File: 4d8f433d310d392⋯.jpg (70.01 KB, 640x718, 320:359, 1452462180399.jpg)

>>893584

>my ISP uses jewgle


 No.895401>>895402 >>895561

So, what's a reasonable way of making website ddos-proof?

Setting up your own constellation of gateways? Cloudflare is cheaper and easier.


 No.895402>>902602

>>895401

There is no way you can do it. With this memcached ddos for example getting hundreds of gigabits per second is trivial. You simply have to have enough bandwidth to deal with it. There is no amount of software filtering that can deal with your pipe being filled.


 No.895474>>895476

>>893998

>which appeared out of nowhere

Demonstrably untrue.


 No.895476>>895477

>>895474

Yeah he must have missed the years of blog posts documenting the slow roll out.


 No.895477>>895507

>>895476

You don't know what you've got until it's gone. Or in this case, you don't know what you've got, until it's got you.

>Funding rounds

>In November 2009, Cloudflare raised $2.1 million in a Series A round from Pelion Venture Partners and Venrock.[12]

>In July 2011, Cloudflare raised $20 million in a Series B round from New Enterprise Associates, Pelion Venture Partners, Venrock.[12][13][14]

>In December 2012, Cloudflare raised $50 million in a Series C round from New Enterprise Associates, Pelion Venture Partners, Venrock, Union Square Ventures, and Greenspring Associates.[15][16][17]

>In December 2014, Cloudflare raised $110 million in a Series D round led by Fidelity Investments, with participation from Google Capital, Microsoft, Qualcomm, and Baidu.[18]


 No.895507>>895510

>>895477

>He documents a totally normal rollout


 No.895510>>895521

>>895507

I was backing up your point.


 No.895521>>895536

>>895510

I thought you were implying that this was a sequence of secret CIA / NSA investment


 No.895536

>>895521

That would be completely inane.


 No.895542>>895566 >>895570

>>893994

>Here's a link to access 8chan directly:

>http://206.223.147.214

How the fuck did you get that


 No.895548

I trust CF less than I trust the CIA to anally probe me.


 No.895561

>>895401

turn it off and on again


 No.895566>>899872

>>895542

It was leaked once and people just remembered it. Some guy on >>>/n/ used to link to their threads this way.


 No.895570

>>895542

I think it may have been leaked originally, but they later pointed straw-berry.net at it, so it's not secret.


 No.895623>>895672

cloudflare has been instrumental in breaking the internet. Along with javashit, the destruction of www is nearly complete. Time to move on to more fundamental protocols and technology I see.


 No.895672

>>895623

And you are going to personally dedicate all your time to writing new unprofitable protocols that are only good for piracy?


 No.895681>>895691 >>899879

>>893582 (OP)

>Can it be trusted?

A MitM service that breaks SSL's purpose, managed by the people who brought you Project Honey Pot.

What do you think?


 No.895691>>895697 >>895703

>>895681

You know every VPS provider has access to your private keys when you run a server right? You know that when you use a colo datacenter with your own servers that the staff can get your keys right? You know that your authoritative DNS provider can negotiate a new key without your permission? None of this SSL shit is unique to cloudflare.


 No.895697>>895701

>>895691

They don't just have theoretical access to your private key, they constantly use it. They need to, because caching content is hard if you can't look inside the HTTP stream to see what's being requested.


 No.895701

>>895697

And this is a good thing


 No.895703>>895714 >>900004

>>895691

Sure, but one chooses to use a VPN, and datacenter staff interference is not as practically relevant as what Cloudflare's doing, basically a reverse VPN for a good chunk of all smaller sites people enter information on.

It's not the only way to achieve this by a long shot, but it's a very straightforward way for law enforcement to monitor 'extremist' sites like this one without explicit cooperation by Filipino pig farmers.

Just DDoS a target and force them to turn to a handful of powerful anti-DDoS services and you have a very efficient way to monitor all their users and posts.

It would be a smart thing for the NSA to sponsor, and both the free subscription and this new 1.1.1.1 address must cost a fortune.


 No.895714>>895762

>>895703

>and both the free subscription

This is explained easily. It's not unlimited. They say it is, and then will cite "layer 7 attacks" and kick you off while they shill the business tier to you. The larger customers pay more than enough to cover this.

>new 1.1.1.1 address must cost a fortune.

They already run a DNS infrastructure. It's not like they added thousands of extra servers for this. They just add one more service to their current deployments.

>Just DDoS a target

Look these DDoS attacks are real. It's not the fucking NSA attacking rando sites they don't like. Right now you can go download trivial scripts to do memcached attacks.


 No.895717>>895718 >>897663

>>894431

Can you expand on that?


 No.895718

>>895717

Do you mean the issues with certificate authorities?


 No.895760

>>893582 (OP)

Seeing cloudflare blocks some content, I'm not sure I trust them to not use nxdomain or just meddle with unwanted requests.


 No.895762

>>895714

This is what worries me. If you didn't want to use cloudflare to proxy your site, now you're stuck where anyone using their DNS could be proxied without you even knowing.


 No.895767

>>894291

You all should be timing the queries not the pings to the servers.

We know both G and CF have a large anycast network. Seeing CF already handles a lot of DNS, making a public NS only reduces the amplification attacks they get from other NS.

$ dig ebay.com @8.8.8.8 +trace

; <<>> DiG 9.8.3-P1 <<>> ebay.com @8.8.8.8 +trace

;; global options: +cmd

. 257205 IN NS a.root-servers.net.

. 257205 IN NS b.root-servers.net.

. 257205 IN NS c.root-servers.net.

. 257205 IN NS d.root-servers.net.

. 257205 IN NS e.root-servers.net.

. 257205 IN NS f.root-servers.net.

. 257205 IN NS g.root-servers.net.

. 257205 IN NS h.root-servers.net.

. 257205 IN NS i.root-servers.net.

. 257205 IN NS j.root-servers.net.

. 257205 IN NS k.root-servers.net.

. 257205 IN NS l.root-servers.net.

. 257205 IN NS m.root-servers.net.

;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 2078 ms

com. 172800 IN NS a.gtld-servers.net.

com. 172800 IN NS b.gtld-servers.net.

com. 172800 IN NS c.gtld-servers.net.

com. 172800 IN NS d.gtld-servers.net.

com. 172800 IN NS e.gtld-servers.net.

com. 172800 IN NS f.gtld-servers.net.

com. 172800 IN NS g.gtld-servers.net.

com. 172800 IN NS h.gtld-servers.net.

com. 172800 IN NS i.gtld-servers.net.

com. 172800 IN NS j.gtld-servers.net.

com. 172800 IN NS k.gtld-servers.net.

com. 172800 IN NS l.gtld-servers.net.

com. 172800 IN NS m.gtld-servers.net.

;; Received 486 bytes from 198.41.0.4#53(198.41.0.4) in 2103 ms

ebay.com. 172800 IN NS a1.verisigndns.com.

ebay.com. 172800 IN NS a2.verisigndns.com.

ebay.com. 172800 IN NS a3.verisigndns.com.

ebay.com. 172800 IN NS ns1.p47.dynect.net.

ebay.com. 172800 IN NS ns2.p47.dynect.net.

ebay.com. 172800 IN NS ns3.p47.dynect.net.

ebay.com. 172800 IN NS ns4.p47.dynect.net.

;; Received 371 bytes from 192.31.80.30#53(192.31.80.30) in 1135 ms

ebay.com. 3600 IN A 66.211.162.12

ebay.com. 3600 IN A 66.211.185.25

ebay.com. 3600 IN A 66.135.216.190

ebay.com. 3600 IN A 66.211.181.123

ebay.com. 3600 IN A 66.211.160.86

ebay.com. 3600 IN A 66.135.209.52

ebay.com. 172800 IN NS ns2.p47.dynect.net.

ebay.com. 172800 IN NS ns3.p47.dynect.net.

ebay.com. 172800 IN NS a3.verisigndns.com.

ebay.com. 172800 IN NS ns4.p47.dynect.net.

ebay.com. 172800 IN NS ns1.p47.dynect.net.

ebay.com. 172800 IN NS a1.verisigndns.com.

ebay.com. 172800 IN NS a2.verisigndns.com.

;; Received 271 bytes from 204.13.250.47#53(204.13.250.47) in 27 ms

$ dig yahoo.com @1.1.1.1 +trace

; <<>> DiG 9.8.3-P1 <<>> yahoo.com @1.1.1.1 +trace

;; global options: +cmd

. 153 IN NS a.root-servers.net.

. 153 IN NS b.root-servers.net.

. 153 IN NS c.root-servers.net.

. 153 IN NS d.root-servers.net.

. 153 IN NS e.root-servers.net.

. 153 IN NS f.root-servers.net.

. 153 IN NS g.root-servers.net.

. 153 IN NS h.root-servers.net.

. 153 IN NS i.root-servers.net.

. 153 IN NS j.root-servers.net.

. 153 IN NS k.root-servers.net.

. 153 IN NS l.root-servers.net.

. 153 IN NS m.root-servers.net.

;; Received 420 bytes from 1.1.1.1#53(1.1.1.1) in 32 ms

com. 172800 IN NS e.gtld-servers.net.

com. 172800 IN NS g.gtld-servers.net.

com. 172800 IN NS a.gtld-servers.net.

com. 172800 IN NS f.gtld-servers.net.

com. 172800 IN NS l.gtld-servers.net.

com. 172800 IN NS h.gtld-servers.net.

com. 172800 IN NS i.gtld-servers.net.

com. 172800 IN NS b.gtld-servers.net.

com. 172800 IN NS k.gtld-servers.net.

com. 172800 IN NS m.gtld-servers.net.

com. 172800 IN NS j.gtld-servers.net.

com. 172800 IN NS c.gtld-servers.net.

com. 172800 IN NS d.gtld-servers.net.

;; Received 487 bytes from 199.9.14.201#53(199.9.14.201) in 104 ms

yahoo.com. 172800 IN NS ns1.yahoo.com.

yahoo.com. 172800 IN NS ns5.yahoo.com.

yahoo.com. 172800 IN NS ns2.yahoo.com.

yahoo.com. 172800 IN NS ns3.yahoo.com.

yahoo.com. 172800 IN NS ns4.yahoo.com.

;; Received 281 bytes from 192.42.93.30#53(192.42.93.30) in 843 ms

yahoo.com. 1800 IN A 72.30.35.9

yahoo.com. 1800 IN A 72.30.35.10

yahoo.com. 1800 IN A 98.137.246.7

yahoo.com. 1800 IN A 98.137.246.8

yahoo.com. 1800 IN A 98.138.219.231

yahoo.com. 1800 IN A 98.138.219.232

yahoo.com. 172800 IN NS ns4.yahoo.com.

yahoo.com. 172800 IN NS ns2.yahoo.com.

yahoo.com. 172800 IN NS ns3.yahoo.com.

yahoo.com. 172800 IN NS ns5.yahoo.com.

yahoo.com. 172800 IN NS ns1.yahoo.com.

;; Received 377 bytes from 68.142.255.16#53(68.142.255.16) in 18 ms
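
Added example, not part of the post above: a Python parser for the ";; Received ... in N ms" lines of dig +trace output that separates the one hop answered by the resolver named after @ from the root, TLD and authoritative hops that dig queries itself while following referrals. The sample is constructed from the header and Received lines of the two traces pasted in the post; for comparing resolvers, the figure to use is the "Query time" line of a plain dig without +trace.

```python
import re

# Constructed sample: header and ";; Received" lines copied from the two
# traces in the post above, with the NS/A record lines left out.
SAMPLE = """\
; <<>> DiG 9.8.3-P1 <<>> ebay.com @8.8.8.8 +trace
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 2078 ms
;; Received 486 bytes from 198.41.0.4#53(198.41.0.4) in 2103 ms
;; Received 371 bytes from 192.31.80.30#53(192.31.80.30) in 1135 ms
;; Received 271 bytes from 204.13.250.47#53(204.13.250.47) in 27 ms
; <<>> DiG 9.8.3-P1 <<>> yahoo.com @1.1.1.1 +trace
;; Received 420 bytes from 1.1.1.1#53(1.1.1.1) in 32 ms
;; Received 487 bytes from 199.9.14.201#53(199.9.14.201) in 104 ms
;; Received 281 bytes from 192.42.93.30#53(192.42.93.30) in 843 ms
;; Received 377 bytes from 68.142.255.16#53(68.142.255.16) in 18 ms
"""

HEADER = re.compile(r"^; <<>> DiG \S+ <<>> (.+)$")
HOP = re.compile(
    r"^;; Received (\d+) bytes from ([0-9A-Fa-f.:]+)#\d+\([^)]*\) in (\d+) ms$"
)


def parse_traces(text):
    """Split pasted dig output into one record per '; <<>> DiG' header."""
    traces, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            args = m.group(1).split()
            # "@addr" names the resolver; the first bare word is the query name.
            resolver = next((a[1:] for a in args if a.startswith("@")), None)
            name = next((a for a in args if a[0] not in "@+-"), None)
            current = {"name": name, "resolver": resolver, "hops": []}
            traces.append(current)
            continue
        m = HOP.match(line)
        if m and current is not None:
            current["hops"].append(
                {"server": m.group(2), "bytes": int(m.group(1)), "ms": int(m.group(3))}
            )
    return traces


def summarize(trace):
    """Separate time spent at the named resolver from dig's own referral walk."""
    at_resolver = [h["ms"] for h in trace["hops"] if h["server"] == trace["resolver"]]
    elsewhere = [h["ms"] for h in trace["hops"] if h["server"] != trace["resolver"]]
    return {
        "name": trace["name"],
        "resolver": trace["resolver"],
        "resolver_ms": sum(at_resolver),  # only this part involves 8.8.8.8 / 1.1.1.1
        "walk_ms": sum(elsewhere),        # root, TLD and authoritative servers
        "hops": len(trace["hops"]),
    }


if __name__ == "__main__":
    for t in parse_traces(SAMPLE):
        print(summarize(t))
```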


 No.895786>>895789

>>894103

This is why I wished people would be less greedy and use crypto to replace antiquated services like dns, ssl certs, and even arin authorities.


 No.895789>>895826 >>895897

>>895786

And how exactly are you going to verify that the cryptographic key you are using is actually owned by the site you are using? You are either going to say fuck it and get MITMd, or you are going to go to a repository you trust to tell you if it's the real key or not. AKA a certificate authority.


 No.895826>>895829

>>895789

Right now you're claiming that crypto is secure enough for banking but not for browsing?

Who's your authority for ssl certs and whois queries? Google or some other "trusted" authority?


 No.895829

>>895826

>Right now you're claiming that crypto is secure enough for banking but not for browsing?

What, where the fuck did I say that?

>Google or some other "trusted" authority?

Yes. And if I want to I can replace them as certificate authorities. Any alternative is just going to be different authorities.


 No.895897>>895902

>>895789

You can get MITM'd anyway if someone clones a website and poisons your DNS they send you to their non ssl site that looks identical even down to the domain name. the only practical way to mitigate this attack would be to block all non SSL traffic.


 No.895902>>895908

>>895897

>what is DNSSEC


 No.895908

>>895902

i would guess DNS SECurity?

seems like no one has it though because shit works like 100% of the time for me


 No.896281

>>893646

>believing the people behind the biggest and broadest sustained MitM attack in the history of the internet


 No.896951>>896957

>>895301

>cloudflare implements ddos protection

>no cloudflare, no ddos protection (most likely)

What is so hard to get here?


 No.896957>>897031

>>896951

classic protection racket like the JDL


 No.897031>>897663

>>896957

>protection racket

Look you idiots it's only a protection racket if the threat is not real. The concept of protection is not itself the racket.


 No.897537>>897565

>>893582 (OP)

>promised not to sell users’ data

>promised

Sure, why wouldn't you trust them? They promised.


 No.897565

>>897537

are you me? I was about to make that exact comment

and indeed, having a service under "we promise" is a red flag


 No.897570

>Can it be trusted?

Are you suggesting that Cloudflare runs botnets to massively DDoS websites in order to get them to sign up for Cloudflare DDoS protection? That's a spurious claim.

-- Posted from my Cloudflare-trafficked 8chan account


 No.897663>>897920

>>894271

>Saving 20ms on DNS query

found the web shotter

>>895717

Yes, encryption requires you to have the key for the person you want to talk to. You can ask some guy who claims to be trustworthy for the key instead, but that's just retarded. Even namecoin is better than X.509.

>>895243

Yes, so they should give a 403 or whatever standard error instead of "le access denied XDDD".

>>897031

look you fucking mongloids, cuckflare has nothing to do with DDoS mitigation. it's a ((("web security"))) provider and CDN. it literally only mitigates DDoS because it has to in order to implement a reverse proxy (required to implement things like anti scraping etc, for example if you're not on a good goy IP the following text will be blocked out because 8ch uses cuckflare: omg@lol.wut ). saying you need cuckflare to mitigate DDoS is like saying you need Myspace or VK to chat on the internet


 No.897665

lol@gmail.com


 No.897666

sheeit it isn't happening now


 No.897920>>897948

>>897663

>Saving 20 milliseconds when it has to be combined with many more roundtrips.

yes


 No.897948>>899883

>>897920

>not scraping sites and cutting down from 20 round trips to 1

lol

>not using onion routing which adds multiples of RTT anyway


 No.899872

>>895566

Cloudflare will give you the IP address of the origin server if you submit a DMCA request, so the requester can contact the origin host if they wish. Post some OC, assert copyright violation and DMCA it and you have the source IP. Or you could just fake it...


 No.899879>>899885 >>899956 >>901511

>>895681

The MitM stuff is dreadful, but really it is the fault of browser makers and certificate issuers for not rejecting Cloudflare certs for this.

Also it is not a wholly valid criticism. If you are on a pro (~$20 a month) or above plan you can do end to end HTTPS using your own cert, without them MitMing your traffic. They still proxy your static content on the edge using their own cert though, so that is insecure.

Cloudflare will also threaten customers who use "too much" bandwidth and try to force them onto their ludicrously expensive enterprise plans, they run cheaper plans through garbage tier networks into PoPs in far away cheaper locations, etc. Terrible company.


 No.899883>>901511

>>897948

>Lets make already slow connections even slower


 No.899885>>899908 >>900007 >>901511

>>899879

>Terrible company.

Enjoy getting your site shut down by some skid


 No.899908>>899913

>>899885

Preferable to it being shut down by Cloudflare for wrongthink or blackmail upselling.


 No.899913>>899927 >>899936

>>899908

Hummm let's see what are the odds. Well one website was taken down for the wrongthink reason. And uhhhh tens of thousands taken down by skids.


 No.899927>>899931

>>899913

If you're talking odds, the odds of them tracking all your users and selling the data on is 100%.


 No.899931>>899945

>>899927

>the odds of them tracking all your users

How else do they give me the analytics dashboard that I want? They sure as fuck can't afford to store it all forever.

>selling the data on is 100%.

That's a big claim. Do you have literally any evidence?


 No.899936

>>899913

Those skids are working for cloudflare tbh. ;^)


 No.899945>>899947

>>899931

It's literally all over their ToS and privacy policies.

"You acknowledge that Cloudflare may use this data to improve its service or enable other services"

"Cloudflare may aggregate data we acquire about our users and the visitors to their websites. [...] If we assemble this sort of data and provide it to external parties, [...] Please note, data that our users provide to us, such as log files of their sites’ visitors, may be included in the aggregate data, reports, and statistics."

Are they just giving this info away? I think not.


 No.899947>>899965

>>899945

>may be included in the aggregate data, reports, and statistics

AKA the reports they do about TLS usage and bullshit like that.

>If we assemble this sort of data and provide it to external parties[...]

nice selective edit

> our users’ personal information will never be attached to or included in such aggregated data.

<aggregated data

again the aggregate reports they publish

>Cloudflare may aggregate data we acquire about our users and the visitors to their websites.

Which is the entire point of the analytics platform.

Do you have any actual evidence of a sale? Or just some vague "huh maybe if you lawyer up this one sentence"


 No.899956>>899958 >>899965

>>899879

What cloudflare certs? I didn't install any of those, and I use only Lynx or Links to post here.

My guess is the site owners gave their ssl certs to cloudflare who installed it on all their proxies.


 No.899958

>>899956

Cloudflare is not a certificate authority. Op just seems to think they are. All the "cloudflare certs" are Comodo.


 No.899965>>899967 >>899968

>>899956

A site on Cloudflare using HTTPS either uses its own cert, or they use a cert issued to Cloudflare which means the traffic is decrypted on Cloudflare's servers, and passed on to the origin (which can be unencrypted). If you look at the certificate for 8ch.net you can see that it is actually issued to Cloudflare, not NT Technologies. I wonder why.

>>899947

The terms permit them to sell anything they like. No company ever put in terms which explicitly admit to it, yet somehow all this data is being made available. Next you'll be telling me Facebook aren't selling user data because nobody has any evidence or admission of them doing it.

You strike me as a naive Cloudflare user rationalising their use of the platform on your site. Unless you are on the enterprise platform, you and your users are the product Cloudflare is selling to its real customers.

The only direct evidence I have is unsolicited contact from advertising networks who knew the geo breakdown of the site in question despite it using no external analytics service. All my other comments on Cloudflare come from personal experience.

>Which is the entire point of the analytics platform.

Congratulations on discovering what Cloudflare is.


 No.899967>>900009

>>899965

>The terms permit them to sell anything they like.

Vague terms don't just permit anything. Nowhere in the terms does it say that they sell any information.

>Facebook aren't selling user data

Why the fuck would facebook sell the user data? You know who buys that information? Advertisers. You know what facebook makes their money off of? Running their own advertising network. They would literally be helping their competitors. Zuckerberg literally just testified before congress that they don't sell data.

>Congratulations on discovering what Cloudflare is.

<Points to evidence that cloudflare provides analytics

<THEY MUST BE SELLING IT


 No.899968>>899972

>>899965

So you don't actually have any evidence of them selling anything. You are just certain that they are.


 No.899972>>899980

>>899968

This is backwards thinking in the botnet age. The default state is companies are fucking you, unless proven otherwise.


 No.899980>>899997 >>900247

>>899972

I'm sure multiple security audits would not be enough proof for you.


 No.899997>>900003

>>899980

Who audits the auditors?


 No.900003>>900118 >>900186

File: 93dd67fb8e31b54⋯.jpg (18.69 KB, 327x300, Dagqf4JWAAICMxf.jpg)


 No.900004>>900023

>>895703

>this new 1.1.1.1 address must cost a fortune

This. Even Google modestly satisfied themselves with 8.8.8.8.


 No.900007

>>899885

>your system tries connecting to some IP address

>"no problem, let's reverse-DNS it and we'll sure know who it is"

>fuck you, it's some generic """cloud"""-hosted (Akamai/AWS/Cuckflare/1e100(aka Google)/Azure/etc. etc.) CDN generic reverse DNS name, and you still know literally fuck all who it might or might not be

Lol no. Tired of everyone hiding behind some virtual """cloud""" shit these days. Everything is up on its head, private persons are stripped of their privacy while businesses which by nature should be transparent to a certain degree dodge being transparent as much as they can.


 No.900009>>900293 >>900303

>>899967

"Provide" means they can give, barter or sell it. Vague terms do mean they can do anything with it, otherwise they would use very specific terms. They certainly do when limiting what you can do with the service.

What exactly do you think the business model of providing free network services and analytics is going to be?

>Zuckerberg literally just testified before congress that they don't sell data.

You must be one of the "dumb fucks" Zuckerberg mentioned as being willing to trust him. Also the perfect user for Cloudflare as it happens.


 No.900023

>>900004

Did you even read OP?


 No.900118>>900186

File: 9293d31f291a911⋯.png (488.43 KB, 851x720, senator.png)


 No.900170>>900297 >>901511

>>893998

>it is highly likely they are an NSA front designed to completely take over the internet

This guy is correct.

I wish I could find it now, but, years ago, well before cloudflare was even a thing, some government type person was giving an interview to a news channel whereby it was admitted that they (alphabet agencies) wanted exactly what cloudflare does right now. The goal was to have everyone's traffic being effectively proxied by the "government" so as to prevent terrorism and to help combat kid porn, and in the event of an emergency, have control over access to sites at certain times (think major war.)

It just so happens that if you run a successful site without cloudflare you get ddos'd into submission also. Protonmail comes to mind.


 No.900186

>>900003

This one is scary.

>>900118

This one is funny.


 No.900247>>900293

>>899980

Audit doesn't mean jack. They can switcheroo the audited version and the real version at any time. Assuming you even trusted the auditors to begin with, or if entire code was made available for all to see. But those audits could also miss things too. No guarantees there.


 No.900293>>901050

>>900247

>>900009

So you both have no evidence of them selling data. And not only that, anything to the contrary is a scam. NICE!


 No.900297>>900663

>>900170

>It just so happens that if you run a successful site without cloudflare you get ddos'd

Huh it's almost like DDOS attacks are a real thing and cloudflare provides a service to easily stop them.


 No.900303>>900304


>>900009

Enjoy getting your site taken off the internet by a 14 year old skid.


 No.900304


 No.900663>>900676

>>900297

>Huh it's almost like DDOS attacks are a real thing and cloudflare provides a service to easily stop them.

Yea, almost like Saddam, Gadaffi and Assad were/are all evil baby-murdering tyrants that had weapons of mass destruction and were the personification of evil that just needed taking out while the (((west))) profits in their downfall.


 No.900676


>>900663

>this guy actually thinks ddos attacks don't exist

>he does not know about memcached

>simple amplification attacks a 14 year old can do are the same thing as WMDs

You know what to do


 No.901050>>901058

>>900293

The way you reason after all the botnet and cianigger revelations of the past decade is ample evidence that you're a moron/shill.


 No.901058>>901067


>>901050

>I enjoy getting BTFO by 14 year olds who downloaded a ddos script from github and know how to use shodan

If you wanted to hurt cloudflare use a shit ton of their bandwidth before they notice


 No.901067>>901074

>>901058

>implying it's not cuckflare that launches large attacks in the first place


 No.901074>>901090

>>901067

>No evidence

>tons of open memcached servers that make ddos attacks trivial at 60 thousand X amplification

>must be cuckflare tho


 No.901090>>901091

>>901074

$0.10 have been deposited in your account.


 No.901091>>901095 >>901096

>>901090

I do it for free. Only reason we can even post here is because of cuckflare. Some retard would have taken down the site by now.


 No.901095>>901097

>>901091

Because what could possibly go wrong if we depend on the good will of cuckflare


 No.901096>>901100

>>901091

Not really, 8ch could have moved to its own distributed solution like nntpchan. Even better, it could be done in such a way that you don't even need a web browser. A simple newsreader could let you post.


 No.901097

>>901095

Nothing worse than getting the site shut down twice a week by DDOS attacks


 No.901100>>901112

>>901096

And yet you don't. Turns out you don't actually value the things you talk about very much.


 No.901112>>901242

>>901100

I'm not the one who's in charge of 8ch tbh.


 No.901242>>901309

>>901112

You are the user that is able to go use nntp chan instead.


 No.901309>>901313 >>902038

>>901242

I do use nntpchan, and also others like endchan (but not 4chan because it requires javascript browser).

Anyway we're not talking about me, we're talking about 8ch. Your premise is that cloudflare is necessary, because it's the only way to defend against DDoS. I pointed out there are other options that already exist. And more could be created as well. Your argument that cloudflare is necessary doesn't stand up to even the most shallow of scrutiny. And instead of responding to the argument, you instead change the subject to me. You, sir, are a fraud.


 No.901313>>901317

>>901309

>I pointed out there are other options that already exist

Other options already exist and yet here you are on this centralized cloudflare protected piece of shit. It's almost as if people like centralized software.


 No.901317>>901324

>>901313

I'd be on 4chan too if I could post there with Links. That's not what I'm arguing about and I made that clear in my last post.


 No.901324

>>901317

Right so for any service you actually want to use cloudflare is a requirement for them to operate. NICE!


 No.901511>>901537 >>901541

>>899883

No, I explained how I get data much faster than you, it's pretty easy to beat webshit. And even over tor it's still as fast on average as using a plain web browser on clearnet.

>>899879

No you just explained why X.509 is trash. Even without something like cuckflare you still offload your trust to literally tens of thousands of intermediaries.

>>899885

No, you don't need cuckflare to avoid being DDoSed.

>>900170

>if you run a successful site without cloudflare you get ddos'd into submission also.

again nope, not sure why every time cuckflare is mentioned a bunch of non-technical users come flood this board


 No.901537>>902064

>>901511

> Even without something like cuckflare you still offload your trust to literally tens of thousands of intermediaries.

It's better if you don't have to trust a single 3rd-party entity like CF. The cianiggers then have a lot more work to do than just subverting that one entity via "SSL added (and removed) here ;^)" type shenanigans.


 No.901541>>901544 >>901545 >>901568 >>902062

>>901511

>No, you don't need cuckflare to avoid being DDoSed.

Yes just use that meme IPFS shit that barely works


 No.901544

>>901541

LOL so true


 No.901545

>>901541

I love how people are finally catching up to the fact that (((IPFS))) is a scam and always has been.


 No.901568>>901600

>>901541

I never used IPFS so can't comment on its stability, but it's not the only CF alternative that currently exists. The reason people are reluctant to use alternatives is they require a lot of integration work to use protocols other than just web (assuming you already got a website and you're not designing from scratch). And so that's how the cianiggers rope you in. But we're onto them.


 No.901600>>901610

>>901568

So what is your magic real world solution then?


 No.901610>>901614

>>901600

There's no magic in this world. You just have to choose between the easy highway to hell, or take the more difficult journey to a better place. The easy path being "just keep doing what everyone else is". And the other path being "experimenting with other options".


 No.901614>>901641

>>901610

Okay so for everything that does not involve research subjects the answer is cloudflare or run a site expensive enough to take up an extra 100 gigabits of load from time to time.


 No.901641>>902016 >>902019

>>901614

It's not research, unless you just don't like the existing alternatives and want to make something new. Usenet (NNTP) is old as dirt and yet can't be DDoS'd. And there's already libraries for many programming languages to handle NNTP details, and a whole bunch of tools, servers, and clients.


 No.902016>>902088

>>901641

>distributed applications cant be DDoSd

LOL

more like they are small as fuck so no one gives a shit


 No.902019

>>901641

Distributed just means a bunch of people with 5megabit home internet get their pipe destroyed instead of 1 $5 server with 1000 megabit.


 No.902038>>902089

>>901309

>tripfag didnt respond


 No.902062>>902081

>>901541

Or just use one of the 500 traditional DDoS solutions that existed 20 years before cuckflare's developers even graduated their meme college. Or now you can use some other competing webshit, like incapsula or cuckflare knockoffs, instead of pretending cuckflare is the only company that exists and helping them be a monopoly.

Is everyone on this imageboard actually 12 years old and think DDoS is a new concept?


 No.902064>>902082

>>901537

If you're depending on X.509, cianiggers are getting full access to your shit period.


 No.902081>>902095

>>902062

Ah yes traditional solutions. You mean a 50 thousand dollar traffic scrubber? You mean buying 100x more infrastructure / bandwidth than you actually need? You mean hosting 99% of your content on a CDN which still leaves your service vulnerable? All great options! I'm glad an intelligent person like you was here to point us in the right direction.


 No.902082>>902095

>>902064

>The certificate standard is the same thing as the certificate authority

75IQ


 No.902088>>902091

>>902016

Usenet isn't small by any stretch. You would have to DDoS every ISP to take it offline. It scales as big as you want.


 No.902089

>>902038

> tripfag

Are you on drugs? Sure seems like it.


 No.902091>>902092

>>902088

>You would have to DDoS every ISP to take it offline

So let's say 1000 people download the file. They have an average bandwidth of 20 megabits. That's a total of 20 gigabit. AKA a TRIVIAL sized DDoS attack. Assuming they use their entire bandwidth to host the file and don't just say fuck it. Only thing that could not be taken down is popular movies with 100 thousand seeders. Unless you want to make every single person host the same content and waste everyone's drive space.


 No.902092>>902093

>>902091

Of course it's redundant. That's the point. Drive space is cheap anyway, and nobody's uploading ISOs on this chan.


 No.902093>>902099

>>902092

If it's replicated literally 1000 times it's not enough.


 No.902095>>902097

>>902081

fuck off nigger it doesn't cost 10 million dollars to use something that isn't cuckflare

>>902082

how is this distinction even relevant? it doesn't matter who the CAs are, the spec says the system will be shit no matter who runs what


 No.902097

>>902095

We have ourselves a highschool kid who has no idea how much things actually cost and what DDoS prevention actually implies. NICE!

>the spec says the system will be shit no matter who runs what

https://en.wikipedia.org/wiki/Sybil_attack

Good luck solving this one faggot


 No.902099>>902101 >>902105

>>902093

You're assuming the attacker even knows what all the IPs are. In fact, those can change at any time, and chances are there's never a comprehensive list. That's because it's not just distributed, it's also decentralized. So have fun flooding the entire Internet, faggot. Not that it would matter, since the DoS'd nodes will simply catch up later on.


 No.902101>>902106

>>902099

>So have fun flooding the entire Internet, faggot.

<He is so retarded he thinks p2p applications are the entire internet instead of shitty weak computers sitting in people's homes


 No.902105>>902106

>>902099

>Start downloading file

>Get list of all the peers via the protocol

WOW THAT WAS HARD


 No.902106>>902107

>>902101

>>902105

Hullo newfriends that never posted on Usenet. Not everything works like torrents.


 No.902107>>902108

>>902106

>Not everything works like torrents.

No but exactly the same fucking problems apply. You just DDoS the servers instead.


 No.902108>>902109

>>902107

There's no requirement anywhere the server IPs get sent beyond the up/downstream nodes. But you could also lie and substitute a government IP, for fun. Then attacker ends up biting off more than he can chew.


 No.902109>>902111

>>902108

So how exactly are users connecting to these servers when the IP is not being published? You just gonna keep it ultra secret? LOL.


 No.902111>>902113

>>902109

Obviously some have to be well-known. Traditionally, every ISP/company/group/whatever has their own news server, and they only need to know that one, and the local admin needs to know peered nodes. But they don't know wtf is going on in other places around the world.

Usenet does have headers though, and if you scanned every message you could maybe make a list. But it's not guaranteed to be complete or accurate, since nodes can be added/removed any time.

Anyway in this scenario, you just simply don't publish that header, or you publish a lie.


 No.902113>>902114

>>902111

So your solution is to have a whole bunch of ISPs all proxy to a secret backbone of servers that store the world's content while still being kept secret


 No.902114>>902115

>>902113

ISPs traditionally did/do (mine still does) admin local news servers for USENET. But in this scenario, they're just carriers. Your ISP doesn't know about anything besides what peers you're connecting to. You can even route through Tor, if you like.


 No.902115>>902117

>>902114

They have this secret index of the addresses of all the servers that store anything


 No.902117>>902119

>>902115

How does some random ISP in USA know wtf is going on in China or Australia, if you're not even connecting to any systems there?


 No.902119>>902124

>>902117

Oh so the directory of servers storing data actually is public now? Great. Now the DDOS threat is easy again.


 No.902124>>902125

>>902119

No, but there are likely to be nodes in other countries or areas that your ISP doesn't cover.

Whether you widely publish your IP or not is up to you. Only your peers really need to know it.


 No.902125>>902128

>>902124

Look man it's really fucking simple. The file is stored on X places. If those X places are secret then users won't be able to download files. If X places are not secret then they are an easy DDoS target. There is nothing magical about distributed storage. It's on some server or on someone's laptop. A file stored in 100 places only has the bandwidth of the 100 places.


 No.902128>>902132

>>902125

The data is replicated on all the servers, and you only need to know one of them. The server itself only needs to know its peers.


 No.902132>>902133

>>902128

Which part of that do you think solves the problem.


 No.902133>>902314

>>902132

What problem? You can't DoS an entire network if you don't know all of its components.


 No.902314

>>902133

>ENTIRE NETWORK

again ffs that's not how it works


 No.902602>>902606 >>902758

>using clearnet DNS

just web browse with TorBrowser, DNS requests are being done on Tor network

>>895402

>There is no way you can do it. With this memcached ddos for example getting hundreds of gigabits per second is trivial. You simply have to have enough bandwidth to deal with it. There is no amount of software filtering that can deal with your pipe being filled.

So internet is broken

rich jews and corporations can order ddos on your anti jewish website and keep it shut down

it should be made that to make a network request you need some proof of work or even some small payment


 No.902606>>902730

>>902602

It's not like some have literally millions of times as much money as others and so the rich could still DOS anything they dislike but there would also be a lot of energy wasted.


 No.902730

>>902606

>Being this retarded

DDOS attacks only happen in 99% of cases because there are billions of insecure internet connected shit devices.


 No.902758>>902776 >>902815 >>904365

>>902602

>just web browse with TorBrowser, DNS requests are being done on Tor network

Barring onion addresses, note that it is trivial for exit nodes to send back fake DNS entries.

This means that you can not trust that the domain name is being resolved to the correct server and need to use something like https to verify that the domain is owned by the server you are talking to.
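The check described in the post above, as an added example that is not part of the original post: a forged DNS answer goes unnoticed over plain HTTP but fails the certificate name check over HTTPS. The addresses, `example.org`, `blockpage.invalid` and the helper names are constructed for illustration, and the code assumes the TLS library has already validated the certificate chain against trusted roots.

```python
# Added illustration: the hostname check a TLS client applies after chain
# validation. Certificates are dicts in the shape that Python's
# ssl.SSLSocket.getpeercert() returns; all sample data below is constructed.

def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a hostname (simplified RFC 6125 rules)."""
    if "*" in hostname:
        return False                      # wildcards are only valid in the cert
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False                      # a wildcard covers exactly one label
    if p_labels[1:] != h_labels[1:]:
        return False                      # everything right of label 0 is literal
    first = p_labels[0]
    if first == "*":
        # Reject over-broad wildcards such as "*.org" and empty host labels.
        return len(p_labels) >= 3 and h_labels[0] != ""
    if "*" in first:
        return False                      # partial wildcards ("w*") are refused
    return first == h_labels[0]


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if any DNS subjectAltName in the certificate covers hostname."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_name_matches(san, hostname) for san in sans)


# Constructed sample: the certificate each server is able to present.
# Assumption: the server behind the forged answer cannot obtain a trusted
# certificate for example.org, so it can only show one for its own name.
SERVERS = {
    "203.0.113.10": {   # genuine origin
        "subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org")),
    },
    "198.51.100.66": {  # address returned by the forged DNS answer
        "subjectAltName": (("DNS", "blockpage.invalid"),),
    },
}


def connect(hostname: str, resolved_ip: str, use_https: bool) -> str:
    """Return 'accepted' or 'rejected' for a connection to resolved_ip."""
    if not use_https:
        # Plain HTTP: nothing binds the responding server to the name asked for.
        return "accepted"
    return "accepted" if cert_covers(SERVERS[resolved_ip], hostname) else "rejected"


if __name__ == "__main__":
    for ip in SERVERS:
        for https in (False, True):
            scheme = "https" if https else "http"
            print(f"{scheme}://www.example.org via {ip}: "
                  f"{connect('www.example.org', ip, https)}")
```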


 No.902776>>904365

>>902758

Connecting to things like email through tor is probably worse than not using it.

>O look Joe Blow uses tor for all his shit. Lets pay EXTRA attention to him


 No.902815>>902827

>>902758

Actually barring .onion, .gnu for gnunet, ipfs:// addresses, and possibly freenet. There's more than one way to send html stuffs.


 No.902827>>902828 >>902888 >>904365

>>902815

Tor does not offer DNS resolution for .gnu nor ipfs, though correct me if I'm wrong.


 No.902828>>902829

>>902827

I am talking about alternatives to DNS so you don't have to use DNS at all. Use GNUNET with .gnu, use ipfs with ipfs:// , use tor hidden services with .onion , and use freenet somehow I am unaware of.


 No.902829>>902846

>>902828

It does not matter the exit nodes can route you to a wrong server regardless of DNS resolution method.


 No.902846>>902850


>>902829

>regardless of DNS resolution method.

Do you have a single idea what you are talking about? Go back.


 No.902850>>902883

>>902846

You tell the exit node to send you to X IP and it sends you to Y IP. I guess you don't know how this works.


 No.902883>>902888

>>902850

>.onion

>exit nodes

did you learn onion routing from Mr Robot?


 No.902888

>>902883

Thought you were:

>>902827

>Tor does not offer DNS resolution for


 No.902907

Resolve ipfs, freenet and gnu addresses within their own network encapsulated in Tor. That way Tor exits will only know you're using ipfs or freenet, but won't be able to hijack and spoof your data.


 No.903888>>903905 >>904365

>>893582 (OP)

So how can Cloudflare compromise you if you use their DNS other than selling off IPs and information before the 24 hour limit is up in the event that KPMG is false? There isn't a lot of personal identifying information that you send them other than ip and the domain name.


 No.903905

>>903888

They send you to an identical copy of a site without https.


 No.903914

>>893582 (OP)

With the same functionality and content? With a domain name that has UTF in it? If the latter, there is a Firefox setting to get the real characters of a domain name instead of the UTF one.


 No.904365

>>902827

It does not, but the DNS requests are tunneled through the network, so your exit node can respond with whatever it wants, thus allowing you to support any made up DNS you want. For example lots of sites give you blockpages because the node decided facebook is gay, or the exit node is in Russia and its ISP blocks the site (and I assume most of these blocks are DNS based instead of IP address).

>>902758

Correct but you still get the most anonymity on the clearnet by accessing it through tor, and you shouldn't be accessing anything that requires security over HTTP (let alone HTTPS) anyway regardless of proxy or no proxy.

>>902776

No, because millions of people already use VPN and tor, and the way you tell if someone is worth paying attention to is by what content they're accessing and what they are talking about.

>>903888

Oh yeah, telling someone a list of every site you visit bundled with your home address is fine.



