Instances behind #CloudFlare aren't listed, because there are already hundreds, and this centralises a lot of #fediverse network traffic in #AS13335. (nemobis@mamot.fr)
I no longer vote in elections because it’s impossible to register to vote in my state w/out #Cloudflare being a MitM to the reg. process & seeing all my personal details. Pre-Cloudflare, that leak was not a security risk. That is, I am willing to trust the state secretary w/the info but not a private profit-driven corp who offers gratis cloud services. (koherecoWatchdog)
Yikes.. Even CloudFlare is now supporting this uh.... "stuff". Crap3 (stux@mstdn.social)
@info_activism An article that criticizes CAPTCHA is probably not best served from a Cloudflare website. (koherecoWatchdog)
In das Portal für die Volkszählung war die US-Firma Cloudflare eingebunden. Personenbezogene Daten gingen nicht in die USA, sagt der Datenschutzbeauftragte. Zensus 2022: "Zu keinem Zeitpunkt Gefahr" durch Einbindung von Cloudflare (heiseonline@squeet.me)
@bfdi Ok, danke für den Einsatz. Jedoch stellt sich mir die Frage, warum einerseits zB. im Bildungssektor die DSGVO derart durchgesetzt wird, dass US-Unternehmen überhaupt nicht mehr verpflichtet Verwendung finden sollen, hier aber mit statistischen Daten einer Volkszählungs ähnlichen Veranstaltung diese auf Servern der USA abgelegt werden. Ob das über ein Formular geschieht, welches nun in DE oder USA aufgerufen wird ist ja hier echt egal. Zensus2022 Cloudflare (amaz1ng@social.anon-groups.de)
In news unrelated to... well, anything really, I've been moving my domains away from Cloudflare (fucking finally). I wasn't really using their CDN to begin with, but I was using them as nameservers for lack of a decent alternative. I had a slightly excessive amount of records, and the services offered by my multiple registrars kinda sucked (plus they would've made moving hard). So two things happened to change that - firstly, @ben_zen told me Hurricane Electric offers a free DNS service, solving the "I don't want to start spending money just to pay another giant cloud provider" issue, and secondlym I finally bit the bullet and properly codified my DNS mess using DNSControl. I'm still in the process of completely moving delegations around, and I've had some issues with a few wildcard records, but HE has been very helpful so far and I'm hoping they'll prove to be stable and fast enough I feel comfortable sticking with them for my DNS needs :) (jonas@evilcyberhacker.net)
EIn haX0r Forum das per Cloudflare "abgesichert" ist und das dich hindert über den Tor Browser zu betreten - Ja ne alles klar, alles Profis und was weiß ich schon... 🙄 hacker forum cloudflare tor onion sicherheit it EinMalMitProfis (kubikpixel@chaos.social)
The policies of the SustainableAustraliaParty really do speak to the tenants of DickSmith's FairGo. They're not only holistically environmentalist, but seek to end how immigration has been abused by corporations. They also identify problems in the media landscape that require attention, and much more. Its a shame they are using NationBuilder/CloudFlare. However, we do find ourselves wanting a focus on…1/3 (dsfgs@activism.openworlds.info)
@jonas There is a big difference between web3 and internet3p0 — in our view at least. cloudFlareDown cloudFlareIsTheMalware (dsfgs@activism.openworlds.info)
Zensus 2022 ist heute ins Haus geflattert: "Gebäude- und Wohnungszählung". Dem Onlinefragebogen trauen wir nach einem kurzen Sicherheits- und Privacy-Checkup so ganz und gar nicht. Wieso greifen Behörden immer noch auf nicht vertrauenswürdige US-Clouddienste (Cloudflare oder aber auch AWS) zurück? Sind wir denn in diesem "hochentwickelten" Ländle nicht in der Lage eine eigene vertrauenswürdige digitale Infrastruktur zu schaffen? privacy digitaleshinterland digital digitalisierung (muennecke_vollmers)
@itsfoss Hi and welcome to Fedi, Assuming this is a genuine acct of ItsFOSS and not an impersonator, your website is Cloudflare (last we checked) tell us if/when you fix the problem and no longer use a CAGEFAM dotCon. We'll be more likely to subscribe and use your site when good faith is shown. Cheers. (dsfgs@activism.openworlds.info)
@kuketzblog Wichtige Info in der Datenschutzerklärung: "Die Datenverarbeitung durch Cloudflare betrifft nicht die Befragungsdaten der Auskunftspflichtigen zum Zensus, sondern lediglich die allgemein zugänglichen Informationen auf der Website www.zensus2022.de. Nach erfolgreichem Einloggen werden Sie auf die Seite fragebogen.zensus2022.de weitergeleitet.“ Zensus Zensus2022 Cloudflare Datenschutz (MBrandtner@gruene.social)
thepiratebay is hosted on cloudflare ? wtf!? (ruffni@mstdn.io)
Online ist "billiger und besser für alle Beteiligten" heißt es in der ersten Folge vom Podcast zum Zensus2022. Heute habe ich aber auch schon mitbekommen, dass Cloudflare mittendrin und auch dabei ist. Wie gut, dass alles billiger und besser ist 🤦♀️ DNS-Abfrage 21:40: www.zensus2022.de. 201 IN CNAME www.zensus2022.de.cdn.cloudflare.net. Zensus (funqr@chaos.social)
@benjaminhollon I was getting a reCaptcha challenge. This is likely not a misconfiguration on your end. It’s just cloudflare that doesn’t like tor users… seewitheyesclosed.com worked fine. Thanks! (ilyess@mastodon.online)
Über die Website zensus2022.de erfasst Destatis sensible Bürgerdaten. Nun stellt sich heraus, dass ausgerechnet der US-Dienst Cloudflare eingebunden ist. Zensus 2022: Datenschutz-Probleme beim Online-Portal (heiseonline@squeet.me)
@kuketzblog Es war das gleiche bei der Corona-Covid-Impfung in Berlin. Wer einen Termin im Impfzentrum wollte, mußte sich über Doctolib anmelden, d.h. es ging alles über Cloudflare (und die Daten sind in einem französischen Amazon AWS gespeichert). Telefonische Anmeldung bedeutete nur, daß jemand anderes die Daten bei Doctolib/Cloudflare/Amazon eingab 😠 SenGPG (debacle@framapiaf.org)
@kuketzblog@dbx Laut den IP-Adressen stehen zumindest die Cloudflare Server in Europa: --- inetnum: 141.101.88.0 - 141.101.95.255 netname: CLOUDFLARE-EU descr: CloudFlare CDN network country: EU --- Aber eine amerikanische Firma muss ja nun wirklich nicht für die Bereitstellung des Zensus 2022 sein... (Flingeraner@nrw.social)
@pluralistic That's what makes a UBI so unappealing to these billionaire influencer-types. They will not be able to wield their billions to pervert the natural laws of society and the environment. By the way, we were at your craphound.com website recently. Wondering if you would like to selfhost a few scripts rather than use cloudflare? (dsfgs@activism.openworlds.info)
@2T2 Interesting, but if it is not FOSS then it's effectively malware. We have long been critics of how Mozilla implemented ()DNSOverHTTPS by only using one DNS — a CloudFlare(!) one. Their algorithm is broken by design, it should employ an array of Resolvers. We find there are plenty of FOSS browsers like LibreWolf, IceCat and more, that one can use and if one routes all their DNS Requests to Tor via a TransparentProxy. Then you can start to have a bit of basic privacy. alohaBrowser web3 (dsfgs@activism.openworlds.info)
@lebronjames75 We don't even bother with pleasantries like 'liberal' (in 'neoliberal'). We prescribe by ChrisHedges thought that one should be more direct and call them what they are — 'corporatists'. Or at this stage of oligarchy, the term 'fascist' is actually totally valid given the fact these transNational corporate monoliths are so heavily fused with govt they are completely indistinguishable. (ChrisHedges is no longer on RT and is feeding CloudFlare, now) @lain@ratanon (dsfgs@activism.openworlds.info)
@bojkotiMalbona I'm frustrated by this too, for additional reasons (MitM and CAPTCHA paywall), but I'd like to have a friendly open discussion about this to hopefully get those numbers down. I'm sure there are various reasons why instance admins let Cloudflare front their service, like out of habit, not thinking of the implications or weighing them in another way, having actually experienced DDoS or other attacks that Cloudflare can actually mitigate and not knowing of or having resources for other recourse. I'm also sure that an even larger portion of the fediverse instances are hosted on major cloud provider infrastructure, many of them masked by being fronted by Cloudflare or other. There are similar concerns there. (omni@hackers.town)
If Mozilla actually tried to make an implementation of DNSOverHttps that was even a little bit ethical the browser would be more usable. Currently a user can only use one DNSResolver at a time, and would need to manually change it away from the default, CloudFlare. Its a bad implementation of (DoH) and it only serves CloudFlare. technoFascists bigData (dsfgs@activism.openworlds.info)
@ScottMortimer Uh, not sure how to parse your question. “Crimeflare” was a bad name for what is now called “deCloudflare”. They are indeed the ones who produced that fediverse.md file. (bojkotiMalbona@infosec.exchange)
@ScottMortimer Why am I blocked? Because Cloudflare objects to my IP address, browser, or combination thereof. So reading statuses that originate from a CFd host end up being a time waster for me. It would be useful to be able to just browse msgs that exist in the free and open world, not walled gardens. (bojkotiMalbona@infosec.exchange)
@ScottMortimer It’s unclear why you bring up security, when the issue is about decentralization. Some people come to the fedi for decentralization. But that’s not what they get when Cloudflare centralizes ~19% of the nodes. (bojkotiMalbona@infosec.exchange)
@ScottMortimer But among the general public, some are streetwise and capable and choose not to pawn themselves to Cloudflare. Thus they do not connect to Cloudflare services. Apart from the security problem, it’s also a practical problem. That is, as I read fedi posts from a text-based client, sometimes I need to open a status in a full-blown GUI browser but find I’m the one being blocked. (bojkotiMalbona@infosec.exchange)
@ScottMortimer If a fedi admin thinks Cloudflare can improve their security, that’s not my problem and I won’t let their security problem become my problem more than necessary. Using the fediverse.md file to separate the free world from the walled garden is one way to address the problem. (bojkotiMalbona@infosec.exchange)
Neben der Arbeit an plattformübergreifenden Schnittstellen stellt Cloudflare die JS-Runtime der Entwicklungsplattform Cloud Workers als Open Source bereit. Open Source: Cloudflare arbeitet mit Deno und Node.js an gemeinsamen APIs (heiseonline@squeet.me)
@kolektiva Are users of kolektiva.social made aware the the instance let Cloudflare intercept the traffic? I mean, the content/communication is basically public (and DMs are not really private, just not public), but things like who connects when from where and their authentication... (omni)
Everywhere I go, I see his face: Please wait, We are checking your browser... Please turn Javascript on and reload the page. cloudflare (redstarfish@social.linux.pizza)
Cloudflare Workers 及其子域名 (..workers.dev) 在中国大陆(至少)部分地区被 DNS 污染。 thread: /3574 Cloudflare Workers China GFW Poisoning Telegram 原文 (cascading@misskey.io)
> Listens to LeeCamp speak fervently about his distaste for censorship and how that is a big reason why he's leaving (CloudFlare) Patreon. Presses Ctrl+Shift+E in TorBrowser to see that he is moving to a site hosted by Amazon. HAS ANYONE told him about Fediverse? parlerHadACommunityToo closedSilo jumpingFromFrypanIntoFire (dsfgs@activism.openworlds.info)
Cloudflare Pages (*.pages.dev) 子域名上的站点可能于近期在中国大陆开始无法访问,主要的阻断方式包括连接重置和 DNS 污染等。 Cloudflare Pages China GFW Telegram 原文 (cascading@misskey.io)
@jeffcliff Pretty sure the sane folk have left Turdsite. Let the drones get in at the price they deserve — a discount after the CloudFlare attack. :/ (dsfgs@activism.openworlds.info)
Cloudflare is not just MitM, their CAPTCHA is a paywall (omni@hackers.town)
@dch What's really ironic is that that site, allegedly reporting on ClownFlare, is ClownFlare. :/ If anyone finds an accessible version of the article please share. If we get time, we may. cloudFlareIsTheMalware assetNoteIo (dsfgs@activism.openworlds.info)
@lupyuen Its actually not a Russian cyberattack but Cloudflare… now where's our reward money? disinfo russiaGateWasFake cloudFlareIsTheMalware akamaiReuters reuters (dsfgs@activism.openworlds.info)
At one point I came across an organization where you can report breaches, and they handle it from there. But then that org eventually put their website on Cloudflare, so I lost confidence in them. (bojkotiMalbona@infosec.exchange)
And I also believe there is no non-public way to send a msg to a Gitlab.com user even if the Cloudflare & CAPTCHA barriers were not in play. (bojkotiMalbona@infosec.exchange)
@bojkotiMalbona Its super-difficult to know whether something is AstroTurf (blackHats), or just a pack of useful idiots. Also cloudflare seem to just swallow up and takeover entire ISPs and countries at a time. So even that is a loose indicator. On I2P there's some sites where you can discuss stuff. Is there a ConsumerAffairs or ScamWatch in your country. Then there's WikiLeaks, TheGrayZone, Telesur, RT, SouthFront, sites that accept Bitcoin or Monero tend to be good. (dsfgs@activism.openworlds.info)
Can someone hack electronicBillboards in Australia and maybe Google and Cloudflare so billboards say: > Hi <NAME_PHOTO_OF_DRIVER>, CloudFlare learned you like <SEXUAL_FETISH>, and you have <AMOUNT> at <BANK_NAME>. Visit hCaptcha and train militaryDrones for your chance to keep your password private and maybe remove this message. Because Australia's small banks are almost all watched and controlled at CloudFlare now. workFromCar neoFeudalism cloudflareIsTheMalware billboards (dsfgs@activism.openworlds.info)
Some lofty types in the UK now want to block RT from theInternet. Given that they are planning to extraDie Julian Assange to the thirdWorld and to his ultimate death, this makes perfect sense, but memo says esteemed journalist, publisher and politicalPrisoner will extraDie in their own prison. (RT is also not a CloudFlare, Google, Murdoch, Amazon, nor Fakebook-controlled newsService) It has to go. incapacitatedScreaming rtBan rThAStogO pUtInhAStogO USAThirdWorld eNglANd (dsfgs@activism.openworlds.info)
@teledyn We very much need more ppl getting fired for asking questions, thanks for bringing that up. Its the only way to get to convivialSufficiency. Its sounds like its absolutely an ecology issue. Maybe they have plans to destroyTheComputers on their way out? We might take a look at that (cloudFlare) site article, but yes, its pretty rich to hate on bitcoin/monero when AI is arguably a lot worse. getFired gotFired askQuestions killDrones (dsfgs@activism.openworlds.info)
We really love that the Block CloudFlare MITM Attack (BCMA) Add-on for Firefox (and TorBrowser) is finally offered by Mozilla. Its not perfect, but it is version 1.0.0. 😃 We are concerned that the "Block request immediately" option could be used to fingerprint a person as a BCMA user. We are supportive of blocklisting for min 6 months (currently it only stores the last 500 MITM'd domains, but sites could get dropped from the list in a matter of weeks, given the preponderance of CF sites). (dsfgs@activism.openworlds.info)
Scrabble quest.. GAFAM FAANG GMAFIA What words will we be able to create from the biggest monopolistic tech dominators in 5 years from now? Also do parent entities such as Alphabet and Meta stay conveniently under the radar? Here&39;s some candidates on the rise: Cloudflare Stripe TikTok Whaz da word, folks? The winner will become CIO of the Fediverse (humanetech)
@miklo@MitchellYeager6 I will rank them from most evil (w.r.t social & environmental harm) to least, but all these are well into the boycott-worthy level of evil: Amazon Cloudflare Facebook Microsoft PayPal Google HewlettPackard ATT Comcast Charter1communications TimeWarner Sony Motorola Apple (gerry@mastodon.pirateparty.be)
@hackernews Nerds tend to underestimate the importance of defaults. They’ll claim “Cloudflare isn’t blocking Tor - that’s the user’s choice”, neglecting that 95+% are just braindead pawns using CF’s defaults. Why? Because nerds override defaults but they can’t step outside themselves to see that that’s statistically unusual. (koherecoWatchdog@freeradical.zone)
@Coffee Interesting… I wasn’t aware of those studies, thanks for sharing. This begs the question: if blocking tor traffic actually hurts cloudflare’s customers due to missed conversions, why are they still doing it? Specifically if the ratio of malicious to genuine traffic is somewhat similar between Tor and non-Tor. (ilyess@mastodon.online)
Imagine being unable to access 33% of the top 10k websites because CloudFlare doesn't like you. (Coffee@toot.cafe)
FIRST AFRICAN NATION adopts bitcoin as legal tender. Lawmakers in the CentralAfricanRepublic have unanimously voted to adopt Bitcoin alongside the CFAFranc. The law makes cryptocurrency exchanges excempt from tax for some strange reason. Maybe because they'll be CloudFlare so want to surviel all the traffic and users' passwords etc. Good news for uncensorable currency, bad news for govt revenue and everyday workers at this stage. (dsfgs@activism.openworlds.info)
POLL: DO YOU pin the NoScript button to the top of your TorBrowser (like it used to be)? b) Do you imitate TailOS and install UBlockOrigin add-on into Tor Browser? c) If there was an add-on that warned you that you were visiting a CloudFlare, Amazon or Akamai website, how quickly would you drop everything, including balls that are not even yours, to check it out? addOns uBlock deleteAmazon amazon (dsfgs@activism.openworlds.info)
Der Infrastruktur- und DNS-Anbieter Cloudflare hat eine DDoS-Attacke gestoppt, die zu Spitzenzeiten bis zu 15,3 Millionen Anfragen pro Sekunde verschickte. Cloudflare: Botnet-Angriff mit mehr als 15 Millionen HTTPS-Anfragen/s abgewehrt (itsecnews@anonsys.net)
@com@jerry So I wonder if using Cloudflare actually eased their effort in passing an audit, because they can probably tick a bunch of boxes that say “not our problem… that’s on Cloudflare’s side of the fence”. (bojkotiMalbona@infosec.exchange)
Someone who sees DeepL’s security statement would be convinced that they are in good hands if they knew nothing about Cloudflare -- which likely describes a majority of those who encounter DeepL. (bojkotiMalbona@infosec.exchange)
I can understand why DeepL is so driven to mislead users about their security -- it’s a profit-driven corporation. But why does the LibreTranslate.com admin mislead users about security? They don’t even have a donation link. They have no reason to be malicious & harm the “libre” brand. It would cost them nothing to warn users that all queries are shared with Cloudflare. (bojkotiMalbona@infosec.exchange)
DeepL’s use of Cloudflare whilst showcasing ISO 27001 compliance really demonstrates well the insufficiency of iso27001. DeepL shows how well a Cloudflare website can decorate the security disclosures of a service while sharing every bit of everyone’s data with a MitM. (bojkotiMalbona@infosec.exchange)
@MarcoMeer@davidoclubb@Blort Yes I have. DeepL chose their words carefully. Their “state of the art TLS” is compromized when another org holds the keys & performs the decryption. Their e2e crypto terminates at Cloudflare’s data center not their own. They say they delete you text immediately have translation, but it’s too late b/c they’ve already shown it to an untrustworthy tech giant. (koherecoWatchdog@freeradical.zone)
Mastodon Pro-tip: if you&39;re struggling to get your website verified on your profile and your website is behind Cloudflare, you have to disable "Bot Fight Mode" under Security => Bots. Then you have to modify something in your Mastodon "Bio" and save to re-trigger the verification attempt. (andryou)
The lesson here, I guess: check the WAF logs in detail before assuming anything's not a CloudFlare issue! More specifically, if anyone else has weird federation issues and uses CloudFlare in front of their site - you need to disable "Bot Fight Mode" under "Security -> Bots" in the dashboard - else federation won't work properly. I have sent CloudFlare a request to fix this on their end too! (curtispf@mashed.cloud)
Want to sign into your matrix account using tor? cloudflare says no. 😿 @matrix (uniq@chaos.social)
Want to sign into your matrix account using tor? cloudflare says no. 😿 @matrix doesn't this also imply cloudflare can see user passwords and e2e recovery keys? After all, they usually mitm HTTPS. (uniq@chaos.social)
Finde den Fehler Microsoft Edge bekommt „Sicheres Netzwerk“ (VPN) verpasst. Das Microsoft Edge Secure Network ist ein Dienst, der in Zusammenarbeit mit Cloudflare bereitgestellt wird. Cloudflare setzt sich für den Datenschutz ein und sammelt eine begrenzte Menge an Diagnose- und Unterstützungsdaten als Microsofts Daten-Subprozessor, um die Dienste bereitzustellen. Voraussetzung hier ist, dass man mit einem Microsoft-Account im Browser angemeldet ist. 😜 (snip@social.tchncs.de)
@nielsa Fascism is the melding of govt with big business, the rest are symptoms, things that manifest as a by-product of such fascism. Our sources are reliable re banks censoring and unpersoning. If you have TorBrowser hit Ctrl+Shift+E before loading a website. Quickly you'll learn why CloudFlare is not what it seems. (dsfgs@activism.openworlds.info)
@nielsa So Facebook and Twitter are in the advertising, data broking and Public Relations industry. They are bad enough but… They are better than CloudFlare for sovereignty (mostly because everyone knows about what they are doing). When Fbook tried to be a bank we went into overdrive. CloudFlare (and akamai, lesser Amazon and Azure) control/block almost all Australian banks and payment rails, and by proxy and stealth. Its infinately worse, there is no comparison here. Its an attack. (dsfgs@activism.openworlds.info)
@nielsa Saying efforts to avoid Cloudflare (and Azure, Amazon and Akamai) is "entirely ridiculous" flys in the face of people, who have jumped ship when we talk to them. Every 'one' person who learns of the centralisation and NetNeutering-nature of the fascist CDN networks is priceless. We don't need to friend, follow people on Cf servers because their takes are, let's just say, low-octane, funnily enough. Stay on CloudFlare if you dare. (dsfgs@activism.openworlds.info)
WARNING: The mas.to instance is now CloudFlare. Start dropping packets — and by packet's we mean followers. deleteCloudFlare masTo masDotTo PSA fediverseInstances fediBlock (dsfgs@activism.openworlds.info)
> "Scraping your website" One 'p'. Means to copy the website, usually into some kind of static text based format, sometimes for processing in some way. > "Scrapping your website." Two 'p' Means to purge the website. > Site is CloudFlare In order to fix your website we take the computer serving the content and "pee" on it. Clear? urine piss infoSec p oneP twoP learnTheDifference (dsfgs@activism.openworlds.info)
NOOOOO DON'T USE CLOUDFLARE THEY ARE MITM YOUR TRAFFIC AND THEY CAN SEE YOUR PASSWORDS :soyjak: :soyjak2: :soy_left: :soy_right: :soyjak_gun: SSV: turns ln cloudflare caching wtf my 1:43:48 long video of "THE IDOLM@STER CINDERELLA GIRLS 7thLIVE TOUR Special 3chord♪ Glowing Rock ! @KYOCERA DOME OSAKA - Day 1 Part 1" doesn't load guess I'm not using cloudflare then. (splitshockvirus@mstdn.starnix.network)
@Blort@davidoclubb (update) DeepL is a no-go from a privacy standpoint -- just found out they share your sensitive translations with Cloudflare, thus privacy is in the shitter. I suggest installing ArgosTranslate and running it locally. (koherecoWatchdog@freeradical.zone)
The FBI are saying "ransomware actors" are apparently going after agricultural cooperatives" and "may (…) negatively impact the food supply chain". Wow, that almost sounds like it might be a threat. We of course, blame fedi. cloudFlareIsTheMalware supplyChains agriculture farming (dsfgs@activism.openworlds.info)
TIL Pixelfed is protected by Cloudflare. Ouch. (ru@fosstodon.org)
@icedquinn Sustainable Australia Party used to call these "de facto standards" "naturalMonopolies". They used to argue that such natural monopolies must be made public. They may still do, but we can no longer access their site as cloudFlare blocks access to it. Cloudflare serve a number of other minorParty websites, all of which are inaccessible. Keep in mind, Australia is IN AN ELECTION, right now. auspol privacy electionMeddling electionRigging USA democracyDoesNotExist (dsfgs@activism.openworlds.info)
Behördenwebsites mit Cloudflare "we are checking your browser" (quincy@chaos.social)
If you want to opt-out of Visa’s information sharing, you must give your card to Visa’s Cloudflare website. Is this catch22 legal, considering Visa is legally obligated to offer the opt-out? (koherecoWatchdog@freeradical.zone)
Hahaha. Now even CloudFlare'd sites are dropping initial connection attempts. Just die, CloudFlare. cloudFuckd cloudFucked dieCloudFlare (dsfgs@activism.openworlds.info)
@fedithom@fdroidorg You need to separate the facts from the judgment. The irrefutable fact is that Cloudflare sees all data going to CF-hosted Fdroid servers incl. ssl. What Cloudflare harvests from the F-droid mirrors is anyone’s guess b/c those facts are concealed from the public. Even if Cloudflare were to claim not to, they’ve been caught making false statements before, thus untrustworthy. (bojkotiMalbona@infosec.exchange)
@fdroidorg@iska The answer is the website, for now. Experts & streetwise users are being driven off the Fdroid app but the fdroid website is still easy to detect Cloudflare on (there are a number of tools to do this) and then sideload the apps. (bojkotiMalbona@infosec.exchange)
@fdroidorg@iska There is a project dedicated to finding Cloudflare websites. It’s such a huge undertaking that the project struggles to keep up with it. This is nothing that you could reasonably expect each Fdroid user to undertake on their own. (bojkotiMalbona@infosec.exchange)
@iska@fdroidorg What’s a specific firewall implementation that gives users the option of using a custom filter? BTW, you’re not just blocking one IP address. Cloudflare has around ~10-15% of all websites in the world. That’s a lot of IPs stemming from a lot of ASNs, and the ASN lookups are non-trivial because some CF websites are not tagged in the ASN info as belonging to CF. (bojkotiMalbona@infosec.exchange)
Fdroid is getting dicey for privacy now that are allowing a tech giant to snoop on who fetches which app. Many users choose @fdroidorg for security, but security is compromized when Cloudflare is given reconnaisance data on the apps and versions various users are running. This info opens up Fdroid users to attacks that exploit known bugs. (bojkotiMalbona@infosec.exchange)
@fdroidorg I suggest not trusting the Fdroid app itself anymore. By default it enables ~6 mirrors, any of which can become Cloudflared w/out notice. There is no toggle to automatically block or disable Cloudflare hosts. It’s thus more secure to fetch f-droid apps from the web over Tor, after checking whether a host is CF’d. (bojkotiMalbona@infosec.exchange)
