music group IFPI complained that while Cloudflare discloses the hosting locations of pirate sites in response to abuse reports, it doesn’t voluntarily share the identity of these pirate customers with rightsholders.
“Where IFPI needs to obtain the customer’s contact information, Cloudflare will only disclose these details following a subpoena or court order – i.e. these disclosures are mandated by law and are not an example of the service’s goodwill or a policy or measures intended to assist IP rights holders,” IFPI wrote.
So the corporations enjoying enormous profits from other people's work are unhappy that Cloudflare doesn't make it easy for them to circumvent due process. What a surprise.
(I'm generally not a fan of Cloudflare, because its man-in-the-middle position between users and services has grown to an unhealthy scale, making it ripe for dragnet surveillance and other abuses. But it would be even worse if it was actively helping these greedy, predatory corporations dodge the law.)
It bugs me when people say Cloudflare is a MitM, because that is a disingenuous representation the situation. Mainly that a MitM is done without either party's knowledge or consent. It even describes that in the very first sentence of the wiki page you linked. A better description would be a "middleman", but that's not scary so people don't call it that. It's just a proxy and you opt into it.
If you are signing up for Cloudflare to use their proxy services then you are opting into having a middleman, which then means it cannot be a MitM because both sides of the connection are aware of this layer. They are not trying to hide the fact there is a Cloudflare connection layer to either side. If Cloudflare is a MitM then any networking layer for any hosting service would be considered a MitM as well.
The arguments that Cloudflare is ripe for abuse and the scale of their systems are separate arguments that should also be applied to many other providers but that is never mentioned when people bring this up. It just seems like the MitM claim is just a tactic to leverage fear in an attempt to add weight to arguments that should be perfectly valid on their own.
It bugs me when people say Cloudflare is a MitM, because that is a disingenuous representation the situation.
No, it is a clear description of what is happening: Instead of https keeping the traffic encrypted from user to service, it runs only from user to Cloudflare (and then in some cases from Cloudflare to service, although that's irrelevant here). The result is that a third party (Cloudflare) is able to read and/or modify the traffic between the two endpoints. This is exactly what we in mean in cryptography discussions by man-in-the-middle.
You can decide that you don't mind it because it's not a secret, or because they haven't been caught abusing it yet, but to say it's not a man-in-the-middle is utter nonsense.
and you opt into it.
No, the service operator opts in to it, without consulting the user, and usually without informing them. The user has no choice in the matter, and typically no knowledge of it when they send and receive potentially sensitive information. They only way they find out that Cloudflare is involved is if Cloudflare happens to generate an error page, or if they are technically inclined enough to manually resolve the domain name of the service and look up the owner of the net block. The vast majority of users don't even know how to do this, of course, and so are completely unaware.
All the while, the user's browser shows "https" and a lock icon, assuring the user that their communication is protected.
And even if they were aware, most users would still have no idea what Cloudflare's position as a middleman means with respect to their privacy, especially with how many widely used services operate with it.
To be clear, this lack of disclosure is not what makes it a man in the middle. It is an additional problem.
it cannot be a MitM because both sides of the connection are aware of this layer.
This is false. Being aware of a man in the middle and/or willingly accepting it does not mean it ceases to exist. It just means it's not a man-in-the-middle attack.
You're conflating MitM, which is specifically defined as an attack, with the concept of a middleman. You acknowledge that it's not an attack, even:
It just means it's not a man-in-the-middle attack.
The other things you're describing are also framed specifically in a way that makes Cloudflare seem like some sort of bad actor out of the norm.
You say users have no choice in using Cloudflare. Yeah, the party that runs the service/website/whatever decides what services they use to serve their content. Nothing special there. If you are against Amazon then users have no choice but to use them when the other side chooses to use their services, or any other service provider which includes the ones you like. Similarly, users would have to resolve DNS records to determine what services they are connecting to.
You also don't have to use Cloudflare's proxy. You can just use them for DNS record management. You can use different SSL settings that allow an unencrypted connection between Cloudflare and the server, or you can enforce strict SSL policies where it is encrypted end-to-end.
You're going to have to prove any of your claims, or else I am just going to assume you're talking out of your ass. Particularly because you're clearly misunderstanding what a MitM is, or you're intentionally misusing it.
-edited formatting-
You’re conflating MitM,
Heh... It's safe to assume I'm well versed in this topic.
You’re going to have to prove any of your claims, or else I am just going to assume you’re talking out of your ass.
I am not, however, inclined to indulge rudeness. Bye bye.
Oookay. I wasn't actually claiming you were talking out of your ass. I was explaining that without backing up your claims with information, then that would be the conclusion.
Since you are refusing to do so, and since you seemed to identify with that, along with clearly conflating the two terms to suit your narrative. I can now say it's safe to assume that you are talking out of your ass. Especially considering the first part of your response reeks of arrogance.
Except the absolutely valid (I don't not necessarily agree but it's fair) criticism about mitm and other similar stuff, cloudflare actually does a lot of good stuff.
In general they stand their ground against companies who try to force them to do stuff like this.
They are also seemingly involved in developing and finding ways to make the internet a more secure place, like with encrypted client hello. And encrypted DNS.
Seeing these clowns spazz about piracy tells me we are going the right way folks. Squeeze the "owner" clowns until they provide a proper service.
Get fucked rent seekers
Cloudflare is a joke.
Did you even look at the article or did you see "Cloud flare" in the title and immediately grabbed your pitchfork?
The article is outlining a situation where Cloudflare is advocating to maintain privacy.
...but why? What do they gain from it?
Business, the core of their business model over any other CDN is that steadfast privacy that they will only give information when it's mandated by a court order
But do they have "canaries" that allow the user to verify they are indeed doing that?
Yes they have a canary entry on their transparency reports.
This haves nothing to do with the article. Cloudflare overall haves too much power on the Internet. On August 31st 2022, Matthew Prince (Cloudflare's CEO) released a statement defending his role as a service provider and not a regulatory body. But 3 days later, Cloudflare blocks a website called Kiwifarms. You maybe thinking, "Wait, that goes against his first statement he made.". You're right. I ask you, do you want a company like that to have so much power over the Internet?
So the corporations enjoying enormous profits from other people's work are unhappy that Cloudflare doesn't make it easy for them to circumvent due process. What a surprise.
(I'm generally not a fan of Cloudflare, because its man-in-the-middle position between users and services has grown to an unhealthy scale, making it ripe for dragnet surveillance and other abuses. But it would be even worse if it was actively helping these greedy, predatory corporations dodge the law.)
It bugs me when people say Cloudflare is a MitM, because that is a disingenuous representation the situation. Mainly that a MitM is done without either party's knowledge or consent. It even describes that in the very first sentence of the wiki page you linked. A better description would be a "middleman", but that's not scary so people don't call it that. It's just a proxy and you opt into it.
If you are signing up for Cloudflare to use their proxy services then you are opting into having a middleman, which then means it cannot be a MitM because both sides of the connection are aware of this layer. They are not trying to hide the fact there is a Cloudflare connection layer to either side. If Cloudflare is a MitM then any networking layer for any hosting service would be considered a MitM as well.
The arguments that Cloudflare is ripe for abuse and the scale of their systems are separate arguments that should also be applied to many other providers but that is never mentioned when people bring this up. It just seems like the MitM claim is just a tactic to leverage fear in an attempt to add weight to arguments that should be perfectly valid on their own.
No, it is a clear description of what is happening: Instead of https keeping the traffic encrypted from user to service, it runs only from user to Cloudflare (and then in some cases from Cloudflare to service, although that's irrelevant here). The result is that a third party (Cloudflare) is able to read and/or modify the traffic between the two endpoints. This is exactly what we in mean in cryptography discussions by man-in-the-middle.
You can decide that you don't mind it because it's not a secret, or because they haven't been caught abusing it yet, but to say it's not a man-in-the-middle is utter nonsense.
No, the service operator opts in to it, without consulting the user, and usually without informing them. The user has no choice in the matter, and typically no knowledge of it when they send and receive potentially sensitive information. They only way they find out that Cloudflare is involved is if Cloudflare happens to generate an error page, or if they are technically inclined enough to manually resolve the domain name of the service and look up the owner of the net block. The vast majority of users don't even know how to do this, of course, and so are completely unaware.
All the while, the user's browser shows "https" and a lock icon, assuring the user that their communication is protected.
And even if they were aware, most users would still have no idea what Cloudflare's position as a middleman means with respect to their privacy, especially with how many widely used services operate with it.
To be clear, this lack of disclosure is not what makes it a man in the middle. It is an additional problem.
This is false. Being aware of a man in the middle and/or willingly accepting it does not mean it ceases to exist. It just means it's not a man-in-the-middle attack.
You're conflating MitM, which is specifically defined as an attack, with the concept of a middleman. You acknowledge that it's not an attack, even:
The other things you're describing are also framed specifically in a way that makes Cloudflare seem like some sort of bad actor out of the norm.
You say users have no choice in using Cloudflare. Yeah, the party that runs the service/website/whatever decides what services they use to serve their content. Nothing special there. If you are against Amazon then users have no choice but to use them when the other side chooses to use their services, or any other service provider which includes the ones you like. Similarly, users would have to resolve DNS records to determine what services they are connecting to.
You also don't have to use Cloudflare's proxy. You can just use them for DNS record management. You can use different SSL settings that allow an unencrypted connection between Cloudflare and the server, or you can enforce strict SSL policies where it is encrypted end-to-end.
You're going to have to prove any of your claims, or else I am just going to assume you're talking out of your ass. Particularly because you're clearly misunderstanding what a MitM is, or you're intentionally misusing it.
-edited formatting-
Heh... It's safe to assume I'm well versed in this topic.
I am not, however, inclined to indulge rudeness. Bye bye.
Oookay. I wasn't actually claiming you were talking out of your ass. I was explaining that without backing up your claims with information, then that would be the conclusion.
Since you are refusing to do so, and since you seemed to identify with that, along with clearly conflating the two terms to suit your narrative. I can now say it's safe to assume that you are talking out of your ass. Especially considering the first part of your response reeks of arrogance.
Except the absolutely valid (I don't not necessarily agree but it's fair) criticism about mitm and other similar stuff, cloudflare actually does a lot of good stuff.
In general they stand their ground against companies who try to force them to do stuff like this.
They are also seemingly involved in developing and finding ways to make the internet a more secure place, like with encrypted client hello. And encrypted DNS.
Seeing these clowns spazz about piracy tells me we are going the right way folks. Squeeze the "owner" clowns until they provide a proper service.
Get fucked rent seekers
Cloudflare is a joke.
Did you even look at the article or did you see "Cloud flare" in the title and immediately grabbed your pitchfork?
The article is outlining a situation where Cloudflare is advocating to maintain privacy.
...but why? What do they gain from it?
Business, the core of their business model over any other CDN is that steadfast privacy that they will only give information when it's mandated by a court order
But do they have "canaries" that allow the user to verify they are indeed doing that?
Yes they have a canary entry on their transparency reports.
This haves nothing to do with the article. Cloudflare overall haves too much power on the Internet. On August 31st 2022, Matthew Prince (Cloudflare's CEO) released a statement defending his role as a service provider and not a regulatory body. But 3 days later, Cloudflare blocks a website called Kiwifarms. You maybe thinking, "Wait, that goes against his first statement he made.". You're right. I ask you, do you want a company like that to have so much power over the Internet?