IDK what you mean by “domain host” but the thing about cloudflare ('s most prominent service) is that it’s essentially a voluntary MITM between you and your clients. They see ALL traffic going between your server and your clients. This is not normal. Normally traffic between server and client is encrypted with HTTPS. By using cloudflare’s proxy your are adding a backdoor to that encryption. Your registrar cannot normally see this traffic. Your certificate authority cannot normally see this traffic without issuing a malicious cert. But cloudflare can. And, if they wanted to, they could even inject malware to deanonymize users, spy on journalists, steal data, etc. As a matter of fact, they already do, but instead of calling it “malware” they call it “analytics”, so it’s okay 👍
Right, the middleware is the issue. You can bake all of what Cloudflare does yourself as far as hardening goes and utilities like Anubis and Pangolin, buuut you’re not getting that DDOS protection.
To Lemmy’s benefit, DDOSing one of us isn’t DDOSing all of us, buuut there’s a bit to be said about Lemmy mostly centralizing around .world.
If one had a botfarm and a grudge…
There are proxies and selfhosted middleware out there that can be set up across arrays of vpses who’ll then redirect based on health and load, but once they know all of them, I guess you’re done running.
What stops any domain host from selling us out tomorrow? Why single out cloudflare?
IDK what you mean by “domain host” but the thing about cloudflare ('s most prominent service) is that it’s essentially a voluntary MITM between you and your clients. They see ALL traffic going between your server and your clients. This is not normal. Normally traffic between server and client is encrypted with HTTPS. By using cloudflare’s proxy your are adding a backdoor to that encryption. Your registrar cannot normally see this traffic. Your certificate authority cannot normally see this traffic without issuing a malicious cert. But cloudflare can. And, if they wanted to, they could even inject malware to deanonymize users, spy on journalists, steal data, etc. As a matter of fact, they already do, but instead of calling it “malware” they call it “analytics”, so it’s okay 👍
Holding your own certs and constantly reviewing your and your users threat models. Cloudflare’s excessive control comes from them being a proxy.
Right, the middleware is the issue. You can bake all of what Cloudflare does yourself as far as hardening goes and utilities like Anubis and Pangolin, buuut you’re not getting that DDOS protection.
To Lemmy’s benefit, DDOSing one of us isn’t DDOSing all of us, buuut there’s a bit to be said about Lemmy mostly centralizing around .world.
If one had a botfarm and a grudge…
There are proxies and selfhosted middleware out there that can be set up across arrays of vpses who’ll then redirect based on health and load, but once they know all of them, I guess you’re done running.