• mox@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    11
    arrow-down
    8
    ·
    edit-2
    23 hours ago

    It bugs me when people say Cloudflare is a MitM, because that is a disingenuous representation the situation.

    No, it is a clear description of what is happening: Instead of https keeping the traffic encrypted from user to service, it runs only from user to Cloudflare (and then in some cases from Cloudflare to service, although that’s irrelevant here). The result is that a third party (Cloudflare) is able to read and/or modify the traffic between the two endpoints. This is exactly what we in mean in cryptography discussions by man-in-the-middle.

    You can decide that you don’t mind it because it’s not a secret, or because they haven’t been caught abusing it yet, but to say it’s not a man-in-the-middle is utter nonsense.

    and you opt into it.

    No, the service operator opts in to it, without consulting the user, and usually without informing them. The user has no choice in the matter, and typically no knowledge of it when they send and receive potentially sensitive information. They only way they find out that Cloudflare is involved is if Cloudflare happens to generate an error page, or if they are technically inclined enough to manually resolve the domain name of the service and look up the owner of the net block. The vast majority of users don’t even know how to do this, of course, and so are completely unaware.

    All the while, the user’s browser shows “https” and a lock icon, assuring the user that their communication is protected.

    And even if they were aware, most users would still have no idea what Cloudflare’s position as a middleman means with respect to their privacy, especially with how many widely used services operate with it.

    To be clear, this lack of disclosure is not what makes it a man in the middle. It is an additional problem.

    it cannot be a MitM because both sides of the connection are aware of this layer.

    This is false. Being aware of a man in the middle and/or willingly accepting it does not mean it ceases to exist. It just means it’s not a man-in-the-middle attack.

    • Phoenixz@lemmy.ca
      link
      fedilink
      English
      arrow-up
      5
      ·
      11 hours ago

      The point is that Cloudflare is a provider that you can choose to have as a part of your own infrastructure.

      It is NOT a man in the middle as man in the middle implies “attack”

      If Cloudflare is a man in the middle, i can make similar evil claims about anyone using Google Drive or Microsoft crapware. Loads of governments store sensitive documents on Microsoft services and Microsoft actually actively breaks contracts by messing with said data.

      At least, as far as we know, Cloudflare has no I’ll will.

      Yet

      • mox@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        3
        ·
        edit-2
        8 hours ago

        Cloudflare is a provider that you can choose to have as a part of your own infrastructure.

        Indeed.

        man in the middle implies “attack”

        That can be a convenient shorthand if the parties in a discussion agree to use it as such in context. For example, in a taxonomy of cryptographic attacks, it would make sense. It is not the general meaning, though, at least not a universally accepted one. Similarly, “counter” does not imply “counter attack”, unless we happen to be discussing attack strategy.

        More to the point, nothing that I wrote misrepresents the situation as was claimed by that other person. If I had meant attack, I would have said attack. Rather, they made a leap of logic because I (like most of my colleagues) don’t happen to follow a convention that they like, and picked a fight over it. No thanks.

        • go $fsck yourself@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          6 hours ago

          Since you’re going to childishly talk about me and infer something that is entirely false, I’m going to step in here.

          First, you claim it’s “a convenient shorthand”, except “middleman” is far shorter than “man-in-the-middle”. So that argument is entirely false.

          Next, “nothing that I wrote misrepresents the situation”? You literally linked the Wikipedia article for “Man in the middle attack”, but conveniently left out the word “attack” both when referring to it and in the link itself which redirected to the actual Wiki page https://en.wikipedia.org/wiki/Man-in-the-middle_attack.

          You are clearly intentionally misrepresenting the subject in order to frame things to suit your narrative. That’s not just a claim out of nowhere, I provided evidence to support this.

          And get out of here with your pathetic “like most of my colleagues” pretentious attitude.

    • go $fsck yourself@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      edit-2
      20 hours ago

      You’re conflating MitM, which is specifically defined as an attack, with the concept of a middleman. You acknowledge that it’s not an attack, even:

      It just means it’s not a man-in-the-middle attack.

      The other things you’re describing are also framed specifically in a way that makes Cloudflare seem like some sort of bad actor out of the norm.

      You say users have no choice in using Cloudflare. Yeah, the party that runs the service/website/whatever decides what services they use to serve their content. Nothing special there. If you are against Amazon then users have no choice but to use them when the other side chooses to use their services, or any other service provider which includes the ones you like. Similarly, users would have to resolve DNS records to determine what services they are connecting to.

      You also don’t have to use Cloudflare’s proxy. You can just use them for DNS record management. You can use different SSL settings that allow an unencrypted connection between Cloudflare and the server, or you can enforce strict SSL policies where it is encrypted end-to-end.

      You’re going to have to prove any of your claims, or else I am just going to assume you’re talking out of your ass. Particularly because you’re clearly misunderstanding what a MitM is, or you’re intentionally misusing it.

      -edited formatting-

      • mox@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        9
        ·
        21 hours ago

        You’re conflating MitM,

        Heh… It’s safe to assume I’m well versed in this topic.

        You’re going to have to prove any of your claims, or else I am just going to assume you’re talking out of your ass.

        I am not, however, inclined to indulge rudeness. Bye bye.

        • go $fsck yourself@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          ·
          21 hours ago

          Oookay. I wasn’t actually claiming you were talking out of your ass. I was explaining that without backing up your claims with information, then that would be the conclusion.

          Since you are refusing to do so, and since you seemed to identify with that, along with clearly conflating the two terms to suit your narrative. I can now say it’s safe to assume that you are talking out of your ass. Especially considering the first part of your response reeks of arrogance.