They must first comply with the Patriot Act, the FISA Amendments Act, and the CLOUD Act, because they are in the same jurisdiction as them… then, maybe, the EU GDPR. In that order. Always.
Well, it’s standard “hierarchy of norms” theory of law, for when regulations of a different nature pile up…
Also, the Patriot, FISA-A, and CLOUD Acts all pretend to be justified by “national security”, which time and time again has been considered in the US to be a higher imperative in the hierarchy of norms (in many cases justifying even bypassing the constitution when it comes to spying on US citizens, etc.).
Whichever way you look at it: the NSA and the CIA (and countless other agencies), who have been granted unlimited, unregulated, untraceable access to all data processed by any US company, are not subject to the EU GDPR.
A lot of personal indie web uses CF because it’s free and manages usage spikes and your home server going offline for whatever reason.
ScoffingLizard@lemmy.dbzer0.com
on 27 Apr 02:01
It’s a pain in the ass for sure. There are many things I can’t see. It’s worth it to not fund fascism.
onlinepersona@programming.dev
on 25 Apr 10:42
The “Alt+F4 is a cheatcode” of our times.
undefinedTruth@lemmy.zip
on 25 Apr 07:22
If you are actively blocking Cloudflare and you are still able to use the web services you rely on then I am genuinely jealous of you.
ScoffingLizard@lemmy.dbzer0.com
on 05 May 05:26
So, it was the subdomains for challenges, CDN, and what I think is something to do with JavaScript. I just moved it back because it’s aggravating to block them.
RodgeGrabTheCat@sh.itjust.works
on 25 Apr 07:24
Doesn’t Lemmy go down when Cloudflare goes down? Are you currently blocking CF?
bjoern_tantau@swg-empire.de
on 25 Apr 21:35
Depends on the Lemmy server. So not all of Lemmy goes down.
RodgeGrabTheCat@sh.itjust.works
on 25 Apr 22:02
I know the server I’m on went offline during the last cf outage. Never occurred to me this wouldn’t be the case for all of Lemmy.
Edit: early morning comment always ends with me making spelling mistakes.
bjoern_tantau@swg-empire.de
on 26 Apr 13:14
That was a great time. My little server never felt snappier because all the big instances had stopped sending their content. And I could laugh at them because I wasn’t affected.
ScoffingLizard@lemmy.dbzer0.com
on 27 Apr 05:50
So it looks like I’m only blocking subdomains for the challenges, ajax, and some other CDN stuff. I could try blocking the whole domain for a while and see what happens. It will probably result in the same access since I blocked challenges.
I think I’d rather practice other anti-tracking or anti-fingerprinting measures rather than blocking one of the largest CDNs in the world. But yes, they do track.
Reminds me of when my stepmother turned off the router because she didn’t want incoming radiation and then couldn’t figure out why her emails were not arriving.
chicken@lemmy.dbzer0.com
on 25 Apr 09:41
If you set up a website with Cloudflare, their user interface has a lot of tracking stuff on by default to be injected into it. It also encourages you to use their HTTPS service, where the traffic is not actually encrypted from the user to your server but man-in-the-middle’d by Cloudflare. But the interface makes it super easy to do and refers to it like a good and normal default option.
So yeah I think they really want your data.
bjoern_tantau@swg-empire.de
on 25 Apr 21:34
Even if you don’t use Cloudflare’s https they still need the private keys to work. So they can read all traffic either way.
I’ll be more specific: suppose you set up a website on your own server and use Cloudflare as a reverse proxy. If you do SSL yourself, on your own server, then the traffic is encrypted between the client and your server, and therefore Cloudflare cannot read it; they do not have the encryption keys, even though the traffic is passing through them. If you use Cloudflare’s HTTPS solution, Cloudflare provides the keys and decrypts the traffic before passing it on.
The former is the more secure way to do it, but they encourage you to do it the way where they get to read all the traffic, which is pretty shady of them: if a website has HTTPS, people assume that means it is end-to-end encrypted to the website itself, but that assumption is being violated here, and a user has no way to know.
bjoern_tantau@swg-empire.de
on 26 Apr 00:09
How can they act as a proxy if they can’t terminate the connection? Or what service does that offer?
I guess they could filter out some connections based on IP addresses. But is that enough for some customers? Or am I overlooking something?
How can they act as a proxy if they can’t terminate the connection?
Why wouldn’t they be able to? The DNS record points to Cloudflare’s IP, and they forward the traffic to your server’s IP. This is a common choice for self-hosting setups because it’s a free service and it is a way to avoid pointing a DNS record at your home IP, which you may not want everyone to know. That doesn’t require decrypting the traffic.
How this squares with the DDoS protection and caching stuff, I’m not sure, but I know I set up SSL locally, did not give Cloudflare the keys, turned off all the options for them to handle it, and everything seems to work.
bjoern_tantau@swg-empire.de
on 26 Apr 09:30
Thanks! I hadn’t considered just wanting to hide your own IP.
You should check the certificate shown to clients when accessing your domain. I think you’ll find that it is not the certificate that you created outside of Cloudflare. Cloudflare doesn’t need your private key, as they issue a certificate for your domain to themselves and use that for the connection with the client. The certificate you created is used between Cloudflare and your server. The only option I’m aware of to route traffic through Cloudflare where they don’t terminate SSL is an enterprise-only feature.
I checked just to be sure (and debugged some problems while I was at it like the certificate having been expired), the certificate is from Let’s Encrypt via certbot.
Here is how to configure Cloudflare for this (I am using the free version):
In the settings under SSL/TLS Overview, in “Configure encryption mode”, select “Custom SSL/TLS” instead of “Automatic SSL/TLS (default)”, and under that select Full:
Full
Enable encryption end-to-end. Use this mode when your origin server supports SSL certification but does not use a valid, publicly trusted certificate.
Edit: looking into it more, might have been mistaken about how this works
Please actually compare the certificate when connecting to your server directly (bypassing Cloudflare) and when connecting via Cloudflare. An easy way to do this is with the openssl CLI:
Replace your-domain-here.org with your domain and your-ip-here with your actual server IP, but also do it with the Cloudflare IP.
The section about “Full (strict)” / “Full” refers to how Cloudflare verifies the certificate (or doesn’t, in the case of Flexible and Off) between your origin server and Cloudflare; this is not with respect to the client and Cloudflare. The custom origin certificates are also with respect to Cloudflare and your server (and have no impact on the certificate used between the client and Cloudflare). Cloudflare still uses a separate certificate that they have issued to themselves, and hold the private key to, for the client.
If you pay extra for their “Advanced Certificate Manager”, this allows you to upload a custom certificate to be used between the client and Cloudflare, but you have to provide the private key to Cloudflare because they still terminate SSL/TLS at their servers. Even their “Total TLS” service (part of ACM and the word “Total” could be mistaken to be “total” as in from client all the way to your origin server) does not provide E2EE.
I may be unaware of a newer service offering, but the only way that I’m aware of to get true E2EE is on their Enterprise plan (Keyless TLS). I have a lot of experience with Cloudflare on both personal and Enterprise plans (I was the technical person in charge of the account and configuring and such). Granted, I’ve not been dealing with CF Enterprise for a few years now and they may have a new service offering outside of Enterprise that I’m not familiar with, but my quick look around still suggests that everything aside from Keyless TLS requires either giving them the key (in the case of ACM custom certificates) or them using their own certificate for client <-> Cloudflare. When I did manage the Enterprise plan, we actually didn’t use Keyless TLS because we used features that required them to terminate TLS anyway, so I can’t speak to the specifics of it.
I hope I’m wrong though. I’d love to have true E2EE while still getting the DDoS protection on my personal stuff.
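The certificate comparison the post above recommends, written out as a small shell helper. This is an added example, not code posted in the thread: it fetches the leaf certificate a given address presents for a given SNI name and prints its SHA-256 fingerprint, subject and issuer, so the direct-to-origin result can be put next to the proxied one. The hostname your-domain-here.org is the same placeholder the post uses; the offline self-check generates two throwaway self-signed certificates as constructed stand-ins for an origin certificate and a proxy-issued one, since a real comparison needs a live domain.

```shell
#!/bin/sh
# Added example, not from the thread: compare the TLS leaf certificate a
# client sees when connecting to the origin directly with the one it sees
# when connecting through the proxy. If the two differ, TLS is being
# terminated in front of the origin and the proxy holds the session keys.
set -eu

# Print SHA-256 fingerprint, subject and issuer of the leaf certificate that
# $2 (an IP or hostname) presents when asked for SNI name $1.
leaf_cert_info() {
  host=$1
  target=$2
  openssl s_client -servername "$host" -connect "$target:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 -subject -issuer
}

# Return 0 when two certificate descriptions are identical, 1 otherwise.
same_cert() {
  [ "$1" = "$2" ]
}

# Fetch the certificate via both paths and report whether they match.
# Usage: compare_paths your-domain-here.org <origin-ip> <proxy-ip>
compare_paths() {
  direct=$(leaf_cert_info "$1" "$2")
  proxied=$(leaf_cert_info "$1" "$3")
  printf 'direct:\n%s\nproxied:\n%s\n' "$direct" "$proxied"
  if same_cert "$direct" "$proxied"; then
    echo "same certificate on both paths: no TLS termination in between"
  else
    echo "different certificates: TLS is terminated by the proxy"
  fi
}

# Offline self-check on constructed data: two freshly generated self-signed
# certificates for the same name stand in for an origin cert and an edge cert.
# Prints "different", which is what a terminating proxy looks like.
offline_demo() {
  tmp=$(mktemp -d)
  for role in origin edge; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=your-domain-here.org" \
      -keyout "$tmp/$role.key" -out "$tmp/$role.crt" >/dev/null 2>&1
  done
  a=$(openssl x509 -in "$tmp/origin.crt" -noout -fingerprint -sha256 -subject -issuer)
  b=$(openssl x509 -in "$tmp/edge.crt" -noout -fingerprint -sha256 -subject -issuer)
  rm -rf "$tmp"
  if same_cert "$a" "$b"; then echo "same"; else echo "different"; fi
}
```

Run compare_paths with your domain, your origin’s IP and the proxied IP that DNS returns for the domain; if the proxied issuer is not the CA that issued your own certificate (Let’s Encrypt in the post above), the client session ends at the proxy, whatever the “Full” setting says about the proxy-to-origin leg.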
Yeah, I did ultimately realize this, maybe I should have written a bit more in my edit earlier but it’s a bit embarrassing tbh, I had come to some wrong conclusions. I think what I’m going to do is simply stop using Cloudflare for anything that does not have an extra layer of encryption on top of https, or that isn’t just a static, public webpage with no interactivity.
ComradePenguin@lemmy.ml
on 26 Apr 13:09
Thanks for the info about HTTPS. I have used it a lot in the past, since it’s so incredibly easy and reliable.
cryptix@discuss.tchncs.de
on 27 Apr 03:09
I accidentally turned on the orange cloud and MITM’d myself. It was some day later, when I checked my SSL cert and found a Google certificate instead of Let’s Encrypt, that I realized the traffic was not terminating at my server.
lukstru@piefed.social
on 25 Apr 14:14
bjoern_tantau@swg-empire.de
on 25 Apr 21:37
Just blocking the domain won’t do you any good. Half the internet is behind Cloudflare. Even some Lemmy servers use it.
ParlimentOfDoom@piefed.zip
on 25 Apr 21:50
This is just turning off your router with extra steps.
HubertManne@piefed.social
on 26 Apr 00:25
As others have mentioned you are going to have a tough time seeing much on the web without it but I guess it would be a good way to see the web with like zero corpo stuff.
For that reason I block it via uBlock Origin, because it is an operational reality that I need to see that shit sometimes. The only origin in uBlock Origin that never gets toggled is Wix. That shit can stay the fuck off my screen.
HubertManne@piefed.social
on 26 Apr 15:08
This is one reason I have not been very motivated to block ads. It’s kinda something I want to know about, because holy Trump, they are just lowest common denominator at this point. There is just a whole cesspool that people who have not seen ads since before COVID are unaware of.
Oh, for sure. It’s horrifying. People are just existing with overt fascist propaganda around them all the time, and Google has been pushing it hard since 2019.
Yes it is; they manage DNS using Cloudflare, but don’t provide any data to them.
kazerniel@lemmy.world
on 26 Apr 12:20
You won’t be able to access 22% of websites, among them many of the largest ones.
Skankhunt420@sh.itjust.works
on 26 Apr 18:39
Yupp it sucks.
But it does kind of reaffirm that it most likely is collecting just as much data as Google. I hate Cloudflare and don’t understand why the rest of the world wants to be so dependent on a US-run technology firm after (waves arms) all this.
I agree - there definitely would need to be many more reverse proxy services, because the current dominance of just a handful is making the internet brittle in ways it wasn’t before.
Is this even the privacy forum? A lot of people here implying OP should consent to the spying for better service. Cloudflare absolutely does gather as much as Google, and with much deeper access. If you can go without those websites, then block Cloudflare.
swelter_spark@reddthat.com
on 29 Apr 01:05
That seems typical of this community, IMO. It constantly confuses me.
www.cloudflare.com/privacypolicy/
Privacy policies don’t mean anything if it’s a US-based company. Doesn’t matter if the servers are in the EU. They steal it anyway.
Look up the US CLOUD Act.
Do you honestly believe the US follows the GDPR?
They are also legally required to hand over the data. Do you honestly believe they go against the orange dictator and NSA?
https://www.forbes.com/sites/emmawoollacott/2025/07/22/microsoft-cant-keep-eu-data-safe-from-us-authorities/ IIRC, this was about EU servers that were not supposed to forward data to the US by contract.
Good luck reaching websites 😂
I suggest you also block anyone using AWS.
I don’t think OP would be able to use the modern internet lol
If they still can then goddam please write a tutorial
Well you can use the modern internet. Just not most of it. You would be only looking at the personal indie web at that point.
Depends on your provider.
That’s true if you’re proxying your traffic for DDoS protection, but you don’t need to do that to use them as a DNS, if you must.
Lots of stuff breaks when you block Cloudflare, so a better way to avoid its data collection is to use a VPN and clear your browsing data.
I have the Detect Cloudflare Firefox extension. I avoid sites that use it. Haven’t tried blocking it completely yet, but I could probably manage.
Can you link that extension please? That way I’m getting the right one. Hope it’s open source too.
https://addons.mozilla.org/en-US/firefox/addon/detect-cloudflare/
You can block Cloudflare, Amazon, etc. with this one: https://addons.mozilla.org/en-US/firefox/addon/cloud-firewall/
For my server I use Porkbun, which is cheap but reliable, and my Raspberry Pi 3B for small cloud servers, XMPP, WireGuard; works nicely.
Porkbun uses cloudflare name servers.
Including .world lol
And nothing of value would be lost.
Hahaha.
I block cloudflareinsights.com, which my Lemmy instance seems to be using lol.
I have not had that one come up on my logs yet.
I am of the habit that I block it globally on the browser. Until perhaps a website that I have to use needs it.