DEV Community

[Comment from a deleted post]
 
luc45 profile image
Random Dev

I don't think they use Let's Encrypt, but this should be irrelevant. What certificate do you see on your browser when connecting to your domain that is protected by Cloudflare?

 
luc45 profile image
Random Dev

They might have permission to issue a certificate on your behalf as they control the DNS, but that's not the core of the issue

 
samjakob profile image
Sam (NBTX)

A Let’s Encrypt certificate. That’s why I’m asking.

 
luc45 profile image
Random Dev

Is the DNS entry you're hitting for this domain being proxied to Cloudflare? (Orange cloud on the Cloudflare dashboard) If yes, it should be protected from bots, etc

 
samjakob profile image
Sam (NBTX)

Yeah, again I’m familiar with that. Some yes, some no. I checked one that is but regardless if they issue them with Let’s Encrypt, which it seems they do, it would be identical anyway.

 
samjakob profile image
Sam (NBTX)

If it’s issued by the DNS level that’s actually a bigger problem because DNSSEC adoption is worse than SSL adoption before free SSL.

 
luc45 profile image
Random Dev

I understand the point about them being able to issue the certificate, but that's not the main point. For DNS entries that are proxied to Cloudflare, you should see a Cloudflare certificate in your browser. When you ping your site using the domain, you should see the requests passing through Cloudflare, as it is a man-in-the-middle by definition: it encrypts the browser connection to Cloudflare, and then encrypts the connection from Cloudflare to your server and back again, making them the only tool capable of mass breaking SSL encryption on the internet.
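The check the two commenters keep circling around, "what certificate do you see, and is the address you hit actually the proxy?", can be scripted. The following is an added example written for this thread, not code from either commenter or from Cloudflare. It uses only the Python standard library: `ssl.getpeercert()` gives the leaf certificate as nested tuples, which `summarize_peer_cert` flattens, and `classify` then decides where the TLS session terminates from the resolved address rather than from the issuer, because, as the thread itself notes, the edge can present a Let's Encrypt certificate issued on the domain owner's behalf. `CLOUDFLARE_RANGES_SAMPLE` and `SAMPLE_CERT` are constructed for the example; in real use load the current published edge ranges instead of the sample.

```python
"""Inspect who terminates TLS for a hostname (added example, not from the thread)."""
import ipaddress
import socket
import ssl

# Constructed sample of edge address ranges. Real use: load the published list
# (https://www.cloudflare.com/ips/) instead of hard-coding a sample.
CLOUDFLARE_RANGES_SAMPLE = [
    "104.16.0.0/13",
    "172.64.0.0/13",
]

# Constructed certificate dict in the exact shape ssl.getpeercert() returns:
# a Let's Encrypt-issued leaf, which by itself says nothing about who holds the key.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def rdn_to_dict(rdn_seq):
    """Flatten getpeercert()'s tuple-of-tuples RDN form into {attribute: value}."""
    out = {}
    for rdn in rdn_seq:
        for key, value in rdn:
            out[key] = value
    return out


def summarize_peer_cert(cert):
    """Pull out the fields a human would read off the browser's lock icon."""
    issuer = rdn_to_dict(cert.get("issuer", ()))
    subject = rdn_to_dict(cert.get("subject", ()))
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "issuer_org": issuer.get("organizationName", ""),
        "issuer_cn": issuer.get("commonName", ""),
        "subject_cn": subject.get("commonName", ""),
        "sans": sans,
        "not_after": cert.get("notAfter", ""),
    }


def is_edge_address(ip, ranges=CLOUDFLARE_RANGES_SAMPLE):
    """True when the address falls inside one of the proxy's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ranges)


def classify(cert, resolved_ips, ranges=CLOUDFLARE_RANGES_SAMPLE):
    """Decide where the session terminates.

    The issuer is not evidence either way: the edge can hold a Let's Encrypt
    certificate issued for the zone it proxies. Only the address you connect
    to tells you whether the plaintext is visible to the proxy first.
    """
    info = summarize_peer_cert(cert)
    info["proxied"] = bool(resolved_ips) and all(
        is_edge_address(ip, ranges) for ip in resolved_ips
    )
    info["terminates_at"] = "cdn-edge" if info["proxied"] else "origin"
    return info


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live lookup; returns (cert dict, peer address) in the same shape as SAMPLE_CERT."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeername()[0]


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    live_cert, peer_ip = fetch_peer_cert(target)
    print(classify(live_cert, [peer_ip]))
```

Run it as `python check_edge.py yourdomain.example` (assumed file name) to get the issuer, SANs and a `terminates_at` verdict for one address. A domain that reports `cdn-edge` is one where the proxy decrypts before the origin does, regardless of which CA signed the leaf; whether the second leg from edge to origin is also verified depends on the zone's SSL mode, which is the "Full (strict)" setting mentioned later in this thread.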

 
luc45 profile image
Random Dev

If it’s issued by the DNS level that’s actually a bigger problem because DNSSEC adoption is worse than SSL adoption before free SSL.

Okay, I'm totally unfamiliar with it. I'm surprised you're not getting a Cloudflare certificate on your browser when accessing a DNS entry that is proxied through them

 
luc45 profile image
Random Dev

Take your company website for instance

dev-to-uploads.s3.amazonaws.com/up...

Sorry, I peeked your profile looking for this information

 
luc45 profile image
Random Dev

Let it sink in that Cloudflare has access to unencrypted data from 10% of the internet, and that it was created after an acquisition by the Department of Homeland Security, making it the only tool capable of mass breaking SSL communications for the data acquired through traffic-sniffing such as the NSA's

 
samjakob profile image
Sam (NBTX)

All good. There we actually do use Full (strict) - I explicitly chose to use CloudFlare for that SSL as it’s more or less purely presentational and the data is not sensitive.

I’d rather not give public details about the nature of all our security measures, etc. but that is not the case for all our domains.

 
luc45 profile image
Random Dev

How did they get 10% of the internet? By making it free. Well, at this point just re-read the thread VERY carefully if you agree with my claim above

 
samjakob profile image
Sam (NBTX)

Actually putting this aside for a second - let’s consider Let’s Encrypt, who no doubt have far more control

 
Comment deleted
 
luc45 profile image
Random Dev

So, what do you think, after all?

 
samjakob profile image
Sam (NBTX)

I’ll agree with you now that CloudFlare has the ability, for the most part, to break SSL on many websites. But even without them specifically, I believe there would still be that risk with services or organizations such as Let’s Encrypt so I think if this is something that matters to you, you should really consider your suppliers.

I don’t know how much of that is useful data - e.g. I don’t at all use CloudFlare or third party SSL for API domains for example.

Finally, I don’t believe there is enough evidence to suggest that CloudFlare was created or is/was owned by the DHS.

 
luc45 profile image
Random Dev • Edited

I understand the DHS claim might be weak, but the founder of Cloudflare, Matthew Prince, said to a BBC reporter that Cloudflare started after DHS got really interested in the data he had built up with the Honeypot project, and DHS acquired it for the price that Matthew asked: 20k.

Five years later Mr Prince was doing a Master of Business Administration (MBA) at Harvard Business School, and the project was far from his mind, when he got an unexpected phone call from the US Department of Homeland Security asking him about the information he had gathered on attacks.

Mr Prince recalls: "They said 'do you have any idea how valuable the data you have is? Is there any way you would sell us that data?'.

"I added up the cost of running it, multiplied it by ten, and said 'how about $20,000 (£15,000)?'.

"It felt like a lot of money. That cheque showed up so fast."

Fast forward a year and a half from that call, and Cloudflare was a fully-fledged application integrated with tech giants such as Hostgator. They were tremendously efficient to develop the tool and commercialize it so fast. I think they got help.

All of those claims in isolation don't tell much, but when you put everything together, a very clear picture appears. It's a picture that makes sense, based on observable facts, but yes, I'm fully aware it's a theory. That's one of the reasons why I asked those questions: to validate crucial aspects of this theory, such as the decryption power of Cloudflare.