upvote

points

by tanh6 hours ago |
comments
upvoteby sph6 hours ago|
next
[-]
That’s been my pet theory from day 1, and not because of DDoS. Simply because they are the SSL terminator for most of the internet and can see anything going on in cleartext (and I’ve seen them protecting some shady stuff)

I recall a PRISM slide showing the diagram of Google and the public internet, with a big arrow on GFE saying, quote, “SSL added and removed here! :-)”

If NSA aren’t installed at Cloudflare, I wonder what they are even doing.

reply
upvoteby sph2 hours ago|
parent|
next
[-]
To add: apparently that PRISM slide got its own Knowyourmeme entry: https://knowyourmeme.com/memes/ssl-added-and-removed-here
reply
upvoteby nottorp1 hours ago|
parent|
prev|
next
[-]
> I’ve seen them protecting some shady stuff

Hmm do we want them to decide what stuff is shady and what isn't?

We're already allowing payment processors to do that and it's not good.

reply
upvoteby tanh5 hours ago|
parent|
prev|
next
[-]
DDoS is just one of the impetuses for a service provider be MiTM'd
reply
upvoteby linkregister5 hours ago|
parent|
prev|
next
[-]
It's within the realm of possibility that NSA is collecting data with Cloudflare's consent. It seems unlikely that Cloudflare would jeopardize their entire business model over it. Unlike other companies in the leaked NSA slides that participated in PRISM, Cloudflare would face a near-total loss of customers. Their entire value proposition is being an unobtrusive traffic intermediary.
reply
upvoteby fph5 hours ago|
parent|
next
[-]
Within the realm of possibility? Let's be honest, if you are a top NSA executive and you couldn't find a way to get your hands on Cloudflare's private keys (bribing or threatening the right person), you are not getting your Christmas bonus.
reply
upvoteby nly4 hours ago|
parent|
next
[-]
It is of course inconceivable that the NSA do not have the private keys for dozens of browser trusted certificate authorities

That nonetheless doesn't help them unless they are doing active MITM. In order to do that they'd have to have at least some physical presence at Cloudflare or on the path to Cloudflare.

reply
upvoteby RealityVoid4 hours ago|
parent|
[-]
My understanding is that they tapped communication nodes before. I would be surprised if they can't tap the pipes to cloudflare.
reply
upvoteby fragmede49 minutes ago|
parent|
[-]
I mean, it is the CIA, but if you encrypt it before it leaves the box, and you're decent good with the key material, how are they going to get at it? Tapping the fiber then gets them encrypted flows, which isn't nothing, but, well, it would be surprising if they had access to the clear text.
reply
upvoteby linkregister4 hours ago|
parent|
prev|
next
[-]
Is this information derived from Enemy of the State starring Will Smith and Gene Hackman? It was a great movie and the first DVD I ever bought.
reply
upvoteby philipallstar2 hours ago|
parent|
prev|
[-]
Do people in government get bonuses linked to performance?
reply
upvoteby sph1 hours ago|
parent|
[-]
Government agencies get budgets linked to performance.
reply
upvoteby philipallstar49 minutes ago|
parent|
[-]
Well - do they? In my experience they get budgets for spending their current budget.
reply
upvoteby sph5 hours ago|
parent|
prev|
next
[-]
> Unlike other companies in the leaked NSA slides that participated in PRISM, Cloudflare would face a near-total loss of customers

People didn’t care when they learned about PRISM, why would they care now when it’s a known fact? The sane stance would be to assume Cloudflare is in cahoots with NSA.

reply
upvoteby linkregister5 hours ago|
parent|
[-]
All the companies involved in PRISM made public statements saying they ceased participation. Google undertook a costly initiative to add encrypted connections over their datacenter circuits. The NSA leaks were a forcing function that led to a massive uptake of encryption. Up until that point it was common for websites to support only HTTP.

The NSA leaks dominated news cycles for the entirety of 2013.

reply
upvoteby netdevphoenix3 hours ago|
parent|
next
[-]
> All the companies involved in PRISM made public statements saying they ceased participation. Google undertook a costly initiative to add encrypted connections over their datacenter circuits

This is as helpful as Whatsapp's so called E2E encryption comms (that just happens to not be applicable by default in certain situations).

reply
upvoteby lukewarm7075 hours ago|
parent|
prev|
[-]
my llm api traffic terminates tcp at cloudflare in lovely plain text :/

it does give better peering. reduces latency a bit for me.

reply
upvoteby my-next-account4 hours ago|
parent|
[-]
I had no idea that this was a thing. How can you figure out where SSL turns into plain text on its route to the destination?
reply
upvoteby lukewarm7071 hours ago|
parent|
[-]
in this case it's my design to use cloudflare.

but you can also see from curl or traceroute, that the endpoint you talked to was a cloudflare ip and your ssl ended there. after that you can't see inside cloudflare.

reply
upvoteby netdevphoenix3 hours ago|
parent|
prev|
[-]
> Cloudflare would face a near-total loss of customer

I think more people than you would expect would be happy to accept that as the price for protection against malicious actors

reply
upvoteby breppp6 hours ago|
parent|
prev|
[-]
That slide was about the NSA sitting inside Google data centers without Google's knowledge.

That doesn't mean collusion

reply
upvoteby xorcist4 hours ago|
parent|
[-]
That's the thing though: We can't know that.
reply
upvoteby DaSHacka3 hours ago|
parent|
[-]
Well, we kind of can, given that "SSL added and removed here :-)" was a pretty explicit workaround to the issue of encrypted communications in Google's infrastructure, just not between sites (IIRC).

Either way, if they were directly colluding with Google, they would have had a much simpler time siphoning off that data.

reply
upvoteby hammock6 hours ago|
prev|
next
[-]
I don’t see how they couldn’t be. Either on purpose, secretly my coercion, or secretly without their own knowledge. It’s so valuable
reply
upvoteby kdheiwns6 hours ago|
prev|
next
[-]
Yeah, their origin is a story of absolute incredible luck. Cloudflare came out of nowhere and suddenly massive sites with huge user bases around the world, including places like 4chan, were getting DDoSed. Then they immediately announce that they transitioned to Cloudflare. Hell of a lucky time to make a company that the entire internet suddenly became absolutely dependent on.

The funny thing about that era is you knew they started using Cloudflare because they went from stable with constant uptime to going down and showing a Cloudflare banner randomly all the time for a good year or so. They ran worse with Cloudflare than they did while they were allegedly getting DDoSed. The whole company glows, as the late great HN commenter Terry Davis would've said.

reply
upvoteby UqWBcuFx6NV4r5 hours ago|
parent|
next
[-]
Am i the only one that actually remembers this time period? It wasn’t that long ago. The confidence of your assertion is completely misplaced. I remember exactly where i was when I first read about CF, on launch day. DDoS attacks were CERTAINLY a big issue before Cloudflare came along. A whole lot of script kiddie energy was poured into them. LHC? Slowloris? IRC C2? This wasn’t niche stuff. That’s why I remember the CF launch, because I and everyone else knew that it was a big deal, given what the landscape had been for quite some time. Sorry if you personally didn’t have your finger on the pulse for whatever reason, but this was far from a niche issue, even for big sites / usual targets like 4chan.
reply
upvoteby kdheiwns5 hours ago|
parent|
[-]
I was there and recalled there being occasional script kiddy DDoS attacks here and there. But the uptime when being attacked was still much, much better than the first 1-2 years of actually using Cloudflare.
reply
upvoteby Imustaskforhelp1 hours ago|
parent|
prev|
[-]
> as the late great HN commenter Terry Davis would've said.

Oh my god, this is how & when I realize that Terry Davis (Rest in peace) used to use Hackernews too: https://news.ycombinator.com/threads?id=TerryADavis

https://news.ycombinator.com/item?id=10061171 (From this comment written by terry):

"I wrote all the code from scratch, including a 20,000 line of code compiler that makes x86_64 machine code from HolyC or Asm and operates AOT and JIT.

My JIT mode is not interpreted. It optimizes and compiles to x86_64 machine code.

I was chosen by God because I am the best programmer on the planet and God boosted my IQ with divine intellect." -Terry A Davis.

reply
upvoteby dewey6 hours ago|
prev|
[-]
> Wonder who can do those sudden attacks?

Anyone with a few crypto currencies in their wallet that can click a button on any of the booter services with botnets for hire.

reply
upvoteby overfeed6 hours ago|
parent|
[-]
You are right, they don't have to do it themselves, but guess who's protecting the booters from other booters?
reply
upvoteby l23k45 hours ago|
parent|
next
[-]
Primarily specialist bulletproof ddos protection services like ddos-guard.ru, not "Cloudflare" as is the popular meme among clueless commenters.
reply
upvoteby linkregister5 hours ago|
parent|
prev|
[-]
Most modern booters are not maintaining public websites that could be the object of DDoS attacks. They're renting residential IP addresses from free VPN users.
reply