As I said last time we can agree to disagree, but it's obvious that either you don't understand how our system works, or you have other reasons for continuing this discussion and trying to spin the argument your way. No matter which one it is, you debunked your statements yourself so my 'job' is done and I won't reply to any further messages from you unless they contain suggestions or any sort of valid criticism.
Of course. To check that Cloudflare sends your website the same way to various IP addresses, you (or someone who you trust) need to have either physical access to that requesting IP address, or a remote one. This is not my assumption, misunderstanding, or misinterpretation, this is just how the internet works. Speaking of particular ways of checking remote access, the three I mentioned were the most obvious examples (and they often can be checked even without being Cloudflare and without controlling the outgoing traffic from your various IP addresses), but Cloudflare definitely had more time to think about this detection as well as much more data to analyze, including the outgoing traffic. This way they can check the computer knowledge level of the users at that IP as well.
They can check whatever they want, it's not enough. Also as I said before remote access is irrelevant to the discussion so there is no reason to bring it up. The only scenario in which you were right and we were wrong is if Cloudflare managed to discover a magical 100% accuracy prediction model, and I think anyone with a bit of common sense would agree that this is impossible.
Again, this is wrong. The price of a "false negative" result of a check by Cloudflare (they think you are checking them for spoofing, while this was a third-party user trying to mix his or her bitcoins) is just that they miss the tracking of this particular user and will not be able to report him or her to the authorities in the future. This will not prevent Cloudflare from tracing and reporting other users.
And the price of "false positive" (you are checking, but Cloudflare doesn't recognize you) is not too bad for Cloudflare either. At worst, they will lose your website if you decide not to use their "ddos-protection" ever again (and even this you don't say, you just say "automatically shut down the clearnet version", but you don't say how long you are going to keep it down). As for the other websites they MITM/"ddos-protect", your observation of spoofing will not really have much effect with Cloudflare's already-terrible reputation. And for your users who already mixed their bitcoins, it will already be too late.
'false negative' percentage is irrelevant in this discussion, there is no reason to mention it.
'false positive' is what matters and the scope of this discussion, since that's what we are checking. While Cloudflare may have a terrible reputation already, I have not heard of any proven cases where they spoofed a website, and I seriously doubt they'd risk this being the first time it happens while we are such a small platform, not to mention we would have undeniable proof of it all. This paired with the fact that if it happens once we would quit using Cloudflare immediately makes the 'price of a false positive' the complete opposite of 'not too bad' for Cloudflare. You are free to think otherwise of course.
So, 100% accuracy is not necessary for Cloudflare. Even 30% false negative with 0% false positive does not contradict the observations you say here, in this thread.
So you say they don't need 100% accuracy, but then proceed to give the only example where an attack would be possible while completely ignoring the fact that even in this case they would still need 100% accuracy.
Thank you for confirming our theory is right nonetheless, even though it certainly wasn't your intention. Just to be clear for everyone:
0% false positive means 100% accuracy needed from Cloudflare. Even 1 false positive means over 0% false positive or under 100% accuracy, however you want to count it. Once is all we need to have undeniable proof of it all and at that point we obviously would never use Cloudflare or any other 'DDoS protection' ever again. Simple as that.
Also don't forget about this:
4. There are multiples of times more requests made by us than from real users so statistically speaking their chance to be successful for even a day is incredibly small, let alone for a long period of time.
Where did you say it's temporary? If it's temporary, then: as long as you collaborate with Cloudflare, this continues to be a battle of shield and spear at best, for all of the period you use Cloudflare.
Correct, and considering that as soon as Whirlwind gains more popularity and we confirm that it's a viable business model we will switch back to our own proprietary solution we do not consider this to be an issue.
TLDR: A large scale attack is not possible in the way you described.
It is possible to organize an attack that will allow Cloudflare to know the connection between a certain percentage of incoming and outgoing mixing transactions, even if not all of them.
Again, a large scale attack is not possible in the way you described, our previous response was entirely accurate as long as Cloudflare didn't discover the only 100% accuracy prediction model that ever existed which IMO is safe to assume didn't happen.