Author

Topic: Bitcointalk Hosting - MITM (man-in-the-middle) Attack - Paying Cash To Cloudfare (Read 218 times)

legendary
Activity: 1526
Merit: 1359
Theoretically, there is a risk of an MITM attack but till now there hasn't been any report of such attacks targeting Cloudflare. However, the original website still be vulnerable if they bypass the security layer of Cloudflare and do not correctly secure their server.

In short, if the website follows all the security parameters it must have, the risk of this type of attack is at the same level whether you use Cloudfare or any other service.

Now, I ask: why change something that is working well and fulfills its objective?

That is why I called this a baseless rant.

Bitcointalk.org has been using CloudFlare security functions for nearly six years now, and as far as I know, there haven't been any issues or complaints about MITM attacks or data leaks during that time. People have talked this over extensively, and all the details are out there if you take a moment to search for them. (It took me less than five minutes to find theymos' thread on this).

But apparently, some members feel that the OP made a good point and should even be congratulated for it, even though he didn't provide any useful information or suggestion, and most of his post is based on pure speculation and half-truths.

Yes, CF is a MITM. Anyone who has used their services and read the terms already knows it. That is the only truthful part in the OP's statement. Everything else is just nonsense.
full member
Activity: 504
Merit: 212
Theoretically, there is a risk of an MITM attack but till now there hasn't been any report of such attacks targeting Cloudflare. However, the original website still be vulnerable if they bypass the security layer of Cloudflare and do not correctly secure their server.

In short, if the website follows all the security parameters it must have, the risk of this type of attack is at the same level whether you use Cloudfare or any other service.

Now, I ask: why change something that is working well and fulfills its objective?

There is still a chance for a potential attack, but the OP didn't suggest any better options that can overcome this threat. So the best option till now is to keep the current system that is working fine until the OP comes up with a better solution.
legendary
Activity: 1862
Merit: 5154
**In BTC since 2013**
Theoretically, there is a risk of an MITM attack but till now there hasn't been any report of such attacks targeting Cloudflare. However, the original website still be vulnerable if they bypass the security layer of Cloudflare and do not correctly secure their server.

In short, if the website follows all the security parameters it must have, the risk of this type of attack is at the same level whether you use Cloudfare or any other service.

Now, I ask: why change something that is working well and fulfills its objective?
full member
Activity: 504
Merit: 212
The question I pose is: Is there another service, similar to Cloudflare, where the MITM danger does not exist? If so, is it really better than Cloudflare against DDOS attacks?

Cloudflare is the MITM between users and the original server. They provide a security layer infrastructure to do server protection and optimize data for end users. There are similar services like Cloudflare and they all use the same methods The only difference between them only in features. So a potential threat of MITM attack will always exist.


Another thing I would like to know was: are there reports of cases in which Cloudflare connections suffered MITM attacks? I searched and didn't find it, but maybe it wasn't a deep search.

If the original server is not properly secured then there will always be a chance of being compromised even it uses Cloudflare. I have tried to find any incident regarding that and found this. Only some ransom note HTTP DDoS attacks

Are we just talking about a possibility, or something that has already happened?

Theoretically, there is a risk of an MITM attack but till now there hasn't been any report of such attacks targeting Cloudflare. However, the original website still be vulnerable if they bypass the security layer of Cloudflare and do not correctly secure their server.


legendary
Activity: 1862
Merit: 5154
**In BTC since 2013**
The question I pose is: Is there another service, similar to Cloudflare, where the MITM danger does not exist? If so, is it really better than Cloudflare against DDOS attacks?

Another thing I would like to know was: are there reports of cases in which Cloudflare connections suffered MITM attacks? I searched and didn't find it, but maybe it wasn't a deep search.

Are we just talking about a possibility, or something that has already happened?

legendary
Activity: 2366
Merit: 1272
Heisenberg
eXch.cc, could you please explain why you felt that this baseless rant deserves so much merit?
Maybe because they felt OP has a good point and admin himself admitted about the danger posed by using Cloudflare as other members have already quoted, so I perfectly understand why they sent OP that much merit. I have seen useless posts receive high amounts of unnecessary merits.

There is no need to crucify the "meriter"  Grin
legendary
Activity: 3612
Merit: 5297
https://merel.mobi => buy facemasks with BTC/LTC
I was coming here with about the same info tranthidung and ETFbitcoin already gave, with the possible extra info that wasn't explicitly posted by tranthidung, but was already discussed previously: so it's clear to everybody: yes, the OP is right, cloudflare IS a MITM... Packages get encrypted by a symetric key between your workstation and cloudflare, cloudflare decrypts and checks it's cache, if no cache hit, cloudflare sets up a new symetric key for communication between their servers and (in this case) the server running bitcointalk. There isn't even any 100% proof there is a symetric key used for the connection between CF and bitcointalk's host, but i'm willing to take Theymos on his word, since he has no incentive not to set this up on his site. This means no network operator will be able to capture and read your traffic (since it's encrypted), but cloudflare will be able to access (and store) every unencrypted package you send to bitcointalk.

I've actually spent a lot of time on this subject in this post: https://bitcointalksearch.org/topic/mixers-using-cloudflares-ssl-certificates-5247838 (EDIT: link was already posted by ETFbitcoin) and even tough the images no longer work, the theory can still be applied to bitcointalk aswell... But like i said: back when CF was implemented, this was discussed by a lot of members (including Theymos), and the usage of cloudflare was more or less accepted by most users at that time (eventough we all knew the obvious MITM attack vector that was introduced at that time).

In the past, there was a discussion of also setting up bitcointalk as a hidden service for people that wanted to mitigate cloudflare, but the proposal also had it's downsides and it didn't gain any traction.
legendary
Activity: 2310
Merit: 4085
Farewell o_e_l_e_o
theymos knew about it but still not find better alternatives.

Thoughts on Cloudflare and denial of service attacks and eventually he decided to use it.

I especially dislike Cloudflare, which I'm almost certain is basically owned by US intelligence agencies. I considered several alternatives to Cloudflare, but the smaller ones (eg. Stackpath and OVH) didn't strike me as reputable/competent enough, and the enterprise-targeted ones like Incapsula and Akamai are around $3500/month. Even though $3500/month seems absolutely ridiculous to me, I was seriously considering Incapsula due to its pretty good reputation, but then they were having all sorts of technical issues while I was trying to set it up. So I gave up for now and went with Cloudflare.

Your mental model should always be that the forum logs everything, especially since it is behind Cloudflare, which is almost certainly an NSA-backed operation.

member
Activity: 112
Merit: 37
Even if Bitcointalk is not hosted in Cloudfare, the MITM (man-in-the-middle) problem is the same - after the Cloudfare server the connection can simply be clear text.

Where did you get the information that the traffic between CF and the bitcointalk hosting server is unencrypted? There is no evidence to support that claim.
Just because something "can be" does not mean it is.


 You need evidence - here it is, author of the article about CloudFare -  "I spent about 10 years of my life providing support for Microsoft Windows and other Microsoft related products, both on the desktop and on the server market." - https://unixsheikh.com/faq.html
legendary
Activity: 1526
Merit: 1359
Even if Bitcointalk is not hosted in Cloudfare, the MITM (man-in-the-middle) problem is the same - after the Cloudfare server the connection can simply be clear text.

Where did you get the information that the traffic between CF and the bitcointalk hosting server is unencrypted? There is no evidence to support that claim.
Just because something "can be" does not mean it is.
member
Activity: 112
Merit: 37
As far as I know, bitcointalk is not hosted by CloudFlare, but CF is used to prevent DDoS attacks.

To answer to your question:




eXch.cc, could you please explain why you felt that this baseless rant deserves so much merit?


Even if Bitcointalk is not hosted in Cloudfare, the MITM (man-in-the-middle) problem is the same - after the Cloudfare server the connection can simply be clear text.
legendary
Activity: 1526
Merit: 1359
As far as I know, bitcointalk is not hosted by CloudFlare, but CF is used to prevent DDoS attacks.

To answer to your question:





eXch.cc, could you please explain why you felt that this baseless rant deserves so much merit?
member
Activity: 112
Merit: 37
So nice forum, like, bitcointalk, can have serious security problem with hosting - CloudFlare, which act as a MITM (man-in-the-middle) with their CDN (content delivery network) service. Members connection, who surfing the forum are only really encrypted up until the CloudFlare servers, after that the connection can simply be clear text. Interested members can find info here https://unixsheikh.com/articles/stay-away-from-cloudflare.html. ( There are also link to Firefox plug-in, which detects CloudFlare and lets you know ).
And I also think, that forum admin could pay about hosting with BTC, and not by cash to Cloudfare. There are many hosting companies, which accept BTC. For example, this nice hosting company in Iceland - https://www.orangewebsite.com/.
Jump to: