Topic: Data privacy and this forum (cloudflare) (Read 258 times)

full member
Activity: 574
Merit: 152
September 20, 2018, 09:00:28 AM
#18
Right. This is still a problem.

So, with cloudflare doing the TLS termination, every PM can be logged by that third-party entity. Not only can they read, but they can also modify messages in transmission.

Theymos can edit what your PMs say and send new PMs. He can't do as much as cloudflare in getting username and password combinations; however, he can do quite a bit on that front.

If you have something significant to say, stake your address somewhere on this forum and sign your message so people can verify it's you (you can also use a PGP key for this).

Theymos is a trusted source. He could easily get our passwords by adding two to three lines of code to the login function (just log the passwords to plain-text file).

Valid point on securing communication; I was thinking of moving entirely to GPG for communications and signing messages to ensure integrity. However, just because they can't read my message doesn't mean it's secure. They'd still have the metadata available (bluefirecorp sent message to jackg at this time, on this date).
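The two posts above describe the defence against a TLS-terminating relay rewriting PMs: sign each message with a key the recipient already knows (a staked Bitcoin address or a PGP key), so any edit in transit breaks verification. The Go program below is an added illustration of that idea and is not code from the forum or its software. It assumes Ed25519 in place of the Bitcoin or PGP signature scheme, the function names Sign, Verify and Relay are invented here, and the message text is constructed. Note that, exactly as the second post says, the relay still sees who sent what to whom and when; the signature only protects the body from silent modification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"log"
)

// SignedMessage is a PM body plus a detached signature over it. The signer's
// public key is deliberately NOT carried in the message: a relay that can
// rewrite the body could just as easily swap in its own key, so the recipient
// must verify against a key pinned out of band (e.g. from a staked post).
type SignedMessage struct {
	Text      string
	Signature []byte
}

// Sign produces an Ed25519 signature over the message text.
// (Stand-in for signing with a staked Bitcoin address or PGP key.)
func Sign(priv ed25519.PrivateKey, text string) SignedMessage {
	return SignedMessage{
		Text:      text,
		Signature: ed25519.Sign(priv, []byte(text)),
	}
}

// Verify returns true only if the signature matches the text under the
// pinned public key. Length checks come first because ed25519.Verify panics
// on a malformed public key rather than returning false.
func Verify(pinned ed25519.PublicKey, m SignedMessage) bool {
	if len(pinned) != ed25519.PublicKeySize || len(m.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pinned, []byte(m.Text), m.Signature)
}

// Relay models a TLS-terminating intermediary: it can read the body and
// apply any rewrite it likes, but it cannot produce a valid signature for
// the new text without the sender's private key.
func Relay(m SignedMessage, rewrite func(string) string) SignedMessage {
	m.Text = rewrite(m.Text)
	return m
}

func main() {
	// Sender generates a key pair once and stakes the public key publicly.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		log.Fatal(err)
	}

	original := Sign(priv, "Constructed sample PM: escrow address confirmed, send when ready.")
	fmt.Println("signature:", base64.StdEncoding.EncodeToString(original.Signature))
	fmt.Println("original verifies: ", Verify(pub, original))

	// The relay rewrites one detail in transit; the stale signature no longer matches.
	tampered := Relay(original, func(s string) string {
		return s + " Use this other address instead."
	})
	fmt.Println("tampered verifies: ", Verify(pub, tampered))
}
```

The usage in main shows the two outcomes a recipient cares about: the untouched message verifies, the rewritten one does not. What the recipient must get right is the source of the pinned key; if the key itself is fetched through the same relay, the relay can substitute its own and the check proves nothing.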
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
September 19, 2018, 03:31:57 AM
#17
Right. This is still a problem.

So, with cloudflare doing the TLS termination, every PM can be logged by that third-party entity. Not only can they read, but they can also modify messages in transmission.

Theymos can edit what your PMs say and send new PMs. He can't do as much as cloudflare in getting username and password combinations; however, he can do quite a bit on that front.

If you have something significant to say, stake your address somewhere on this forum and sign your message so people can verify it's you (you can also use a PGP key for this).
full member
Activity: 574
Merit: 152
September 18, 2018, 08:11:47 PM
#16
To clarify, do cloudflare hold the certificate for this site or does the actual site's server possess that? If cloudflare hold it then that's a great issue for anyone in the US (for people outside, it's an issue but not as big a problem), though the US intelligence agencies seem even worse than places like the UK for keeping their secrets secret.

Cloudflare generated and holds the SSL certificate for Bitcointalk. I believe all protection through Cloudflare requires the certificate.

Right. This is still a problem.

So, with cloudflare doing the TLS termination, every PM can be logged by that third-party entity. Not only can they read, but they can also modify messages in transmission.
legendary
Activity: 2772
Merit: 3284
To clarify, do cloudflare hold the certificate for this site or does the actual site's server possess that? If cloudflare hold it then that's a great issue for anyone in the US (for people outside, it's an issue but not as big a problem), though the US intelligence agencies seem even worse than places like the UK for keeping their secrets secret.

Cloudflare generated and holds the SSL certificate for Bitcointalk. I believe all protection through Cloudflare requires the certificate.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
To clarify, do cloudflare hold the certificate for this site or does the actual site's server possess that? If cloudflare hold it then that's a great issue for anyone in the US (for people outside, it's an issue but not as big a problem), though the US intelligence agencies seem even worse than places like the UK for keeping their secrets secret.

It could result in private information about you, such as your IP address being released to the government. It could also result in your PMs being released to the government.

The lack of needing a warrant means the process is ripe for abuse by the government. If, for example, you are speaking out against the sheriff, the sheriff could go on a phishing expedition to look for illegal activity and then arrest you on a small technical violation of the law.

You could always switch to a service like tor but that is immensely slow at loading (not sure if there are any good fast and free services that you can use for a vpn/proxy).

It might be worth it for the forum to consider other DDoS protection services. Not all of them are in the US (EU actually cares about privacy!), and some have different methods of DDoS protection. It might be worth it to consider whatever ProtonMail uses (don't recall the exact company, and too annoying to find on mobile), as I believe everything is still encrypted when they're under DDoS. ProtonMail also only forwards traffic to their DDoS defense when they are under DDoS; it's a direct connection to their servers otherwise.

There's a London-based cloudflare and other cloudflare offices in mainland EU; I think those could be used (not London though, due to the IP act).

A direct connection to the server is also a good idea, but I don't think theymos would particularly like that idea as it has a likelihood of being abused, and the Bitcointalk server isn't as powerful as the ProtonMail datacentre.
It's a shame none of the admins/moderators have a mining pool that we could hide behind (gigabytes of data being transmitted per second would be a nice thing to hide behind, as no one is going to want to screen all of that just to pull out the packets for this server).

There have been multiple suggestions of having paid-for direct access to the servers, which I wouldn't be opposed to paying say 0.01BTC a month for, to access the server directly from my own private socket into the server (possibly make it so that transmission has to be encrypted with a sort of private key/public key pair that each user randomly generates every month - unless that's too much of an advanced thing to try to incorporate).
hero member
Activity: 2254
Merit: 960
100% Deposit Match UP TO €5000!
What's the big issue with privacy? All the posts are public, and if you are doing something illegal through PMs, you should be doing it away from a public forum. Is it just that people want to post without accepting responsibility for their opinions?

Our emails and passwords are not public, nor are our IPs (unless we embed a pixel-size image in a post to track that info); our shipping info that we send via PM or in private is not public either.

What is the big issue with privacy? Isn't that one of the reasons why bitcoin was created in order for a fast and private way to send bitcoins?
copper member
Activity: 2996
Merit: 2374
What's the big issue with privacy? All the posts are public, and if you are doing something illegal through PMs, you should be doing it away from a public forum. Is it just that people want to post without accepting responsibility for their opinions?
It could result in private information about you, such as your IP address being released to the government. It could also result in your PMs being released to the government.

The lack of needing a warrant means the process is ripe for abuse by the government. If, for example, you are speaking out against the sheriff, the sheriff could go on a phishing expedition to look for illegal activity and then arrest you on a small technical violation of the law.
legendary
Activity: 2814
Merit: 2472
https://JetCash.com
It seems to me that the real issue isn't privacy, but the lack of information available on the activities of the puppet masters who are controlling the governments. We should remove the privacy from their communications and actions.
full member
Activity: 574
Merit: 152
What's the big issue with privacy? All the posts are public, and if you are doing something illegal through PMs, you should be doing it away from a public forum. Is it just that people want to post without accepting responsibility for their opinions?

https://en.wikipedia.org/wiki/Nothing_to_hide_argument

The idea is we're giving up data privacy for "security" while in reality it's just giving up our rights with due process.

The fact that any govt can now request records from sites without warrants is scary. Remember when China hacked the Gmail accounts of political activists? Now they just need to submit a formal request and the data is there.
legendary
Activity: 2814
Merit: 2472
https://JetCash.com
March 25, 2018, 05:01:01 AM
#9
What's the big issue with privacy? All the posts are public, and if you are doing something illegal through PMs, you should be doing it away from a public forum. Is it just that people want to post without accepting responsibility for their opinions?
sud
sr. member
Activity: 826
Merit: 301
March 25, 2018, 04:23:09 AM
#8
Wouldn't blockchain be perfect for a DDoS prevention system? Seriously, by now we should have at least a few projects with cheap, crypto-based solutions for such problems. I only know Gladius is working on something like this.
copper member
Activity: 2996
Merit: 2374
March 24, 2018, 11:20:30 PM
#7


Any idea of their pricing or services?
DDoS protection services are generally very expensive. Large companies/providers enjoy great advantages via economies of scale.

I agree that additional steps should be taken to ensure privacy, although this may be a lost cause at this point. A better use of resources might be to fund the cost of fighting the acceptance of evidence obtained via this law.

So, donate to the ACLU? Seems like a monetary, non-technical solution to the problem at hand.
That might not even be necessary. Theymos can simply be on the lookout for a bitcoin related case in which the law was used and fund the appeal of a ruling allowing the use of the law to obtain information.

The alternative would be to set up your own DDoS protection, which theymos previously tried, without a lot of success. Even with cloudflare, the forum still appears to be under DDoS attack.
full member
Activity: 574
Merit: 152
March 24, 2018, 11:15:15 PM
#6


Any idea of their pricing or services?
DDoS protection services are generally very expensive. Large companies/providers enjoy great advantages via economies of scale.

I agree that additional steps should be taken to ensure privacy, although this may be a lost cause at this point. A better use of resources might be to fund the cost of fighting the acceptance of evidence obtained via this law.

So, donate to the ACLU? Seems like a monetary, non-technical solution to the problem at hand.
copper member
Activity: 2996
Merit: 2374
March 24, 2018, 11:13:53 PM
#5


Any idea of their pricing or services?
DDoS protection services are generally very expensive. Large companies/providers enjoy great advantages via economies of scale.

I agree that additional steps should be taken to ensure privacy, although this may be a lost cause at this point. A better use of resources might be to fund the cost of fighting the acceptance of evidence obtained via this law.
legendary
Activity: 2772
Merit: 3284
March 24, 2018, 11:12:38 PM
#4
It might be worth it for the forum to consider other DDoS protection services. Not all of them are in the US (EU actually cares about privacy!), and some have different methods of DDoS protection. It might be worth it to consider whatever ProtonMail uses (don't recall the exact company, and too annoying to find on mobile), as I believe everything is still encrypted when they're under DDoS. ProtonMail also only forwards traffic to their DDoS defense when they are under DDoS; it's a direct connection to their servers otherwise.

Any idea of their pricing or services? Cause that sounds like a reasonable solution, even more so if there's a way to post "this data may be monitored" when DDoS attacks are happening?

It's with Radware. I'm not sure about the specific plan/set up, but ProtonMail said it was cheaper than the other companies who offered to help. You can read a bit about it here, though it doesn't go into much detail: https://protonmail.com/blog/ddos-protection-guide/

Not sure if it would be possible for this forum as ProtonMail set up their own ISP which certainly would give them more freedom. They do say that the SSL keys don't need to be handed over though, which is the way that Cloudflare gets our data.

I've never dealt with much DDoS protection, but it should be reasonable to have a warning if it's enabled.
full member
Activity: 574
Merit: 152
March 24, 2018, 10:43:51 PM
#3
It might be worth it for the forum to consider other DDoS protection services. Not all of them are in the US (EU actually cares about privacy!), and some have different methods of DDoS protection. It might be worth it to consider whatever ProtonMail uses (don't recall the exact company, and too annoying to find on mobile), as I believe everything is still encrypted when they're under DDoS. ProtonMail also only forwards traffic to their DDoS defense when they are under DDoS; it's a direct connection to their servers otherwise.

Any idea of their pricing or services? Cause that sounds like a reasonable solution, even more so if there's a way to post "this data may be monitored" when DDoS attacks are happening?
legendary
Activity: 2772
Merit: 3284
March 24, 2018, 10:39:50 PM
#2
It might be worth it for the forum to consider other DDoS protection services. Not all of them are in the US (EU actually cares about privacy!), and some have different methods of DDoS protection. It might be worth it to consider whatever ProtonMail uses (don't recall the exact company, and too annoying to find on mobile), as I believe everything is still encrypted when they're under DDoS. ProtonMail also only forwards traffic to their DDoS defense when they are under DDoS; it's a direct connection to their servers otherwise.
full member
Activity: 574
Merit: 152
March 24, 2018, 10:19:09 PM
#1
Alright, we understand the need to cower behind cloudflare against the mighty DDoS's of today. No sysadmin can single-handedly build a mitigation system (it takes a team and piles of burning cash).

With the fact the US will pass the Cloud Act, cloudflare won't have any rights to defend our privacy, I guess no cloud provider really will.

Does anyone have any technical solutions (because politics ain't gonna work) in mind for this problem?