Pages:
Author

Topic: Moving to Cloudflare - page 2. (Read 13652 times)

copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
March 04, 2018, 12:57:32 PM
#69

Through Tor—and this is not the first time I’ve had this problem:

[...403 error...]

For the downloads problem, if the downloads do not require you to be logged in, accessing the BCT server by its direct IP address and/or a DNS record that resolves to the IP should make it accessible, provided BCT hasn't blacklisted all non-CF IPs.

For the website issue, how about 2FA, that could help the situation?  As you know, anytime a CDN has your certificate, they can intercept your traffic if they choose.

You could also make a login URL that is not routed through CF.  I don't know how much hacking of SMF it would take to implement that.  Actually, cloudflare might have a way to direct certain URLs to directly point to the backend (BCT) servers.  I haven't messed with them in a while, since before they started doing their shared SSL service, so I'm not positive about this.

On the other hand, this might not address the problem that putting in a CDN was designed to prevent.  If the DDOS attacks were directed to the login URL it would then be vulnerable again.

Thanks for the suggestions, Ben.

Unfortunately, to the best of my knowledge, all of your suggestions would require action by theymos; there’s nothing there which I could do myself, as a workaround to obtain downloads right now.  If there’s a legitimate public means to find a direct IP address, I’d appreciate being corrected here.  But I rather suspect that theymos wishes to keep his real IP addresses unknown to DDoSers; and if I could find it, so could they.

I have an inherent distrust of infrastructure services that I don't control, which is why I try to avoid CDNs.  However, I have no website with as much traffic as BCT, so have never had to deal with that situation.

Same here.  Specifically as to Cloudflare, in addition to how they sometimes cavity-search you with Javascript while still failing to keep the site reliably available, see e.g.:

https://trac.torproject.org/24351

As you know, anytime a CDN has your certificate, they can intercept your traffic if they choose.

Cloudflare intercepts all traffic (and modifies at least HTTP response headers), as a matter of course!

My biggest complaint is that Cloudflare is a MITM attack against TLS on a substantial portion of the whole Internet.  From the user end of things, I generally boycott Cloudflared sites insofar as practical.  But I support the Bitcoin Forum, out of my respect for how theymos was honest with people when he was effectually forced behind Cloudflare by Internet arsonists:

With regret, I am (for now) admitting defeat on the DDoS front, and we will soon be using using Cloudflare to protect against DDoS attacks. [...]

I really don't believe in willingly putting a man-in-the-middle in your HTTPS like this, [...]

I especially dislike Cloudflare, which I'm almost certain is basically owned by US intelligence agencies. [...]

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...

The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at. They can't access the database arbitrarily, though: they can only see data that passes over the Internet.

To get a gauge on what independent, no-MITM DDoS protection can require for a(n extremely) high-profile target, I found Protonmail’s experience interesting:

https://protonmail.com/blog/ddos-protection-guide/

The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at.
Is there an official .onion proxy of BitcoinTalk that bypass Cloudflare? We do sometimes get support request PMs.

How about BitcoinTalk Pro accounts with monthly payments, private proxy without Cloudflare and captchas, bot access?

Though I would be concerned about the affordability of an ongoing subscription, an official .onion proxy would solve many problems.  I may even offer to help with such a project, depending on what would be required of me.  See my reply to ChipMixer upthread.


Why no bitcointalk forum coin with ICO
You earn coins by posting, and devs & sysadmins are paid with it?

Everything is creating tokens and ICOs... Even without value...
This place here is valuable!

Decentralise the Forums!

That would mad, the whole point of this forum is to have the public have a balanced or neutral stance in the cryptocurrency community.

Creating a token or ICO for BTCtalk is effectively the same as losing net neutrality in the CC industry.

And congratulations, Phash2k reinvented Steem.  This sort of nonsense reminds me of one of the earliest posts to which I awarded merit.  It spoke of how DHTs...

...get invoked in ignorance to every distributed systems problem because they're the first distributed systems tool people have heard of (sadly, "blockchain" is seems to be stealing this role), much as "neural network" has infested lay understanding of machine learning, or perhaps in other times "XML" was treated as a magical solution for inter-working serialization in places where it made little sense.

No, the problem will not be fixed by sprinkling some magical blockchain pixie dust on it.
member
Activity: 140
Merit: 10
Merit me or don't.
March 04, 2018, 12:08:22 PM
#68
Why no bitcointalk forum coin with ICO
You earn coins by posting, and devs & sysadmins are paid with it?

Everything is creating tokens and ICOs... Even without value...
This place here is valuable!

Decentralise the Forums!

That would mad, the whole point of this forum is to have the public have a balanced or neutral stance in the cryptocurrency community.

Creating a token or ICO for BTCtalk is effectively the same as losing net neutrality in the CC industry.
member
Activity: 208
Merit: 84
🌐 www.btric.org 🌐
March 04, 2018, 12:04:40 PM
#67
Quoting from another thread:

Here you go: https://bitcointalk.org/merit.txt.xz

Similar to trust.txt.xz, it'll be updated weekly. It will show only the last 120 days of data; someone else should archive the old ones if you want them.

Through Tor—and this is not the first time I’ve had this problem:

Code:
$ wget -S https://bitcointalk.org/merit.txt.xz
--2018-03-04 14:59:20--  https://bitcointalk.org/merit.txt.xz
Resolving bitcointalk.org (bitcointalk.org)... 104.20.208.69
Connecting to bitcointalk.org (bitcointalk.org)|104.20.208.69|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 403 Forbidden
  Date: Sun, 04 Mar 2018 14:59:41 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: __cfduid=d96a5721469bb369ae9866953b833f0d91520175581; expires=Mon, 04-Mar-19 14:59:41 GMT; path=/; domain=.bitcointalk.org; HttpOnly; Secure
  CF-Chl-Bypass: 1
  Cache-Control: max-age=2
  Expires: Sun, 04 Mar 2018 14:59:43 GMT
  X-Frame-Options: SAMEORIGIN
  Strict-Transport-Security: max-age=2592000
  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
  Server: cloudflare
  CF-RAY: 3f65354a2c56729b-AMS
2018-03-04 14:59:23 ERROR 403: Forbidden.

I have had the same problem with PGP keys and the trust database.  Even right-clicking to save images from within a browsing session oft (inconsistently) results in a Cloudflare 403 HTML file, apparently due to some weird quirks in how Tor Browser interacts with Cloudflare’s control-freakiness.

I request a workaround or solution for this general problem.  (Note: “VPN” is a non-answer.)

For the downloads problem, if the downloads do not require you to be logged in, accessing the BCT server by its direct IP address and/or a DNS record that resolves to the IP should make it accessible, provided BCT hasn't blacklisted all non-CF IPs.

For the website issue, how about 2FA, that could help the situation?  As you know, anytime a CDN has your certificate, they can intercept your traffic if they choose.

You could also make a login URL that is not routed through CF.  I don't know how much hacking of SMF it would take to implement that.  Actually, cloudflare might have a way to direct certain URLs to directly point to the backend (BCT) servers.  I haven't messed with them in a while, since before they started doing their shared SSL service, so I'm not positive about this.

On the other hand, this might not address the problem that putting in a CDN was designed to prevent.  If the DDOS attacks were directed to the login URL it would then be vulnerable again.

I have an inherent distrust of infrastructure services that I don't control, which is why I try to avoid CDNs.  However, I have no website with as much traffic as BCT, so have never had to deal with that situation.

Best regards,
Ben
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
March 04, 2018, 10:14:59 AM
#66
Quoting from another thread:

Here you go: https://bitcointalk.org/merit.txt.xz

Similar to trust.txt.xz, it'll be updated weekly. It will show only the last 120 days of data; someone else should archive the old ones if you want them.

Through Tor—and this is not the first time I’ve had this problem:

Code:
$ wget -S https://bitcointalk.org/merit.txt.xz
--2018-03-04 14:59:20--  https://bitcointalk.org/merit.txt.xz
Resolving bitcointalk.org (bitcointalk.org)... 104.20.208.69
Connecting to bitcointalk.org (bitcointalk.org)|104.20.208.69|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 403 Forbidden
  Date: Sun, 04 Mar 2018 14:59:41 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: __cfduid=d96a5721469bb369ae9866953b833f0d91520175581; expires=Mon, 04-Mar-19 14:59:41 GMT; path=/; domain=.bitcointalk.org; HttpOnly; Secure
  CF-Chl-Bypass: 1
  Cache-Control: max-age=2
  Expires: Sun, 04 Mar 2018 14:59:43 GMT
  X-Frame-Options: SAMEORIGIN
  Strict-Transport-Security: max-age=2592000
  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
  Server: cloudflare
  CF-RAY: 3f65354a2c56729b-AMS
2018-03-04 14:59:23 ERROR 403: Forbidden.

I have had the same problem with PGP keys and the trust database.  Even right-clicking to save images from within a browsing session oft (inconsistently) results in a Cloudflare 403 HTML file, apparently due to some weird quirks in how Tor Browser interacts with Cloudflare’s control-freakiness.

I request a workaround or solution for this general problem.  (Note: “VPN” is a non-answer.)
hero member
Activity: 1308
Merit: 508
January 25, 2018, 04:31:53 PM
#65

What I meant is that Cloudflare can see your unencrypted password when you log in.


How dumb can someone be?

I will not use this forum anymore because of that.

Bye
full member
Activity: 532
Merit: 102
January 03, 2018, 05:25:40 AM
#64
Why no bitcointalk forum coin with ICO
You earn coins by posting, and devs & sysadmins are paid with it?

Everything is creating tokens and ICOs... Even without value...
This place here is valuable!

Decentralise the Forums!
sr. member
Activity: 532
Merit: 297
January 03, 2018, 03:55:23 AM
#63
what about a solution like Protonmail using it?
https://protonmail.com/blog/ddos-protection-guide/

Radware’s technology does not require our SSL keys to operate effectively, meaning both layers of encryption that ProtonMail offers (SSL and OpenPGP) can be kept intact. Thus, there is no compromise in the privacy of our secure email service.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
January 02, 2018, 10:42:36 PM
#62
[Edit again:  Raize, that was the post of the thread.  I’d intended to reply before, to simply say:  Well said.]

This blocked a post.  I will try again, and edit if it’s still blocked.

Edit:  This is persistently blocking a particular post.  It is a very long post, which I spent much time writing in a text editor.  It contains a modest snippet of C code in BBcode code tags.  Other than that, I cannot imagine what trigger this is hitting.

donator
Activity: 1419
Merit: 1015
December 14, 2017, 03:33:09 PM
#61
I assume some of those attacks come through Tor and VPN users.

This does happen, but it's a whole lot more rare in practice. In reality, most attacks come from thousands of compromised IPs [botnets] run by people or organizations looking to blackmail operators into paying a fee or doing something like giving up user data. It has long been rumored that these entities with blackmailing power are often state-run themselves, in order to bully providers into sharing their data with "a trusted anti-DDoS company" that the governments can force to give up plain-text info about their customers more easily. Why bother even trying to get an operative in a position to run the site when you can sniff all the data and who is writing what via an anti-DDoS provider?

Cloudflare regularly provides the US gov't data on its customers. I'm not sure I'd go so far as theymos and say they are basically CIA-run, but I do think they are forced to work with three-letter agencies all the time. If there are any people with principles that work for Cloudflare, it doesn't matter, they have to comply in order to keep their job, and I doubt they are allowed to talk about it even after they have left. Cloudflare itself might have state contracts, or do contracts for other DoD-like agencies and groups, all of which have the specific purpose of cataloging citizens for the government in clear violation of the fourth amendment and chilling the free speech guarantees of the first amendment.

I’ve oftentimes wondered how Cloudflare can afford to offer “free” DDoS protection.

For the same reason that OpenDNS sold to Cisco for a whopping $635 million. DoD contracts are phat loot and the CIA/NSA need the data routed in about who is doing what.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
December 13, 2017, 05:08:43 PM
#60
Well, it’s not only Cloudflare.  It’s that and/or something else:


Admins may e-mail me for details, if that would be useful.  (I doubt it; that’s all I saw.)  PM seems not so useful right now.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
December 13, 2017, 03:43:40 PM
#59
@theymos, this isn’t what you signed up for!  Not the downtime, and not the following—as seen through Tor.  Not changed by rotating circuits.  I can’t dump cookies, because I need to stay logged in; and once Cloudflare decided to demand from me an Internet cavity search, they locked me out of bitcointalk.org with a demand that I let them run their executable code on my machine.  I waited it out, and they eventually let me pass.


Cloudflare also repeatedly tried to Google-CAPTCHA me on their error pages.  No, thanks; I can do without seeing the holy secret errors.

This interrupted my repeated attempts to post the following.  (Anybody awaiting a reply from me elsewhere, please understand if it may be slow in coming.)



I especially dislike Cloudflare, which I'm almost certain is basically owned by US intelligence agencies.

it isn't working

Yeah, I'm not sure it even works very well because every other website that uses it seems to have a lot of downtime and cloudflare errors. There's seemingly no difference between when we had theymos' own version and it's been especially bad today. Barely been able to use the site at all, so not sure how effective the service really is if the forum is still going to be unusable.

I’ve oftentimes wondered how Cloudflare can afford to offer “free” DDoS protection.  Their product requires serious network bandwidth, hardware, sysadmin, and engineering.  Those cost money—lots of money.

Usually, “free” products which cost big money to offer can be explained with the aphorism, “You are not the customer; you are the product.”  That raises the question, who pays?

In practice, who pays? is isomorphic to the ancient idiom:  Cui bono?

“You are the product.”  Bitcointalk.org is now a product.  For whom?  And does the customer truly wish for Bitcointalk.org to succeed?

At that, does Cloudflare itself like customers who “especially dislike Cloudflare”?  One of the great benefits of dependence on “huge centralized anti-DDoS companies” is that you can’t bite the hand which feeds you—at least, not more than that hand will deign to tolerate.  Too bad.  Even if this is only some generalized Cloudflare failure, I doubt that theymos stands at the front of their support queue.

Connectivity has sucked all day. NSA must have finally implemented their traffic analyzer  Grin  Angry  Sad

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...

Cloudflare is seriously flawed if your homemade DDoS protection works better than theirs.
legendary
Activity: 1789
Merit: 2535
Goonies never say die.
December 13, 2017, 01:34:54 PM
#58
Connectivity has sucked all day. NSA must have finally implemented their traffic analyzer  Grin  Angry  Sad

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...

Cloudflare is seriously flawed if your homemade DDoS protection works better than theirs.
legendary
Activity: 2968
Merit: 3061
Join the world-leading crypto sportsbook NOW!
December 13, 2017, 12:25:59 PM
#57
Seemingly nothing at the moment.
legendary
Activity: 2142
Merit: 1065
✋(▀Ĺ̯ ▀-͠ )
December 13, 2017, 12:24:08 PM
#56
I can hardly connect to bitcointalk.org and read the topics without many errors / downtime.
Another DDOS attack?
What's the difference between having cloudflare and not?

Edit : more than 3 minutes to pass this post (and i think the same time to pass this edit). Agree totally with hilarious.
legendary
Activity: 2968
Merit: 3061
Join the world-leading crypto sportsbook NOW!
December 13, 2017, 12:22:29 PM
#55
it isn't working

Yeah, I'm not sure it even works very well because every other website that uses it seems to have a lot of downtime and cloudflare errors. There's seemingly no difference between when we had theymos' own version and it's been especially bad today. Barely been able to use the site at all, so not sure how effective the service really is if the forum is still going to be unusable.
legendary
Activity: 3374
Merit: 4738
diamond-handed zealot
December 13, 2017, 11:59:30 AM
#54
it isn't working
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
December 12, 2017, 02:57:54 PM
#53
can you (theymos) suppress the automated filtered ip.bitcointalk.org picture recreation ... if we are on cloudflare, now ?

How is Cloudflare thus relevant?  The purpose of the image proxy is to “improve privacy and eliminate mixed content warnings”.  (I also speculate that it might filter some evil, though that’s only an idle guess.)  It has nothing to do with DDoS protection, other than needing it.



On a related note, I am now working to spearhead the development of a browser add-on to block Cloudflare.  Bitcointalk.org is discussed in Issue 4.

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...
legendary
Activity: 1512
Merit: 1012
December 12, 2017, 08:12:08 AM
#52
can you (theymos) suppress the automated filtered ip.bitcointalk.org picture recreation ... if we are on cloudflare, now ?

many pictures are not recreate now (on popular thread : the Wall Observer).
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
December 11, 2017, 10:22:02 AM
#51
Hot off the presses, a Cloudflare-blocking browser add-on!  a.m.o. currently says it was last updated “an hour ago (Dec 11, 2017)”:

https://addons.mozilla.org/en-US/firefox/addon/block-cloudflare-mitm-attack/

I have not yet examined the code.  Use at your own risk, pending review.

Referred by:

https://trac.torproject.org/projects/tor/ticket/24351#comment:25

Cheers to whomever did this.  “Cypherpunks write code.”
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
December 11, 2017, 08:37:09 AM
#50
A Bitcointalk .onion was on my mind all week, together with other anti-DDoS mitigation ideas about which I hope to write up suggestions.  It is also something I may perhaps, maybe, perhaps be willing to not only talk about (hint, hint).

.onion sites already have less exposure to DDoS than sites on the open Internet. 

There have been plenty of .onion sites that have been DDoS'ed over the years. I know that Silk Road had a decent number of DDoS issues, and Ulbright apparently spent a decent amount of money fighting it. I am not sure if he implemented any of what you suggested though.

I was careful not to suggest that .onions be DDoS-proof.  Of course, they’re not.  But they do radically change the attack surface, largely for the better (at least against DDoS).

In practice, I would suppose that probably, the best means to deny access to a .onion would be to DDoS its introduction points.  Those have publicly known IP addresses; and I doubt many Tor node operators are prepared to handle even something so commonplace as an amplified flood of UDP packets in response to forged DNS requests.  The .onion will become available again as it changes introduction points; but meanwhile, users will have an awful time getting through.  I am not saying anything which is not already well-known and widely discussed amongst Tor devs.

On another note, I would not deem Ulbricht competent to admin the website for a hot-dog cart.  Let alone to run a site under a threat model far beyond my abilities, and likely beyond the capability of the Tor network.  He couldn’t even keep PHP (!) errors from spilling his servers’ guts.  I guess he must have been high on drugs.  I would not take any lessons from his experience, other than mining it for examples of what not to do.  Whereas .onions run by competent sysadmins have survived extreme DDoS attempts.
Pages:
Jump to: