Proxy/CDN: HTTPS (443) → Origin server: plain HTTP (80)
(example: Cloudflare in Flexible mode)
If the origin server uses any proper TLS configuration, even a self-signed certificate, this method stops working. It only succeeds when the upstream connection to the origin is unsecured.
If you want to test this on a random site without Cloudflare or reverse proxy in general on HTTP:
curl http://www.digiboy.ir/boobs.jpg -v
mort96 68 days ago [-]
Ah, Cloudflare. The world's most widely deployed encryption remover.
I didn't quite get if Automatic TLS (https://developers.cloudflare.com/ssl/origin-configuration/s...) could use plain transfers.
So:
* Is it insecure by default or you have to be intentionally insecure?
* Why would anyone pick the flexible/potentially-insecure option?
penteract 68 days ago [-]
> Why would anyone pick the flexible/potentially-insecure option?
Because having a connection that's encrypted between a user and Cloudflare, then unencrypted between Cloudflare and your server is often better than unencrypted all the way. Sketchy ISPs could insert/replace ads, and anyone hosting a free wifi hotspot could learn things your users wouldn't want them to know (e.g. their address if they order a delivery).
Setting up TLS properly on your server is harder than using Cloudflare (disclaimer: I have not used Cloudflare, though I have sorted out a certificate for an https server).
The problem is that users can't tell if their connection is encrypted all the way to your server. Visiting an https url might lead someone to assume that no-one can eavesdrop on their connection by tapping a cross-ocean cable (TLS can deliver this property). Cloudflare breaks that assumption.
Cloudflare's marketing on this is deceptive: https://www.cloudflare.com/application-services/products/ssl... says "TLS ensures data passing between users and servers is encrypted". This is true, but the servers it's talking about are Cloudflare's, not the website owner's.
Going through to "compare plans", the description of "Universal SSL Certificate" says "If you do not currently use SSL, Cloudflare can provide you with SSL capabilities — no configuration required." This could mislead users and server operators into thinking that they are more secure than they actually are. You cannot get the full benefits of TLS without a private key on your web server.
Despite this, I would guess that Cloudflare's "encryption remover" improves security compared to a world where Cloudflare did not offer this. I might feel differently about this if I knew more about people who interact with traffic between Cloudflare's servers and the servers of Cloudflare's customers.
mort96 68 days ago [-]
> Setting up TLS properly on your server is harder than using Cloudflare
This is probably technically true, but setting up TLS properly on your server is really ridiculously simple.
tracker1 68 days ago [-]
These days, absolutely... I usually use Caddy for reverse proxy chores and it's been a great option to deal with. Traefik hasn't been bad either.
ffsm8 68 days ago [-]
...in 2025
Let's encrypt and ACME hasn't always been available. Lots of companies also use appliances for the reverse proxy/Ingress.
If they don't support ACME, it's actually quite the chore to do - at least it was the last time I had to before acme was a thing (which is admittedly over 10 yrs ago)
wavesquid 68 days ago [-]
Historically?
1. Because TLS certificates were not free
2. Because firewall was "enough" in most people's minds
3. Because TLS was the most CPU intensive part of serving a static site
4. Because some people were using cheap shared hosting providers that upcharged for TLS
KomoD 68 days ago [-]
> * Why would anyone pick the flexible/potentially-insecure option?
I pick it whenever I don't want to setup HTTPS on my origin but still want HTTPS. Just for projects where I really don't care.
bawolff 68 days ago [-]
Is it really that different than AWS? You either trust your service provider or you don't.
lmm 68 days ago [-]
AWS doesn't route requests from their load balancer to your server across the public internet. Cloudflare does.
akdev1l 68 days ago [-]
You can do that with AWS if you really want to.
It will cost you a ton.
p0w3n3d 68 days ago [-]
EU should simply do the global surveillance quietly on cloudflare, instead of asking all the countries for the law
</Irony>
spoiler 68 days ago [-]
To be fair, Cloudflare is also the reason why most sites even have TLS at all, because it offered free certs (through letsencrypt I think?) in a fairly easy to set up way.
Certs used to be expensive, and had way more operational overhead and quirks (even setting up ACME/LE)
estimator7292 68 days ago [-]
Absolutely not, no. That is all thanks to Let's Encrypt.
DoctorOW 68 days ago [-]
This was true before Let's Encrypt existed, they'd buy massive 500 domain wildcard SSL certs that free users would split.
koakuma-chan 67 days ago [-]
Let's Encrypt is unusable for me because they want you to install that certbot thing. I don't know what that is or what it does. I don't want some magical auto update thing. Is it so hard to just make a generate button that gives you cert.pem and pkey.pem? Cloudflare managed to do it.
anticrymactic 66 days ago [-]
Let's encrypt supports ACME. Here are hundreds of ways to obtain a certificate:
https://letsencrypt.org/docs/client-options/#other-client-op...
Right, DoctorOW correct me; I have limited memory about the state of affairs from a decade ago. They offered free certs for a long time regardless of LE integration
thayne 68 days ago [-]
Cloudflare has native integration with Let's encrypt, which makes using TLS with a CDN much easier than if you had to acquire the ACME cert and deploy it to the CDN yourself.
Granted, most CDNs these days have some form of free certificate system, but that wasn't always the case.
Bratmon 68 days ago [-]
People on this website will just type any wild lie. I kinda love it.
The sky is purple! Charlie Brown had hoes! Cloudflare invented Let's Encrypt! Just say anything you want! We live in a post-truth world- there's no need for anything you say to correspond to any external reality!
tracker1 68 days ago [-]
I'm pretty sure Lincoln said that first...
balamatom 68 days ago [-]
Congrats! You get it!
ranger_danger 68 days ago [-]
> this website
you must be new to the internet...
spoiler 67 days ago [-]
I never said Cloudflare was behind Let's Encrypt… Did I? Probably just a misunderstanding.
Someone pointed out I mixed up my timeline a bit because this was over a decade ago, but it turns out CF offered free certs even earlier than LE :)
So, while I got the details wrong, I still stand behind what I say: most sites on the web even have TLS enabled because CF offers it for free. I'm not talking about the reverse proxy aspect, but from the UA's perspective
Tostino 68 days ago [-]
I'm not going to give them credit for the work that Lets Encrypt did.
master_crab 68 days ago [-]
I agree, Let’s encrypt and ACME played a massive role. But it’s still far easier having Cloudflare handle TLS encryption for you.
And I say this as someone who uses ACME in certmanager and certbot at home and still prefers the ease with which Cloudflare generates a cert for my domain and terminates TLS for the public side of my cloudflare tunnel.
Tostino 68 days ago [-]
For my home stuff I just use nginx-proxy-manager and haven't thought about it since I set it up a couple of years ago.
For work, I used to use certbot directly at my old place. Now I am building my new stuff on k8s, and I have the ingress manage my certs for me (likely using certbot or similar behind the scenes). Both have been extremely low setup effort and no ongoing effort.
I don't like giving Cloudflare my (or my company's/customers') data in exchange for being able to click a checkbox.
TiredOfLife 68 days ago [-]
Lets Encrypt can proxy my old http only website to show as https? Without access to server configuration? How?
Tostino 68 days ago [-]
With nginx-proxy-manager which uses Let's Encrypt for certs you can... This isn't the gotcha you think it is.
TiredOfLife 68 days ago [-]
I don't have access to the server.
Tostino 68 days ago [-]
It can be run anywhere. You don't need it on the same server. Cloudflare isn't running on the same server either.
TiredOfLife 68 days ago [-]
Cloudflare is a checkbox.
Tostino 68 days ago [-]
And you only let them see every bit of traffic to and from your site in exchange.
What a deal.
You changed the subject btw.
TiredOfLife 67 days ago [-]
I didn't. I said that Cloudflare is the one that allowed my http only site to become https.
spoiler 67 days ago [-]
My bad! I slightly confused my timeline. CF offered free certs long before LE!
udev4096 68 days ago [-]
[flagged]
spoiler 67 days ago [-]
Are we witch hunting Cloudflare now? What have they done? I think overall CF seems like a pretty decent company? Lol I'm a bit out of the loop it seems.
Also what mis-information (other than the claiming CF integrated with LE, but it turns out CF offered free certs before LE even existed lol) did I spread?
ranger_danger 68 days ago [-]
I don't think this is true... a reverse proxy/CDN can see the full request URL even if the origin server is using TLS (unless you're using mTLS, which almost nobody is), and we don't even know if it's the proxy/CDN or the origin that is filtering based on keywords... but all of them could be doing it.
bobmcnamara 68 days ago [-]
It'll also work DigiNotar-style, when using the only root CA blessed by the National Information Network for general use: I.R. Iran.
udev4096 68 days ago [-]
Interesting. I was just setting up a LB like this:
client -> LB (nginx) -> TLS terminate for LB conn -> proxy_pass to backend, which is behind nginx and has separate TLS certs. It's surprisingly easy to configure. Wonder why people still use HTTP at all. Even at home, I have setup LE certs for all local domains
On a side note, nginx doesn't support HTTP/2 for https load balancing so I am thinking of switching to haproxy which supports it
butvacuum 68 days ago [-]
Because you've now published your internal machine names. Look up certificate transparency logs.
udev4096 68 days ago [-]
What do you mean? I used self-signed for communication b/w LB and the nginx serving backend
Edit: I don't see any "machine name" on crt.sh for public LB which uses LE
Ah, you meant the DNS address is on CT now. You think I wouldn't know that? Regardless, a dns01 challenge is far better than using self-signed at home
huflungdung 68 days ago [-]
Digiboy is a treasure trove of enterprise software. Where else would I get a pirated hpe ilo license from?
losvedir 68 days ago [-]
How's this work with https like in the example? The hops along the way shouldn't see the path.
Is this implying that all TLS is terminated at the Iran border and proxied from there? And all Iranian sites are required to host via http? That has significantly more implications than what this post is about.
Maybe certificate authorities aren't allowed to issue private certs to Iranian organizations? Even LetsEncrypt?
tgma 68 days ago [-]
This is referring to something else: to detect whether the backend server host itself is inside or outside Iran. TLS doesn't prevent the backend network from reading the URL of course.
bawolff 68 days ago [-]
Well it would if things are setup according to best practices (i.e. use TLS between the backend connections). Presumably most people don't do that.
tgma 68 days ago [-]
Again, you are assuming a normal situation. The point is the country itself is operating (or has a heavy grip and perhaps even subsidizes) the backend CDN and enforcing that stuff in a rudimentary way.
"TLS between backend connections" usually involves termination and decryption on the frontend webserver and re-encryption of the upstream traffic, whatever it may be.
SahAssar 68 days ago [-]
A lot of CF upstreams are (or at least used to be) plaintext. It is one of the criticisms of CF since it "whitewashed" plaintext to look like proper TLS when it was only TLS for client<->CF and then plaintext for CF<->server.
koakuma-chan 68 days ago [-]
Has anything ever prevented you from having TLS on your origin server? You can even get a certificate from Cloudflare.
selcuka 68 days ago [-]
This is a problem for the visitor, not for the server's owner. There is no way to know whether the traffic is encrypted between the server and CloudFlare.
tialaramex 68 days ago [-]
Regardless of Cloudflare, there is no way to know whether the traffic is encrypted between your apparent end-point and where it's actually used, nor whether that traffic is subsequently revealed to other parties, on purpose or by mistake.
When you type your password into e.g. Hacker News, you are sending that password to the server. It doesn't matter that they're using bcrypt tuned for $1Bn attackers and you chose a sixteen character random alphanumeric string because that precise string, the valid password, is deliberately sent by you, to them, to authenticate and so if they accidentally reveal that or get compromised in any way, game over.
It's getting a little bit better in some areas. My good bank actually has halfway decent security now, but the bank with most of my money (which is owned by my government, and thus avoids any risk consideration - if that bank fails, the currency my money is denominated in also fails, so, it doesn't matter any more) still thinks passwords are a good idea. Google lets me use a Security Key, but most web sites I authenticate with still use passwords.
SSH is slightly better, because of its target audience. A lot of people use public key auth for SSH, which doesn't have this issue. But that's not the web.
lmm 68 days ago [-]
> Regardless of Cloudflare, there is no way to know whether the traffic is encrypted between your apparent end-point and where it's actually used, nor whether that traffic is subsequently revealed to other parties, on purpose or by mistake.
Any server could be leaking plaintext data, sure, but Cloudflare offers and even promotes wrong-thing-as-a-service.
LoganDark 68 days ago [-]
I've set up CF for a personal site and I even tell CF to use a client certificate (called "Origin CA") so nothing else can even connect to it.
tgsovlerkhgsel 68 days ago [-]
Have they started to use per-domain certificates for this, or can anyone who finds the origin bypass the check by creating their own (different) Cloudflare domain and pointing it at your origin?
Edit: Looks still the same by default, but at least they're (somewhat obscurely) documenting the issue and providing the option to use a custom cert now...
https://developers.cloudflare.com/ssl/origin-configuration/a...
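An added example, not Cloudflare's code and not from anyone in this thread, of the origin-side checks that go with the client-certificate setup discussed above. The comment's point is that the default proxy client certificate is the same for every customer, so the origin should not accept "a valid proxy client cert" as proof that the request is for one of its own zones. The middleware below, assumed to sit behind a TLS terminator such as nginx, requires three things at once: the terminator reported a verified client certificate (assumed to be forwarded as an `X-SSL-Client-Verify` header carrying nginx's `$ssl_client_verify` value), the source address is in the proxy's egress ranges (the ranges here are TEST-NET placeholders, not the real list, which Cloudflare publishes at https://www.cloudflare.com/ips-v4), and the Host header names a zone this origin actually serves (`SERVED_HOSTS` is a made-up allowlist).

```python
import ipaddress
from typing import Tuple

# Constructed placeholder ranges (TEST-NET blocks). In production load the proxy's
# published egress list instead; never leave these in.
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Hostnames this origin legitimately serves. A request from the proxy for any other
# name means a foreign zone has been pointed at our IP.
SERVED_HOSTS = {"example.com", "www.example.com"}


def _hostname(host_header: str) -> str:
    """Strip port and trailing dot from a Host header; bracketed IPv6 literals stay intact."""
    host = host_header.strip().lower()
    if host.startswith("["):
        return host[: host.index("]") + 1] if "]" in host else host
    return host.split(":", 1)[0].rstrip(".")


def origin_pull_allowed(remote_ip: str, host_header: str, client_verify: str,
                        ranges=PROXY_RANGES, hosts=SERVED_HOSTS) -> Tuple[bool, str]:
    """Three independent checks; all must pass. client_verify follows nginx's
    $ssl_client_verify convention ("SUCCESS", "NONE", "FAILED:...")."""
    if client_verify != "SUCCESS":
        return False, "client certificate not verified"
    try:
        ip = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False, "unparseable source address"
    if not any(ip in net for net in ranges):
        return False, f"source {ip} is not the proxy"
    host = _hostname(host_header)
    if host not in hosts:
        return False, f"host {host!r} is not a zone we serve"
    return True, "ok"


class OriginPullGuard:
    """WSGI middleware: 403 unless the request passed all three checks. Assumes the
    TLS terminator sets X-SSL-Client-Verify itself and strips any client-supplied copy."""

    def __init__(self, app, ranges=PROXY_RANGES, hosts=SERVED_HOSTS):
        self.app, self.ranges, self.hosts = app, ranges, hosts

    def __call__(self, environ, start_response):
        ok, reason = origin_pull_allowed(
            environ.get("REMOTE_ADDR", ""),
            environ.get("HTTP_HOST", ""),
            environ.get("HTTP_X_SSL_CLIENT_VERIFY", ""),
            self.ranges, self.hosts,
        )
        if not ok:
            body = f"forbidden: {reason}\n".encode()
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def call_wsgi(app, environ) -> Tuple[str, bytes]:
    """Minimal in-process driver so the demo runs without a server or network."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def _hello(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from origin\n"]


def demo():
    """Constructed requests: one from the proxy for our zone, one from the proxy for a
    foreign zone (the shared-cert bypass), one that reached the origin directly."""
    guarded = OriginPullGuard(_hello)
    good = {"REMOTE_ADDR": "192.0.2.10", "HTTP_HOST": "www.example.com:443",
            "HTTP_X_SSL_CLIENT_VERIFY": "SUCCESS"}
    foreign_zone = dict(good, HTTP_HOST="attacker-zone.example")
    direct_hit = dict(good, REMOTE_ADDR="203.0.113.5")
    return {name: call_wsgi(guarded, env)[0] for name, env in
            (("proxy_our_zone", good), ("proxy_foreign_zone", foreign_zone),
             ("not_the_proxy", direct_hit))}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The host check is what actually closes the gap the comment describes; the source-range check only rules out direct hits on the origin. It holds only as long as the proxy forwards the zone's own hostname as Host; if the proxy lets a zone owner rewrite the Host header sent upstream, the per-zone custom client certificate the comment links to is the fix, and this middleware is defence in depth next to it.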
> Is this implying that all TLS is terminated at the Iran border and proxied from there?
Yeah, the law-abiding type on the Iranian National Information Network(NIN), either using the Electronic Commerce Council's I.R.Iran CA for HTTPS or just HTTP.
> Maybe certificate authorities aren't allowed to issue private certs to Iranian organizations? Even LetsEncrypt?
Due to NIN registrations being very much not anonymous, https://xkcd.com/538/ seems pretty appropriate if you want to use an unapproved certificate authority.
Yokolos 68 days ago [-]
I'm wondering for what purpose one would be interested in finding out if a site is hosted in Iran or not.
nostrademons 68 days ago [-]
Would assume it's to check if a site is foreign propaganda. A lot of the lesser-known news sites that you see linked on social media are actually psy-ops pushing an agenda, many of them foreign-based. Follow the technique in the article and you can easily blacklist Iranian ones.
elemdos 68 days ago [-]
I don’t buy psy-ops unless it’s American-made
keybored 67 days ago [-]
Why are people in the (presumed) West particularly afraid of the propaganda of a Middle Eastern country? Is the intelligence/propaganda unit there so good that they can program minds from a different continent better than Western oligarchs? This has got “Russia stole American democracy with millions worth of FB ads” vibes to it.
But if there is an easy technical implement to avoid some propaganda then good on them I guess. Why not. One less thing to worry about.
Iran is actively working hard to make us hate our fellow citizens. That matters.
rozab 68 days ago [-]
More concretely, a bunch of Scottish nationalist accounts were unearthed as Iranian by the recent X location switch-on
FilosofumRex 68 days ago [-]
[flagged]
ifidishshbsba 68 days ago [-]
So true, can this be adapted to detect Hasbara?
greenavocado 68 days ago [-]
Ask the person you are arguing with to denounce certain things and the response is often informative
kortilla 68 days ago [-]
If you’re in any western democracy you should worry about propaganda bots from Iran, DPRK, Russia, and China.
They have well known active operations of helping fuel the flames of political division by amplifying both sides of extremely divisive topics.
If you’ve ever engaged in flame wars about abortion, brexit, Scottish independence, the Ukraine war, the Gaza war, etc, there is a really good chance there were many participants from one of those parties.
austin-cheney 68 days ago [-]
Everybody spies and attempts psyops campaigns. I am much more concerned about nations that actively and massively attempt to exploit US election interference: Russia and Israel.
AngryData 68 days ago [-]
I worry even more about native propaganda bots honestly. Just because they are native it doesn't mean they aren't pushing a massive agenda, and they have even more motivation to do so.
Waterluvian 68 days ago [-]
Those all did concern me. These days they concern me far less than the U.S. I’ve got to prioritize my foes.
greenavocado 68 days ago [-]
JIDF never disappeared, it merely got a fresh coat of paint and disappeared from the public eye
BergAndCo 68 days ago [-]
JIDF was a geocities website by a random rabbi in his basement
greenavocado 68 days ago [-]
The website is irrelevant
keybored 67 days ago [-]
That’s terrible. There’s no war/conflict but the class war.
ipaddr 68 days ago [-]
Worry about these countries don't worry about Israel? Doesn't Israel fund both sides of fueling political division?
cj 68 days ago [-]
It’s illegal for US companies to do business with anyone in Iran.
delichon 68 days ago [-]
I'd rather not do business there.
asdefghyk 68 days ago [-]
Im guessing - its for some protest action? ... but really I have NO IDEA.
KiranRao0 68 days ago [-]
Does anyone have sample sites that return this?
phgn 68 days ago [-]
Also interested in a sample site where the request successfully resolves ;)
asdefghyk 68 days ago [-]
If you search in Google with site:ir
it returns lots of .ir links.
I clicked on one and it went to a .com domain site.
This may or may not be useful. How all this works is beyond my knowledge ..
readthenotes1 68 days ago [-]
Are you asking if there are pictures of boobs on the internet?
miniBill 68 days ago [-]
You never know! Maybe they've all disappeared!
KomoD 68 days ago [-]
Here: tehranpich.com
It's behind CF
Aloisius 68 days ago [-]
So presumably Iran has a reverse proxy in front of the entire internet for HTTP?
I really want to know what's on the webpage for the iframe.
mschuster91 68 days ago [-]
> So presumably Iran has a reverse proxy in front of the entire internet for HTTP?
Standard DPI firewalls can do that for you. Absolutely no issue.
manmal 68 days ago [-]
For the path component, in a TLS secured request?
bobmcnamara 68 days ago [-]
It's a CDN, not an IP router. CDNs usually terminate TCP+TLS as close to the client as possible. This used to be done right at the edge - within the NIC for a long time, but CPUs have been more than capable for the last decade+
Few guesses:
1) CDN connects to backend server over TLS, using the national I.R. Iran root CA
2) CDN connects to backend server over HTTP
3) Backend server is running a nationally blessed Linux OS
For 1 & 2, the National Information Network would be implementing this DigiNotar style but they already own the root keys. For #3, the backend does so itself. These are the people who p0wned DigiNotar after all.
pavel_lishin 68 days ago [-]
A long time ago, my friends and I found a "scary"-looking image, written in a mixture of English and Arabic, warning the viewer that they'd come afoul of ... I forget, some Iranian government department of censorship?
Naturally, we made it so that 1% of the requests to a forum we ran at the time displayed it to the viewer. :)
vivzkestrel 68 days ago [-]
I am probably a little dumb, i read the article but dont understand what happened. can some HNer kindly explain?
whynotmaybe 68 days ago [-]
I guess that if you GET https://somedomain.com/boobs.jpg you get a 404 (not found) from a web server hosted outside of Iran, but if the server for the domain is hosted in Iran, you get a 403 (forbidden) because the request is intercepted by a firewall that detects the word "boobs" and rejects it with a 403 without forwarding it to the webserver that would usually return the 404.
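The comparison that the `curl -v` test at the top of the thread and the 404-versus-403 explanation just above describe, written out as an added Python example (not code from the thread or from any project it mentions). It pairs a control request for a harmless non-existent path with a request for the keyword path and classifies the two answers. The sample responses are constructed: the block page imitates the shape the thread reports (a 403 whose iframe points at a 10.x.x.x address), but the address `10.0.0.9` and the markup are placeholders, not captured output; the control path name is arbitrary; `fetch` needs network access and is not used by the offline demo.

```python
import http.client
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


# Address in an <iframe src=...>, with or without a scheme (hostnames fail ip parsing and are skipped).
IFRAME_SRC = re.compile(r"<iframe[^>]+src=[\"']?(?:https?://)?([0-9a-fA-F.:\[\]]+)", re.I)


def private_iframe_target(body: str):
    """First private (RFC 1918 / ULA) address that an iframe in `body` points at, else None."""
    for host in IFRAME_SRC.findall(body):
        try:
            if ipaddress.ip_address(host.strip("[]")).is_private:
                return host
        except ValueError:
            continue
    return None


def classify(control: Response, probe: Response) -> str:
    """Compare the answer for a harmless missing path (control) with the answer for the
    keyword path (probe). A 403 that appears only on the keyword path, especially one
    carrying a block-page iframe to a private address, means something between the TLS
    terminator and the origin read the path in the clear."""
    if control.status == 403:
        return "inconclusive (control path is also 403, something blocks everything)"
    if probe.status == 403:
        target = private_iframe_target(probe.body)
        if target:
            return f"intercepted (403 block page with iframe to {target})"
        return "intercepted (403 only on the keyword path)"
    if probe.status == control.status:
        return "not intercepted (origin answered both paths the same way)"
    return f"inconclusive (control {control.status}, probe {probe.status})"


def fetch(host: str, path: str, tls: bool = True, timeout: float = 10.0) -> Response:
    """Live probe, the equivalent of the thread's curl command; needs network access."""
    conn_cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = conn_cls(host, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "curl/8.0"})
        resp = conn.getresponse()
        return Response(resp.status, resp.read(65536).decode("utf-8", "replace"))
    finally:
        conn.close()


def probe_host(host: str, keyword_path: str = "/boobs.jpg",
               control_path: str = "/this-control-path-should-not-exist") -> str:
    """Run both requests over HTTPS against a real host and classify the pair."""
    return classify(fetch(host, control_path), fetch(host, keyword_path))


# Constructed sample responses, not captured from any real site.
ORIGIN_404 = Response(404, "<html><body>Not Found</body></html>")
BLOCK_PAGE = Response(403, '<html><body><iframe src="http://10.0.0.9/?type=Invalid Site" '
                           'width="100%"></iframe></body></html>')
ORIGIN_403_WAF = Response(403, "<html><body>Access denied</body></html>")


def demo():
    return {
        "origin_in_filtered_network": classify(ORIGIN_404, BLOCK_PAGE),
        "origin_elsewhere": classify(ORIGIN_404, ORIGIN_404),
        "waf_blocks_everything": classify(ORIGIN_403_WAF, ORIGIN_403_WAF),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

`probe_host("example.ir")` gives a live verdict for a real host. An "intercepted" result only says that a middlebox somewhere between the TLS-terminating proxy and the origin saw the request path in plaintext, not which hop it was; an origin that speaks TLS to its proxy (even with a self-signed certificate, as the first comment notes) should come back "not intercepted".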
bawolff 68 days ago [-]
So does this mean 10.x.x.x is publicly routable inside iran? Why wouldn't the Iranian government just use its own ip space for the censorship message?
lmm 68 days ago [-]
> Why wouldn't the Iranian government just use its own ip space for the censorship message?
IP addresses are expensive if you're not the US. Also they might be reusing a standard corporate filtering product that expects to be deployed on a private network (and in a way, that's what the Iranian internet is).
ycombinatrix 68 days ago [-]
I just tried this on a few Iranian websites and never got a 403, let alone an iframe.
JumpCrisscross 68 days ago [-]
I wonder if this could be broadened to a list of Wikipedia links to humanitarian content folks in repressed regimes are or might get blocked from. Tiananmen Square [1]. Wen Jiabao's staggering corruption [2]. Epstein's e-mails [3]. Et cetera.
Like Netflix launching Fast.com, this would directly weaponise these regimes' censoring tendencies against themselves.
Is there a Scunthorpe problem looming there? Birdwatchers might seek out information about boobies - are they treated like boobs.jpg is?
cluckindan 68 days ago [-]
Wow. The screenshot had the IP address exactly where I placed my finger to scroll, and iOS Safari briefly opened a popup window where it started connecting to that IP.
Fuck this shit, I’m moving to a hovel in the woods.
rootusrootus 68 days ago [-]
Along the same lines, I occasionally find myself cursing iOS for its willingness to just bring up the dialer and call a number. I really, really wish that it would confirm any dialing before doing it, especially if you didn't click on a phone number on a contact. Couple times I've ended up dialing a recent spam caller, which is the last thing I ever want to do.
lxgr 68 days ago [-]
On top of that, the only possible interaction with the number is to call it or to not call it.
Want to copy the number into the clipboard to call it later, call it from a different app, or forward it to somebody else? Tough luck.
furyofantares 68 days ago [-]
There are a few options available if you press and hold it (Call, Message, Add to Existing Contact, Create New Contact, Delete).
I feel this only makes the fact that tapping calls without confirmation more annoying though.
lxgr 68 days ago [-]
That's assuming there is something I can press and hold, e.g. a phone number displayed in Safari or an email.
Some apps seem to call some "make a phone call now" API, and that opens a modal pop-up with exactly two options – make the call or don't.
One workaround is to take a screenshot of the number being displayed, but... Come on, Apple.
MaintenanceMode 68 days ago [-]
Occasionally, if you're lucky enough, an option to copy the phone number shows up, it seems like completely at the whim of the OS. And that's after accidentally starting to dial the number, of course.
quesera 68 days ago [-]
iOS presents me with "Dial NPA-NXX-XXXX" and "Cancel" options in a bottom-raised dialog, when I tap a tel link.
I don't recall doing anything special to make this happen, but I wouldn't put it past me.
rootusrootus 68 days ago [-]
That may be specific to a web browser hyperlink. Click on an entry in your recent calls list and it'll immediately dial the number that called you.
quesera 68 days ago [-]
Got it, I missed the context.
Agreed, now that I remember the self-training I had to do to avoid the issue, this is an obnoxiously awkward design choice!
pizzalife 68 days ago [-]
It’s in a private IP range so unless you’re inside Iran you’re fine.
ycombinatrix 68 days ago [-]
I don't think that works in Iran either
culi 68 days ago [-]
Agree it's a stupid default but you can (and imo should) turn off link previews in iOS
Thanks for posting this. I mostly gave up on viewing the one or two Twitter feeds that interest me after nitter stopped working. It wasn't ideological, I just wasn't able to reliably view and navigate without an account, and when I made an account it just kept showing me like "black HS football player bad sportsmanship".
Look like I've got about two years of James Cage White story arcs to check in on.
skeledrew 68 days ago [-]
This has been so useful to me that I've created a filter in URLCheck[0] that automatically converts all X-related links.
This is a hosted instance of nitter, the reason why nearly all nitter instances died is because "guest" accounts got removed, so now you need tons of real twitter/x accounts instead of just generating thousands of "guest" accounts.
behnamoh 68 days ago [-]
[flagged]
qbit42 68 days ago [-]
I don't want to have to create an account to view the full context.
hypeatei 68 days ago [-]
> XCancel is an instance of Nitter.
> Nitter is a free and open source alternative Twitter front-end focused on privacy and performance.
Where is the mission statement about wanting X gone?
Almost like you are engaging in entirely bad faith.
throwaway290 68 days ago [-]
if nitter robs twitter,
then ublock robs youtube and youtubers. actually
worse because nitter at least saves musk money on server costs.
lexlambda 68 days ago [-]
Like posting an archive.is link, others can actually read it. No login required for reading replies, no popups and signup nags.
floodle 68 days ago [-]
It's easier to view the tweet, to be fair
dvngnt_ 68 days ago [-]
you can view replies without logging in
llimllib 68 days ago [-]
some people don't want to give clicks to X, no we're not done with it. It doesn't harm you does it?
behnamoh 68 days ago [-]
[flagged]
mikestew 68 days ago [-]
So the question is, what does a commercial website gain from people clicking on links to that website? I’m not even sure where to start to explain that one if one has to ask.
behnamoh 68 days ago [-]
[flagged]
lovegrenoble 68 days ago [-]
Why not?
gnarlouse 68 days ago [-]
I saw “boobs” so I ran.
-Iran
Rendered at 04:25:58 GMT+0000 (Coordinated Universal Time) with Vercel.
Proxy/CDN: HTTPS (443) → Origin server: plain HTTP (80)
(example: Cloudflare in Flexible mode)
If the origin server uses any proper TLS configuration, even a self-signed certificate, this method stops working. It only succeeds when the upstream connection to the origin is unsecured.
If you want to test this on a random site without Cloudflare or reverse proxy in general on HTTP: curl http://www.digiboy.ir/boobs.jpg -v
I didn't quite get if Automatic TLS (https://developers.cloudflare.com/ssl/origin-configuration/s...) could use plain transfers.
So:
* Is it insecure by default or you have to be intentionally insecure?
* Why would anyone pick the flexible/potentially-insecure option?
Because having a connection that's encrypted between a user and Cloudflare, then unencrypted between Cloudflare and your server is often better than unencrypted all the way. Sketchy ISPs could insert/replace ads, and anyone hosting a free wifi hotspot could learn things your users wouldn't want them to know (e.g. their address if they order a delivery).
Setting up TLS properly on your server is harder than using Cloudflare (disclaimer: I have not used Cloudflare, though I have sorted out a certificate for an https server).
The problem is that users can't tell if their connection is encrypted all the way to your server. Visiting an https url might lead someone to assume that no-one can eavesdrop on their connection by tapping a cross-ocean cable (TLS can deliver this property). Cloudflare breaks that assumption.
Cloudflare's marketing on this is deceptive: https://www.cloudflare.com/application-services/products/ssl... says "TLS ensures data passing between users and servers is encrypted". This is true, but the servers it's talking about are Cloudflare's, not the website owner's.
Going through to "compare plans", the description of "Universal SSL Certificate" says "If you do not currently use SSL, Cloudflare can provide you with SSL capabilities — no configuration required." This could mislead users and server operators into thinking that they are more secure than they actually are. You cannot get the full benefits of TLS without a private key on your web server.
Despite this, I would guess that Cloudflare's "encryption remover" improves security compared to a world where Cloudflare did not offer this. I might feel differently about this if I knew more about people who interact with traffic between Cloudflare's servers and the servers of Cloudflare's customers.
This is probably technically true, but setting up TLS properly on your server is really ridiculously simple.
Let's encrypt and ACME hasn't always been available. Lots of companies also use appliances for the reverse proxy/Ingress.
If they don't support ACME, it's actually quite the chore to do - at least it was the last time I had to before acme was a thing (which is admittedly over 10 yrs ago)
1. Because TLS certificates were not free
2. Because firewall was "enough" in most people's minds
3. Because TLS was the most CPU intensive part of serving a static site
4. Because some people were using cheap shared hosting providers that upcharged for TLS
I pick it whenever I don't want to setup HTTPS on my origin but still want HTTPS. Just for projects where I really don't care.
It will cost you a ton.
</Irony>
Certs used to be expensive, and had way more operational overhead and quirks (even setting up ACME/LE)
https://letsencrypt.org/docs/client-options/#other-client-op...
Granted, most CDNs these days have some form of free certicate system, but that wasn't always the case.
The sky is purple! Charlie Brown had hoes! Cloudflare invented Let's Encrypt! Just say anything you want! We live in a post-truth world- there's no need for anything you say to correspond to any external reality!
you must be new to the internet...
Someone l pointed out I mixed up my timeline a bit because this was over a decade ago, but it turns out CF offered free certs even earlier than LE :)
So, while i got the details wrong, I still stand behind what I say: most sites on the web even have TLS enabled because CF offers it for free. I'm not talking about the reverse proxy aspect, but from the UA's perspective
And i say this as someone who uses ACME in certmanager and certbot at home and still prefers the ease with which Cloudflare generates a cert for my domain and terminates TLS for the public side of my cloudflare tunnel.
For work, I used to use certbot directly at my old place. Now I am building my new stuff on k8s, and I have the ingress manage my certs for me (likely using certbot or similar behind the scenes). Both have been extremely low setup effort and no ongoing effort.
I don't like giving Cloudflare my (or my companies/customers) data in exchange for being able to click a checkbox.
What a deal.
You changed the subject btw.
Also what mis-information (other than the claiming CF integrated with LE, but it turns out CF offered free certs before LE even existed lol) did I spread?
On a side note, nginx doesn't support HTTP/2 for https load balancing so I am thinking of switching to haproxy which supports it
Edit: I don't see any "machine name" on crt.sh for public LB which uses LE
Ah, you meant the DNS address is on CT now. You think I wouldn't know that? Regardless, a dns01 challenge is far better than using self-signed at home
Is this implying that all TLS is terminated at the Iran border and proxied from there? And all Iranian sites are required to host via http? That has significantly more implications than what this post is about.
Maybe certificate authorities aren't allowed to issue private certs to Iranian organizations? Even LetsEncrypt?
"TLS between backend connections" usually involves termination and decryption on the frontend webserver and re-encryption of the upstream traffic, whatever it may be.
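As an added illustration of the re-encryption described above (this is example configuration, not anything a commenter posted): two nginx server blocks that both terminate the client's TLS, one forwarding to the origin over plaintext HTTP the way a "flexible" mode does, the other re-encrypting to the origin and verifying the origin's certificate. All host names, ports and file paths are placeholders.

```nginx
# Added example (not from the thread): same public-facing TLS termination,
# two different upstream legs. All names and paths are placeholders.

# Weak: TLS ends at the proxy; the hop to the origin is plaintext HTTP,
# so anything on the path between proxy and origin can read or alter it.
server {
    listen 443 ssl;
    server_name example-weak.invalid;
    ssl_certificate     /etc/ssl/edge/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/edge/privkey.pem;     # placeholder path

    location / {
        proxy_pass http://origin.internal.invalid:80;  # unencrypted upstream
        proxy_set_header Host $host;
    }
}

# Hardened: re-encrypt to the origin and verify its certificate against a
# trusted bundle. A self-signed origin certificate works too, as long as
# that certificate is what proxy_ssl_trusted_certificate points at.
server {
    listen 443 ssl;
    server_name example-strict.invalid;
    ssl_certificate     /etc/ssl/edge/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/edge/privkey.pem;     # placeholder path

    location / {
        proxy_pass https://origin.internal.invalid:443;
        proxy_set_header Host $host;

        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_server_name on;                # send SNI to the origin
        proxy_ssl_name origin.internal.invalid;  # name the cert must match
        proxy_ssl_verify on;                     # default is off: any cert accepted
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/origin-ca.pem;  # placeholder path
    }
}
```

Both blocks belong inside the http context of nginx.conf. The caveat worth remembering is that proxy_ssl_verify defaults to off, so an https:// upstream on its own encrypts the hop but does not authenticate the origin.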
When you type your password into e.g. Hacker News, you are sending that password to the server. It doesn't matter that they're using bcrypt tuned for $1Bn attackers and you chose a sixteen character random alphanumeric string because that precise string, the valid password, is deliberately sent by you, to them, to authenticate and so if they accidentally reveal that or get compromised in any way, game over.
It's getting a little bit better in some areas. My good bank actually has halfway decent security now, but the bank with most of my money (which is owned by my government, and thus avoids any risk consideration - if that bank fails, the currency my money is denominated in also fails, so, it doesn't matter any more) still thinks passwords are a good idea. Google lets me use a Security Key, but most web sites I authenticate with still use passwords.
SSH is slightly better, because of its target audience. A lot of people use public key auth for SSH, which doesn't have this issue. But that's not the web.
Any server could be leaking plaintext data, sure, but Cloudflare offers and even promotes wrong-thing-as-a-service.
Edit: Looks still the same by default, but at least they're (somewhat obscurely) documenting the issue and providing the option to use a custom cert now...
https://developers.cloudflare.com/ssl/origin-configuration/a...
Yeah, the law-abiding type on the Iranian National Information Network (NIN), either using the Electronic Commerce Council's I.R.Iran CA for HTTPS or just HTTP.
> Maybe certificate authorities aren't allowed to issue private certs to Iranian organizations? Even LetsEncrypt?
Due to NIN registrations being very much not anonymous, https://xkcd.com/538/ seems pretty appropriate if you want to use an unapproved certificate authority.
But if there is an easy technical implement to avoid some propaganda then good on them I guess. Why not. One less thing to worry about.
Iran is actively working hard to make us hate our fellow citizens. That matters.
They have well known active operations of helping fuel the flames of political division by amplifying both sides of extremely divisive topics.
If you’ve ever engaged in flame wars about abortion, brexit, Scottish independence, the Ukraine war, the Gaza war, etc, there is a really good chance there were many participants from one of those parties.
This may or may not be useful. How all this works is beyond my knowledge ..
It's behind CF
I really want to know what's on the webpage for the iframe.
Standard DPI firewalls can do that for you. Absolutely no issue.
A few guesses:
1) CDN connects to backend server over TLS, using the national I.R. Iran root CA
2) CDN connects to backend server over HTTP
3) Backend server is running a nationally blessed Linux OS
For 1 & 2, the National Information Network would be implementing this DigiNotar style but they already own the root keys. For #3, the backend does so itself. These are the people who p0wned DigiNotar after all.
Naturally, we made it so that 1% of the requests to a forum we ran at the time displayed it to the viewer. :)
IP addresses are expensive if you're not the US. Also they might be reusing a standard corporate filtering product that expects to be deployed on a private network (and in a way, that's what the Iranian internet is).
Like Netflix launching Fast.com, this would directly weaponise these regimes' censoring tendencies against themselves.
Fuck this shit, I’m moving to a hovel in the woods.
Want to copy the number into the clipboard to call it later, call it from a different app, or forward it to somebody else? Tough luck.
I feel this only makes the fact that tapping calls without confirmation more annoying though.
Some apps seem to call some "make a phone call now" API, and that opens a modal pop-up with exactly two options – make the call or don't.
One workaround is to take a screenshot of the number being displayed, but... Come on, Apple.
I don't recall doing anything special to make this happen, but I wouldn't put it past me.
Agreed, now that I remember the self-training I had to do to avoid the issue, this is an obnoxiously awkward design choice!
Looks like I've got about two years of James Cage White story arcs to check in on.
> Nitter is a free and open source alternative Twitter front-end focused on privacy and performance.
Where is the mission statement about wanting X gone?
https://xcancel.com/about
> then I ask: what does X gain from your clicks?
https://news.ycombinator.com/item?id=46100703
> Worst that can happen is they waste resources showing you ads that you don't click on.
https://news.ycombinator.com/item?id=46100744
Almost like you are engaging in entirely bad faith.
-Iran