Comment by shishcat

Comment by shishcat 3 days ago

43 replies

View on Hacker News

This behavior only works when the reverse proxy or CDN is configured like this:

Proxy/CDN: HTTPS (443) → Origin server: plain HTTP (80)

(example: Cloudflare in Flexible mode)

If the origin server uses any proper TLS configuration, even a self-signed certificate, this method stops working. It only succeeds when the upstream connection to the origin is unsecured.

If you want to test this on a random site without Cloudflare or reverse proxy in general on HTTP: curl http://www.digiboy.ir/boobs.jpg -v

mort96 3 days ago

Ah, Cloudflare. The world's most widely deployed encryption remover.

Reply View 36 replies
  • dhab 2 days ago

    Could someone help me understand. I looked at: https://developers.cloudflare.com/ssl/origin-configuration/s... it seems to support multiple modes.

    I didn't quite get if Automatic TLS (https://developers.cloudflare.com/ssl/origin-configuration/s...) could use plain transfers.

    So:

    * Is it insecure by default or you have to be intentionally insecure?

    * Why would anyone pick the flexible/potentially-insecure option?

    Reply View 6 replies
    • penteract 2 days ago

      > Why would anyone pick the flexible/potentially-insecure option?

      Because having a connection that's encrypted between a user and Cloudflare, then unencrypted between Cloudflare and your server is often better than unencrypted all the way. Sketchy ISPs could insert/replace ads, and anyone hosting a free wifi hotspot could learn things your users wouldn't want them to know (e.g. their address if they order a delivery).

      Setting up TLS properly on your server is harder than using Cloudflare (disclaimer: I have not used Cloudflare, though I have sorted out a certificate for an https server).

      The problem is that users can't tell if their connection is encrypted all the way to your server. Visiting an https url might lead someone to assume that no-one can eavesdrop on their connection by tapping a cross-ocean cable (TLS can deliver this property). Cloudflare breaks that assumption.

      Cloudflare's marketing on this is deceptive: https://www.cloudflare.com/application-services/products/ssl... says "TLS ensures data passing between users and servers is encrypted". This is true, but the servers it's talking about are Cloudflare's, not the website owner's.

      Going through to "compare plans", the description of "Universal SSL Certificate" says "If you do not currently use SSL, Cloudflare can provide you with SSL capabilities — no configuration required." This could mislead users and server operators into thinking that they are more secure than they actually are. You cannot get the full benefits of TLS without a private key on your web server.

      Despite this, I would guess that Cloudflare's "encryption remover" improves security compared to a world where Cloudflare did not offer this. I might feel differently about this if I knew more about people who interact with traffic between Cloudflare's servers and the servers of Cloudflare's customers.

      Reply View 3 replies
      • mort96 2 days ago

        > Setting up TLS properly on your server is harder than using Cloudflare

        This is probably technically true, but setting up TLS properly on your server is really ridiculously simple.

        Reply View 2 replies
    • wavesquid 2 days ago

      Historically?

      1. Because TLS certificates were not free

      2. Because firewall was "enough" in most people's minds

      3. Because TLS was the most CPU intensive part of serving a static site

      4. Because some people were using cheap shared hosting providers that upcharged for TLS

      Reply View 0 replies
    • KomoD 2 days ago

      > * Why would anyone pick the flexible/potentially-insecure option?

      I pick it whenever I don't want to setup HTTPS on my origin but still want HTTPS. Just for projects where I really don't care.

      Reply View 0 replies
  • bawolff 3 days ago

    Is it really that different than AWS? You either trust your service provider or you don't.

    Reply View 2 replies
    • lmm 3 days ago

      AWS doesn't route requests from their load balancer to your server across the public internet. Cloudflare does.

      Reply View 1 reply
      • akdev1l 2 days ago

        You can do that with AWS if you really want to.

        It will cost you a ton.

        Reply View 0 replies
  • p0w3n3d 2 days ago

    EU should simply do the global surveillance quietly on cloudflare, instead of asking all the countries for the law

    </Irony>

    Reply View 0 replies
  • spoiler 3 days ago

    To be fair, Cloudflare is also the reason why most sites even have TLS at all, because it offered free certs (through letsencrypt I think?) in a fairly easy to set up way.

    Certs used to be expensive, and had way more operational overhead and quirks (even setting up ACME/LE)

    Reply View 24 replies
    • estimator7292 3 days ago

      Absolutely not, no. That is all thanks to Let's Encrypt.

      Reply View 5 replies
      • DoctorOW 3 days ago

        This was true before Let's Encrypt existed, they'd buy massive 500 domain wildcard SSL certs that free users would split.

        Reply View 0 replies
      • koakuma-chan 2 days ago

        Let's Encrypt is unusable for me because they want you to install that certbot thing. I don't know what that is or what it does. I don't want some magical auto update thing. Is it so hard to just make a generate button that gives you cert.pem and pkey.pem? Cloudflare managed to do it.

        Reply View 1 reply
      • spoiler a day ago

        Right, DoctorOW correct me; I have limited memory about the state of affairs from a decade ago. They offered free certs for a long time regardless of LE integration

        Reply View 0 replies
      • thayne 2 days ago

        Cloudflare has native integration with Let's encrypt, which makes using TLS with a CDN much easier than if you had to acquire the ACME cert and deploy it to the CDN yourself.

        Granted, most CDNs these days have some form of free certicate system, but that wasn't always the case.

        Reply View 0 replies
    • Bratmon 2 days ago

      People on this website will just type any wild lie. I kinda love it.

      The sky is purple! Charlie Brown had hoes! Cloudflare invented Let's Encrypt! Just say anything you want! We live in a post-truth world- there's no need for anything you say to correspond to any external reality!

      Reply View 4 replies
      • tracker1 2 days ago

        I'm pretty sure Lincoln said that first...

        Reply View 0 replies
      • spoiler a day ago

        I never said Cloudflare was behind Let's Encrypt… Did I? Probably just a misunderstanding.

        Someone l pointed out I mixed up my timeline a bit because this was over a decade ago, but it turns out CF offered free certs even earlier than LE :)

        So, while i got the details wrong, I still stand behind what I say: most sites on the web even have TLS enabled because CF offers it for free. I'm not talking about the reverse proxy aspect, but from the UA's perspective

        Reply View 0 replies
    • Tostino 3 days ago

      I'm not going to give them credit for the work that Lets Encrypt did.

      Reply View 10 replies
      • master_crab 3 days ago

        I agree, Let’s encrypt and ACME played a massive role. But it’s still far easier having Cloudflare handle TLS encryption for you.

        And i say this as someone who uses ACME in certmanager and certbot at home and still prefers the ease with which Cloudflare generates a cert for my domain and terminates TLS for the public side of my cloudflare tunnel.

        Reply View 1 reply
        • Tostino 2 days ago

          For my home stuff I just use nginx-proxy-manager and haven't thought about it since I set it up a couple of years ago.

          For work, I used to use certbot directly at my old place. Now I am building my new stuff on k8s, and I have the ingress manage my certs for me (likely using certbot or similar behind the scenes). Both have been extremely low setup effort and no ongoing effort.

          I don't like giving Cloudflare my (or my companies/customers) data in exchange for being able to click a checkbox.

          Reply View 0 replies
      • spoiler a day ago

        My bad! I slightly confused my timeline. CF offered free certs long before LE!

        Reply View 0 replies
      • TiredOfLife 2 days ago

        Lets Encrypt can proxy my old http only website to show as https? Without access to server configuration? How?

        Reply View 6 replies
    • udev4096 2 days ago

      [flagged]

      Reply View 1 reply
      • spoiler a day ago

        Are we witch hunting Cloudflare now? What have they done? I think overall CF seems like a pretty decent company? Lol I'm a bit out of the loop it seems.

        Also what mis-information (other than the claiming CF integrated with LE, but it turns out CF offered free certs before LE even existed lol) did I spread?

        Reply View 0 replies
udev4096 2 days ago

Interesting. I was just setting up a LB like this: client ->LB(nginx) ->TLS terminate for LB conn -> proxy_pass to backend which is behind nginx and has separate TLS certs. it's surprisingly easy to configure. Wonder why people still use HTTP at all. Even at home, I have setup LE certs for all local domains

On a side note, nginx doesn't support HTTP/2 for https load balancing so I am thinking of switching to haproxy which supports it

Reply View 2 replies
  • butvacuum 2 days ago

    Because you've now published your internal machine names. Look up certificate transparency logs.

    Reply View 1 reply
    • udev4096 2 days ago

      What do you mean? I used self-signed for communication b/w LB and the nginx serving backend

      Edit: I don't see any "machine name" on crt.sh for public LB which uses LE

      Ah, you meant the DNS address is on CT now. You think I wouldn't know that? Regardless, a dns01 challenge is far better than using self-signed at home

      Reply View 0 replies
ranger_danger 2 days ago

I don't think this is true... a reverse proxy/CDN can see the full request URL even if the origin server is using TLS (unless you're using mTLS, which almost nobody is), and we don't even know if it's the proxy/CDN or the origin that is filtering based on keywords... but all of them could be doing it.

Reply View 0 replies
bobmcnamara 3 days ago

It'll also work DigiNotar-style, when using the only root CA blessed by the National Information Network for general use: I.R. Iran.

Reply View 0 replies
huflungdung 3 days ago

Digiboy is a treasure trove of enterprise software. Where else would I get a pirated hpe ilo license from?

Reply View 0 replies