Please Cloudflare, I'm a paying customer and have some IPv6 only users that are very frustrated every time they see a Cloudflare challenge page. Your provider, HCaptcha still do not support IPv6. I have to use workarounds like an alternative domain without CF and this is very frustrating.
HCaptcha is the absolute worst, their captchas are consistently harder, the datasets are impossible to decipher and the failure rate is much higher, even if I'm sure that I chose the right options. My parents had no chance last time they ran into one.
CF should have just rolled their own captcha service instead of buying into someone else's public ML training program again.
These are the five SSL options for a Cloudflare website [0]:
1. No SSL: User <--HTTP--> Cloudflare <--HTTP--> Origin Server
2. Flexible SSL: User <--HTTPS--> Cloudflare <--HTTP--> Origin Server
3. Full SSL: User <--HTTPS--> Cloudflare <--HTTPS--> Origin Server;
Self-signed cert ok, expired cert ok
4. Full SSL (strict): User <--HTTPS--> Cloudflare <--HTTPS--> Origin Server;
Origin server must use an SSL certificate that Cloudflare provides [1]
5. Strict (SSL-Only Origin Pull): User <--HTTPS--> Cloudflare <--HTTPS--> Origin Server; same as Full SSL (strict), but you pay need to pay Cloudflare more money
---
3 and above will fix this issue as they encrypt from Cloudflare to the Origin Server.
This is the traffic flow from the link:
User -> Cloudflare -> Airtel -> GitHub Pages
Where the connection with flexible SSL is Cloudflare <--HTTP--> GitHub Pages.
Upgrading to Full SSL (or higher) and using HTTPS on GitHub [2] should fix.
---
Alternatively, deploy your static website with Cloudflare Pages [3], which has feature parity with Github Pages.
The flow would then be: User <--HTTPS--> Cloudflare Pages
> 5. Strict (SSL-Only Origin Pull): User <--HTTPS--> Cloudflare <--HTTPS--> Origin Server; same as Full SSL (strict), but you pay need to pay Cloudflare more money
The difference in this mode is that even if the client connects to Cloudflare using HTTP, Cloudflare will connect to the origin using HTTPS. In all other modes, if the client connects by HTTP, then Cloudflare will connect to origin by HTTP.
Of course, most people these days enable "HTTPS only", in which case Cloudflare will redirect HTTP clients to HTTPS and therefore not make any connection to the origin at all for HTTP clients.
Note that while option 3 will fix this particular issue (because they only seem to care about port 80), it doesn't stop them from MITMing the connection with their own self-signed cert in the future. Only options 4 and 5 ensure a fully secure SSL connection.
Glad to see this getting attention. Flexible SSL is an awful option that has no place in the modern encrypted web. Out of the four SSL options Cloudflare gives users, only one is actually secure. It's a huge foot-gun.
On the contrary, the idea that a mom-and-pop shop running an HTTP website on some ancient shared hosting can easily just drop in Cloudflare is a Good Thing. Sure, you're not removing the attack surface, a state actor could intercept the server-to-server connections... but at least the hacked router in your customers' coffee shop is removed from the threat model. You make it any tougher, and that HTTP website is just going to stay HTTP forever.
I assume you mean only ` Full (strict)` is secure, and not even `Full`?
I happened to be recently looking at putting cloudflare in front of an S3 bucket, and it looked maybe easier/more feasible to do with `Full` instead of `Full (Strict)` -- because you can skip configuring the S3 bucket have an SSL cert for your actual front-facing domain (which can be cumbersome and/or more expensive to set up) and just let CloudFlare connect to it as `*.s3.aws.com` or whatever.
As long as CloudFlare is actually requiring a trusted cert for *.s3.aws.com, are there security implications I'm missing for why this is a bad idea? (I guess AWS or someone with the keys to AWS certs could be spoofing you? Anything else?)
Or in general even without reference to this use case, explain vulnerability examples/threat models for `Full` without `Strict`?
Feedback: I might suggest changing "Now Resolved/ Not Resolved" to Resolved/Broken. This could help with readability as right now there is 1 char difference and it took me a few times to parse.
Cloudflare powered censorship in Pakistan works in a similar fashion. ISPs block websites, but because Cloudflare's data center forwards using local ISPs, you get a nice secure blocked page.
Ages ago Cloudflare started to advice against these kinds of setups. I did not even know it was still possible. TLS termination on the edge services is just stupid.
Disagree. TLS terminated at the edge, by a trusted partner, is perfectly valid and in many cases a great plus. You should, however, then always have a tls connection back to the main host, this is obviously not always the case and is wrong. Ideally CloudFlare would not make it possible.
By terminating at the edge it enables many useful features of services such as CloudFlare that would otherwise not be possible such as the “web application firewall”.
If you think of CloudFlare as a hosting provider in the same way as any other (which they are) it ridiculous not to trust them terminating TLS.
TLS termination on the edge services wasn’t stupid back when crappy vendors (Github Pages included) didn’t support TLS. GitHub Pages only added TLS for custom domains in 2018.
I also tried reporting this issue to Cloudflare in the past through their hackerone page (since I was out of ideas where to get the request though), this is the response I got:
> Enabling SSL/TLS between Cloudflare and the origin site is a customer decision. When this protection is not enabled, as is the case here, an ISP can manipulate the requests before they reach Cloudflare. If this behaviour is not desired, the customer must change the settings for the site in the Cloudflare dashboard.
The request in question gets MITMed after it reaches Cloudflare edge servers, the connection between browser and the edge server happens over SSL
In the early 2010s for a couple of years all Cloudflare websites would sometimes fail to load on my home connection - 20% or so of page loads would hit a strange error, some sort of tcp or ssl issue
It’s good to see others experience the downside of centralising the internet. Until reading this, it seemed like everyone blindly loves cloudflare.
Oh but they are. They chose Airtel in their locations. I'm using BSNL as my ISP but my request goes to one of these locations that seems to be using Airtel and I get the same DoT block message.
GitHub Pages also doesn’t (yet) support custom headers and you can add them with Cf via Workers. So if you’re concerned about the results of securityheaders.io, for example, you can add those in.
[+] [-] bratao|4 years ago|reply
[+] [-] cmeacham98|4 years ago|reply
[+] [-] meibo|4 years ago|reply
CF should have just rolled their own captcha service instead of buying into someone else's public ML training program again.
[+] [-] celsoazevedo|4 years ago|reply
[+] [-] ahupp|4 years ago|reply
edit: I realize there are plenty users behind NAT64 gateways etc, that's the point: how many users out there have no IPv4 connectivity at all?
[+] [-] p0cc|4 years ago|reply
1. No SSL: User <--HTTP--> Cloudflare <--HTTP--> Origin Server
2. Flexible SSL: User <--HTTPS--> Cloudflare <--HTTP--> Origin Server
3. Full SSL: User <--HTTPS--> Cloudflare <--HTTPS--> Origin Server; Self-signed cert ok, expired cert ok
4. Full SSL (strict): User <--HTTPS--> Cloudflare <--HTTPS--> Origin Server; Origin server must use an SSL certificate that Cloudflare provides [1]
5. Strict (SSL-Only Origin Pull): User <--HTTPS--> Cloudflare <--HTTPS--> Origin Server; same as Full SSL (strict), but you pay need to pay Cloudflare more money
---
3 and above will fix this issue as they encrypt from Cloudflare to the Origin Server.
This is the traffic flow from the link:
User -> Cloudflare -> Airtel -> GitHub Pages
Where the connection with flexible SSL is Cloudflare <--HTTP--> GitHub Pages.
Upgrading to Full SSL (or higher) and using HTTPS on GitHub [2] should fix.
---
Alternatively, deploy your static website with Cloudflare Pages [3], which has feature parity with Github Pages.
The flow would then be: User <--HTTPS--> Cloudflare Pages
[0]: https://developers.cloudflare.com/ssl/origin-configuration/s...
[1]: https://developers.cloudflare.com/ssl/origin-configuration/o...
[2]: https://docs.github.com/en/pages/getting-started-with-github...
[3]: https://pages.cloudflare.com/
EDIT: The replies by kentonv, x1110dc, and r1ch all have valid points.
[+] [-] x110dc|4 years ago|reply
[+] [-] kentonv|4 years ago|reply
The difference in this mode is that even if the client connects to Cloudflare using HTTP, Cloudflare will connect to the origin using HTTPS. In all other modes, if the client connects by HTTP, then Cloudflare will connect to origin by HTTP.
Of course, most people these days enable "HTTPS only", in which case Cloudflare will redirect HTTP clients to HTTPS and therefore not make any connection to the origin at all for HTTP clients.
[+] [-] r1ch|4 years ago|reply
[+] [-] r1ch|4 years ago|reply
[+] [-] btown|4 years ago|reply
[+] [-] jrochkind1|4 years ago|reply
I happened to be recently looking at putting cloudflare in front of an S3 bucket, and it looked maybe easier/more feasible to do with `Full` instead of `Full (Strict)` -- because you can skip configuring the S3 bucket have an SSL cert for your actual front-facing domain (which can be cumbersome and/or more expensive to set up) and just let CloudFlare connect to it as `*.s3.aws.com` or whatever. As long as CloudFlare is actually requiring a trusted cert for *.s3.aws.com, are there security implications I'm missing for why this is a bad idea? (I guess AWS or someone with the keys to AWS certs could be spoofing you? Anything else?)
Or in general even without reference to this use case, explain vulnerability examples/threat models for `Full` without `Strict`?
[+] [-] lbotos|4 years ago|reply
[+] [-] captn3m0|4 years ago|reply
As such, I've just dropped the column.
[+] [-] amingilani|4 years ago|reply
[+] [-] 0xbkt|4 years ago|reply
Posted this[0] months ago, even sent emails to Cloudflare NOC multiple times and nobody did even care.
[0] https://community.cloudflare.com/t/censored-pop-orpheus-not-...
[+] [-] captn3m0|4 years ago|reply
Do these ISPs limit themselves to court-ordered blocks in your case?
[+] [-] AtNightWeCode|4 years ago|reply
[+] [-] samwillis|4 years ago|reply
By terminating at the edge it enables many useful features of services such as CloudFlare that would otherwise not be possible such as the “web application firewall”.
If you think of CloudFlare as a hosting provider in the same way as any other (which they are) it ridiculous not to trust them terminating TLS.
[+] [-] oefrha|4 years ago|reply
[+] [-] Anunayj|4 years ago|reply
> Enabling SSL/TLS between Cloudflare and the origin site is a customer decision. When this protection is not enabled, as is the case here, an ISP can manipulate the requests before they reach Cloudflare. If this behaviour is not desired, the customer must change the settings for the site in the Cloudflare dashboard.
The request in question gets MITMed after it reaches Cloudflare edge servers, the connection between browser and the edge server happens over SSL
[+] [-] kiririn|4 years ago|reply
It’s good to see others experience the downside of centralising the internet. Until reading this, it seemed like everyone blindly loves cloudflare.
[+] [-] Zdh4DYsGvdjJ|4 years ago|reply
https://news.ycombinator.com/item?id=28710629
[+] [-] throwaway888abc|4 years ago|reply
Airtel support is here https://www.airtel.in/contact-us
Also, vote with your wallet and don't use Airtel ?
[+] [-] sangeeth96|4 years ago|reply
[+] [-] captn3m0|4 years ago|reply
[+] [-] miohtama|4 years ago|reply
[+] [-] unknown|4 years ago|reply
[deleted]
[+] [-] tomklein|4 years ago|reply
[+] [-] ghostly_s|4 years ago|reply
[+] [-] technick|4 years ago|reply
[+] [-] 0xdeadb00f|4 years ago|reply
[+] [-] ushakov|4 years ago|reply
[+] [-] BillinghamJ|4 years ago|reply
GitHub Pages originally didn't support SSL on custom domains, so people would often put Cloudflare in front of it.
Now GHP does support SSL on custom domains, so Cloudflare is no longer needed, but obviously a lot of sites still exist with the original setup.
[+] [-] whymarrh|4 years ago|reply
[+] [-] tananaev|4 years ago|reply
[+] [-] unknown|4 years ago|reply
[deleted]
[+] [-] adhipics|4 years ago|reply
[deleted]
[+] [-] adhipics|4 years ago|reply
[deleted]
[+] [-] adhipics|4 years ago|reply
[deleted]
[+] [-] ceda_ei|4 years ago|reply