This repository has been archived by the owner on Jun 24, 2022. It is now read-only.

CloudFlare #96

Closed
ghost opened this issue Nov 18, 2016 · 12 comments

Comments

@ghost

ghost commented Nov 18, 2016

CloudFlare is a major privacy issue to the users of a site protected by it.

Is there a good reason to use it for privacytools.io?

@ghost
Author

ghost commented Nov 21, 2016

Also, CF SSL is not very friendly.

╭─samuel@ROG  ~  
╰─$ python
Python 2.7.6 (default, Jun 22 2015, 17:58:13) 
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from urllib2 import urlopen
>>> urlopen("https://privacytools.io")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 404, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 422, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 382, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1222, in https_open
    return self.do_open(httplib.HTTPSConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1184, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [Errno 1] _ssl.c:510: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error>
>>> 
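The error in the session above is a TLS alert sent by Cloudflare's edge, not a local SSL misconfiguration. Cloudflare's free certificates are served from shared IP addresses and the edge selects the certificate from the Server Name Indication (SNI) extension; Python 2.7's httplib/urllib2 did not send SNI before 2.7.9, so the server aborts the handshake with `internal_error` (alert 80) at the ServerHello stage. The following decoder is an added example, not code from this thread or from the privacytools.io project: it unpacks an OpenSSL 1.0.x error string (library, function and reason fields, with reasons at or above 1000 in the SSL library being received TLS alerts) and reports whether the running interpreter can send SNI. The sample input is the exact error line from the comment above; the alert-name table is assumed from RFC 5246 and covers only a handful of common alerts.

```python
import re
import ssl
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Exact error text from the session above (constructed as the sample input).
SAMPLE_ERROR = ("<urlopen error [Errno 1] _ssl.c:510: error:14077438:SSL routines:"
                "SSL23_GET_SERVER_HELLO:tlsv1 alert internal error>")

# OpenSSL 1.0.x error strings: error:<8 hex digits>:<library>:<function>:<reason>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^>]*)")

ERR_LIB_SSL = 20            # library id of "SSL routines" in OpenSSL
SSL_AD_REASON_OFFSET = 1000 # reason codes >= 1000 are peer alerts: 1000 + alert number

# Subset of TLS alert descriptions (RFC 5246 section 7.2); assumed table.
TLS_ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
    70: "protocol_version", 80: "internal_error", 112: "unrecognized_name",
}


@dataclass
class OpenSSLError:
    library: int
    function: int
    reason: int
    library_name: str
    function_name: str
    reason_text: str

    @property
    def tls_alert(self) -> Optional[int]:
        """Alert number if the error is an alert received from the peer, else None."""
        if self.library == ERR_LIB_SSL and self.reason >= SSL_AD_REASON_OFFSET:
            return self.reason - SSL_AD_REASON_OFFSET
        return None


def parse_openssl_error(text: str) -> OpenSSLError:
    """Unpack the 32-bit code: 8 bits library, 12 bits function, 12 bits reason."""
    m = ERR_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL error string found")
    code = int(m.group(1), 16)
    return OpenSSLError(
        library=code >> 24,
        function=(code >> 12) & 0xFFF,
        reason=code & 0xFFF,
        library_name=m.group(2),
        function_name=m.group(3),
        reason_text=m.group(4).strip(),
    )


def diagnose(text: str) -> Tuple[OpenSSLError, List[str]]:
    """Explain the failure and check whether this interpreter can send SNI."""
    err = parse_openssl_error(text)
    notes = []
    alert = err.tls_alert
    if alert is not None:
        name = TLS_ALERT_NAMES.get(alert, "unknown")
        notes.append(f"server sent TLS alert {alert} ({name}) in {err.function_name}")
    if alert == 80 and not ssl.HAS_SNI:
        notes.append("this Python build cannot send SNI; a shared-IP edge that picks "
                     "its certificate by SNI will abort the handshake")
    elif alert == 80:
        notes.append("SNI is available here; pass server_hostname so the edge can "
                     "select the right certificate")
    return err, notes


if __name__ == "__main__":
    parsed, findings = diagnose(SAMPLE_ERROR)
    print(f"lib={parsed.library} func={parsed.function} reason={parsed.reason} "
          f"alert={parsed.tls_alert}")
    for line in findings:
        print("-", line)
```

On a modern Python 3 build `ssl.HAS_SNI` is true and `urllib.request.urlopen` sends the hostname automatically, so the same request succeeds; the decoder is mainly useful for reading old error strings in bug reports and logs.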

@privacytoolsIO
Contributor

The reason I decided to use CloudFlare was the fact that it's easy to set up, and nice to have a free SSL certificate. To be honest, to have HTTPS for privacytools.io is totally optional, since we're not dealing with any user data whatsoever. We had some discussion about CloudFlare before: https://www.reddit.com/r/privacytoolsIO/search?q=CloudFlare&restrict_sr=on&sort=relevance&t=all

I don't think this is a priority at the moment.

@ghost
Author

ghost commented Dec 18, 2016

Note: HTTPS is faster, trustworthy (this site doesn't deal with user data, but it's a good practice and feels much more trustworthy for users), and looks better.

@bakku

bakku commented Dec 18, 2016

Plenty of reasons to use https even for a static site. Some here: https://www.bitballoon.com/blog/2014/10/03/five-reasons-you-want-https-for-your-static-site

Personally I would move away from Cloudflare and use Let's Encrypt to get a free certificate.

@ghost
Author

ghost commented Dec 18, 2016

@privacytoolsIO
Contributor

I can't switch to Let's Encrypt at the moment, because I'd have to change the DNS servers of the domain and that would reveal my server location. I agree with you that Let's Encrypt is first choice, but CloudFlare still makes privacytools.io faster, hides my server location and provides a free SSL certificate. Again, we're not handling any user data.

@Hillside502

@privacytoolsIO
You can hide your server location via a VPN static IP address.

@beerisgood

Read this comment from Moonchild (Pale Moon dev) on why Let's Encrypt isn't good:
https://forum.palemoon.org/viewtopic.php?f=17&t=13216&p=97307#p97307

@Hillside502

@beerisgood
That was 14 months ago. Does that still apply?

@ghost
Author

ghost commented Jan 3, 2018

@privacytoolsIO

Hide server location? Then why not rent a hosting server?

Try https://danwin1210.me/ .
You'll receive:

  1. Access log without IP addresses (all IP addresses replaced with 0)
  2. Let's Encrypt certificate
  3. Can host with your own domain
  4. Hosted in Germany, not in USA like Cloudflare
  5. Can have .onion domain. You'll automatically receive onion domain!
  6. Free
  7. He's friendly.

Just try it. Better than Cloudflare.

@beerisgood

@Hillside502 Yes. I got this answer from Moonchild:

Nothing has changed about the way Let's Encrypt does things because all of those bad things are "by design" for them

@ghost

ghost commented Jan 3, 2018

@Hillside502 @beerisgood
It is getting even worse: https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html

And they are sticking with their fragile/questionable verification process

We will initially only support base domain validation via DNS for wildcard certificates

This opens the door wide for abuse. Wondering how Mozilla is going happily along, but perhaps not any more since Mozilla is also actively sponsoring this MitM provider CF.

https://www.robtex.com/dns-lookup/www.mozilla.org

cname | www.mozilla.org.cdn.cloudflare.net

That from an organization supposedly promoting privacy and freedom of the internet and asking for donations for that cause... well, bonne chance.


4 participants