BitShares Forum

Other => Meta => Topic started by: karnal on February 28, 2016, 11:50:46 am

Title: PLEASE disable Cloudflare on the forum
Post by: karnal on February 28, 2016, 11:50:46 am
Dear forum admins,

I've brought this up before, many months ago. Cloudflare's quest to eradicate privacy and anonymity online has taken on a whole new level since.

Most users here don't realize there is a company in the middle (Cloudflare) who is scooping all you write, including private messages, since when you connect over TLS to bitsharestalk.org, it's actually to Cloudflare that you're connecting. They own the private key to the certificate and can therefore read everything you do here (including snatching your password and any and all PMs you send).

At the very least I hope that from Cloudflare to the bitshares forum webserver, the connection is TLS-secured, or all your passwords and PMs are transiting parts of the internet in cleartext.

Anyway, this is really mostly an issue for people who use Tor and VPNs, because in their infinite wisdom, Cloudflare has declared that every Tor/VPN user is a criminal or a proto criminal and therefore has to be subjected to endless harassment to be able to read content online.

As someone who browses the internet exclusively through Tor, let me tell you, it is disconcerting how many websites out there use this company's service, possibly without realizing that they are endangering all of their users' privacy (give all your site data to a US-owned company, great idea these days!!! straight to the NSA..). The situation is becoming a bit like Google Analytics being ever-present, so Google has a pretty good view of what a large chunk of the internet does.

This forum is no exception:

 (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

  ga('create', 'UA-46762057-4', 'auto');
  ga('send', 'pageview');

But I digress (and it's easy to opt out of this pervasive tracking with extensions such as Ghostery and/or RequestPolicy).


Anyhow,
May I give you a very abridged version of the events over the last year or so, from a day-to-day Tor user (and there are more than a few around here):

Rather than straight loading the forum as would happen on an uncensored connection, Tor and VPN users are subjected to extra checks.

In the beginning, it was possible to solve their captchas with javascript off. It was an annoyance, to be sure, but because I'm involved with this community, I endured the pain. Most other sites, though? Can't count how many articles I haven't read because I couldn't be bothered typing yet another captcha.

Things moved on. At some point, the captchas became plain and simply impossible for humans to solve with javascript turned off. And Cloudflare knew that, of course. It was by design, I suspect. So now we had to turn javascript on in order to have a chance of solving the captcha, and of course, the captcha is served from Google, so now we are being forced to talk to Google's servers too.

It stayed there for a while, but I guess the endless abuse from pedophiles and terrorists continued, so they upped their game; now it's gone up to a stage where (I'm serious) there is a matrix of squares, and solving the captcha consists of selecting "all images with pool tables", "all images with pool chairs", "all images with sweets", "all images with bodies of water" (this one is particularly funny, for some fucked up reason when you click a square with a body of water, it'll neatly disappear and reappear, at which point you have to select it again if it's another body of water, sometimes this goes on for 3-6 times in a row).

But once isn't enough, apparently the terrorists have been developing very efficient software to automatically solve the captchas, because you'll be blasted with 2, 3, 4, 5 rounds of these retarded questions, until His Cloudflarianess deems you are worthy of visiting the website (5 minutes later).

And because you might've turned into a pedophile bot since the last captcha, it'll also regularly re-prompt you to solve them as you browse the same website, in the same session.

Oh, and Javascript HAS TO be turned ON. This time they didn't even bother pretending to accommodate, no javascript = images can't be clicked = captcha can't be solved = no website for you!

I used to visit this forum several times a day during work breaks and whatnot. Now I'm lucky if I come once every 3 days. Sorting flowers and pool tables, I have better use for my time.


So please, one more time, disable this horrible thing from the forum, the user experience is beyond reproachable and also in terms of privacy and freedom, it's a pretty bad move to use them.

Thank you.
Title: Re: PLEASE disable Cloudflare on the forum
Post by: cass on February 28, 2016, 02:01:32 pm
 +5%
Title: Re: PLEASE disable Cloudflare on the forum
Post by: dannotestein on February 28, 2016, 04:32:55 pm
 +5%
Title: Re: PLEASE disable Cloudflare on the forum
Post by: xeroc on February 28, 2016, 04:37:19 pm
Paging @taulant @bitsapphire
Title: Re: PLEASE disable Cloudflare on the forum
Post by: Tuck Fheman on February 28, 2016, 05:32:13 pm
#sharebits "karnal" 1 GREATIDEA
#sharebits "karnal" 5 PERCENT
Title: Re: PLEASE disable Cloudflare on the forum
Post by: btstip on February 28, 2016, 05:33:33 pm
Hey Tuck Fheman, here are the results of your tips...
Curious about ShareBits? Visit us at http://sharebits.io and start tipping BTS on https://bitsharestalk.org/ today!
Source: https://bitsharestalk.org/index.php/topic,21695.msg282497/topicseen.html#msg282497
Created by hybridd (https://bitsharestalk.org/index.php?action=profile;u=40140)
Title: Re: PLEASE disable Cloudflare on the forum
Post by: cass on February 28, 2016, 07:37:01 pm
http://piwik.org/
Title: Re: PLEASE disable Cloudflare on the forum
Post by: karnal on February 28, 2016, 08:44:19 pm
Eerily timely.. http://betanews.com/2016/02/27/tor-dark-web-surveillance/

And yes @cass, piwik is the good stuff. We should use it here. Nothing but good things to say about it, other than still not supporting postgresql.

And on a more general note, very happy to see the positive impact the thread appears to have had. Thanks @xeroc for trying to contact the right people. Thanks to everyone for participating.
Title: Re: PLEASE disable Cloudflare on the forum
Post by: karnal on February 28, 2016, 09:25:01 pm
The discussion at https://trac.torproject.org/projects/tor/ticket/18361 is quite interesting.
Title: Re: PLEASE disable Cloudflare on the forum
Post by: karnal on March 03, 2016, 03:44:08 pm
@xeroc any news?
Title: Re: PLEASE disable Cloudflare on the forum
Post by: xeroc on March 06, 2016, 05:23:47 pm
I can't do anything about it. This domain is under bitsapphire's control.
Title: Re: PLEASE disable Cloudflare on the forum
Post by: bitsapphire on March 10, 2016, 03:23:36 pm
We're going to change the certificate provider. Totally agree with you @karnal. Just so you know why we didn't change it so far:
- Other SSL providers made the mobile app randomly drop the connection (still don't know why)
- We had 2 DDoS attacks in the past; since we have had Cloudflare, that hasn't happened anymore.

We're currently testing "Let's Encrypt" because they are the only ones we know that won't sell user data. We still need a DDoS solution; if anybody has any idea, we're open to hearing it.
Title: Re: PLEASE disable Cloudflare on the forum
Post by: karnal on March 12, 2016, 03:05:31 pm
The choice of CA is not so much related to using a reverse-proxy-style (mitm) service such as Cloudflare.

Of course, it's still important to choose a decent CA due to other reasons (quality of OCSP responders, for instance).


As for previous DDoS, do you remember what sort of DDoS it was? Except for the really overwhelming ones, they can be simple to thwart.

A 1 Gbps (or more) connection helps, enabling TCP syncookies under load will kill all SYN flood attacks, and a decently configured firewall that drops unnecessary probes and responses to closed ports is also necessary.

You can also rate-limit at the firewall how many new connections over a period of time a single IP can make.
Putting up a high-quality load balancer (even if it's just one backend server (the forum) behind it) such as HAProxy in front of the webserver can also significantly help in a DDoS scenario -- and just in general -- by doing protocol-level checks, adding security rules, and most importantly in this case, gaining the ability to queue incoming connections (rather than just dropping them) so that the backend webserver(s) never have to deal with more than they can eat.

If you want to go REALLY hardcore, then use Varnish in front of the webserver and cache the dynamic content on the forum (some VCL mastery needed to make sure the cache is invalidated in a timely/correct manner) such that the webserver doesn't even see most of the requests, since they are served static from Varnish.

My point is, there is a LOT one can do to mitigate a DDoS attack, and force the attacker to really throw several gbit/s at you rather than relying on simpler to execute DDoS techniques (and at that point, if you can detect a pattern in the DDoS, getting in touch with the provider and blocking these traffic patterns will help in a pretty good portion of cases!).. The hardware investment, unless you want to start doing DNS round-robin load balancing and having backend webservers in multiple datacenters with a replicated database also in multiple locations, is negligible.

So, a good relationship with the upstream provider helps. Many times in the past, for me, it was a matter of calling the datacenter, giving them a list of IP ranges, or a range of UDP ports, or whatever pattern could be detected in the DDoS, and asking them to temporarily block traffic upstream. Most of the time that immediately brought the customer's site back online.



edit: Aware of Let's Encrypt, but haven't played with it yet. Good initiative. Cursory rtfm seems to indicate the official client requires root to run, which I would say is an unacceptable thing on a production server (for the purpose of generating/updating SSL certs). There seems to be a -nosudo variant around on github; anyway, I would recommend not running it as root on the production machine.
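An added example (not from the thread, nor the forum's actual configuration) of the HAProxy front-end setup the post above describes: a per-source stick table that rejects clients opening connections too fast or holding too many open, and a backend `maxconn` with `timeout queue` so surplus connections wait in HAProxy's queue instead of hitting the forum webserver. The certificate path, backend address and thresholds are placeholders to be tuned for the real site.

```haproxy
global
    maxconn 20000                 # total connections HAProxy itself will hold open

defaults
    mode http
    option forwardfor             # backend still sees the real client IP (X-Forwarded-For)
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    timeout queue 60s             # how long a connection may wait for a free backend slot

frontend forum_https
    bind :443 ssl crt /etc/haproxy/certs/forum.pem   # placeholder path
    # Track each source IP: connection rate over 10s and currently open connections.
    stick-table type ip size 100k expire 60s store conn_rate(10s),conn_cur
    tcp-request connection track-sc0 src
    # Per-IP limits (placeholder values): reject before any TLS or HTTP work is done.
    tcp-request connection reject if { sc0_conn_rate gt 50 }
    tcp-request connection reject if { sc0_conn_cur gt 20 }
    default_backend forum_web

backend forum_web
    # maxconn caps what the single forum webserver sees; anything above is queued
    # by HAProxy (subject to "timeout queue") rather than dropped or passed through.
    server forum1 10.0.0.10:80 maxconn 200 check   # placeholder backend address
```

Pair this with `net.ipv4.tcp_syncookies=1` on the host so SYN floods never reach the proxy's accept queue either.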
Title: Re: PLEASE disable Cloudflare on the forum
Post by: karnal on March 16, 2016, 03:18:31 pm
@bitsapphire just in case :)
Title: Re: PLEASE disable Cloudflare on the forum
Post by: karnal on April 04, 2016, 06:46:03 pm
@bitsapphire saddened to see that weeks later this has not been addressed.

Meanwhile, the tension between Cloudflare and the Tor community has been increasing: https://blog.torproject.org/blog/trouble-cloudflare

Strongly recommend (quick read) https://people.torproject.org/~lunar/20160331-CloudFlare_Fact_Sheet.pdf - as linked in the above blogpost.
Title: Re: PLEASE disable Cloudflare on the forum
Post by: fav on April 05, 2016, 07:34:25 pm
Cloudflare is pissing me off and I use a regular ISP. That thing occasionally bans IPs from my ISP for whatever reason (we do not have static IPs, so it's easy to catch one).
Title: Re: PLEASE disable Cloudflare on the forum
Post by: karnal on April 19, 2016, 09:37:03 am
Unfortunately still no changes on this front. Lately I don't really visit the forum any longer due to this captcha bs.
Title: Re: PLEASE disable Cloudflare on the forum
Post by: karnal on April 25, 2016, 09:18:26 am
@xeroc @bitsapphire just spent FIFTEEN minutes between captcha loops and "Cannot contact reCAPTCHA. Check your connection and try again", captchas loading VERY slowly (happens frequently) to be able to access the forum.

I'm almost ready to give up at this point. This forum is the central point of contact with this community, and as someone concerned with being private, I'm being CENSORED from accessing the forum normally by this company CLOUDFLARE.
Title: Re: PLEASE disable Cloudflare on the forum
Post by: bobmaloney on May 02, 2016, 04:23:09 pm
...
Title: Re: PLEASE disable Cloudflare on the forum
Post by: karnal on May 02, 2016, 04:27:24 pm
...

My thoughts exactly. :/