cloudflare and co. full ssl mode, "everyone" going to use it, ...


Heard something about Cloudflare and co. This is a rather sloppy writeup. Don’t quote me on it.

There are various modes.

[1] Full SSL -> end to end through Cloudflare
[2] CDN (content delivery network) - SSL user to Cloudflare - decrypt at Cloudflare - SSL Cloudflare to actual server

[2] results in a huge speedup. Static content such as images, HTML and scripts can be delivered from a server close to the user - including QoS (quality of service) prioritization. Since Cloudflare can decrypt all the traffic, this is a solution many privacy-aware websites won’t want.

[1] So Cloudflare is mostly known for CDN / [2]. How can [1] be useful? It’s obviously slower, but slower here still means a factor-3 speedup. It works by Cloudflare having their own dark fiber and making deals with ISPs for guaranteed bandwidth, so they can implement faster routing and higher QoS priority.

If true, that means the debate on net neutrality is already over and practically we transitioned into the QoS age. Most services nowadays sign up for Cloudflare to be faster. Which from their point of view is profitable, since website speed is crucial. More than 2 seconds page load time and already x % bounce rate.

At the moment there are various free offers from Cloudflare. [1] is among them.

If everyone signed up for Cloudflare eventually, we could just as well decide to go back to no one using it - since then some superfluous extra proxy was added - and no one benefited.

The final result will probably be that all server providers have to bid on bandwidth or be super slow.

Obviously we shouldn’t sign up whonix.org for Cloudflare and co. However, as more and more destinations are behind Cloudflare and co., the number of destinations for all Tor traffic was reduced from many to “one”. It is safe to assume Cloudflare and co. are a giant global, at least passive, traffic observer.


Related re: global passive observers/profilers.

I recommend everyone read this below to understand how dangerous Google, Facebook and Twitter are as global traffic observers, given their presence on most of the top 200,000 Alexa websites. Google third-party web services are on nearly 100% of those (97%).

This is why VPNs are useless. With advances in fingerprinting, anybody using a standard browser and cruising around is being profiled by these corporations, with no fancy decryption of OpenVPN required. Reminder: 29 bits of identifying information just from screen resolution output alone. It’s just too easy…

Your top 15 enemies for tracking/profiling are:

doubleclick.net, google.com, googlesyndication.com, googleapis.com, gstatic.com, admob.com, googleanalytics.com, googleusercontent.com, flurry.com, adobe.com, chartboost.com, unity3d.com, facebook.com, amazonaws.com and tapjoyads.com
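To make the two observations above concrete (Tor traffic destinations collapsing onto Cloudflare's address space, and third-party tracker hosts embedded in most sites), here is an added Python example that is not part of this thread and not anyone's posted code. It takes a list of sites with their resolved IPs and the third-party resource URLs their pages load, counts how many resolve into Cloudflare's published IPv4 ranges, and counts how many reference one of the fifteen tracker domains listed in the post. The site data is constructed for the demonstration; the Cloudflare range list is a snapshot assumed current when written and should be refreshed from https://www.cloudflare.com/ips-v4 before real use.

```python
"""Added example (not from the thread): measure how much of a site list sits
behind Cloudflare's network and how many pages embed the listed trackers.
All site data is CONSTRUCTED; the Cloudflare ranges are an assumed snapshot."""
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Assumption: snapshot of Cloudflare's published IPv4 ranges. Refresh from
# https://www.cloudflare.com/ips-v4 before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# The "top 15" tracker domains from the post, matched on the registrable domain.
TRACKERS = {
    "doubleclick.net", "google.com", "googlesyndication.com", "googleapis.com",
    "gstatic.com", "admob.com", "googleanalytics.com", "googleusercontent.com",
    "flurry.com", "adobe.com", "chartboost.com", "unity3d.com", "facebook.com",
    "amazonaws.com", "tapjoyads.com",
}


def is_cloudflare(ip: str) -> bool:
    """True if the address falls into one of the Cloudflare ranges above.
    IPv6 addresses never match the IPv4 ranges and so return False."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def registrable(host: str) -> str:
    """Crude eTLD+1: last two labels. Sufficient for the suffixes above;
    it does not handle public suffixes such as co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def tracker_hits(resource_urls):
    """Set of listed tracker domains referenced by a page's resource URLs."""
    hits = set()
    for url in resource_urls:
        host = urlsplit(url).hostname or ""
        dom = registrable(host)
        if dom in TRACKERS:
            hits.add(dom)
    return hits


def summarize(sites):
    """sites: iterable of (site_host, resolved_ipv4, [resource_urls]).
    Returns counts of Cloudflare-fronted sites and tracker-embedding sites."""
    sites = list(sites)
    n = len(sites)
    cf = sum(1 for _, ip, _ in sites if is_cloudflare(ip))
    tracker_counts = Counter()
    with_tracker = 0
    for _, _, urls in sites:
        hits = tracker_hits(urls)
        if hits:
            with_tracker += 1
        tracker_counts.update(hits)
    return {
        "sites": n,
        "behind_cloudflare": cf,
        "cloudflare_share": (cf / n) if n else 0.0,
        "with_listed_tracker": with_tracker,
        "tracker_counts": dict(tracker_counts),
    }


# Constructed sample: hostnames, resolved IPs and resource URLs are made up
# (the .test TLD and 203.0.113.0/24 are reserved for documentation).
SAMPLE_SITES = [
    ("example-news.test", "104.16.1.1",
     ["https://www.googletagmanager.com/gtag.js", "https://fonts.gstatic.com/s/x.woff2"]),
    ("shop.test", "172.65.3.4",
     ["https://www.facebook.com/tr?id=1", "https://stats.g.doubleclick.net/dc.js"]),
    ("privacy-blog.test", "203.0.113.10",
     ["https://privacy-blog.test/style.css"]),
    ("forum.test", "198.41.200.5",
     ["https://cdn.example-cdn.test/app.js", "https://s3.amazonaws.com/bucket/img.png"]),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SITES).items():
        print(f"{key}: {value}")
```

On real data the resolved IP must come from the same resolver path the client would use (for Tor, the exit's resolver), and a site whose origin is not on Cloudflare can still have its traffic observed if the scripts and fonts it loads are served from Cloudflare or from the tracker hosts, which is why the two counts are kept separate.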


Other main reasons are free DDoS protection and free bandwidth, which explains the popularity of Cloudflare.