this post was submitted on 08 Jun 2024
Monero

This is the lemmy community of Monero (XMR), a secure, private, untraceable currency that is open-source and freely available to all.


I made a post here about the danger of Cloudflare and the nightmare about how it functions:

https://sh.itjust.works/post/20529148

Cloudflare is a MITM that can see everything going on, every request I'm making, plus all the data I'm sending.

So explain to me why Trocador is using it? Are they a honeypot? They pride themselves soooo much on anonymity, NoJS, Onion support, deletion of records, No KYC, No logs unless fully necessary, but yet, they allow Cloudflare to record every single piece of data about my interactions on Trocador, all the requests, both POST and GET, all the addresses and amounts I'm inputting, quotes I'm making, and of course, associate my browser fingerprint and IP with all that yummy data that the NSA would be really happy to collect ;) ! How curious indeed..

It's a known fact that Cloudflare works the way I described. So why would Trocador willingly give over everything I'm inputting into the site over to Cloudflare? Please, someone explain this to me.

And it's not just Trocador. Soooo many Monero and privacy oriented sites are using the Cloudflare MITM. Today I'm picking on Trocador but later I'll pick on more as I remember/come across them.

Here is a relevant paragraph I wrote:

I'm sick to my stomach of all these orgs and companies and people talking about privacy, and then they constantly do all these kinds of things that prove that they don't actually care about privacy or anonymity or anything in between. They are Vipers and Snakes trying to make a quick dollar on a buzzword. It's become sadly trite.

I'm fully ready to somehow(?) be wrong about all this and eat my words.
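An added check, not from the thread or from Trocador: given a site's HTTP response headers (constructed samples below, not captured from any real site), report whether the response carries Cloudflare's proxy markers, which is what the "CF page" and the serverfault answer linked at the end of the thread are about: in proxied mode Cloudflare terminates TLS at its edge, so the edge handles the decrypted request. The `cf-mitigated` challenge-page header and the `classify_url` helper are assumptions about Cloudflare's current behaviour, not taken from the thread.

```python
# Added example: classify an HTTP response by Cloudflare proxy markers.
# In proxied ("orange cloud") mode Cloudflare terminates TLS at its edge, so
# the edge sees each decrypted request: path, query, headers, POST body.
# DNS-only ("grey cloud") mode adds none of these markers, since traffic
# never passes through the edge.
from __future__ import annotations
import urllib.error
import urllib.request

# Response headers Cloudflare's edge adds to proxied responses.
PROXY_MARKERS = ("cf-ray", "cf-cache-status")
# Header Cloudflare sets on its interstitial challenge page (assumption).
CHALLENGE_MARKER = "cf-mitigated"

def classify(status: int, headers: dict[str, str]) -> dict:
    """Return what the status and response headers imply about fronting."""
    h = {k.lower(): v for k, v in headers.items()}
    markers = [m for m in PROXY_MARKERS if m in h]
    if h.get("server", "").lower() == "cloudflare":
        markers.append("server")
    proxied = bool(markers)
    challenge = proxied and h.get(CHALLENGE_MARKER, "").lower() == "challenge"
    return {
        "status": status,
        "proxied": proxied,
        "markers": markers,
        "challenge_page": challenge,
        # If proxied, these parts of every request are plaintext at the edge.
        "visible_at_edge": ["path", "query string", "request headers",
                            "request body"] if proxied else [],
    }

def classify_url(url: str, timeout: float = 10.0) -> dict:
    """Live variant (needs network): HEAD the URL and classify the response."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "cf-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:  # challenge pages are 403/503
        return classify(err.code, dict(err.headers))

# Constructed sample responses (placeholder CF-RAY values, not real ones).
SAMPLE_PROXIED = {"Server": "cloudflare", "CF-RAY": "0000000000000000-XXX",
                  "CF-Cache-Status": "DYNAMIC", "Content-Type": "text/html"}
SAMPLE_CHALLENGE = {"Server": "cloudflare", "CF-RAY": "0000000000000000-XXX",
                    "cf-mitigated": "challenge"}
SAMPLE_DIRECT = {"Server": "nginx", "Content-Type": "text/html"}
```

Absence of markers only means the response carries no Cloudflare fingerprint; the origin may still sit behind another TLS-terminating CDN, so treat a negative result as inconclusive.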

all 20 comments
[–] [email protected] 16 points 6 months ago* (last edited 6 months ago) (2 children)

Hey there, Trocador.app team here.

First of all, we fully get OP's concern about Cloudflare, and it would be very hard for us to argue against the gist of their argument. There's a good reason we don't have Cloudflare as part of our standard operations. However, that means we must implement our own defences against such attacks. We are fine with that. After all, that's enough most of the time. As anyone running a web service in our community knows, we've all been increasingly targeted with DDoS attacks. Here at Trocador, we've had our fair share of them over the last few months, and we've been managing well in our estimate, given our team size. However, last week's incident was something different. We were faced with the option of keeping the service down, or temporarily switching to Cloudflare in an attempt to keep the services running while we hardened our infrastructure. The switch was successful in mitigating the attack's effects, and we kept the platform up. We are aware this is far from ideal to a significant share of our users. That is why we did our best to keep our Tor service operational throughout the attack. Ideally we would have implemented a message on our main page so our users are aware, but most of our team has been busy with Monerokon the past few days. Perhaps that's why the attack was initiated in the lead-up to the event. But who knows... lesson learned!

Our aim is to switch back to normal operation as soon as the attack is over. Unfortunately this attack seems to be much more targeted than previous ones, and has been going on for many days already.

The Monero community has been great as always, and some very competent individuals have reached out to offer guidance and assistance. We're currently working on improving our defences, and we'll be off Cloudflare again very soon, probably in the next couple of days if our strategy works. We were expecting to leave CF today, which would have been only 6 days total using them, but this also depends on our team managing to solve all issues before that, and again, most of our staff is on Monerokon.

[–] Scolding0513 7 points 6 months ago (1 children)

Thank you for responding, the communication is much appreciated. Seems like poor timing with the attack and Monerokon happening at once, for sure.

Yes, agreed, as said in another comment, it would be really great if such things could be communicated to the community. I recommend a banner on the site with the latest update and a link to a Mastodon page or a third party blog page (so people can bookmark it in the case of a temp shutdown). All of the words you gave here should be in such a post. Otherwise people see the infamous CF MITM page and have to assume the worst :(

Thanks again for the response, I really hope the team is able to get some long term non-Cloudflare mitigations very soon.

[–] [email protected] 4 points 6 months ago (2 children)

Thanks for the kind words. Tomorrow our team will be 100% focused on these tasks! By the way, Monerokon was great! A lot of good people there, an outstanding community!

[–] Scolding0513 5 points 6 months ago

Awesome. Our community really is the best, fr.

[–] [email protected] 1 points 6 months ago

Were you guys able to move off of CF?

[–] [email protected] 2 points 6 months ago

I understand this. Tradeogre also has Cloudflare I think. I think 50% of the task of staying private is made by the website, and 50% by the user.

[–] [email protected] 9 points 6 months ago (1 children)

AFAIK Trocador was getting DDoSed. They said they set up Cloudflare temporarily. They are looking for a better solution.

Some messages from https://matrix.to/#/#Trocador.app:matrix.org

Hey there! We were under a heavy ddos attack, so we moved to CF temporarily to help our defenses. As soon as it's over we'll get out of cloudflare. We apologize for the inconvenience, we are looking into alternatives for the next time we suffer a bigger attack like this

[From Tuesday]: We literally moved there 16:00 UTC as a contingency, so it's not even 24 hours yet. We are looking into alternatives for next time a massive DDoS happens

[–] Scolding0513 2 points 6 months ago* (last edited 6 months ago) (1 children)

Thanks for this info. It would've been nice if they'd made a blog post about this and put it on the front page or something, not just a response in a Matrix room.

That way people can help and make suggestions. I really don't think a Cloudflare MITM is necessary for DDoS protection. A DDoS protection service with reverse proxy would be fine, there are likely many companies that have this kind of service that don't require a MITM like CF, or they could probably self-host one.

[–] [email protected] 3 points 6 months ago (1 children)

A "basic reverse proxy" does nothing to help against a large ddos. The only real thing you can do is absorb the traffic and this is not feasible for most operators to host themselves.

[–] Scolding0513 1 points 6 months ago* (last edited 6 months ago) (1 children)

Sorry, I worded it wrong. I'll edit it. I meant to say there are plenty of solutions for DDoS protection with a reverse proxy. Probably in such a way that doesn't require a MITM.

[–] [email protected] 4 points 6 months ago* (last edited 6 months ago)

There are 0 solutions in a reverse proxy if it is not capable of absorbing the amount of traffic required to maintain service while under a ddos attack. How exactly does a reverse proxy do anything to protect from a ddos?

Edit: I see perhaps I misinterpreted this. Sure, there are other ddos protection services but if you are under attack RIGHT NOW and your critical services are down are you going to shop around for alternatives that aren't Cloudflare or are you just going to go straight to the thing you know will do exactly what you need with a proven track record of doing it?

Going to CF is entirely understandable and they said that once the dust settles they will be looking at alternatives for the future that is not CF.

I'm far from a CF shill. I believe they do more long-term harm than their short-term "good" has done. From an ops perspective though this action was very reasonable.

[–] [email protected] 3 points 6 months ago (1 children)

Does not getmonero.org use Cloudflare too?

For multiple reasons we use Cloudflare to handle the DNS (including their embracing and facilitating Tor routing and access from Tor exit nodes, and their exceptional DDoS prevention).

https://github.com/monero-project/meta/issues/921

[–] Scolding0513 4 points 6 months ago (1 children)

Yes, and it's a travesty. Very sad. That's what my post was lamenting really, that so many just allow the monster to spy on all their users.

The Monero team is good at what they do but they don't always make the best decisions. Like why depend on Microsoft GitHub? And remember when they put a CCS wallet on Windows and then got the funds stolen?😂 And of course, succumbing to the Cloudflare MITM filth.

[–] [email protected] 1 points 6 months ago (1 children)

Do you think this is something you could take on and resolve? Perhaps pitch a solution on the CCS?

[–] Scolding0513 1 points 6 months ago

Most people don't give a shit, regardless of the blatant insanity that is Cloudflare. So, it wouldn't do any good.

[–] [email protected] 2 points 6 months ago

It works over Tor, so maybe they just want to use Cloudflare to defend them from denial of service attacks.

[–] [email protected] 1 points 6 months ago (1 children)
[–] Scolding0513 0 points 6 months ago

lol ye privacy community Lemmy mods who don't touch grass or women banned me for making little jokes and deleted all my good posts. Funny shit 🤣

But yeah, I recommend this link for info on what I was saying: https://serverfault.com/questions/662946/does-cloudflare-know-the-decrypted-content-when-using-a-https-connection