Cloudflare ... are they doing any fingerprinting?

Tough question for sure because only company insiders can reasonably be expected to know about it.

Every time I see some site redirecting me to a Cloudflare captcha I have this uncanny feeling my browser is being fingerprinted (and tied to the web of sites I visited and sold in secret).

Am I just being overly paranoid or is Cloudflare a potential big brother mapping risk?

1 Like

Yes, all modern captchas perform extensive browser fingerprinting and logging.

Cloudflare additionally is able to observe all your traffic/activity on all Cloudflare fronted websites.

2 Likes

We find and stop bots by running a series of in-browser tests, checking browser characteristics, native browser APIs, and asking the browser to pass lightweight tests (ex: proof-of-work tests, proof-of-space tests) to prove that it’s an actual browser. The current deployment of Turnstile checks billions of visitors every day, and we are able to identify browser abnormalities that bots exhibit while attempting to pass those tests.

So yes they do a bit, along with other stuff like proof of work kind of like how Anubis works. They also use Private Access Tokens which are a private way of checking that you’re a real user, so really it depends. I don’t get the sense that they’re trying to track you across websites though, mostly just trying to verify you’re not a bot.

5 Likes

I have no evidence of Cloudflare attempting to de-anonymize Tor users; however, for a few months in 2021 I was seeing a flood of events in the Tor client logs similar to the following:

[NOTICE] Closed 1 streams for service cflaresuje2rb7w2u3w43pn4luxdi6o7oatv6r2zrfb5xvsugj35d2qd.onion for reason resolve failed. Fetch status: No more HSDir available to query.

Please notice that the onion address starts with “cflare”. The onion addresses would vary in the Tor logs, but they always started with “cflare”.

I examined what I had open in Firefox during the times of some of the aforementioned events. I had not received a Cloudflare captcha during those times; however, Firefox did have open several Cloudflare fronted Web sites. I found no reference in uBlock Origin to onion addresses, but unless they were using JavaScript, I doubt that I would. I was never able to attribute the events to using any particular Web site.

With that being said about Firefox, all of my systems used the same Tor client for all Internet bound general traffic. I am not even certain that Firefox traffic was tied to the events. It could have been any application on any system. If the events had continued and I saw harm, I would probably start running Wireshark traces.

Anyone else seen “cflare” Tor onion service / HSDir events?

Yes that’s Cloudflare’s hidden service:

The exact header looks something like this, except with all 10 .onion addresses included, each starting with the prefix “cflare”:

4 Likes
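For anyone who wants to check their own Tor client log for the events discussed in the two posts above, here is an added example (not part of any post in this thread) that tallies closed-stream notices per onion service and checks that each label is a well-formed v3 address. The function names and the timestamped sample line are constructed for illustration; the first sample line is the one quoted in the thread, and the address layout (32-byte key, 2-byte checksum, version byte) is the standard v3 onion encoding.

```python
import base64
import hashlib
import re
from collections import Counter

# Message shape taken from the Tor client log line quoted in the thread.
LINE_RE = re.compile(
    r"Closed (\d+) streams for service ([a-z2-7]+)\.onion for reason (.+?)\."
    r" Fetch status: (.+?)\.?$", re.IGNORECASE)

# Sample input: line 1 is from the thread, lines 2-3 are constructed.
SAMPLE_LOG = [
    "[NOTICE] Closed 1 streams for service cflaresuje2rb7w2u3w43pn4luxdi6o7oatv6r2zrfb5xvsugj35d2qd.onion"
    " for reason resolve failed. Fetch status: No more HSDir available to query.",
    "Jan 01 00:00:00.000 [notice] Closed 2 streams for service"
    " cflaresuje2rb7w2u3w43pn4luxdi6o7oatv6r2zrfb5xvsugj35d2qd.onion"
    " for reason resolve failed. Fetch status: No more HSDir available to query.",
    "[NOTICE] Closed 1 streams for service " + "a" * 55 + "d.onion"
    " for reason resolve failed. Fetch status: No more HSDir available to query.",
]

def parse_v3(addr):
    """Return (version, checksum_ok) for a v3 onion label, or None if malformed."""
    if len(addr) != 56:
        return None
    try:
        raw = base64.b32decode(addr.upper())
    except ValueError:
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return version[0], checksum == expected

def triage(lines, prefix="cflare"):
    """Sum closed streams per onion label, split by whether it has the prefix."""
    hits, other = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line.strip())
        if not m:
            continue
        count, addr = int(m.group(1)), m.group(2).lower()
        (hits if addr.startswith(prefix) else other)[addr] += count
    return hits, other

if __name__ == "__main__":
    for bucket in triage(SAMPLE_LOG):
        for addr, n in bucket.items():
            print(n, addr, parse_v3(addr))
```

A label that fails the checksum is not a reachable onion service, so those entries point at a typo or corrupted input rather than a real lookup.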

At least for me, Silk - Privacy Pass Client from Cloudflare works. I know it’s one more extension, but I think they’re a trustworthy company and it makes browsing with a VPN way more bearable.

Placebo: Privacy Pass: The New Protocol for Private Authentication - #5 by anonymous324

1 Like

Thanks for the heads-up! Got rid of it, and I feel like such an idiot.

Is Cloudflare able to sniff the plaintext of HTTPS traffic when someone connects to a website fronted by Cloudflare?

You mean the exact url or the page content? Because https also hides what’s after the /

Yes.

1 Like

Cloudflare can see it all: URL, page content, headers, everything.

Cloudflare works by terminating the HTTPS connections, i.e., they have full cleartext access.

2 Likes

I meant everything.

My understanding has been Cloudflare holds the TLS cert of each website and acts as the end of its HTTPS traffic, then forwards the plaintext HTTP traffic (maybe over a separate HTTPS connection) to the intended website.

This is extremely disturbing because Cloudflare is used by many online services. I despise those website operators who think this is acceptable. “Encrypting the internet” is celebrated by many as an achievement but it means little when Cloudflare can sniff a significant portion of the traffic.

IIRC encrypting the internet began with banks using SSL for their online banking services. My guess is this security existed for a while. Now, all banks that use Cloudflare are exposing that traffic, while falsely advertising customers’ connection with the bank is secure. So, it’s not just the “Banking Secrecy” Act, KYC/AML and credit cards that undermine financial privacy but also stupid things like Cloudflare’s ability to sniff HTTPS traffic.

I may be wrong but this leads me to think the ability to sniff HTTPS traffic gives Cloudflare some more capabilities to deanonymize Tor users (and users of other anonymizing networks) and link unidentified traffic together, in addition to whatever fingerprinting they do when they present their turnstile to browsers.

1 Like

Just wait until you learn how the ingress proxies of AWS, Azure, GCP, OCI (the hosts of the vast majority of services by traffic) work! I don’t really get why schizos always get attracted to specifically Cloudflare, it’s like a lightbulb to a moth.

1 Like

Because it’s free, so people who would be perfectly fine with not using a CDN will use Cloudflare anyways just because they can.

3 Likes

Sorry I picked on Cloudflare because that is the topic of this thread. The problem is much wider than Cloudflare.