let's talk about our little buddy cloudflare

[Thorin-Oakenpants]

snip

[earthlng]

You don't seem to understand the CF problem. For example ghacks.net is a CF MitM-ed site.
What I was getting at is that you can't really block CF with uBO or uM unless you find + use a list with all the 6+ million sites that go through CF.

[grumpygeek]

I'm interested in fighting cloudfare (and others like it) but I can't think of any user.js related solution. And of course domain blockers won't work for this. I'd like a better explanation of what the extensions do. Also, both of those are web extensions so no good for PM or old browser versions. (I do have Fx57 installed but don't see using it as practical.) I've read the links but I am not sure I understand what cloudfare is doing, but I know they need the cooperation of the site owner. Would be nice to hear from someone who has worked with cloudfare on setting up such connections to their site.

[earthlng]

the extension should work on ESR as well. CF don't need cooperation - as soon as a site owner registers and makes the necessary changes on his side, CF will have full access to everything you send to that site.
EDIT: the extension looks for the Response headers that CF adds and blocks the request if it finds them.

[grumpygeek]

as soon as a site owner registers and makes the necessary changes on his side,

duh..huh, that is cooperation, as opposed to doing it without consent or prior knowledge

[earthlng]

Yeah I mean that part should be obvious, they can't force you to signup, duh

[theWalkingDuck]

I'm sure that they are going to remove those unique headers soon.
This is not something which can be solved on a browser level.
This goofy network is now a case for Firewalls.

[ghost]

Hi :)

mozilla-mobile/focus-android#1743

[ghost]

@grumpygeek Take a look at my comment, it's easy to understand.

mozilla-mobile/focus-android#1743 (comment)

[grumpygeek]

nope, that told me nothing. What I wanted to know was more like does Cloudfare just add a header without decrypting content. I know with email the body can be encrypted but the headers aren't. I don't know if I have any way to look at http or tcp/ip traffic. I had a similar question about the VPN I use sometimes but they did not answer. It seems like users aren't really supposed to know what goes on behind the curtain.

[ghost]

@grumpygeek

TLS connection(https://) encrypt "request header" and "body data".
TCP layer's base data, such as IP address and port number, is not encrypted.

https://stackoverflow.com/questions/187655/are-https-headers-encrypted

So they can't add any headers without decryption. It's technologically impossible.
Without decryption, Cloudflare can't read or modify the data.

similar question about the VPN I use sometimes but they did not answer

Interesting. What's your question, exactly? And who is "they"?

[earthlng]

We raised awareness a little bit but there's nothing more that we can do about it. Users can block CF with a Firewall or use the extension that blocks CF-protected sites based on the headers. This isn't the place to start an anti-CF revolution and thus I'm closing this.

[Atavic]

According to: https://trends.builtwith.com/ssl

1/10 in the Top 1 Million Sites uses Cloudflare:

Technology	Websites	%
Cloudflare SSL	108,881	10.89