Please don't use CloudFlare.

[ghost]

Your support helps Matrix to build the decentralised communciations
https://matrix.org/blog/home/

decentralised real-time communication
https://github.com/matrix-org

Cloudflare is a centralised surveilance point.
Cloudflare can read your message. This is a vulnerability.
Please don't use CloudFlare.

Your website's visitor(not me)'s toot: https://microblog.shivering-isles.com/@sheogorath/101650006550275644

---

Problem with CloudFlare
General problem with Cloudflare's MITM attack on the Internet
The Great Cloudwall

[ghost]

Yikes! That's really embarrassing. Matrix.org was presented at FOSDEM's decentralization track with decentralization at the heart of their purpose. Now to see they are centralized on CouldFlare is really despicable. Credibility and trust is hosed.

[aaronraimist]

@libBletchley Matrix IS decentralized. You don't have to use matrix.org or cloudflare in anyway, the whole point of Matrix is that you can spin up your own server.

[ara4n]

The only reason we use Cloudflare is because we were forced into it by a non-trivial DDoS a year ago, which obligated us to shield matrix.org's loadbalancer behind something much much bigger and beefier. Cloudflare (or an equivalent CDN like Cloudfront, which has all the same privacy problems as Cloudflare) is the only way to achieve that, short of investing a tonne in ops infrastructure and building our own mini-cloudflare. We simply don't have the $ to do that right now, so given a choice of cloudflare or being destroyed by DDoSes, I'll take cloudflare.

As @aaronraimist says: if you don't like cloudflare, run your own server and don't use matrix.org.

[ara4n]

p.s. a much better solution to this will be for us to turn off the matrix.org server (or at least disable signup, and encourage the paranoid to move off it) once we have decentralised accounts. and then nobody will care that it's having to hide behind CF!

[ghost]

@ara4n

I appreciate the explanation. It should first be clear that you only addressed the utilitarian angle. From a deontological standpoint it's absolute horse shit that the top adversary of decentralization and the social values associated is being patronized by a decentralization project. It would be ethically comparable to a humanitarian or civil liberties organization renting space in one of Trump's hotels to host a conference, or PETA holding a rodeo or bull fight as a fund raiser. Some decentralization proponents are not just in the movement for the functional utility of it -- we have ethical standards and we boycott CloudFlare.

As for the utilitarian points you mentioned, I struggle to believe that the Matrix project website could not function without CloudFlare. That's very far fetched. There are alternatives. Even another centralized alternative, any alternative, like netlify or perimeterX would be less controversial than CloudFlare. But why not use something that is compatible with the values of Matrix users, like DCDN?

[t3chguy]

I don't believe the website was the issue, but actually the matrix.org matrix homeserver got attacked

[wolfsprite]

Yeah, sad and very eye opening to see that Cloudflare is (& still) being used.

I agree that nobody has to use matrix.org and anyone can spin up their own server, but considering that the "Try it now" link and a lot of clients default to the matrix.org homeserver, the fact that matrix.org's homepage has the word "secure" front and center feels very disingenious. For one, Cloudflare has had known ties to government agencies for a while (anyone that does not believe this can merely read what the CEO has had to say about the idea for Cloudflare coming from US Homeland Security's interest in their predecessor, Project Honeypot.., and/or check his LinkedIn history).

But primarily, with Cloudflare every request made is tagged with a cf-ray id header. This makes all interactions, messages sent, messages seen, everything, trackable.

It is a shame that you trust them to sit as a MITM for the default homeserver. Unless there is a change, I consider this project to be yet another that is compromised.

[Mikaela]

Related: #1314 on how Cloudflare blocks clients such as Element Web and Nheko when you are using Tor, VPN or an unlucky IP range Cloudflare happens to dislike.

[artenax]

You are residents of civilized democracies, I understand your dislike of Cloudflare.

But not everyone has the same attitude. For example, we in Russia mostly respect Cloudflare.

• Cloudflare has not abandoned us, has not left the Russian market, leaving the possibility for people to access the Western internet, not just censorship. By the way, they also helped Ukraine.

• Their free WARP VPN allows us to bypass the blocking of foreign sites (like independent media) that our authoritarian government arranges

• Cloudflare recently enabled ECH (Encrypted Client Hello) on free plans, as a result the censorship agency is unable to determine which sites people visit on Cloudflare hosting and therefore unable to block such sites for now.

• Cloudflare protects many sites from DDos attacks, and very strong ones at that.

So Cloudflare is not only evil.