We need your support!
We need to grow our donations or consider cutting costs (like sunsetting non-essential services) to remain sustainable.
Besides Pixelfed, we also run https://fedidb.org, https://fediverse.info and https://activitypub.network
Donations can be made via:
Liberapay - https://liberapay.com/pixelfed
Open Collective - https://opencollective.com/pixelfed
Patreon - https://patreon.com/dansup
Spread the word! #pixelfed
@pixelfed You are producing 3 of 4 centralized privacy-abusing #Cloudflare sites that you market as “#Privacy & safety built-in” while claiming to hold decentralization in high esteem. You conceal from your users the fact that you’ve allowed Cloudflare to see the traffic of your users surreptitiously... and then you ask for donations? The only thing needed here is a bounty to be CF-free.
@oceane @pixelfed @aktivismoEstasMiaLuo @dev_m I don't know enough about CF to have a strong opinion either way on it, but I figure the sites should at least be transparent about "this site uses CF" and letting users make up their mind from there.
@emurphy @oceane @pixelfed @aktivismoEstasMiaLuo @dev_m what does CF take? I thought they were privacy oriented? 1.1.1.1 and Apple’s support?
@mcspadden @dev_m @pixelfed @oceane @emurphy #Cloudflare falsely markets itself as privacy-respecting on the basis of hiding the identity of their customers. So say you want to set up a website that peddles Proud Boys bigotry/propaganda. CF will ensure that no one knows who runs that website. That’s the only privacy that CF gives & it comes at the cost of everyone else’s privacy because CF sees all your traffic despite SSL.
@emurphy @oceane @pixelfed @dev_m @mcspadden So when someone logs into #Pixelfed, #Cloudflare sees their username, password & all traffic on that site. CF holds the keys so that’s where the tunnel ends. CF users (e.g. Pixelfed) do not warn users of this. So suppose a user is sloppy & reuses the same pw on many websites. CF sees the pw & from that would even be able to compromise that user on non-CF sites.
@aktivismoEstasMiaLuo @emurphy @oceane @pixelfed @dev_m so you’re saying CF breaks SSL for all the sites hosted there? Or if your DNS is managed there?
@mcspadden @dev_m @pixelfed @oceane @emurphy “Breaks” is a bit vague, but CF renders SSL useless w.r.t. CF itself. When you access Pixelfed, you see a padlock & that misleads users to believe their connection is secure all the way to pixelfed assets. The traffic is protected from you to Cloudflare’s servers, CF sees everything, and your packet doesn’t even reach Pixelfed because CF treats your request for them.
@emurphy @oceane @pixelfed @dev_m @mcspadden SSL still protects traffic between you and CF, so e.g. your isp still can’t see the payloads. The padlock is seriously misleading because users think it protects them all the way to the site’s origin. I tried to motivate browser devs to change the padlock to a clown head in situations where the tunnel terminates at Cloudflare (clownflare), but they’re not having it.
@aktivismoEstasMiaLuo @emurphy @oceane @pixelfed @dev_m how do you know PixelFed doesn’t encrypt to the origin server? And does a lock icon matter when they are using Chrome to navigate to it anyways? Imo that’s a bigger problem
@mcspadden @dev_m @pixelfed @oceane @emurphy The comms between CF and the origin are often encrypted, but that’s a separate tunnel. CF decrypts everything that reaches it (from visitors and from the origin).
@aktivismoEstasMiaLuo @dev_m @pixelfed @oceane @emurphy want to know more about this, links? Highly regulated industries use CF as a pass through expecting no data to be accessed/stored and if CF does, they need contracts in place (BAA, etc.)
@mcspadden @emurphy @oceane @pixelfed @dev_m I suggest this article which is well cited: https://git.kescher.at/dCF/deCloudflare/src/branch/master/subfiles/rapsheet.cloudflare.md The 2nd link in that article goes to a relatively popular explanation of the MitM.
@mcspadden @dev_m @pixelfed @oceane @emurphy It’s perverse that #Cloudflare has convinced some people that they are somehow conducive to privacy. The default CF configuration blocks Tor users. And because CF has grown to ~20%+ of the web, people are walking away from Tor. CF has effectively ruined one of the best tools for privacy.
@aktivismoEstasMiaLuo @dev_m @pixelfed @oceane @emurphy isn’t that the basis of the internet? Mastodon does basically the same with Gab no?