Since I am too lazy to set up my own SSL and use CloudFlare instead, notifications in Toot! are now down AGAIN, because CloudFlare is down. Joy.

@tootapp please be aware that in this case you are transferring user data over the internet in plaintext (between your back end and Cloudflare).

There are many reasons to use Cloudflare, but this isn't a good one :/

@sheogorath @tootapp Indeed. You should never trust CloudFlare. If you need me to help with traffic, I can help you. Please PM me and we can work it out.


That's not the point I made. Setups with Cloudflare can be secure (assuming that trusting Cloudflare as a third party is fine, which you might debate, but that's another problem).

But running Cloudflare in the default mode for Universal TLS, called "Flexible", is a problem, because the backend connection isn't encrypted at all, while users still see a shiny and well-configured HTTPS connection in their browser. I recommend using either "Full" or "Full (Strict)" for this case.
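To make the Flexible-mode problem concrete from the origin's side, here is an added example (not code from the thread, Toot!, Mastodon or Cloudflare): a small WSGI middleware that compares the scheme the origin actually accepted the connection on (`wsgi.url_scheme`) with what the edge claims in the `X-Forwarded-Proto` and `CF-Visitor` headers Cloudflare sends to the origin. In Flexible mode the edge says "https" while the origin hop is plain HTTP; a strict origin can detect that mismatch and refuse to serve until the edge-to-origin hop is TLS as well (i.e. Full or Full (Strict)). The application, paths and environ dicts are constructed for the demonstration.

```python
"""Origin-side guard against the Cloudflare "Flexible" TLS pattern.

Added example. With Flexible mode the edge terminates TLS for the browser
but talks to the origin over plain HTTP, so the origin sees
wsgi.url_scheme == "http" while the edge-supplied headers
(X-Forwarded-Proto, CF-Visitor) claim "https". This middleware refuses such
requests so the plaintext hop cannot go unnoticed.
"""
import json
import logging
from typing import Callable, Iterable

log = logging.getLogger("tls_guard")


def edge_claims_https(environ: dict) -> bool:
    """True if the proxy in front of us says the visitor used HTTPS."""
    if environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https":
        return True
    try:  # CF-Visitor carries JSON such as {"scheme":"https"}
        visitor = json.loads(environ.get("HTTP_CF_VISITOR", "{}"))
    except json.JSONDecodeError:
        return False
    return isinstance(visitor, dict) and visitor.get("scheme") == "https"


def transport_is_tls(environ: dict) -> bool:
    """The scheme the WSGI server itself accepted the connection on."""
    return environ.get("wsgi.url_scheme", "http").lower() == "https"


def classify(environ: dict) -> str:
    """'ok' = TLS reached the origin; 'flexible' = edge says https but the
    origin hop is plaintext (the Flexible pattern); 'plaintext' = no TLS at all."""
    if transport_is_tls(environ):
        return "ok"
    if edge_claims_https(environ):
        return "flexible"
    return "plaintext"


class RequireOriginTLS:
    """WSGI middleware: refuse any request that did not reach us over TLS."""

    def __init__(self, app: Callable):
        self.app = app

    def __call__(self, environ, start_response) -> Iterable[bytes]:
        verdict = classify(environ)
        if verdict != "ok":
            log.warning("refusing %s request to %s (edge claims https: %s)",
                        verdict, environ.get("PATH_INFO", "/"),
                        edge_claims_https(environ))
            body = b"origin requires TLS (edge-to-origin hop is plaintext)\n"
            start_response("426 Upgrade Required",
                           [("Content-Type", "text/plain"),
                            ("Upgrade", "TLS/1.2, HTTP/1.1"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def _hello(environ, start_response):
    """Stand-in for the real application (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"notifications endpoint\n"]


app = RequireOriginTLS(_hello)

# Constructed WSGI environs standing in for three deployment situations.
FLEXIBLE_ENV = {  # edge terminated TLS, origin hop is plaintext
    "wsgi.url_scheme": "http", "PATH_INFO": "/api/v1/push/subscription",
    "HTTP_X_FORWARDED_PROTO": "https", "HTTP_CF_VISITOR": '{"scheme":"https"}',
}
STRICT_ENV = {  # Full (Strict): the origin itself accepted a TLS connection
    "wsgi.url_scheme": "https", "PATH_INFO": "/api/v1/push/subscription",
    "HTTP_X_FORWARDED_PROTO": "https", "HTTP_CF_VISITOR": '{"scheme":"https"}',
}
DIRECT_HTTP_ENV = {"wsgi.url_scheme": "http", "PATH_INFO": "/"}


def run(environ: dict):
    """Invoke the wrapped app and return (status, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    for name, env in [("flexible", FLEXIBLE_ENV), ("strict", STRICT_ENV),
                      ("direct", DIRECT_HTTP_ENV)]:
        print(name, classify(env), run(env)[0])
```

The check only works where TLS really terminates: if a local reverse proxy in front of the WSGI server strips TLS, `wsgi.url_scheme` will be `http` for every request and the guard has to live in that proxy instead (or trust a header that only the local proxy can set). Refusing with 426 rather than silently serving is deliberate: the whole point of the Flexible problem is that the browser's padlock hides the plaintext hop, so the origin should fail loudly.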


@sheogorath @tootapp That doesn't really solve the problem. CloudFlare is still MITMing your connection regardless. But instead of blindly trusting your server's certificate, it will check it.

Users' data is still vulnerable. Completely unacceptable.


Agreed, and you consider that a problem, but it's a different one, because you at least have a contract with Cloudflare and legal bindings. That's different from any random internet stranger between your backend server and Cloudflare's backend server being able to see what people get as notifications.

Trusting Cloudflare or not is a completely different problem that, at the end of the day, is something people have to decide for themselves.


@sheogorath I'm not; web push payloads are already end-to-end encrypted. It's just that the library Mastodon uses refuses to connect to non-HTTPS endpoints.

@tootapp @sheogorath hmm… and is this really the only data that runs over it? Do web push notifications carry some metadata, e.g.?

@tootapp cloudflare = cloud is on fire = their name is more apt than ever :oh_no: :oh_no_bubble:
