Since I am too lazy to set up my own SSL and use CloudFlare instead, notifications in Toot! are now down AGAIN, because CloudFlare is down. Joy.
@tootapp please be aware that in this case you are transferring user data over the internet in plaintext. (Between your back end and Cloudflare)
There are many reasons to use Cloudflare, but this isn't a good one :/
That's not the point I made. Setups with Cloudflare can be secure (considering trusting Cloudflare as a third party is fine, which you might debate, but that's another problem).
But running Cloudflare in the default mode for Universal TLS, called "Flexible", is a problem, because the backend connection isn't encrypted at all, while users still see a shiny and well-configured HTTPS connection in their browser. I recommend using either "Full" or "Full (Strict)" for this case.
Agreed, and you consider that a problem, but it's a different one. Because you at least have a contract with Cloudflare and legal bindings. That's different from any random internet stranger between your backend server and Cloudflare's backend server being able to see what people get as notifications.
Trusting Cloudflare or not is a completely different problem that, at the end of the day, is something people have to decide for themselves.
@sheogorath I’m not, web push payloads are already end-to-end encrypted. It’s just the library Mastodon uses refuses to connect to non-https endpoints.
@tootapp cloudflare = cloud is on fire = their name is more apt than ever