Bitcoin Forum
Author Topic: Moving to Cloudflare  (Read 12679 times)
theymos (Administrator, Legendary) | November 29, 2017, 08:07:39 PM | #1

With regret, I am (for now) admitting defeat on the DDoS front, and we will soon be using Cloudflare to protect against DDoS attacks. This change is in progress, and will take ~24 hours for everyone to see.

I really don't believe in willingly putting a man-in-the-middle in your HTTPS like this, but my homebrew DDoS mitigation has been one of my biggest time sinks for the last 6 months or so, and the necessary servers are still pretty expensive. If I had more manpower, then I would prioritize maintaining our own DDoS protection, but with me as the only sysadmin and current-software developer, it's become unsustainable.

I especially dislike Cloudflare, which I'm almost certain is basically owned by US intelligence agencies. I considered several alternatives to Cloudflare, but the smaller ones (e.g. Stackpath and OVH) didn't strike me as reputable/competent enough, and the enterprise-targeted ones like Incapsula and Akamai are around $3500/month. Even though $3500/month seems absolutely ridiculous to me, I was seriously considering Incapsula due to its pretty good reputation, but then they were having all sorts of technical issues while I was trying to set it up. So I gave up for now and went with Cloudflare.

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...

The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at. They can't access the database arbitrarily, though: they can only see data that passes over the Internet.

Tor users and benevolent-bot operators: please wait a couple of days for the current DDoS to subside, and then post your complaints here. I am able and willing to tune Cloudflare to be minimally annoying. Not every Cloudflare site has to do that "Using Tor? Here's an impossible captcha" thing.

Coin-Keeper (Hero Member) | November 29, 2017, 11:01:07 PM | Merited by vlom (1) | #2

Quote
The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at. They can't access the database arbitrarily, though: they can only see data that passes over the Internet.

The thought of willingly passing passwords in clear text is quite disturbing for a security-concerned member (me). I can counter the PM issue as I do elsewhere by using GPG'd PMs, which are encrypted and decrypted ONLY locally on this end as needed. At some sites I only respond to PMs where both sides have good OPSEC using GPG on messages. Is there any chance that bitcointalk could counter-assault this huge password weakness by allowing U2F keys for members? Even Cloudflare can't do shit about getting around an encrypted key from a member's U2F and the site server? I am not asking you to require U2F, just allow it for those that are security concerned. With the price of BTC and users that have been in the game for a while, the risks of doing stuff in "plain text" during logins is not Plan A by any means.

theymos (Administrator, Legendary) | November 29, 2017, 11:35:34 PM | #3

Quote
The thought of willingly passing passwords in clear text is quite disturbing for a security-concerned member (me). I can counter the PM issue as I do elsewhere by using GPG'd PMs, which are encrypted and decrypted ONLY locally on this end as needed. At some sites I only respond to PMs where both sides have good OPSEC using GPG on messages. Is there any chance that bitcointalk could counter-assault this huge password weakness by allowing U2F keys for members? Even Cloudflare can't do shit about getting around an encrypted key from a member's U2F and the site server? I am not asking you to require U2F, just allow it for those that are security concerned. With the price of BTC and users that have been in the game for a while, the risks of doing stuff in "plain text" during logins is not Plan A by any means.

What I meant is that Cloudflare can see your unencrypted password when you log in. It's still encrypted from the real server to Cloudflare and from Cloudflare to you. So it's not blatantly insecure except in that Cloudflare is very probably an NSA honeypot, and it's not like the NSA is going to steal your password in order to scam people on bitcointalk.org or anything. If you use PGP for important communications and use a unique password, then IMO this addresses the plausible attacks well enough.

The U2F thing is a good idea in principle, but I've long been uneasy about fiddling with the authentication. I don't want to make a mistake which breaks security.

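theymos's reply above spells out what the proxy sees: the password itself, because TLS ends at Cloudflare and restarts from there to the origin. Coin-Keeper's question is whether a U2F key changes that. The Go program below is an added example for this thread; it is not the forum's code and not a conforming U2F/WebAuthn implementation (no key handle, attestation or client-data format), only a model of the part that matters here. A proxy that records a password can log in again with it; a proxy that records a U2F-style assertion cannot, because the server consumes each challenge once, requires the device counter to move forward, and the signature is bound to the server's own origin. The origin string, the password and the keys are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Site is the forum side of the model: a password hash (plain SHA-256 here
// for brevity; a real site uses a slow KDF), the user's registered public
// key, the origin, outstanding one-time challenges and the last counter seen.
type Site struct {
	origin      string
	pwHash      [32]byte
	pubKey      *ecdsa.PublicKey
	outstanding map[string]bool
	lastCounter uint32
}

// Token models the user's U2F device; the private key never leaves it.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Assertion is all that crosses the wire for a U2F login, so it is all a
// TLS-terminating proxy gets to see.
type Assertion struct {
	Challenge string
	Counter   uint32
	Sig       []byte
}

func NewToken() *Token {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Token{priv: priv}
}

func NewSite(origin, password string, pub *ecdsa.PublicKey) *Site {
	return &Site{origin: origin, pwHash: sha256.Sum256([]byte(password)),
		pubKey: pub, outstanding: map[string]bool{}}
}

// PasswordLogin is the status quo: the secret itself is sent, so whoever can
// read the request can send it again later.
func (s *Site) PasswordLogin(password string) bool {
	h := sha256.Sum256([]byte(password))
	return subtle.ConstantTimeCompare(h[:], s.pwHash[:]) == 1
}

// Challenge issues a fresh random nonce and remembers it until it is used.
func (s *Site) Challenge() string {
	var b [32]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	c := fmt.Sprintf("%x", b)
	s.outstanding[c] = true
	return c
}

// signedData binds the origin the token believes it is talking to, the
// device counter and the server's challenge into one hash to sign.
func signedData(origin string, counter uint32, challenge string) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	binary.Write(h, binary.BigEndian, counter)
	h.Write([]byte(challenge))
	return h.Sum(nil)
}

func (t *Token) Sign(origin, challenge string) Assertion {
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, signedData(origin, t.counter, challenge))
	if err != nil {
		panic(err)
	}
	return Assertion{Challenge: challenge, Counter: t.counter, Sig: sig}
}

// Verify accepts an assertion once, only for a challenge this site issued,
// only with a counter that increased, and only if signed over this origin.
func (s *Site) Verify(a Assertion) error {
	if !s.outstanding[a.Challenge] {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.outstanding, a.Challenge)
	if a.Counter <= s.lastCounter {
		return errors.New("counter did not increase: replay or cloned token")
	}
	if !ecdsa.VerifyASN1(s.pubKey, signedData(s.origin, a.Counter, a.Challenge), a.Sig) {
		return errors.New("bad signature")
	}
	s.lastCounter = a.Counter
	return nil
}

// Replay plays the proxy: it records one login of each kind and resubmits
// what it saw. Returns whether each replay was accepted.
func Replay() (passwordReplayed, assertionReplayed bool) {
	tok := NewToken()
	site := NewSite("https://bitcointalk.org", "correct horse battery staple", &tok.priv.PublicKey)

	seenPassword := "correct horse battery staple" // captured in transit (constructed)
	site.PasswordLogin(seenPassword)               // the real login
	passwordReplayed = site.PasswordLogin(seenPassword)

	seenAssertion := tok.Sign(site.origin, site.Challenge()) // captured in transit
	site.Verify(seenAssertion)                                // the real login
	assertionReplayed = site.Verify(seenAssertion) == nil
	return
}

func main() {
	p, a := Replay()
	fmt.Printf("password replay accepted: %v, assertion replay accepted: %v\n", p, a)
}
```

The caveat the thread keeps circling: this protects the credential, not the session. After a successful assertion the server still issues a session cookie, and that cookie, every PM and every post travel through the same proxy, so a U2F login removes the password-replay risk but not the read-everything one theymos describes.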
Quickseller (Copper Member, Legendary) | November 30, 2017, 12:27:22 AM | #4

Quote
The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at.
Have you considered setting up a www2.bitcointalk.org subdomain for PMs? (That would operate outside of Cloudflare.)

If Cloudflare can read our plaintext password, does that mean someone from Google could impersonate us by entering our password, and read our PMs?

hilariousetc (Legendary) | November 30, 2017, 08:20:29 AM | #5

Have you thought about maybe creating your own DDoS protection service? From your concerns it seems like there'd be a gap in the market for a trusted product. I have no idea how much it would cost to create or run something like this, but I'm sure it would be a worthy project people could get behind, and it would make for a decent ICO. We could even use the money we get from any potential new donator ranks we implement to invest in it. Something to consider at least.

radeone (Full Member) | November 30, 2017, 09:52:35 AM | #6

I suppose it is a necessary evil.

vv181 (Sr. Member) | November 30, 2017, 10:58:16 AM | #7

Quote
The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...
https://gladius.io/ could be the solution. But the project is not yet finished, though.
Mitchell (Legendary) | November 30, 2017, 11:31:24 AM | #8

To be honest, I would rather have a forum with a lot of downtime because of a DDoS than hand over everything I do on Bitcointalk to Cloudflare/NSA. If we really have to go down this path, at least make it possible to bypass Cloudflare when logging in, updating your password and anything else that might be seen as sensitive data.

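Mitchell's request above, like Quickseller's www2 suggestion earlier, amounts to a hostname whose DNS record is not proxied. The check a practitioner would run before doing that: such a record publishes the origin's address, and the DDoS can then skip Cloudflare entirely unless the origin's firewall accepts traffic for the proxied site only from Cloudflare's own ranges. The Go program below is an added example, not the forum's tooling. It embeds a snapshot of Cloudflare's published IPv4 list (refresh it from https://www.cloudflare.com/ips-v4 before relying on it), offers the allow check the origin firewall would apply, and audits a constructed zone for records that bypass the proxy, flagging the ones that hand out the origin address. The hostnames and addresses in sampleZone are constructed for the demo (TEST-NET documentation ranges), not real records.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4),
// embedded so the audit runs offline. Refresh before relying on it.
var cloudflareV4 = []string{
	"173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
	"141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
	"197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
	"104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
}

var cfPrefixes = func() []netip.Prefix {
	ps := make([]netip.Prefix, 0, len(cloudflareV4))
	for _, s := range cloudflareV4 {
		ps = append(ps, netip.MustParsePrefix(s))
	}
	return ps
}()

// IsCloudflare reports whether an address is inside Cloudflare's ranges. The
// origin firewall should accept traffic for the proxied site only from these;
// any other client already knows the origin IP and is talking around the proxy.
func IsCloudflare(ip string) bool {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return false
	}
	for _, p := range cfPrefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// Finding is one DNS record that resolves outside the proxy. OriginLeak is set
// when it points at the protected origin itself, which is the address an
// attacker needs to DDoS directly.
type Finding struct {
	Host, IP   string
	OriginLeak bool
}

// Audit takes the origin's real addresses and a zone's A records and returns
// every record that resolves outside Cloudflare, sorted for stable output.
func Audit(originIPs []string, records map[string][]string) []Finding {
	origin := map[string]bool{}
	for _, ip := range originIPs {
		origin[ip] = true
	}
	var out []Finding
	for host, ips := range records {
		for _, ip := range ips {
			if !IsCloudflare(ip) {
				out = append(out, Finding{Host: host, IP: ip, OriginLeak: origin[ip]})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Host != out[j].Host {
			return out[i].Host < out[j].Host
		}
		return out[i].IP < out[j].IP
	})
	return out
}

// Constructed zone: the apex is proxied, a "www2" login host was placed outside
// the proxy (as proposed in the thread) and still points at the origin, and a
// forgotten mail host points at a different machine. TEST-NET addresses only.
var sampleOrigin = []string{"203.0.113.10"}
var sampleZone = map[string][]string{
	"bitcointalk.org":      {"104.16.8.1", "104.16.9.1"},
	"www2.bitcointalk.org": {"203.0.113.10"},
	"mail.bitcointalk.org": {"198.51.100.7"},
}

func main() {
	for _, f := range Audit(sampleOrigin, sampleZone) {
		fmt.Printf("%-22s %-15s origin leak: %v\n", f.Host, f.IP, f.OriginLeak)
	}
}
```

Run against a real zone, the useful output is the OriginLeak rows: each one is a hostname an attacker can resolve to reach the server that Cloudflare was supposed to hide. The www2 idea only works if that host lives on a separate machine, or if the origin drops every connection to the proxied site that IsCloudflare rejects.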
ibminer (Legendary) | November 30, 2017, 02:14:59 PM | #9

Quote
With regret, I am (for now) admitting defeat on the DDoS front, and we will soon be using Cloudflare to protect against DDoS attacks. This change is in progress, and will take ~24 hours for everyone to see.

I really don't believe in willingly putting a man-in-the-middle in your HTTPS like this, but my homebrew DDoS mitigation has been one of my biggest time sinks for the last 6 months or so, and the necessary servers are still pretty expensive. If I had more manpower, then I would prioritize maintaining our own DDoS protection, but with me as the only sysadmin and current-software developer, it's become unsustainable.

I especially dislike Cloudflare, which I'm almost certain is basically owned by US intelligence agencies. I considered several alternatives to Cloudflare, but the smaller ones (e.g. Stackpath and OVH) didn't strike me as reputable/competent enough, and the enterprise-targeted ones like Incapsula and Akamai are around $3500/month. Even though $3500/month seems absolutely ridiculous to me, I was seriously considering Incapsula due to its pretty good reputation, but then they were having all sorts of technical issues while I was trying to set it up. So I gave up for now and went with Cloudflare.

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...

The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at. They can't access the database arbitrarily, though: they can only see data that passes over the Internet.

Tor users and benevolent-bot operators: please wait a couple of days for the current DDoS to subside, and then post your complaints here. I am able and willing to tune Cloudflare to be minimally annoying. Not every Cloudflare site has to do that "Using Tor? Here's an impossible captcha" thing.

Interesting... nothing bad could happen here... Are the DDoSes using the search feature? What else could be disabled to mitigate? I can only imagine the types of attacks the site gets, but the decision seems quick and a bit extreme; haven't there been worse attacks? I honestly don't have anything to hide from the NSA, but I do value my privacy. And the general thought of the NSA collecting usernames/passwords of bitcointalk users is going to give me nightmares.

Jet Cash (Legendary) | November 30, 2017, 03:38:59 PM | #10

I suspect there may be many members like me who don't really care if their posts or messages are read. If I need to make some confidential arrangements with somebody, then I would do this away from the forum. My primary concern is the protection of my posting. You may not agree with my opinions and ideas, but at least they are mine, and I don't want anybody pretending to be me to post other information, or to perpetrate any fraud. Anything that helps to reduce spam and malicious attacks is good in my opinion.


Welsh (Staff, Legendary) | November 30, 2017, 04:44:35 PM | #11

Quote
I suspect there may be many members like me who don't really care if their posts or messages are read. If I need to make some confidential arrangements with somebody, then I would do this away from the forum. My primary concern is the protection of my posting. You may not agree with my opinions and ideas, but at least they are mine, and I don't want anybody pretending to be me to post other information, or to perpetrate any fraud. Anything that helps to reduce spam and malicious attacks is good in my opinion.
Everyone should be concerned about privacy, especially storing things in plain text. Compromises have to be made, though, to assure the stability of the server. It's sad that this protection is also under a monopoly and really only one company can protect against it or has the resources to. Nothing has changed in terms of personal messages, though, as any sensitive messages should have already been encrypted.

Jet Cash (Legendary) | November 30, 2017, 05:25:14 PM | #12

There are two aspects to privacy. Reading other people's communications, and watching their actions. I'm now old enough to be boring, so I'm not too worried about this. I believe that it is better to use "the system" legally, rather than try to fight it, so I suspect that the government and its controlling superiors are well aware of my actions. The other aspect is identity theft, and this is where we need to take precautions, and be aware of potential problems.


achow101 (Staff, Legendary) | November 30, 2017, 07:00:40 PM | #13

The current Cloudflare solution appears to be blocking bots.

I run two bots that crawl the site periodically, the one for bctalkaccountpricer.info and another one for ACE. Both of these have been blocked from accessing the forum.

ibminer (Legendary) | November 30, 2017, 07:14:45 PM | #14

Quote
So it's not blatantly insecure except in that Cloudflare is very probably an NSA honeypot, and it's not like the NSA is going to steal your password in order to scam people on bitcointalk.org or anything.

If a secret service agent is willing to break the law to get bitcoins, why wouldn't an NSA agent? And why is it they can only read... couldn't traffic be altered?

The recent data leak is also not comforting: https://techcrunch.com/2017/02/23/major-cloudflare-bug-leaked-sensitive-data-from-customers-websites/

Quote
The current Cloudflare solution appears to be blocking bots.

I run two bots that crawl the site periodically, the one for bctalkaccountpricer.info and another one for ACE. Both of these have been blocked from accessing the forum.

Not sure if this is related or not?

Quote
--snip--
Tor users and benevolent-bot operators: please wait a couple of days for the current DDoS to subside, and then post your complaints here. I am able and willing to tune Cloudflare to be minimally annoying. Not every Cloudflare site has to do that "Using Tor? Here's an impossible captcha" thing.

Jet Cash (Legendary) | November 30, 2017, 07:35:41 PM | #15

Is this active at the moment? I'm getting server 500 errors. It's not really a problem because a reload seems to clear it.


InvoKing (Legendary) | November 30, 2017, 08:53:54 PM | #16

Quote
Is this active at the moment? I'm getting server 500 errors. It's not really a problem because a reload seems to clear it.

I have the same error frequently, but since it gets resolved rapidly when reloading, it is relatively tolerable.
BTW, couldn't it be the NSA conducting the DDoS attacks? And what's the point of DDoSing the forums?
Downtime isn't a good thing for sure, but hilariousetc's idea is good if feasible.

 
Jet Cash (Legendary) | November 30, 2017, 09:02:55 PM | #17

It's probably some guy who got the hump because he was banned.


FFrankie (Hero Member) | December 01, 2017, 12:26:59 AM | #18

Sounds like you just sold the site to the NSA.

I agree with Mitchell. I would rather have downtime than be a sell-out.
minifrij (Legendary) | December 01, 2017, 09:16:22 AM | #19

Quote
The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at.
If this is the case, I think that now would be a good time to implement this plugin or something similar to keep accounts secure, should another Cloudbleed happen. It's well overdue regardless.

Quote
Have you thought about maybe creating your own ddos protection service as from your concerns it seems like there'd be a gap in the market for a trusted product? ... Could even use the money we get from any potential new donator ranks we implement to invest in it. Something to consider at least.
This is something that I would happily support with my BTC. Please consider this, theymos.
hilariousetc (Legendary) | December 01, 2017, 11:21:02 AM | #20

Quote
Have you thought about maybe creating your own ddos protection service as from your concerns it seems like there'd be a gap in the market for a trusted product? ... Could even use the money we get from any potential new donator ranks we implement to invest in it. Something to consider at least.
This is something that I would happily support with my BTC. Please consider this, theymos.

Same, as I'm sure many others would also. Most ICOs are just hollow get-rich-quick schemes run by greedy scammers, but I'd happily support one for a valuable service created by reputable people, and it could actually be one that makes a lot of money as a business, which we could give back to investors as dividends. Maybe bitcointalk could create its own coin and give that out for promoting the ICO and as bonuses for helping out the forum as well.
