Bitcoin Forum
Author Topic: Moving to Cloudflare  (Read 13578 times)
theymos (OP)
Administrator, Legendary (Activity: 5180, Merit: 12900)
November 29, 2017, 08:07:39 PM  #1

With regret, I am (for now) admitting defeat on the DDoS front, and we will soon be using Cloudflare to protect against DDoS attacks. This change is in progress, and will take ~24 hours for everyone to see.

I really don't believe in willingly putting a man-in-the-middle in your HTTPS like this, but my homebrew DDoS mitigation has been one of my biggest time sinks for the last 6 months or so, and the necessary servers are still pretty expensive. If I had more manpower, then I would prioritize maintaining our own DDoS protection, but with me as the only sysadmin and current-software developer, it's become unsustainable.

I especially dislike Cloudflare, which I'm almost certain is basically owned by US intelligence agencies. I considered several alternatives to Cloudflare, but the smaller ones (e.g. Stackpath and OVH) didn't strike me as reputable/competent enough, and the enterprise-targeted ones like Incapsula and Akamai are around $3500/month. Even though $3500/month seems absolutely ridiculous to me, I was seriously considering Incapsula due to its pretty good reputation, but then they were having all sorts of technical issues while I was trying to set it up. So I gave up for now and went with Cloudflare.

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...

The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at. They can't access the database arbitrarily, though: they can only see data that passes over the Internet.

Tor users and benevolent-bot operators: please wait a couple of days for the current DDoS to subside, and then post your complaints here. I am able and willing to tune Cloudflare to be minimally annoying. Not every Cloudflare site has to do that "Using Tor? Here's an impossible captcha" thing.

Coin-Keeper
Hero Member (Activity: 758, Merit: 606)
November 29, 2017, 11:01:07 PM  #2
Merited by vlom (1)

Quote from: theymos on November 29, 2017, 08:07:39 PM
The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at. They can't access the database arbitrarily, though: they can only see data that passes over the Internet.

The thought of willingly passing passwords in clear text is quite disturbing for a security-concerned member (me). I can counter the PM issue as I do elsewhere by using GPG'd PMs, which are encrypted and decrypted ONLY locally on this end as needed. At some sites I only respond to PMs where both sides have good OPSEC using GPG on messages. Is there any chance that bitcointalk could counter-assault this huge password weakness by allowing U2F keys for members? Even Cloudflare can't do shit about getting around an encrypted key from a member's U2F and the site server? I am not asking you to require U2F, just allow it for those that are security-concerned. With the price of BTC and users that have been in the game for a while, the risks of doing stuff in "plain text" during logins is not Plan A by any means.

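
The U2F idea in the post above, as an added example (not code from the thread, from the forum's SMF software, or from any real U2F library): a Go model of origin-bound, challenge-bound, counter-protected assertions. It assumes a hypothetical relying-party origin `https://bitcointalk.org`, a single registered P-256 key, an in-memory challenge store and a simplified signed-data layout; it is not the U2F wire format or the browser API. The point it makes is what an operator who can read every request, the situation the OP describes, actually gets from watching a login: an assertion that cannot be replayed, cannot be moved onto a fresh challenge, and does not help a cloned key whose counter has fallen behind.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// forumOrigin is a hypothetical relying-party origin, assumed for this example.
const forumOrigin = "https://bitcointalk.org"

// Authenticator stands in for the user's U2F key: the private key never leaves it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Assertion is what crosses the wire, and therefore what a TLS-terminating proxy can capture.
type Assertion struct {
	Challenge []byte
	Counter   uint32
	Sig       []byte // ASN.1 DER ECDSA-P256 signature
}

// signedData mirrors the layout of U2F's signed payload, SHA256(appId) || counter || SHA256(clientData),
// with clientData reduced to the challenge. The server hashes in its own origin, so an assertion the
// key produced for another site never verifies here.
func signedData(origin string, counter uint32, challenge []byte) []byte {
	app, client := sha256.Sum256([]byte(origin)), sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	d := sha256.Sum256(append(append(append(make([]byte, 0, 68), app[:]...), ctr[:]...), client[:]...))
	return d[:]
}

// Sign models the user touching the key during a login on origin (the browser supplies the origin).
func (a *Authenticator) Sign(origin string, challenge []byte) (Assertion, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, a.counter, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Challenge: challenge, Counter: a.counter, Sig: sig}, nil
}

var (
	ErrUnknownChallenge = errors.New("challenge not outstanding: replayed or never issued")
	ErrBadSignature     = errors.New("signature does not verify for this origin under the registered key")
	ErrCounter          = errors.New("counter did not advance: replayed or cloned key")
)

// RelyingParty is the forum side: registered public key, last counter seen, one-time challenges issued.
type RelyingParty struct {
	pub         *ecdsa.PublicKey
	lastCounter uint32
	outstanding map[string]bool
}

func NewRelyingParty(registered *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{pub: registered, outstanding: map[string]bool{}}
}

// Challenge issues 32 random bytes that are good for exactly one assertion.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.outstanding[fmt.Sprintf("%x", c)] = true
	return c, nil
}

// Verify is the server-side check: a replayed assertion fails the first case, a spliced or
// foreign-origin one the second, a cloned key with a stale counter the third.
func (rp *RelyingParty) Verify(as Assertion) error {
	key := fmt.Sprintf("%x", as.Challenge)
	switch {
	case !rp.outstanding[key]:
		return ErrUnknownChallenge
	case !ecdsa.VerifyASN1(rp.pub, signedData(forumOrigin, as.Counter, as.Challenge), as.Sig):
		return ErrBadSignature
	case as.Counter <= rp.lastCounter:
		return ErrCounter
	}
	delete(rp.outstanding, key) // single use
	rp.lastCounter = as.Counter
	return nil
}

func main() {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	auth, rp := &Authenticator{priv: k}, NewRelyingParty(&k.PublicKey)
	c, _ := rp.Challenge()
	as, _ := auth.Sign(forumOrigin, c)
	fmt.Println("genuine login:", rp.Verify(as))
	fmt.Println("proxy replays the captured assertion:", rp.Verify(as))
	c2, _ := rp.Challenge()
	spliced := as
	spliced.Challenge = c2
	fmt.Println("captured signature on a fresh challenge:", rp.Verify(spliced))
}
```

Two caveats follow from the thread rather than from the code. U2F as a second factor does nothing about the password itself, which the proxy still sees in cleartext, and the session cookie the server issues after a successful assertion also crosses the proxy, so this protects the credential, not the session.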
theymos (OP)
Administrator, Legendary (Activity: 5180, Merit: 12900)
November 29, 2017, 11:35:34 PM  #3
Merited by LoyceV (2), BlackHatCoiner (1)

Quote from: Coin-Keeper on November 29, 2017, 11:01:07 PM
--snip--
Is there any chance that bitcointalk could counter assault this huge password weakness by allowing U2F keys for members?
--snip--

What I meant is that Cloudflare can see your unencrypted password when you log in. It's still encrypted from the real server to Cloudflare and from Cloudflare to you. So it's not blatantly insecure except in that Cloudflare is very probably an NSA honeypot, and it's not like the NSA is going to steal your password in order to scam people on bitcointalk.org or anything. If you use PGP for important communications and use a unique password, then IMO this addresses the plausible attacks well enough.

The U2F thing is a good idea in principle, but I've long been uneasy about fiddling with the authentication. I don't want to make a mistake which breaks security.

Quickseller
Copper Member, Legendary (Activity: 2870, Merit: 2298)
November 30, 2017, 12:27:22 AM  #4

Quote from: theymos on November 29, 2017, 08:07:39 PM
The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at.
Have you considered setting up a www2.bitcointalk.org subdomain for PMs? (That would operate outside of Cloudflare.)

If Cloudflare can read our plaintext password, does that mean someone from Google could impersonate us by entering our password, and read our PMs?
hilariousetc
Legendary (Activity: 2772, Merit: 3029)
November 30, 2017, 08:20:29 AM  #5

Have you thought about maybe creating your own DDoS protection service? From your concerns it seems like there'd be a gap in the market for a trusted product. I have no idea how much it would cost to create or run something like this, but I'm sure it would be a worthy project people could get behind, and it would make for a decent ICO. We could even use the money we get from any potential new donator ranks we implement to invest in it. Something to consider at least.

radeone
Full Member (Activity: 169, Merit: 100)
November 30, 2017, 09:52:35 AM  #6

I suppose it is a necessary evil.

vv181
Legendary (Activity: 1932, Merit: 1273)
November 30, 2017, 10:58:16 AM  #7

Quote from: theymos on November 29, 2017, 08:07:39 PM
The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...
https://gladius.io/ could be the solution, but the project is not finished yet.
Mitchell
Copper Member, Legendary (Activity: 3906, Merit: 2197)
November 30, 2017, 11:31:24 AM  #8

To be honest, I'd rather have a forum with a lot of downtime because of a DDoS than hand over everything I do on Bitcointalk to Cloudflare/NSA. If we really have to go down this path, at least make it possible to bypass Cloudflare when logging in, updating your password and anything else that might be seen as sensitive data.

ibminer
Legendary (Activity: 1814, Merit: 2727)
November 30, 2017, 02:14:59 PM  #9

Quote from: theymos on November 29, 2017, 08:07:39 PM
--snip--

Interesting.... nothing bad could happen here.... Are the DDoSes using the search feature? What else could be disabled to mitigate? I can only imagine the types of attacks the site gets, but the decision seems quick and a bit extreme; haven't there been worse attacks? I honestly don't have anything to hide from the NSA, but I do value my privacy. And the general thought of the NSA collecting usernames/passwords of bitcointalk users is going to give me nightmares.

Jet Cash
Legendary (Activity: 2702, Merit: 2449)
November 30, 2017, 03:38:59 PM  #10

I suspect there may be many members like me who don't really care if their posts or messages are read. If I need to make some confidential arrangements with somebody, then I would do this away from the forum. My primary concern is the protection of my posting. You may not agree with my opinions and ideas, but at least they are mine, and I don't want anybody pretending to be me to post other information, or to perpetrate any fraud. Anything that helps to reduce spam and malicious attacks is good in my opinion.

Welsh
Staff, Legendary (Activity: 3248, Merit: 4110)
November 30, 2017, 04:44:35 PM  #11

Quote from: Jet Cash on November 30, 2017, 03:38:59 PM
--snip--
Everyone should be concerned about privacy, especially storing things in plain text. Compromises have to be made, though, to assure the stability of the server. It's sad that this protection is also under a monopoly, and really only one company can protect against it or has the resources to. Nothing has changed in terms of personal messages, though, as any sensitive messages should have already been encrypted.
Jet Cash
Legendary (Activity: 2702, Merit: 2449)
November 30, 2017, 05:25:14 PM  #12

There are two aspects to privacy. Reading other people's communications, and watching their actions. I'm now old enough to be boring, so I'm not too worried about this. I believe that it is better to use "the system" legally, rather than try to fight it, so I suspect that the government and its controlling superiors are well aware of my actions. The other aspect is identity theft, and this is where we need to take precautions, and be aware of potential problems.

achow101
Staff, Legendary (Activity: 3374, Merit: 6535)
November 30, 2017, 07:00:40 PM  #13

The current Cloudflare solution appears to be blocking bots.

I run two bots that crawl the site periodically, the one for bctalkaccountpricer.info and another one for ACE. Both of these have been blocked from accessing the forum.

ibminer
Legendary (Activity: 1814, Merit: 2727)
November 30, 2017, 07:14:45 PM  #14

Quote from: theymos on November 29, 2017, 11:35:34 PM
So it's not blatantly insecure except in that Cloudflare is very probably an NSA honeypot, and it's not like the NSA is going to steal your password in order to scam people on bitcointalk.org or anything.

If a secret service agent is willing to break the law to get bitcoins, why wouldn't an NSA agent?  And why is it they can only read... couldn't traffic be altered?

The recent data leak is also not comforting: https://techcrunch.com/2017/02/23/major-cloudflare-bug-leaked-sensitive-data-from-customers-websites/

Quote from: achow101 on November 30, 2017, 07:00:40 PM
The current Cloudflare solution appears to be blocking bots.

I run two bots that crawl the site periodically, the one for bctalkaccountpricer.info and another one for ACE. Both of these have been blocked from accessing the forum.

Not sure if this is related or not?

Quote from: theymos on November 29, 2017, 08:07:39 PM
--snip--
Tor users and benevolent-bot operators: please wait a couple of days for the current DDoS to subside, and then post your complaints here. I am able and willing to tune Cloudflare to be minimally annoying. Not every Cloudflare site has to do that "Using Tor? Here's an impossible captcha" thing.
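
An added example, not code from the thread or from the forum, for three points made above: theymos' statement that traffic is encrypted from you to Cloudflare and from Cloudflare to the origin but readable in between (#1, #3), Coin-Keeper's GPG'd-PM answer to that (#2), and ibminer's question whether traffic could be altered rather than just read (#14). It is a Go model with assumed form field names (`user`, `passwrd`, `pm`), a recipient X25519 key exchanged out of band, and a simplified SHA-256 key derivation; the sealing construction is an ECIES-style illustration in the standard library, not GPG.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Assumed for this example: form fields "user", "passwrd" and "pm", and a recipient X25519 key
// exchanged out of band (the role GPG keys play in the thread). The KDF is a plain SHA-256 over
// the ECDH transcript to stay stdlib-only; use HKDF, or simply OpenPGP, in practice.

var ErrCorrupt = errors.New("sealed PM is malformed, altered in transit, or not for this key")

func deriveKey(shared, ephPub, recipPub []byte) []byte {
	k := sha256.Sum256(append(append(append([]byte("example-pm-v1"), shared...), ephPub...), recipPub...))
	return k[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// SealPM runs on the sender's machine: ephemeral X25519 against the recipient's static key, then
// AES-256-GCM. Output is base64(ephemeralPub || nonce || ciphertext+tag); the ephemeral key is also
// bound as associated data so it cannot be swapped without detection.
func SealPM(recipient *ecdh.PublicKey, plaintext []byte) (string, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return "", err }
	shared, err := eph.ECDH(recipient)
	if err != nil { return "", err }
	ephPub := eph.PublicKey().Bytes()
	aead, err := newGCM(deriveKey(shared, ephPub, recipient.Bytes()))
	if err != nil { return "", err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	blob := append(append(append([]byte{}, ephPub...), nonce...), aead.Seal(nil, nonce, plaintext, ephPub)...)
	return base64.StdEncoding.EncodeToString(blob), nil
}

// OpenPM runs only on the recipient's machine, with the static private key.
func OpenPM(recipient *ecdh.PrivateKey, sealed string) ([]byte, error) {
	blob, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil || len(blob) < 32+12+16 { return nil, ErrCorrupt } // pubkey + GCM nonce + GCM tag
	ephPub := blob[:32]
	remote, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil { return nil, ErrCorrupt }
	shared, err := recipient.ECDH(remote)
	if err != nil { return nil, ErrCorrupt }
	aead, err := newGCM(deriveKey(shared, ephPub, recipient.PublicKey().Bytes()))
	if err != nil { return nil, err }
	pt, err := aead.Open(nil, blob[32:44], blob[44:], ephPub)
	if err != nil { return nil, ErrCorrupt }
	return pt, nil
}

// BuildLoginForm is the browser side: the password goes in as the forum expects, the PM body either
// as typed or sealed when endToEnd is set. The encoded body is exactly what a TLS-terminating CDN
// reads after decrypting the client's session and before re-encrypting towards the origin.
func BuildLoginForm(user, password, pm string, recipient *ecdh.PublicKey, endToEnd bool) (string, error) {
	v := url.Values{"user": {user}, "passwrd": {password}, "pm": {pm}}
	if endToEnd {
		sealed, err := SealPM(recipient, []byte(pm))
		if err != nil { return "", err }
		v.Set("pm", sealed)
	}
	return v.Encode(), nil
}

// Tamper flips one bit of a sealed blob, modelling a proxy that alters rather than just reads.
func Tamper(sealed string) string {
	blob, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil || len(blob) == 0 { return sealed }
	blob[len(blob)-1] ^= 0x01
	return base64.StdEncoding.EncodeToString(blob)
}

func main() {
	recip, _ := ecdh.X25519().GenerateKey(rand.Reader)
	for _, e2e := range []bool{false, true} {
		body, _ := BuildLoginForm("alice", "correct-horse", "meet at 3, bring the keys", recip.PublicKey(), e2e)
		seen, _ := url.ParseQuery(body) // the CDN's view of the decrypted request body
		fmt.Printf("e2e=%-5v proxy sees passwrd=%q pm=%q\n", e2e, seen.Get("passwrd"), seen.Get("pm"))
		if e2e {
			pt, err := OpenPM(recip, seen.Get("pm"))
			fmt.Printf("recipient opens: %q err=%v\n", pt, err)
			_, err = OpenPM(recip, Tamper(seen.Get("pm")))
			fmt.Println("after tampering:", err)
		}
	}
}
```

The proxy's view shows the password in both runs and the PM body only in the first; that is the split theymos recommends, a unique password for what the proxy must see and PGP for what it need not. The AEAD tag turns "could traffic be altered?" into a detected failure for the sealed field, and for nothing else on the form: the password and every unsealed field can still be read or rewritten by whoever terminates TLS.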

Jet Cash
Legendary (Activity: 2702, Merit: 2449)
November 30, 2017, 07:35:41 PM  #15

Is this active at the moment? I'm getting server 500 errors. It's not really a problem, because a reload seems to clear it.

InvoKing
Legendary (Activity: 2142, Merit: 1065)
November 30, 2017, 08:53:54 PM  #16

Quote from: Jet Cash on November 30, 2017, 07:35:41 PM
Is this active at the moment? I'm getting server 500 errors. It's not really a problem, because a reload seems to clear it.

I have the same error frequently, but since it gets resolved rapidly when reloading, well, it is relatively tolerable.
BTW, couldn't it be the NSA conducting the DDoS attacks? And what's the point of DDoSing the forums?
Downtime isn't a good thing for sure, but the idea of hilarious is good if feasible.

Jet Cash
Legendary (Activity: 2702, Merit: 2449)
November 30, 2017, 09:02:55 PM  #17

It's probably some guy who got the hump because he was banned.

FFrankie
Hero Member (Activity: 2254, Merit: 960)
December 01, 2017, 12:26:59 AM  #18

Sounds like you just sold the site to the NSA.

I agree with Mitchell; I would rather have downtime than be a sellout.
minifrij
Legendary (Activity: 2324, Merit: 1267)
December 01, 2017, 09:16:22 AM  #19

Quote from: theymos on November 29, 2017, 08:07:39 PM
The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at.
If this is the case, I think that now would be a good time to implement this plugin or something similar to keep accounts secure, should another Cloudbleed happen. It's well overdue regardless.

Quote from: hilariousetc on November 30, 2017, 08:20:29 AM
Have you thought about maybe creating your own ddos protection service as from your concerns it seems like there'd be a gap in the market for a trusted product? ... Could even use the money we get from any potential new donator ranks we implement to invest in it. Something to consider at least.
This is something that I would happily support with my BTC. Please consider this, theymos.
hilariousetc
Legendary (Activity: 2772, Merit: 3029)
December 01, 2017, 11:21:02 AM  #20

Quote from: minifrij on December 01, 2017, 09:16:22 AM
Quote from: hilariousetc on November 30, 2017, 08:20:29 AM
Have you thought about maybe creating your own ddos protection service as from your concerns it seems like there'd be a gap in the market for a trusted product? ... Could even use the money we get from any potential new donator ranks we implement to invest in it. Something to consider at least.
This is something that I would happily support with my BTC. Please consider this, theymos.

Same, as I'm sure many others would also. Most ICOs are just hollow get-rich-quick schemes run by greedy scammers, but I'd happily support one for a valuable service created by reputable people, and it could actually be one that makes a lot of money as a business, which we could give back to investors as dividends. Maybe bitcointalk could create its own coin and give that out for promoting the ICO and as bonuses for helping out the forum as well.

Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines