Is using Clownflare wise?

Due to a quick temporary forum outage i’ve noticed that the forum uses :clown_face:flare…which ain’t as harmless as one might think, apart from being a pain in the ass for Tor generally speaking.

Cloudflare is able to see everything a user does and sends or receives on the website, including sensitive data like login information

(c) PrivacyDev - Cloudflare

Perhaps not everyone would like such a stellar feature in exchange for DDOS protection, just saying :joy:

While this might be true (because it’s a technical requirement to provide this service), it is not only DDOS protection, Cloudflare offers A LOT more than that. Cloudflare also caches a lot of data to reduce load on our origin servers (7 days metrics):

We also get insanely cheap worldwide mirroring for both ISO files and our whole repository (an anecdote: it is < 3€/month, and we once had a Chaotic team member ask AWS for what they would take: more than 1000x more than that :smiley: )

Apart from that, we have a free Pro plan going and don’t only have the standard features available. More than worth it for what it gives, imo.


Some off-topic information: the short downtime itself was due to taking down Piped as per our last announcement btw, and setting up something new in place:

at reddit.garudalinux.org :slight_smile:

6 Likes

Sounds totally like deal with a :japanese_ogre: to me… :rofl:

You either like it or don’t, for me personally this suffices:

Haven’t had any doubts until now apart from being quite happy with the service.

5 Likes

Sounds like you’re volunteering your vast opsec experience to improve the Garuda community! Thank you!

2 Likes

Gotta love a daily dose of paranoia

2 Likes

Just block the :poop: out of it:

sunglasses_72

2 Likes

While that’s objectively funny, you really can’t block it with ublock / umatrix, because cloudflare is a server (in case of that forum) or if it’s used only for DDOS protection like on most websites - it still loads waaaay before website is even resolved…

So only real way to block the :poop: out of it:

  1. Hijack html / js parts of cloudflare with something like Tampermonkey - which is NOT an easy task
  2. Then cut out all of its parts from those files, which are not trivial to de-obfuscate and find
  3. Hijack browser’s event for loading html / js before it occurs (which may or may not require rewriting browser’s internal hooks, which also has the potential of opening a huge vulnerability) and replace original files with tampered ones.
  4. Repeat all above each time those files change on server side :rofl:

tl;dr Not recommended for 99% of people. :joy:

Well, yeah, that part of it is running, unfortunately, it’s just fingerprinting client-side scripts that load later that are blocked.

I wouldn’t be so sure of that, don’t even know why they need client-side js part once it’s resolved to be honest.

I was playing around with Tampermonkey and :clown_face:flare supercookies some time ago, and let me tell you - if :clown_face:flare page is loaded on client - they already own you through serverside traffic sniff, there’s no way to get rid of it once supercookie with your uid is obtained and stored on client…unless you do the whole procedure outlined above and not get the supercookie in the first place. :melting_face:

They don’t mess around.

Thanks for making a post here with your concerns @keybreak, I definitely appreciate bringing things like this up to us.

While this is a valid concern, let me bring up some points that I hope will alleviate your worries a little:

  • Cloudflare acts as a reverse proxy fronting the actual webserver infrastructure on layer 7, meaning that Cloudflare necessarily has to act as a man in the middle for their implementation to work. This is true for any CDN that works the way Cloudflare does, and is standard practice in the industry.

  • Cloudflare does not have any kind of advertisements or similar displayed to the user. They have no interest in collecting your data, because their entire business model is different from that of tech giants. The user is not the product, because Cloudflare does not make money from users. The money Cloudflare makes comes from the web admins that pay a regular fee to Cloudflare for the use of their services. To that extent, there is no motivation for Cloudflare to collect user data, in fact, collecting data on a scale like that would add an enormous cost for no benefit, while also adding big concerns related to privacy regulations in regions Cloudflare operates in.

DDOS protection is just a fraction of why we use Cloudflare. Pulling up some graphs from Cloudflare’s dashboard (last 72 hours), Cloudflare caches about 50% of all requests that would normally hit our server infrastructure. While 125 GB of traffic is served from our infrastructure, a staggering 2.8 terabytes of data is served from Cloudflare’s edge. This amount of server load would be rough to handle and would probably lead to us having to invest more of the funds donated to us from the community (<3) on server costs to continue providing the same service we do currently.

In addition to the graphs above, ISO hosting is handled by Cloudflare R2, which adds another 12.3 terabytes of data to the mix. (Served by Cloudflare/Served by origin is excluded, since all of R2 is on Cloudflare, so caching or no caching makes no difference)


As should be rather obvious by now, the amount of saved costs in terms of infrastructure is hard to overstate, it’s a truly massive amount. In addition, we are currently being sponsored by Cloudflare (as in, we get their premium services free of charge). We also make use of quite a number of other features of Cloudflare in the backend, including things like access control to internal addresses (for administration purposes).

I would also argue that the privacy concerns you have are largely unwarranted or sensationalized, given that the company does not have a history of engaging in anything like that either, in addition to man-in-the-middle being required for them to provide the service in the first place.

I hope that clears up why the infrastructure in its current state uses Cloudflare!

7 Likes

Hey @TNE, thx for detailed answer! :upside_down_face:

I think you and @dr460nf1r3 may have missed the point of my question a bit, perhaps i’ve phrased it in not the most obvious way, so excuse me if i did…It’s not technical or business oriented question in nature (nor should it be, since hey, we’re all here guests on your :eagle: servers after all!), it’s more of a moral question to me.

Undeniably, i’m glad that we’re all on the same page here - it’s MITM by nature of a service (although i add - so it can and therefore will [already, since one can find easily accessible leaks even in public hacker databases which no amounts of GDPR could reverse unfortunately, since it’s just legal cover, not technical one] be used that way).

It’s a bit tangential, but still interesting to dive into - to me that’s a very questionable logic.
As @dr460nf1r3 has pointed out - Cloudflare outcompetes even Amazon by x1000 margins, you have all the possible upsides as an admin of a website / forum can only dream of for just a fraction of a penny, it has all the technical upsides, it’s super-cost-effective…and it makes you a coffee too probably :joy:

So it’s all brought to you by a company that technically has already become big tech, if you’ll look around 80% of all websites you’ll come across - use Cloudflare in some shape or form, even static ones like discogs, absolute most of AI websites use it…practically everyone, so it’s already nearly an internet-monopoly…The motivation for selling out sniffed data to any 3rd parties including but not limited to ad companies and governments is hard to miss (yeah, do you really think that they won’t be asked “nicely” to get access to MITM parts since they control huge part of the internet like it was with 100% of big tech cases we’ve all known before?).

So, my personal :clown_face: :crystal_ball: prediction goes as follows:

Mark my words - in not so distant future we’ll likely see Cloudflare as a part of infrastructure used for some horrible stuff like mass surveillance and censorship.


But anyways, as i’ve said - my question was in a moral plane and was a very simple one:

Do you know it’s MITM?
How likely is it that you’re paying differential of its cost-effectiveness by selling everyone to a higher bidder?

Would you be still willing to keep using it despite knowing it can be used to harm users, including leaking their personal data / credentials?

You’ve already answered it in a way.

Personally - i’d never use :clown_face:flare for that reason alone, even if they’d offer me 1 000 000 $ above and best waifu in town :rofl:
Maybe i’m just that dying breed of 90s :cowboy_hat_face: internet and it was all just a cyberdream in my :clown_face: head?

This all is a bit like Free & Open-Source Software question in nature, i guess :penguin:

P.S. I don’t think it was me who selected a thread solution, but who cares… :rofl:

By the nature of a reverse proxy, yes.

Very unlikely. Cloudflare does not have a history of doing anything even remotely like that and does not mention this in any agreement. Contrary to popular belief, most companies do not sell user data to anyone, but instead use their data to give advertisers a sophisticated set of tools that allow them to advertise to specific people based on profiles that they have created about you, while never actually giving anyone access to any data. Cloudflare does neither this, nor shares deanonymized data with third parties to my knowledge.

Given that I think the threat is sensationalised needlessly, *isn’t* being used to harm users, yeah, I would say so.

When you start approaching software and Services from the perspective you are coming from, it starts to get ridiculous pretty quickly.

For example, one could advocate for Garuda Linux to have its own server infrastructure, because the current one could be monitored. Or require users to pin SSL certificates manually, because SSL pins from Browsers may be purposefully malicious (what if I told you those are managed by an actual tech giant known for selling user data!). Or ask Garuda Linux to host their own DNS server, because nothing stops the authoritative DNS server from creating an SSL certificate in our name at any time.

At some point, there is a limit to how much fear is reasonable in this case. Realistically, how much personal data that only you can see are you sharing with Cloudflare on Garuda Linux’s web presence? I assume you use a different password or OAuth (if you don’t, you should) for your login. The rest you post is public anyway on the forum for example, so there is no fear of privacy violation either.

Some services like our bitwarden instance might be a concern, but bitwarden is fully end to end encrypted. Neither cloudflare, nor us, the server operators, are able to see your personal data. The same applies to the firedragon sync server, I do believe.

4 Likes
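The distinction drawn in this thread, that a layer-7 reverse proxy terminating TLS can read an ordinary login form while client-side encrypted vault data stays opaque to it, can be shown in a short sketch. This is an added example, not part of any post and not Cloudflare's or Bitwarden's code; the function names, the sample credentials and the HMAC-based keystream (a standard-library stand-in for a real cipher) are assumptions.

```python
import hashlib, hmac, json, os
from urllib.parse import parse_qs, urlencode

def _keys(master_password: str, salt: bytes):
    # Derived on the client only; split into an encryption key and a MAC key.
    k = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stdlib stand-in for a real cipher: HMAC-SHA256 in counter mode as keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(master_password: str, salt: bytes, secret: str) -> bytes:
    """Client side: encrypt-then-MAC before anything is sent."""
    enc_key, mac_key = _keys(master_password, salt)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, secret.encode())
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).hexdigest()
    return json.dumps({"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}).encode()

def unseal(master_password: str, salt: bytes, body: bytes) -> str:
    """Client side: only a holder of the master password gets the plaintext back."""
    enc_key, mac_key = _keys(master_password, salt)
    blob = json.loads(body)
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    want = hmac.new(mac_key, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, blob["tag"]):
        raise ValueError("wrong key or tampered ciphertext")
    return _xor_stream(enc_key, nonce, ct).decode()

def edge_view(content_type: str, body: bytes) -> dict:
    """What a TLS-terminating layer-7 proxy can parse out of a request body."""
    if content_type == "application/x-www-form-urlencoded":
        return {k: v[0] for k, v in parse_qs(body.decode()).items()}
    return json.loads(body)

# Constructed sample requests (not captured traffic).
SALT = b"alice@example.org"
LOGIN_BODY = urlencode({"login": "alice", "password": "forum-only-pw"}).encode()
VAULT_BODY = seal("correct horse battery", SALT, "bank PIN 4921")
```

`edge_view` on `LOGIN_BODY` returns the password in clear, which is why a site-unique password matters; on `VAULT_BODY` it returns only nonce, ciphertext and tag.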

While i disagree that it’s ridiculous, especially DNS part…we haven’t even got to hardware trust…have we? :joy:

Yep, me of course is covered plenty - i don’t worry or fear for myself, coz i don’t do or write anything that could really personalize…if i were - i wouldn’t write anything at all! :joy:

Not everyone is me though… :thinking:
Also i don’t think fear is a good metric here, for example i don’t fear Microsoft…i just REALLY don’t like it for everything that they’ve done, that’s why i’m on Linux. It’s a rational choice.
