This repository has been archived by the owner on Jun 8, 2018. It is now read-only.

Does this extension only inject JavaScript? #251

Closed
ghost opened this issue Feb 4, 2018 · 25 comments

@ghost

ghost commented Feb 4, 2018

I have JavaScript disabled by default in Chromium. I also use uMatrix with rules:

```
* * * block
* * frame block
* * other block
* * script block
* * xhr block
```

and I enable per-site what I want.

On the test page I enabled JS and allowed ajax from Google APIs just to test and I saw "1" appearing in the extension icon. However, on the other sites which I visit I see no effect whatsoever.

So is this extension supposed to have any effect only when JS is enabled and resources are injected through XHR? Or is it also supposed to store locally other resources like css or images (which would be relevant since requesting such resources from CDNs can also lead to tracking)?

@ArchangeGabriel

Only JS, and only some specific JS resources. JS libs are the only content widely retrieved from 3rd-party CDNs (as opposed to using CloudFlare to deliver your website for instance).

@ghost
Author

ghost commented Feb 7, 2018

Thanks for the info.

> JS libs are the only content widely retrieved from 3rd-party CDNs

Not really. One example:

https://www.bootstrapcdn.com/

Amazon Cloudfront is also widely used for images and CSS.
BTW is CloudFlare CDN a privacy issue too? I use it for some of my sites (and it works great).

@ArchangeGabriel

Well, third parties are always a privacy issue by definition. But of course removing them altogether is not really possible since they solve real problems.

Regarding Bootstrap, I’ve mostly seen it for JS, not CSS. The only large image delivery CDN I’ve encountered is Gravatar.

@ghost
Author

ghost commented Feb 8, 2018

Ok. So this extension is fairly limited as far as I understand.

It would be good to make it possible for the user to have locally delivered resources from other CDNs too and not only JS.

@ArchangeGabriel

ArchangeGabriel commented Feb 8, 2018

That could be an idea, but I’m not sure there are a lot of versioned common resources loaded from CDNs outside of JS. If you can gather examples this could likely help, since they would have to be listed somewhere in the code to be replaced anyway.

@ghost
Author

ghost commented Feb 8, 2018

Found through a quick search for "popular css hosting cdn":

https://css-tricks.com/adding-a-cdn-to-your-website/
https://opensource.com/article/17/4/top-cdn-services
https://www.indianweb2.com/2012/09/14/10-free-cdn-to-host-images-css/
https://premium.wpmudev.org/blog/top-cdn-services-to-make-your-wordpress-site-blazingly-fast/
https://www.maxcdn.com/blog/free-open-source-cdns/
...

Perhaps finding each and every CDN hosting CSS or other resources is a heavy task. Some kind of list similar to the lists of uMatrix would surely be possible but perhaps a more efficient option (without being limited to a list) would be to simply cache 3p resources beyond the cache lifetime. Surely that has the risk of making cache size too big and of using dated resources but I don't know if there is any technological solution ensuring both privacy and having the right resources (unless one uses a dedicated caching proxy server).

@ArchangeGabriel

You’ve missed the two most important words of my sentence despite the emphasis I’ve put on them. For Decentraleyes to be useful, the resources it aims to replace must be:

  • common, which means that a lot of different websites are using them;
  • versioned, which means that the resource has an associated version number that fixes its content.

We’re not talking about using CDNs to deliver websites here, we’re talking about CDNs as providing common resources used by a lot of different websites. There are huge differences between the two, and Decentraleyes only applies to the latter, there is nothing that can be done for the former.
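
An added example (not part of the thread and not Decentraleyes' own code) of the "common, versioned" test described above: a request is only replaceable when it targets a listed shared CDN host, pins a full x.y.z version in its path, and a matching copy is bundled. The host patterns, the bundled-file set and the `resources/` path are constructed for illustration.

```javascript
// Constructed mapping for illustration; NOT Decentraleyes' real tables.
// host -> regex capturing library name, exact version and file name.
const CDN_PATTERNS = {
  'ajax.googleapis.com':
    /^\/ajax\/libs\/([a-z0-9.-]+)\/(\d+\.\d+\.\d+)\/([a-z0-9.-]+\.js)$/,
  'maxcdn.bootstrapcdn.com':
    /^\/(bootstrap)\/(\d+\.\d+\.\d+)\/js\/([a-z0-9.-]+\.js)$/,
};

// Constructed set of bundled copies, keyed "library/version/file".
const BUNDLED = new Set([
  'jquery/3.2.1/jquery.min.js',
  'bootstrap/3.3.7/bootstrap.min.js',
]);

// Returns {library, version, file} when the URL is on a listed CDN host and
// pins a full x.y.z version (so its content is fixed); otherwise null.
function classifyResource(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return null; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // Exact host match only: a suffix or substring test would also accept
  // look-alike hosts such as "ajax.googleapis.com.<other domain>".
  if (!Object.prototype.hasOwnProperty.call(CDN_PATTERNS, url.hostname)) {
    return null;
  }
  const m = CDN_PATTERNS[url.hostname].exec(url.pathname);
  if (!m) return null; // unversioned, floating version, or site-specific path
  return { library: m[1], version: m[2], file: m[3] };
}

// Decide whether a request can be answered locally or must go to the network.
function decide(rawUrl) {
  const hit = classifyResource(rawUrl);
  if (!hit) return { action: 'passthrough' };
  const key = `${hit.library}/${hit.version}/${hit.file}`;
  return BUNDLED.has(key)
    ? { action: 'local', path: `resources/${key}` }
    : { action: 'passthrough' };
}
```

A site-specific asset on a delivery network (an image on a per-customer CDN hostname, say) never matches, which is why proxied or site-specific content falls outside this approach.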

@ghost
Author

ghost commented Feb 8, 2018

So what do you suggest? Is there any room for improvement or should it all stay as it is now?

@Synzvato
Owner

Thank you @AnChEv for getting in touch, and @ArchangeGabriel for the helpful replies.

> Amazon Cloudfront is also widely used for images and CSS.

Decentraleyes features files that are shared between multiple websites. It's impossible to bundle a wide range of rare (or site-specific) resources with the extension. On another note, Amazon is probably not the best choice if you value end-user privacy, as they do business with US intelligence agencies. [1] [2]

> BTW is CloudFlare CDN a privacy issue too?

Yes, it is a privacy issue and, from my experience, completely unnecessary. I usually see CDN services being used as a means to speed up websites, that'd perform a lot better if they were a bit more optimized to begin with. For most websites it's overkill, and widespread usage severely centralizes the web.

I am guessing that services like CloudFlare CDN have become this popular because they typically offer a free tier. It's worth noting, yet unsurprising, that these services often come with "free" analytics. [3]

> So what do you suggest? Is there any room for improvement or should it all stay as it is now?

Delivery networks that proxy entire websites are a separate problem (see issue #236). However, I'm happy to say that support for common, versioned, stylesheets and webfonts is on the roadmap. It's being held back by a blocking bug (see #1419459). Please see related issue #16 for additional details.

[1] huffingtonpost.com/norman-solomon/the-cia-amazon-bezos-and_b_4559317.html
[2] theatlantic.com/technology/archive/2014/07/the-details-about-the-cias-deal-with-amazon/374632
[3] cloudflare.com/insights

Synzvato changed the title from "Does this extension handle only JS related resources?" to "Does this extension only inject JavaScript?" on Feb 19, 2018

@ghost
Author

ghost commented Feb 19, 2018

> On another note, Amazon is probably not the best choice if you value end-user privacy

It is not my choice but that of thousands of sites.

Re. Cloudflare - why is it an issue to use a free service which improves security and offers also free analytics? The web hosting provider also has web server logs for all the sites they host which is a form of centralization. We can't host our websites on our own computers, it is too expensive and requires certain expertise in network server administration. What would you suggest? (slightly off topic, sorry, but still it would be interesting to know if you don't mind)

> However, I'm happy to say that support for common, versioned, stylesheets and webfonts is on the roadmap.

Sounds good. Thanks!

@Synzvato
Owner

Synzvato commented Feb 19, 2018

> It is not my choice but that of thousands of sites.

I see. It wasn't clear from your previous comments that you do not personally have any content hosted on Amazon Web Services. Also, yes. It's sad to see how many sites are in the hands of one single entity.

> [...] is it an issue to use a free service which improves security and offers [...] free analytics? The web hosting provider also has [...] logs for all the sites they host which is a form of centralization.

This is in fact an issue, and "improved security" is quite debatable. In such cases, the delivery network acts as a man in the middle, and has the ability to perform full packet inspection. They clearly do open up packets, and justify this by stating it's necessary to be able to provide analytics for website owners.

So, as a result, both your underlying web hosting provider, and the CDN provider have direct insight into unencrypted, end-user, traffic. This can hardly be called a security improvement, in my opinion.

Lastly, while most web hosting providers do indeed keep traffic logs, this in and of itself, isn't a form of centralization. Choosing smaller, independent, web hosting providers over existing enterprises absolutely helps to decentralize the landscape. Centralization facilitates automated, warrantless, surveillance.

> We can't host our websites on our own computers, it is too expensive and requires certain expertise in network server administration. What would you suggest?

There is nothing inherently wrong with relying on a third-party hosting provider. There is, however, a rather large difference between serving pages from your own server, and aiming for a ping of under nine milliseconds for visitors from any random location in the world. In most cases, this is just overkill.

So, I'd advise you to get in touch with independent, reputable, web hosting companies, with independent server infrastructures (so, avoid resellers), within the rough vicinity of your main target audience.

@ghost
Author

ghost commented Feb 19, 2018

> This is in fact an issue, and "improved security" is quite debatable. In such cases, the delivery network acts as a man in the middle, and has the ability to perform full packet inspection. They clearly do open up packets, and justify this by stating it's necessary to be able to provide analytics for website owners.

How do they "clearly open up packets" if the connection is HTTPS? Even if the certificate is issued by Cloudflare the private key is on the origin server. So how can Cloudflare acting as a CA simply "open up packets" (i.e. decrypt them)? Is that technically possible?

@ArchangeGabriel

They definitively have to terminate the SSL connection on their side, else Cloudflare would serve no purpose at all, so it is their private key that is in use (or the same one as the website, but provided to them by the owner). So your HTTPS connection is with Cloudflare, not with the server.

@ghost
Author

ghost commented Feb 20, 2018

I am not so sure. Please check the Full SSL section on the page https://www.cloudflare.com/ssl/. In strict mode both the connection between the user and CF and between CF and the origin server are encrypted. On my origin server I am not using any private key generated by CF, it is generated on the origin server itself and not shared with anyone. From the origin I only got the CSR and then CF generated a certificate based on the CSR. But CF doesn't know the private key, so I don't see how they could possibly decrypt.

In case I am missing something please clarify.

@ArchangeGabriel

Yes, you are missing something: there are two types of connections, between the user and Cloudflare, where there is SSL using Cloudflare’s private key, and between Cloudflare and your server, where it’s your private key that is in use. Quoting your link: “Full SSL mode provides encryption from end users to Cloudflare and from Cloudflare to your origin server.”. But on Cloudflare, it is decrypted. Even for “Keyless SSL” (https://www.cloudflare.com/ssl/keyless-ssl/) they say this: “Keyless SSL requires that Cloudflare decrypt, inspect and re-encrypt traffic for transmission back to a customer’s origin.”.

If Cloudflare wasn’t decrypting the requests’ content, all they could do would be load balancing (provided you have multiple servers) depending on source IP and DDoS protection by removing part of the traffic eventually. But people use Cloudflare as a proximity cache, so this definitively requires decrypting.

@Synzvato
Owner

@AnChEv They absolutely do decrypt SSL traffic. In flexible SSL mode, Cloudflare decrypts incoming traffic and communicates with your servers in plain text. In full SSL mode, said party has an equal amount of insight into your traffic, but re-encrypts any payloads before sending them off to your server. [1]

Even Cloudflare's non-default "Keyless SSL" solution does not prevent this. Instead of handing them your keys, you establish shared secrets to allow their edge nodes to decrypt and inspect any packets. [2]

[1] support.cloudflare.com/hc/en-us/articles/204144518-SSL-FAQ

> When you use Cloudflare, we must decrypt the data at our edge in order to cache and filter any bad traffic. Depending on the SSL settings [...], we may re-encrypt or send it as plain text. (full vs flex)

[2] cloudflare.com/ssl/keyless-ssl/

> Cloudflare edge node (the Session Server) decrypts, inspects, and processes the original request.

@ghost
Author

ghost commented Feb 20, 2018

Damn. That sounds terrible. Thanks for explaining.

I don't use Keyless SSL, but I use Full SSL (which after what you shared I am seriously reconsidering).

Is it possible to have an SSL certificate only on the origin and use CF only as a firewall/proxy so that they wouldn't be able to decrypt? The caching benefit of CF improves page load time significantly and reduces traffic usage on the origin too.

@Synzvato
Owner

Synzvato commented Feb 20, 2018

> Is it possible to have an SSL certificate [...] on the origin and use CF [...] as a firewall/proxy [...]? The caching benefit of CF improves page load time [...] and reduces traffic usage on the origin too.

As correctly said by @ArchangeGabriel, in his last comment, you can't do much with encrypted traffic.

HTTPS is essentially HTTP over SSL/TLS. This generally means that everything above the transport layer is protected. The HTTP protocol resides on a higher layer, so even its headers are encrypted.

It's pretty much impossible to provide caching, and to bypass origin servers, without being able to see what your end-users are actually requesting, and without the ability to reply on your behalf. Even URLs are encrypted by HTTPS, to give you a basic example. Third-party caching requires external insight.

@ghost
Author

ghost commented Feb 20, 2018

I understand. Thank you for this info. Then I guess one has no options for avoiding centralization/decryption and good page loads then (unless one builds one's own high speed cloud infrastructure across the globe). So much for "the land of the free".

@Synzvato
Owner

@AnChEv I would argue that in the vast majority of cases, you absolutely do not need exit nodes in all corners of the world, in order to make your website perform well. Being facilitated by a multi-million dollar infrastructure is prestige, and often not a necessity when it comes to serving regular website assets.

Caching content isn't in any way patented by Cloudflare. All one really needs to do to fight centralization, and keep end-user data, is to rent infrastructure in locations close to one's main target audience.

> Thanks for explaining. [...] I understand. Thank you for this info.

You're very welcome! Thanks to you for getting in touch, and to @ArchangeGabriel for the replies.

@ghost
Author

ghost commented Feb 20, 2018

> when it comes to serving regular website assets.

Yes. But in my case it is also about ecommerce sites which need to perform well. The fact that I decided to use CF some time ago is that it showed much better results than anything else. For example reducing page load time from Australia from 10-15 sec to about 3 sec was surely an improvement, considering that the origin is in North America. Definitely a serious difference.

@Synzvato
Owner

@AnChEv In my opinion basically any website needs to perform well. The reason Cloudflare gave you instant performance improvements, was that you apparently have visitors from Australia, but did not rent any servers on said continent. I'd reward local providers, and shield my customers' shopping habits.

@ghost
Author

ghost commented Feb 20, 2018

> In my opinion basically any website needs to perform well.

Sure.

> you apparently have visitors from Australia, but did not rent any servers on said continent. I'd reward local providers, and shield my customers' shopping habits.

Actually the site has visitors from the whole world but I can't have servers on each continent. That's too expensive and not easy to manage. The income the site generates cannot balance it.

@Synzvato
Owner

I'm assuming you're thinking in terms of a full replica of your original infrastructure, when in reality you would really only need to have local solutions in place for caching any static files (e.g. product images and website dependencies). This is typically quite affordable, and more ethical, in my personal opinion.

That said, what you do is up to you. Thanks again for getting in touch, and all the best.

@ghost
Author

ghost commented Feb 20, 2018

Thanks. You too.
