
CloudFlare MITM security concerns... #350

Closed
modrobert opened this issue Oct 1, 2021 · 1 comment

Comments

@modrobert

modrobert commented Oct 1, 2021

When accessing the lnbits.com wallet over the Tor network yesterday (2021-09-30) I noticed that CloudFlare was used (got the captcha treatment).

This is bad security practice for a number of reasons. First off, you expose every wallet accessed to a "Man In The Middle" (MITM), since you are sharing keys with CloudFlare related to HTTPS; also consider that information about lnbits.com users will be given by CloudFlare on government requests (this is an established fact: https://www.cloudflare.com/transparency). The security is already low considering all you need to access the wallet is a valid URL; exposing that URL to a third party makes it even worse.

CloudFlare has leaked information in the past due to a bug; this was possible because their cache and DDoS prevention technology lacks memory isolation between customers for performance reasons. The leak was confirmed in the Cloudbleed incident: https://en.wikipedia.org/wiki/Cloudbleed
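As an added illustration (not code from this issue or from the LNbits project): the simplest way for an operator or a user to confirm that TLS is terminated at Cloudflare's edge rather than at the origin is to look at the response headers the edge adds (`cf-ray`, `cf-cache-status`, `server: cloudflare`). The Python check below parses a raw HTTP/1.1 response and reports those markers; the two sample responses are constructed, and the header values in them are placeholders, not real Cloudflare identifiers.

```python
"""Flag HTTP responses that passed through Cloudflare's TLS-terminating edge.

Anything in the request line (path, query string, a wallet key embedded in the
URL) is plaintext at whichever host terminates TLS, so knowing where that
happens is the first step in assessing the exposure described above.
"""
from email.parser import HeaderParser
from typing import Dict, List

# Response headers Cloudflare's edge sets; documented public behaviour.
CLOUDFLARE_HEADER_MARKERS = ("cf-ray", "cf-cache-status")
CLOUDFLARE_SERVER_VALUE = "cloudflare"

# Constructed sample responses (values are placeholders, not real CF-RAY ids).
SAMPLE_EDGE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 30 Sep 2021 12:00:00 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "CF-RAY: 0123456789abcdef-XXX\r\n"
    "CF-Cache-Status: DYNAMIC\r\n"
    "Server: cloudflare\r\n"
    "\r\n"
    "<html>...</html>"
)
SAMPLE_ORIGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 30 Sep 2021 12:00:00 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: nginx\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response into a lowercase-key dict."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_text = head.partition("\r\n")
    if not status_line.startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    msg = HeaderParser().parsestr(header_text)
    # Header names are case-insensitive; normalise so lookups are reliable.
    return {name.lower(): value.strip() for name, value in msg.items()}


def cloudflare_indicators(headers: Dict[str, str]) -> List[str]:
    """Return the names of headers that indicate Cloudflare handled the response."""
    found = [name for name in CLOUDFLARE_HEADER_MARKERS if name in headers]
    if headers.get("server", "").lower() == CLOUDFLARE_SERVER_VALUE:
        found.append("server")
    return found


def is_fronted_by_cloudflare(raw_response: str) -> bool:
    """True when at least one Cloudflare edge marker is present in the response."""
    return bool(cloudflare_indicators(parse_response_headers(raw_response)))


if __name__ == "__main__":
    for label, sample in (("edge", SAMPLE_EDGE_RESPONSE), ("origin", SAMPLE_ORIGIN_RESPONSE)):
        markers = cloudflare_indicators(parse_response_headers(sample))
        print(f"{label}: fronted_by_cloudflare={bool(markers)} markers={markers}")
```

A positive result means the operator has given the CDN the ability to read every request in the clear, which is exactly the condition that makes URL-borne secrets a concern; the check is deliberately header-based so it works on a captured response with no network access.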

@arcbtc
Member

arcbtc commented Oct 6, 2021

Sure. lnbits.com is a playground for experimenting with the service, not a stable service, so it shouldn't be used for anything important. lnbits.com is also a private service, and like many private services it chooses to use Cloudflare to prevent attacks.

A way you could contribute from your experience is to set up a guide for running lnbits with DDoS protection and a CDN without using something like Cloudflare.

@arcbtc arcbtc closed this as completed Oct 7, 2021