freedomPusher

joined 4 years ago
[–] freedomPusher@sopuli.xyz 2 points 2 years ago (2 children)

Some of these take an ethical step backwards. I see the pattern: lemmy.ml on the left-hand side, which is generally a good idea because lemmy.ml is centralized by disproportionate numbers. But when you have another quite large node on the RHS which is rendered strictly centralized by Cloudflare, you have a downgrade. E.g. the nodes lemmy.ca and lemmy.one should appear on the LHS, and for transparency I suggest tagging them with a lightning cloud (🌩).

[–] freedomPusher@sopuli.xyz 1 points 2 years ago* (last edited 2 years ago)

How many websites can handle the amount of traffic that CF can handle? It’s not just about configuring your firewall, it’s about having the bandwidth. Otherwise it’s not much of a DDoS protection.

That’s what I’ve been saying throughout this thread. The only significant DDoS protection offered by Cloudflare requires CF seeing the traffic (and holding the keys) so it can treat the high-volume traffic. If CF cannot see the payloads, it cannot process it other than to pass it all through to the original host (thus defeating the DDoS protection purpose).

As I don’t have an account there I can’t see which requests containing credentials use which cert.

Why would you need an account? Why wouldn’t bogus creds take the same path?

If it’s true that this is unverifiable, that’s good cause to avoid Cloudflared banks. It’s a bad idea for customers to rely on blind trust. Customers need to know who the creds are shared with /before/ they make use of them -- ideally even before they make the effort of opening an account.

And also, just because the cert is verified by cloudflare does not mean they have the private key.

This uncertainty is indeed good cause to avoid using a Cloudflared bank.

UPDATE: I’ve spoken to some others on this who assert that it is impossible for a bank customer to know for certain if a bank uses their own key to prevent disclosure to CF.

[–] freedomPusher@sopuli.xyz 1 points 2 years ago* (last edited 2 years ago) (2 children)

It seems like a lot of your points hinge on this being true, but it simply isn’t.

“AFAICT” expands to “as far as I know”, which means the text that follows is not an assertion. It’s an intuitive expectation that is open to be proved or disproved. The pins are all set up for you to simply knock down.

There is a massive benefit to preventing DDoS attacks, and that does not require keys.

This is unexplained. I’ve explained how CF uses its own keys to offer DDoS protection (they directly treat the traffic because they can see the request). I’ve also explained why CF’s other (payload-blind) techniques are not useful. You’ve simply asserted the contrary with no explanation. HOW does CF prevent DDoS in the absence of treatment of the traffic? Obviously it’s not merely CF’s crude IP reputation config because any website can trivially configure their own firewall in the same way without CF. So I’m just waiting for you to support your own point.

There is no indication that banks are handing over client credentials to CF.

This is trivially verifiable. E.g. if you get the SSL cert for eagleone.ns3web.org, what do you see? I see CF keys. That means they’re not using the premium option to use their own keys. Thus CF sees the payloads. I’m open to being disproven so feel free to elaborate on your claim.

[–] freedomPusher@sopuli.xyz 1 points 2 years ago* (last edited 2 years ago) (4 children)

I’m not looking to be proven right. The purpose of the tangent discussion was to substantiate whether or not bank creds are exposed to CF. If banks are actually protecting consumer creds from CF, then it requires a bit of analysis because banks don’t even disclose the fact that they use Cloudflare. They make the switch to CF quietly and conceal it from customers (which is actually illegal - banks are supposed to disclose it but it’s not enforced in the US). AFAICT, CF’s role is mostly useless if the SSL keys are held by the site owner.

In the US, the financial system is quite sloppy with user creds and user data. There are even a couple 3rd-party services (Yodlee / Mint) that ask customers for their banking creds at all the places they bank. This service then signs on to all the banks on behalf of the customer to fetch their statements, so customers can get all their bank statements in one place. IIRC some banks even participate so that you login to a participating bank to reach Yodlee and get all your other bank statements. Yodlee and Mint are gratis services, so you have to wonder how they are profiting. The banks are not even wise enough to issue a separate set of read-only creds to their customers who use that Yodlee service. In any case, with that degree of cavalier recklessness, I don’t envision that a US bank would hesitate to use CF in a manner that gives the bank the performance advantage of CF handling the traffic directly. But I’m open to convincing arguments.

[–] freedomPusher@sopuli.xyz 1 points 2 years ago* (last edited 2 years ago) (6 children)

Without TLS termination Cloudflare is still useful for e.g. DDoS protection,

I’m not seeing that. Cloudflare’s DDoS protection is all about having the bandwidth to serve the traffic. If CF cannot treat the traffic itself (due to inability to see the payloads), that whole firehose of traffic must be passed through to the original host which then must be able to handle that volume. CF’s firewall in itself is not sophisticated enough to significantly reduce the traffic that’s passed along. It crudely uses IP reputation which can easily be done by one’s own firewall. What am I missing?

[–] freedomPusher@sopuli.xyz 1 points 2 years ago* (last edited 2 years ago) (8 children)

I’m well aware that Cloudflare holds the TLS keys. I’m also well aware that that does not equal having access to credentials.

Can you elaborate? I believe the hashing must be done on the server side not the user side, so Cloudflare would see the creds before hashing. I know it’s possible to subscribe to an enterprise package where you hold your own SSL keys, but it’s unclear why CF would even be used in that scenario. If CF cannot see the traffic, it cannot optimize it as it all has to be passed through to the original host anyway. AFAICT, CF’s only usefulness in that scenario is privacy of the websites ownership - something that banks would not benefit from.

Banks certainly can not outsource willy nilly. Or well, I suppose they may in some jurisdictions, but the context here is Europe, where the banks actually are regulated.

US banks (esp. credit unions) outsource with reckless disregard for just about everything. Europe is indeed different in this regard. But European banks have no hesitation to outsource email to Microsoft or Google and then to use email for unencrypted correspondence with customers. That crosses a line for me.

European banks will also outsource investments to JP Morgan (one of the most unethical banks in the world), and they tend to be quiet about it. I boycott JPM along with other similar banks in part due to investments in fossil fuels and private prisons. This means banking in Europe is a minefield if you boycott the upstream baddies.

[–] freedomPusher@sopuli.xyz 1 points 2 years ago* (last edited 2 years ago) (10 children)

Cloudflare holds the keys. They decrypt all traffic that reaches their reverse proxy. It’s legal. Banks can outsource anything they want and they do so willy-nilly. Their privacy policies cover this. They can share whatever they need to with their partners.

BTW FWiW, I have caught banks breaking a few laws and reported it to regulators. Regulators don’t care. Everyone thinks consumer banks have a gun pointed at them to comply with the law because it periodically makes a big splash in the media when they’re caught not enforcing AML rules. But when it comes to consumer protection, anything goes to a large extent. There’s very little pressure to do right by consumers. One regulator even had the nerve to say to me “why don’t you change banks?” (in response to a report of unlawful conduct).

[–] freedomPusher@sopuli.xyz 1 points 2 years ago* (last edited 2 years ago) (12 children)

Be the change you want to see.

I agree with that principle. And for me, that leads me elsewhere. (I’m not the OP)

I oppose forced banking. I also oppose forced online banking within the banking sector.

Forced online banking

Technologists are mostly incompetent, evidenced by today’s web which is increasingly enshittified. The ultimate escape from incompetently implemented shitty tech is an offline/analog option. It’s important for consumers to be able to say “fuck this, I’m done with electronic access.” Naturally you’d think if you write the app yourself that solves the problem. Not exactly. That API is still controlled by the bank. While the API is likely decent, there’s a firewall around it. Banks are increasingly making stupid anti-consumer moves in their firewalls:

  1. They either put their services on Cloudflare, thus blocking Tor and subjecting all users (tor and non-tor) to Cloudflare’s eye on all their sensitive financial traffic including usernames and passwords. Or
  2. they simply block Tor, which then enables your ISP to track where you bank and also enable the bank to track your physical whereabouts upon every single login.

These factors are outside of the control of the app developer. A developer could invest a lot of their own time building a great app, only to be demoralized by aggressive firewall anti-features. And worse, if the dev boycotts Cloudflare and/or the bank, their FOSS app continues to benefit the bank after they begin their boycott. IOW, the fruits of their labor are used against them.

Forced banking

Banks are becoming increasingly anti-consumer both online and offline. I could fill a book on this. But to be brief, imagine a bank decides to force everyone online, they close their countertop service, and then force people to obtain a mobile phone, mobile phone service, and force them to share their mobile phone number with the bank. (yes, this has actually happened). The ultimate escape is being able to function without a bank. The #WarOnCash is killing that option off so we are being forced to use banks.

So when you say “Be the change you want to see”, that’s exactly what I’m doing by living an unbanked life and fighting against the war on cash. In that mission, producing a FOSS app would actually be antithetical. A FOSS app would make banking a little more satisfying when it’s more important to have unbanked people fighting for the right to live an analog life.

[–] freedomPusher@sopuli.xyz 1 points 2 years ago* (last edited 2 years ago) (14 children)

Looks like ING still maintains the Linux CLI app. I thought they discontinued that but it’s apparently still maintained. I’ve never seen a FOSS app from any other Belgian bank. FOSS phone apps are entirely non-existent for all Belgian banks AFAICT. The link you posted does not appear to lead to one.

BTW, wouldn’t it be strange if ING had a FOSS Android app considering their app from the Play Store detects when it’s launched in a virtual machine and then refuses to run? If they had a FOSS app, the user could make it run inside a VM.

[–] freedomPusher@sopuli.xyz 0 points 2 years ago* (last edited 2 years ago)

Great, so your hypothetical Amish have already been granted all their hypothetical wishes, so you answered your own question.

Not hypothetical. And wrong government. You also misunderstood what you quoted (which was speaking of a general philosophical scenario that manifests in the real world in parallel to the hypothetical Amish scenario).

Incidentally, the US Supreme Court ruled that Amish (who per their religion oppose insurance) are exempt from the social security system on the basis of religious freedom. The hypothetical is obviously unanswered, as it involves Amish people in Europe and not over insurance but over forced use of on-grid technology and forced use of machines that are more complex than a word processor.

How do you even think a European gov could have protected the religious freedom of the Amish? They do not exist in Europe. US and Canada only.

You only posted this trainwreck

Your trainwreck, not mine. I was after intellectual replies by folks with a bit more civility. You hijacked the train then derailed it. The train wreck is purely your hot-headed emotional rant -- effectively your #threadCrap.

and now that you have been mad and answered your own question, why don’t you bake some bread or do some other useful stuff after maybe deleting this whole episode from lemmy so you don’t waste other people’s time?

Why don’t you try to practice constructive use of your own time by writing civil responses - or not writing at all? Lose the hot-head, think about the inequality of religious freedom to religious people and lack thereof to non-religious people with an equally strong moral code, and try to come up with something that avoids logical fallacy. Even better if you can display a bit of inspirational wisdom. Try to show people that you’re somehow more than an annoying troll.

[–] freedomPusher@sopuli.xyz 0 points 2 years ago* (last edited 2 years ago)

It’s also simply not true.

It simply is true. You’re talking about what should happen based on something you read. I’m talking about what is happening based on concrete 1st-hand experience.

municipalities still have to allow people to book on the spot, or help them on the kiosks available.

“have to” ≠ status quo reality. Apparently you missed the demonstration in Brussels a few weeks ago where hundreds of people demanded the reopening of offline public services. Some real-world test cases:

  • case 1: If you go to the commune to deregister, you fight your way past their attempt to push the online service, at which point you talk to someone in the population registry dept. who only directs you to send the request via post. If you hand-deliver the request into their postbox, they simply ignore it. (side note: ignoring postal correspondence is the same way public services in the US have started quietly and unofficially imposing online transactions)

  • case 2: If you go to the commune to reserve parking in front of your property for workers, they point to a QR code on the wall. If you insist on an offline transaction, the receptionist refuses. If you say that you need to pay cash, the receptionist says “impossible, because online is the only way”.

“have to” ≠ reality also for analog payments. It is legally obligatory in Belgium for money recipients to accept cash banknotes. But it’s not enforced. Both the gov and private sector services (e.g. Vivaqua) are violating that law.

So indeed, you cannot simply trust at face value what you read is supposed to happen. You need to actually demand offline service yourself. Best to test it in Brussels; this is where some communes are experimenting with digital exclusion.

From the Flemish website

(…) But where they are always welcome at the town hall if they so wish.

That page is undated and that quote is no longer true. Case 2 above happened this year.
