You’ll be attacked and pay for the priviledge! I suppose what you’re really paying for is knowing who’s attacking you. Mind you, I think it’s free for small sites, which is probably quite an attractive trade-off for many.

You see the problem. Yes, cloudflare decrypt the request from the browser, inspect it, then reencrypt it and send it to the host server. Then they take the response, decrypt that, inspect it, reencrypt it and send it to the browser.

Basically there are two TLS flows, one from the browser to cloudflare, and one from clourflare to the host server. Between those, on the cloudflare system, both the traffic and response are in plain text. That includes usernames, passwords (for HTTP basic auth anyway) and any sensitive data you send or receive.

Given that they front sonewhere between 19 and 40% of all websites, d£pending on whose stats you trust, that should be pretty alarming.

Do it properly, or don’t do it at all: https://m.youtube.com/watch?v=T8XeDvKqI4E

Cloudflare don’t hoat sites, but they do end up being a ‘man in the middle’ attack on any site they proxy for, regardless of where that site is nominally hosted. That ends up exposing all traffic on those sites to a US corporation, and ultimately the US government. Considering that Cloudflare proxy somewhere between 19% and 40% of all websites, I think that’s pretty alarming.

The US IP address is for Cloudflare, who are acting as a front end for things like DDoS protection. A lot of lemmy servers use them, which is unfortunate, but there don’t seem to be any viable European alternatives.

You can check the details with the whois command. The relevant bit when querying for one of their addresses is:

NetRange:       104.16.0.0 - 104.31.255.255
CIDR:           104.16.0.0/12                         
NetName:        CLOUDFLARENET                         
NetHandle:      NET-104-16-0-0-1                      
Parent:         NET104 (NET-104-0-0-0-0)              
NetType:        Direct Allocation                     
OriginAS:       AS13335                               
Organization:   Cloudflare, Inc. (CLOUD14)            
RegDate:        2014-03-28                            
Updated:        2024-09-04                            
Comment:        All Cloudflare abuse reporting can be
done via https://www.cloudflare.com/abuse             
Comment:        Geofeed: https://api.cloudflare.com/local-ip-ranges.csv                                     
Ref:            https://rdap.arin.net/registry/ip/104.16.0.0

That sentence was going rather predictably right up until the last word. Well done.