this post was submitted on 20 Nov 2023
2 points (100.0% liked)

Regardless of whether or not you provide your own SSL certificates, Cloudflare still uses their own between their servers and client browsers. So any SSL encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?

(page 2) 37 comments
[–] [email protected] 1 points 1 year ago

Do you want to be blown off the internet by DDoS? How much bandwidth do you have/can you pay for?

[–] [email protected] 1 points 1 year ago

Beyond what everyone else has said here about it being practically an industry standard now with insane levels of trust, it also foists a lot of the responsibility for security/uptime onto an external company with a good track record. That's great in the eyes of product management and likely the legal department too.

[–] [email protected] 1 points 1 year ago

Don’t forget, for selfhosters, the value proposition of free is always pretty strong. I have tiers of data and not everything needs to be super private at all times.

[–] [email protected] 1 points 1 year ago

You realize your computer can have a backdoor put in place by the brand right? Pretty much same deal isn't it?

[–] [email protected] 1 points 1 year ago

You could say the same about any cloud provider. "AWS can read all my data! The horror!"

[–] [email protected] 1 points 1 year ago

The sites I expose to Cloudflare were already being publicly hosted for my friends. Anything actually private or sensitive I run via private DNS and Wireguard internally.

[–] [email protected] 1 points 1 year ago (1 children)

OP, what you're describing is not the "big scary MITM" attack vector. It's how TLS/Reverse proxies work. Whether you are using Cloudflare or hosting your own reverse proxy somewhere with full control, it's still terminating TLS at the endpoint and passing back traffic in the clear to the backend.

Some people like Cloudflare for whatever reasons, and that's okay. I host my own reverse proxy out on a VPS and it works just fine.

You'll find that not all of the selfhosted community is as super-focused on privacy as, say, r/privacy is.

[–] [email protected] 1 points 1 year ago

It sounds like you think the issue with a man-in-the-middle attack is the MITM part, not the attack.

[–] [email protected] 1 points 1 year ago

Cloudflare is awesome and undervalued in my opinion. They provide dozens of services and charge extremely reasonable pricing.

[–] [email protected] 1 points 1 year ago (1 children)

I'm either reading this wrong or there's a disconnect in knowledge. If you have your own SSL cert and do the termination of that on your end, CF cannot do any MITM without an error on the user's end.

However, if you're just setting up an A record or whatever to your server that isn't doing SSL termination, then yes, they are MITM.

[–] Darkassassin07 1 points 1 year ago* (last edited 1 year ago)

Cloudflare's Web Application Firewall or 'WAF' is a reverse proxy that sits in front of your server issuing its own certs valid for your domain (Cloudflare is a CA, and has control over your DNS to get others to issue certs for them). They then provide caching alongside DDoS protection, geoblocking, various customizable firewall settings, as well as just masking your server's IP with their own. This is their primary service aside from just basic DNS/registrar services.

[–] [email protected] 1 points 1 year ago

Outsourcing of (some) risk

If Cloudflare loses the data and it negatively impacts our brand, we can sue the shit out of them.

[–] [email protected] 1 points 1 year ago

Half of the people don't remotely understand the issue. The other half is aware that what's in behind isn't trustworthy anyways if it's "in da cloud" and just went all YOLO-mode.

[–] [email protected] 1 points 1 year ago

Also... shouldn't we be talking more about self-hosting rather than privacy and efficiency issues? I think the topic is a moot point - either you feel that Cloudflare is 'trustworthy'... or you don't.

IMHO, it's sorta like using Google's Gmail for business purposes. Read the fine print - they can do whatever they want with your data, despite their privacy statements. Same goes with Cloudflare. You're using *their* services on *their* servers.

They have to look out for themselves and the risks involved.

[–] [email protected] 1 points 1 year ago (1 children)

Yes, by default traffic is only encrypted between Cloudflare and users, but you can set it to “full (strict)” and have it end-to-end encrypted.

[–] [email protected] 1 points 1 year ago

It comes down to the same line of reasoning that most people are "OK" with using cloud, be it AWS, Google, Oracle, Microsoft etc. Out of laziness and lack of expertise, basically sysadmins are dead. Otherwise it's always a bad idea to offload anything on a third party, especially without transparency (pinky promise).

Badger DAO lost 120M to this pinky trust. https://www.theblock.co/post/126072/defi-protocol-badgerdao-exploited-for-120-million-in-front-end-attack

The same issue, however, exists with domain name registrars, etc., hence even such a thing as ens.domains is much more trustworthy, and it's much harder to exploit.

[–] [email protected] 0 points 1 year ago

Yes. This means they can see your native encrypted self-signed traffic.

Which does not do much. Unless you expose unsecured content to the internet. Please don't.
