[–] 20538690? 0 points 1 point 1 point (+1|-0) ago
Seems like a short project!
[–] 20538085? 0 points 6 points 6 points (+6|-0) ago
FUCKING DISGUSTING.
Because of cloudflare, EVERY PRIVATE MESSAGE sent between two users on voat.co is stored unencrypted at cloudflare because the SSL (https) certificate is not owned by voat.co, it's cloudflare's! really!
Look at the cert now if you doubt me
[–] 20538185? 0 points 3 points 3 points (+3|-0) ago
Click on the green lock at the top, next to https and get more details, and you will see, cloudflare did indeed issue the certificate.
However, this does not necessarily mean cloudflare can read all messages, since there could be multiple layers of encryption. Should probably be possible to tell by observing the data leaving the browser from the network tab of the developer view in the browser.
But yeah, probably shouldn't expect secure messaging from a public site. Is cloudflare much worse than voat? Maybe. Maybe not.
[–] 20538241? 0 points 3 points 3 points (+3|-0) ago (edited ago)
you are ...
It is not a certificate owned nor controlled by voat.co and data is in fact ONLY sent to the actual voat.co server in plaintext or in a DIFFERENT KEY if any.
If you read about RULES and PROCEDURES for using Cloudflare you would know this.
If you knew how to read the SSL cert you would know this.
If you read the news, or messages from cloudflare regarding US gov subpoenas, you would know they OFTEN give large amounts of data to feds... unencrypted on their end.
"But what seems to be overlooked by many is that fact that the ‘Flexible SSL’ option only provides secure traffic between the user and CloudFlares network – NOT between CloudFlare and your website. Which means the users traffic is exposed over the internet as normal HTTP traffic." :
The Real Cost of a CloudFlare “Free” SSL Certificate :
https://info.ssl.com/the-real-cost-of-a-cloudflare-free-ssl-certificate/
and :
https://support.cloudflare.com/hc/en-us/articles/203295200
EDIT :
and "baby talk" explanation of scandal here :
https://www.reddit.com/r/privacy/comments/41cb4k/be_careful_with_cloudflare/
TL/DR: ALL DATA is momentarily decrypted by the real owner of the SSL key, Cloudflare, before exiting cloudflare's servers to voat.co
[–] 20539136? 1 point 0 points 1 point (+1|-1) ago
Of course it’s stored unencrypted, you don’t know the first goddamned thing about computers. Even if it was encrypted on disk, the key has to live somewhere; as long as the Voat servers themselves are going to store your message, it’s going to be decryptable without your knowledge.
The SSL certificate has fucking nothing to do with that. That’s encryption across the wire, not at rest.
If you wanted your messages across Voat to be secure, you would have to have a private encryption key in your client, and a public key in your profile, and other people’s clients would encrypt their messages to your public key.
Note that there’s nothing stopping you from using Keybase to store keys and then using GPG, but we would need users to get some goddamned agency and set up all of that, which they’re not going to do.
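The scheme described in the comment above (a private key kept in the client, a public key published in the profile), as an added example that is not part of the thread or of any site's code. It assumes Node.js and uses X25519, HKDF-SHA256 and AES-256-GCM as one possible construction; all function names are hypothetical and the message is constructed sample data.

```javascript
// Added illustration, not code from the thread or from any site.
// sealMessage, openMessage and edgeView are hypothetical names.
const crypto = require('crypto');

// X25519 shared secret -> 256-bit AES key via HKDF-SHA256.
function deriveKey(privateKey, publicKey, salt) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, salt, 'pm-e2e-demo', 32));
}

// Sender's client: encrypt to the public key published in the recipient's
// profile, using a fresh ephemeral key pair for every message.
function sealMessage(recipientPublicKey, plaintext) {
  const eph = crypto.generateKeyPairSync('x25519');
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv(
    'aes-256-gcm', deriveKey(eph.privateKey, recipientPublicKey, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    ephPub: eph.publicKey.export({ type: 'spki', format: 'der' }).toString('base64'),
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Recipient's client: only the holder of the private key can rebuild the AES key.
// A modified envelope or the wrong key makes final() throw (GCM tag mismatch).
function openMessage(recipientPrivateKey, env) {
  const b = (s) => Buffer.from(s, 'base64');
  const ephPub = crypto.createPublicKey({ key: b(env.ephPub), format: 'der', type: 'spki' });
  const d = crypto.createDecipheriv(
    'aes-256-gcm', deriveKey(recipientPrivateKey, ephPub, b(env.salt)), b(env.iv));
  d.setAuthTag(b(env.tag));
  return Buffer.concat([d.update(b(env.ct)), d.final()]).toString('utf8');
}

// Everything a TLS-terminating proxy or the site's database would hold.
function edgeView(env) { return JSON.stringify(env); }

// Constructed sample run.
const bob = crypto.generateKeyPairSync('x25519');
const envelope = sealMessage(bob.publicKey, 'constructed sample message');
console.log(edgeView(envelope));
console.log(openMessage(bob.privateKey, envelope));
```

The envelope protects message content only if the sender's client obtains the recipient's genuine public key, so keys served by the site itself still need out-of-band verification (for example a fingerprint comparison).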
[–] 20542735? ago (edited ago)
I am sorry, you are retarded, and I, the OP, was specifically hired to implement security on millions of computers for several fortune-100 corporations throughout history. By the way I am a long time SSL PROGRAMMER as well.
I told the truth. You must be a fed shill.
My words went over your head.
I guess I did not explain myself. Or you don't know what cloudflare is, or how their system works.
1 > cloudflare offers free anti-ddos and dns fail-over to tens of thousands of large sites, including voat.co
2 > it's free, because it is NOT ALLOWED to send gibberish encrypted data predominantly through them, all data must be clear unencrypted and only encrypted with a CLOUDFLARE owned and cloudflare controlled key. In the near past they even reused this same key for thousands of servers, like voat.co.
3 > for extra $, and rare according to their own FAQs, cloudflare will let voat.co also receive ssl encrypted data AFTER DECRYPTED and stored at cloudflare for US gov and others, then re-encrypt using a different SSL key no user ever sees, but to make sure data on last part of the trip is ssl protected.
No one here, not even me is talking about voat.co servers representation of data, it gets decrypted at some point, so your lame "straw man" argument with yourself is retarded.
Read this thread, I already addressed my points but you never read them I think or followed the links! Read here, it explains how Cloudflare prohibits real SSL controlled by voat.co : https://voat.co/v/QRV/3421748/20538241
[–] 20537830? [S] ago
https://files.catbox.moe/s9oxab.png