hmm, I'm not sure I agree - or perhaps I didn't explain myself well previously and caused confusion between us.
Yes I agree with you in your description of how cloudflare encrypts -> decrypts -> encrypts; they are allowing you to ride over their network. If you remove cloudflare from the picture entirely, then you just have the internet-facing server.
What I'm saying is, if the client and endpoint (server) talk in an encrypted protocol, then cloudflare cannot MiTM the data, only the IP headers. This is similar to connecting to any ol' website over an ISP's network. If your session is not HTTPS, then your application data can be read. You can have encrypted sessions inside of CF tunnel-network-tunnel.
If your services support encryption, great. But you can also expose a wireguard endpoint so you have the following:
wg client --(tunnel to CF)--> CF network --(tunnel to your server)--> wireguard server
the real advantage to CF tunnel is hiding your IP from the public internet, not poking any holes in your firewall for ingress traffic, and cloudflare can apply firewall rules to those clients trying to reach your server by DNS hostname.
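Added illustration (not the commenter's own config, and not from Cloudflare's docs verbatim) of the layout described in this comment: a cloudflared config.yml where the origin is itself HTTPS, so the hop from cloudflared to the origin stays encrypted even though Cloudflare's edge terminates the client's TLS, plus WARP private-network routing so an enrolled WARP client can reach a WireGuard listener behind the same outbound-only tunnel. The tunnel UUID, hostnames, IPs and file paths are placeholders I assumed, not values from this thread.

```yaml
# cloudflared config.yml -- added example of the "outbound-only tunnel" layout.
# Tunnel ID, hostnames, IPs and paths below are placeholders (assumptions).
tunnel: 00000000-0000-0000-0000-000000000000          # placeholder tunnel UUID
credentials-file: /etc/cloudflared/placeholder-tunnel.json

# Public hostname -> origin. cloudflared dials the origin *outbound*, so the
# firewall needs no ingress rule. Because the origin serves HTTPS, the
# cloudflared -> origin leg is TLS even though Cloudflare's edge terminated
# the client's TLS session and can read HTTP at that point.
ingress:
  - hostname: app.example.com            # assumed public hostname
    service: https://10.0.0.10:443       # assumed origin address on the LAN
    originRequest:
      originServerName: app.example.com  # name cloudflared expects on the origin cert
      noTLSVerify: false                 # keep origin certificate validation on
  - service: http_status:404             # required catch-all as the last rule

# Private-network routing for enrolled WARP clients. A WARP client can then
# reach a WireGuard listener at 10.0.0.20:51820 (assumed) over the same
# outbound tunnel, i.e. the "wg client -> CF -> wireguard server" path above.
# The WireGuard payload stays encrypted end to end with keys Cloudflare never holds.
warp-routing:
  enabled: true
# Advertise the LAN range once, outside this file:
#   cloudflared tunnel route ip add 10.0.0.0/24 <tunnel-name-or-uuid>
```

On the WARP client, the WireGuard peer's `Endpoint` would simply be `10.0.0.20:51820`; the server never needs a public address or an inbound port, and the public hostname route can still have Cloudflare access policies applied per hostname as the comment describes.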
The last gleam of hope I had was last year when John Oliver did an episode on data brokers. He in turn went and purchased data that would match congressmen in the D.C. area, along with their "interests." He jokingly threatened to release it (bc congressmen tend to act on an issue if it affects them personally). I thought that would be huge, everybody would see how rampant and invasive data collection would be. I was thrilled for a breakthrough.
but so far no movement, hasn't been released. I wonder if people wrote to John Oliver and his team if we will get an answer haha
Bills aren't being passed by lawmakers because like many of us who care about privacy, they have not heard about the abilities of data brokers and have no visibility into how rampant and disgusting and invasive their behavior is.
Friends and family I talk to don't care. "Oh well, what are they going to do, find me personally?"
I feel if people were able to look themselves up in these databases, they would fear it as well
reminds me of the John Oliver episode on Data Brokers where he started buying up data on senators in an effort to get better regulations about tracking data and aggregation bc that seems to be the only way they want to pass bills. Their interests > interests of the people they should be representing
I apologize, I misread the chain of comments. Your explanation is perfectly adequate for someone who has a basic grasp on networking and VPN and tunnels and encryption.
I would just like to add that if your endpoints communicate via an encrypted transport (HTTPS, SSH, etc.) then it doesn't matter if cloudflare tries to inspect your packets. There would be 2 layers of encryption while traversing the public web, then 1 layer when traversing CF's network.
And to some, packet inspection is not a downside since they can offer more protection - but that is totally up to your attack vector tolerance
WARP (a client) just connects you to CF's network.
If your server is running cloudflared (an outbound-only tunnel) then you can enroll your WARP client to reach your server, while your server is never accessible on the public web. That's the principle behind Zero Trust.
While technically yes, WARP can be considered as a VPN, it is just a secure tunnel to an endpoint. In which case you can argue any point-to-point tunnel is a VPN.
discovered tailscale from this post and after reading their "how tailscale works" I was hoping to get some clarification from an active user (you).
CF tunnels set up an outbound-only tunnel from my private network via cloudflared, I have no ingress holes in my firewall to access my services. cloudflared does all the proxying. Plus my IP changes monthly as I don't pay for a static one from my ISP. This "outbound-only" connection is resilient to that.
Tailscale is a point-to-point (data plane) connection and only the control plane is "hub and spoke". This sounds like I need to allow ingress rules on my private network so my server can be connected to? Is this true or where did I misunderstand?
I would recommend finding a company with a solid internship program and use the internship program to get your foot in the door and get hired. Companies like Cloudflare, VMWare or other with a security interest have strong internship programs.
Point is, using internships is arguably easier to get in. Many college students, myself included, used internships just to get any experience. But what you really want to strive for is interning where you want to work and kicking butt.
honestly, having a spare phone that sits at home is a great solution. Your main phone can be a native pixel/grapheneos (not lineage, graphene has no issues with feature compatibility). And the spare phone can run all the apps for, idk, your robot vacuum, smart home, etc. At home you have more control of data and connectivity.
we all have old phones that can be used as spares. My 8 yr old phone is the "remote control" for my house. Using accounts that don't tie to me, on its own vlan, pi-holed, etc
for speech recognition there is "futo voice" which not only works better than Google's speech talk-to-type by allowing the user to fluently speak, but it also works offline and doesn't upload voice recordings anywhere. You won't be able to use it with gboard because google will not allow the use of another talk-to-speech engine with gboard, you'll have to download another keyboard first.
mobile banking is an unnecessary luxury. Moving money around/paying CC bills often takes days to go through anyway so the urgency of "doing it now" on mobile can wait until you're at your desktop.
Push notifications, I'll give you. Without any services some apps cannot receive push notifications. As the other user suggested, using a pixel with grapheneos, you can install sandboxed google services or microG and then have full functionality.
On grapheneOS you can choose which apps have access to internet/data much more fine-grained than what google allows you.
hey I'm right there with you. I didn't want to type out all the details but the customer didn't want to use any tools they had to "learn". All they wanted was to be able to view a file structured similarly to a CSV. View, filter, and sort alphabetically. This was like a subtask of a bigger project.
Bottom line is we were like "hey don't waste your money on this request, there are tons of tools that can do this"
Their response was essentially "we contracted you, you guys figure it out." LOL okay, pay us for 1 additional month and you can have a program to load your csv and sort it
Had a client that couldn't understand a small dataset of data. They needed "something interactive to filter and sort the data for a human to review." We suggested putting it into an excel spreadsheet, and did it for them. Customer didn't know how to use excel so we had to create a knock-off excel table GUI that had buttons labeled "filter and sort".
some people seem to have money they don't know what to do with smh
What is incredible about this product is that I can speak normally and fluently as I normally do.
The need to look at the output as you speak is only necessary if you expect there to be errors. FUTO, amazingly, performs extremely well in this regard and I have a high confidence in not being able to trip it up. I don't feel that I need to look down at a live transcription.
This whole comment was written using FUTO voice input. I'm definitely going to donate to them.
GrapheneOS is the open source android OS on pixel hardware without any google binary blobs.
The advantage of using it is Google develops and optimizes the OS so it works on their hardware. The GrapheneOS project compiles the source code, hardens some parts, and boom
I take it you are a satisfied user. Ages ago when I looked into it, I didn't see the need. To save time for me and other people on this thread, what value does it bring to you? I would consider subscribing just to financially support them but what other tangible use does a subscription bring?