Through Tor, and this is not the first time I've had this problem:
[...403 error...]
For the downloads problem, if the downloads do not require you to be logged in, accessing the BCT server by its direct IP address and/or a DNS record that resolves to the IP should make it accessible, provided BCT hasn't blacklisted all non-CF IPs.
For the website issue, how about 2FA, that could help the situation? As you know, anytime a CDN has your certificate, they can intercept your traffic if they choose.
You could also make a login URL that is not routed through CF. I don't know how much hacking of SMF it would take to implement that. Actually, cloudflare might have a way to direct certain URLs to directly point to the backend (BCT) servers. I haven't messed with them in a while, since before they started doing their shared SSL service, so I'm not positive about this.
On the other hand, this might not address the problem that putting in a CDN was designed to prevent. If the DDOS attacks were directed to the login URL it would then be vulnerable again.
Thanks for the suggestions, Ben.
Unfortunately, to the best of my knowledge, all of your suggestions would require action by theymos; there's nothing there which I could do myself, as a workaround to obtain downloads right now. If there's a legitimate public means to find a direct IP address, I'd appreciate being corrected here. But I rather suspect that theymos wishes to keep his real IP addresses unknown to DDoSers; and if I could find it, so could they.
I have an inherent distrust of infrastructure services that I don't control, which is why I try to avoid CDNs. However, I have no website with as much traffic as BCT, so have never had to deal with that situation.
Same here. Specifically as to Cloudflare, in addition to how they sometimes cavity-search you with Javascript while still failing to keep the site reliably available, see e.g.: https://trac.torproject.org/24351
As you know, anytime a CDN has your certificate, they can intercept your traffic if they choose.
Cloudflare intercepts all traffic (and modifies at least HTTP response headers), as a matter of course!
My biggest complaint is that Cloudflare is a MITM attack against TLS on a substantial portion of the whole Internet. From the user end of things, I generally boycott Cloudflared sites insofar as practical. But I support the Bitcoin Forum, out of my respect for how theymos was honest with people when he was effectually forced behind Cloudflare by Internet arsonists:
With regret, I am (for now) admitting defeat on the DDoS front, and we will soon be using Cloudflare to protect against DDoS attacks. [...]
I really don't believe in willingly putting a man-in-the-middle in your HTTPS like this, [...]
I especially dislike Cloudflare, which I'm almost certain is basically owned by US intelligence agencies. [...]
The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...
The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at. They can't access the database arbitrarily, though: they can only see data that passes over the Internet.
To get a gauge on what independent, no-MITM DDoS protection can require for a(n extremely) high-profile target, I found Protonmail's experience interesting:
https://protonmail.com/blog/ddos-protection-guide/
The attack faced by ProtonMail was highly sophisticated and unfortunately required extraordinary effort to defeat. In the next section, some technical details of the attack against us are discussed.
In defeating this attack, we were able to benefit from strong in-house technical expertise, along with a partnership with IP-Max, the leading networking experts in Switzerland. Defending against large scale DDoS attacks remains an expensive undertaking. Below are the typical costs for this type of DDoS protection:
Networking equipment: $30000
BGP/GRE DDoS Mitigation (per year): $50000 - $100000
Dedicated IP Transit (per year): $20000
Maintenance Overhead: $10000+
(N.b. that I don't trust in-browser Javascript crypto which is downloaded separately for each session, and thus cannot be in any way verified and kept at a known good version. That would be most dangerous for targeted attacks. More so for a service which offers no alternative, as would allow people to choose according to their own security needs. I'm not endorsing Protonmail by linking to them for other reasons; do your own PGP on your own hardware!)
For an easier limited workaround on theymos' end, ChipMixer had an excellent suggestion upthread:
The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at.
Is there an official .onion proxy of BitcoinTalk that bypass Cloudflare? We do sometimes get support request PMs.
How about BitcoinTalk Pro accounts with monthly payments, private proxy without Cloudflare and captchas, bot access?
Though I would be concerned about the affordability of an ongoing subscription, an official .onion proxy would solve many problems. I may even offer to help with such a project, depending on what would be required of me. See my reply to ChipMixer upthread.
Why no bitcointalk forum coin with ICO
You earn coins by posting, and devs & sysadmins are paid with it?
Everything is creating tokens and ICOs... Even without value...
This place here is valuable!
Decentralise the Forums!
That would be mad; the whole point of this forum is to have the public have a balanced or neutral stance in the cryptocurrency community.
Creating a token or ICO for BTCtalk is effectively the same as losing net neutrality in the CC industry.
And congratulations, Phash2k reinvented Steem. This sort of nonsense reminds me of one of the earliest posts to which I awarded merit. It spoke of how DHTs...
...get invoked in ignorance to every distributed systems problem because they're the first distributed systems tool people have heard of (sadly, "blockchain" seems to be stealing this role), much as "neural network" has infested lay understanding of machine learning, or perhaps in other times "XML" was treated as a magical solution for inter-working serialization in places where it made little sense.
No, the problem will not be fixed by sprinkling some magical blockchain pixie dust on it.