Part 3: An HTTPS site behind Cloudflare (where security goes wrong)

1) you contact your DNS and resolve mixer.tld. Instead of getting the IP of the mixer's server, you get the IP of Cloudflare... Tricky, isn't it?
2) you send unencrypted data to the CLOUDFLARE server; this data includes some random data, some (more or less) boilerplate stuff and a list of ciphers your browser supports

3) the CLOUDFLARE server sends unencrypted data back; this data includes some random data, some (more or less) boilerplate stuff and its public key

3.a) you can verify whether this CLOUDFLARE key was issued by a CA you trust, and the browser can show a warning message (which you can disregard) if this isn't the case
4) a symmetric key is generated between you and Cloudflare
5) if you actually request a page, or post data, it is encrypted with the key from step 4. CLOUDFLARE decrypts your data and checks whether it can reply with content from its cache (yup, cache). If not, Cloudflare acts as a client and requests data from the mixer's server. Semi-ideally, they run in full or strict mode and they repeat steps 2-4 to generate a new symmetric encryption key between their server and the mixer's server. In flexible mode, they even request data over non-HTTPS!!!
So, semi-ideally, it would look more or less like this:

You see what's wrong with this picture? Even in the best-case scenario (Cloudflare-wise), Cloudflare decrypts EVERY packet that's meant for the mixer's server, it caches everything and it re-encrypts the request if it cannot reply with data from its cache. Even though the node operators cannot decrypt your packets, Cloudflare has a big datacenter filled with UNENCRYPTED data that can link "dirty" and "clean" wallets together. This data was meant to be seen only by you and the mixer, but because the mixer chose convenience over security, your most intimate and private financial data is now stored somewhere in the datacenter of a big, US-based company.
Even worse, even though the network node operators cannot decrypt your packets, they can still capture them. Cloudflare has the symmetric keys, so if the node operators get their hands on those keys (due to law enforcement getting involved, hacking, social engineering,...) they can still decrypt any historical packets they captured.
Cloudflare is a US-based company, and the US is known to be very lenient in privacy matters when three-letter agencies get involved. Cloudflare is also a big company, with many employees and many attack vectors... Social hacking, stealing employees, security flaws,...?
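To check step 1 for a site you use, the following added example (not part of the original post) tests whether the addresses a hostname resolved to fall inside Cloudflare's published IPv4 ranges and whether the response carries Cloudflare's usual headers. The range list is a snapshot of https://www.cloudflare.com/ips-v4 and may be out of date, the function names are hypothetical, and the sample inputs are constructed.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (assumption: the list
# changes over time, so refresh it before relying on the result).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def in_cloudflare_range(ip):
    """True if ip is an IPv4 address inside one of the listed ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in CLOUDFLARE_V4)

def header_signals(headers):
    """Return the Cloudflare-specific response headers that are present."""
    h = {k.lower(): v for k, v in headers.items()}
    signals = []
    if h.get("server", "").strip().lower() == "cloudflare":
        signals.append("server")
    if "cf-ray" in h:
        signals.append("cf-ray")
    return signals

def assess(resolved_ips, headers):
    """Combine DNS and header evidence into a verdict.

    "no-evidence" does not prove the TLS session ends at the site's own
    server: another proxy or CDN could still terminate it.
    """
    cf_ips = [ip for ip in resolved_ips if in_cloudflare_range(ip)]
    signals = header_signals(headers)
    if cf_ips and len(cf_ips) == len(resolved_ips):
        verdict = "proxied"
    elif cf_ips or signals:
        verdict = "likely-proxied"
    else:
        verdict = "no-evidence"
    return {"verdict": verdict, "cloudflare_ips": cf_ips, "header_signals": signals}

if __name__ == "__main__":
    # Constructed sample: what resolving mixer.tld and fetching "/" might return.
    sample_ips = ["104.16.1.1", "172.67.10.20"]
    sample_headers = {"Server": "cloudflare", "CF-RAY": "constructed-ray-id"}
    print(assess(sample_ips, sample_headers))
```

In practice the inputs would come from `socket.getaddrinfo()` and the headers of a real response; a "proxied" verdict means the key from step 4 is shared with Cloudflare, not with the mixer.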