It's great for non-political blogs, it's great for mom and pop shops... This being said: it's not OK to use cloudflare's cache (and their ssl certificates) for a mixer, a gunshop, a political blog, a porn site,...
I understand part of your concern. And it would be interesting to hear your opinion. For example, the site may have a certificate issued by an outside organization, but it will still use cloudflare services, you will never know, but you will be sure of your safety.
And I’d like to point out one thing. Jambler, for example, is not a mixer, it’s a platform for the rapid deployment of mixers. The end-user who does not want to advertise the sending and receiving addresses and other data does not address to the site jambler, and not mediocre to our partners. Also, all default partners have a version of tor that helps raise the level of anonymity.
I see your point of view... And i do agree... You're in a grey area yourself, you're not really a mixer, so maybe you can get away with using cloudflare's SSL certificates... This being said: three letter agencies might still find it usefull to know who your partners are, so i wonder if it wouldn't be better to use an x3 certificate instead of cloudflare's. Offcourse, you'd lose DDos protection, your website responsiveness *might* drop (if you were using slow hosting, or a high latency dc), and you'd use a little bit more bandwith.
I actually pointed this out to you in august 2018!
https://bitcointalk.org/index.php?topic=4667343.msg44815063#msg44815063
Here's your reply:
why is your mixer using cloudflare's ssl? Do you realise cloudflare will be able to decrypt all data between your customers and yourself? I'd encourage you to buy your own SSL certificates and move away from cloudflare asap if you want to be taken seriously.
Even letsencrypt certificates would be a hell of a lot better than cloudflare's on such a privacy-centric service (don't get me wrong: cloudflare is great if you're not a service that would require absolute privacy... I've been using cloudflare on my sites for a long time, but then again: i don't even allow useraccounts to be created on my sites...)
Even letsencrypt certificates would be a hell of a lot better than cloudflare's on such a privacy-centric service (don't get me wrong: cloudflare is great if you're not a service that would require absolute privacy... I've been using cloudflare on my sites for a long time, but then again: i don't even allow useraccounts to be created on my sites...)
Thank you for pointing this bug out. This is a very acute thing. We will definitely resolve the issue and will replace ssl certificates to eliminate this weak point of using cloudflare’s ssl.
At this moment, your platform is enabling 7 mixing services (when looking at https: // jambler.io /mix -coins. php). 6 have a clearnet presence, 3 of them use cloudflare, and one does not use ssl at all (what?
). I know there are your customers, but maybe giving them a nudge in the right direction wouldn't be to bad? Only 3 out of 7 of your clients got it right... Some kind of guidance from you side would probably be a good thing for privacy as a whole.@LeGaulois: you make a valid point aswell... For some people, "moderate" privacy against non-law enforcement might be enough... I know i have never actually needed protection against the law, i'd still like them to keep their nose out of my business tough
The main problem, which is the same for cloudflare SSL certificates and tor: not everybody is tech savvy, not everybody will do their homework... A lot of people will just use google to find a mixer, look at the green padlock, read the promo text and mix their coins, thinking they are now anonymous... A lot of people won't look at which certificate is issues by who, they won't look up nameservers or dns records, they won't inspect the code for embedded javascript,... They certainly won't download the tor proxy and start using the tor mirror... They are average people that want privacy, they trust the mixer in question, and in the end, they usually don't get the privacy they payed for... Granted, 99% of them don't *need* said privacy, they still payed for it, they trusted the mixer, so they should get that privacy (wether they need it or not).
But that's just my opinion
