this post was submitted on 21 Jan 2025

131 points (98.5% liked)

Technology

61166 readers

4747 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

131

Cloudflare Issue Can Leak Chat App Users' Broad Location (www.404media.co)

submitted 1 week ago* (last edited 1 week ago) by otter@lemmy.ca to c/technology@lemmy.world

34 comments fedilink hide all child comments

cross-posted from: https://lemmy.ca/post/37638868 !privacy@lemmy.dbzer0.com

This affects Signal too

An issue with Cloudflare allows an attacker to find which Cloudflare data center a messaging app used to cache an image, meaning an attacker can obtain the approximate location of Signal, Discord, Twitter/X, and likely other chat app users. In some cases an attacker only needs to send an image across the app, with the target not clicking it, to obtain their location.

https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117?ref=404media.co

Signal, an open-source encrypted messaging service, is widely used by journalists and activists for its privacy features. Internally, the app utilizes two CDNs for serving content: cdn.signal.org (powered by CloudFront) for profile avatars and cdn2.signal.org (powered by Cloudflare) for message attachments.

all 42 comments

sorted by: hot top controversial new old

[–] knighthawk0811@lemmy.ml 36 points 1 week ago (3 children)

i think this would be true of basically any large service that had multiple data centers. whichever one catches your data is the one closest to you.

the difficulty is accessing that data even if you can't read it you still have the closest location.

sounds to me like the Internet working as intended. if you want true privacy you need to take extra steps

[–] Telorand@reddthat.com 11 points 1 week ago

Agreed. Privacy is always a balance between your threat model and useability. If your general location is enough to put you in danger, hopefully you're already aware of how your data is being sent over the various networks and have measures in place to stay safe.

For most people, knowing very generally where they are isn't especially useful information to anyone with an interest in surveillance.

[–] KairuByte@lemmy.dbzer0.com 9 points 1 week ago (1 children)

Not even guaranteed to be the closest data center. It’s not completely out of the ordinary for there to be a faster route available to a data center farther away.

[–] knighthawk0811@lemmy.ml 1 points 1 week ago

true, true

[–] azertyfun@sh.itjust.works 2 points 1 week ago* (last edited 1 week ago) (1 children)

On the one hand, deanonimization attacks are never entirely avoidable on unhardened targets and this one isn't particularly sophisticated and leaks relatively little information.

On the other hand deanonimization attacks are always bad and it's a good reminder to people of the risks they are taking. This is also slightly non-obvious behavior, even if it makes sense to the technically competent, as something like an IP grabber normally requires user interaction such as clicking a link. It's also a vector that CF might be able to mitigate by patching the ability to query a given cache directly.

[–] knighthawk0811@lemmy.ml 1 points 1 week ago

they should be able to patch that as long as nothing relies on it working as is

[+] GreenKnight23@lemmy.world 8 points 1 week ago* (last edited 1 day ago) (2 children)

[deleted]

[–] theunknownmuncher@lemmy.world 16 points 1 week ago (1 children)

I support this because most all cloudflare websites require browser fingerprinting otherwise they will not serve you the page. The moment I enable the jShelter addon, I am cut off from a significant portion of the internet

[–] knighthawk0811@lemmy.ml 5 points 1 week ago (1 children)

CF is DNS you could be using it a lot and never know

[–] theunknownmuncher@lemmy.world 5 points 1 week ago (2 children)

I have a pihole serving DNS for my local network that is configured to use unfiltered Quad9 for upstream.

[–] knighthawk0811@lemmy.ml 3 points 1 week ago

ok, you are certainly not a common user.

[–] melroy@kbin.melroy.org 2 points 1 week ago (2 children)

Unbound is better IMO :)

[–] theunknownmuncher@lemmy.world 2 points 1 week ago

Well, I'm now using pihole for blocking + unbound for recursive resolving

[–] theunknownmuncher@lemmy.world 2 points 1 week ago* (last edited 1 week ago) (2 children)

What are the advantages over pihole?

EDIT: https://docs.pi-hole.net/guides/dns/unbound/ this page has a good explanation

[–] Hellmo_Luciferrari@lemm.ee 2 points 1 week ago* (last edited 1 week ago) (1 children)

You can use both. Unbound is a validating, recursive, caching DNS resolver.

You can setup Unbound to be a self hosted DNS solution, and point PiHole to use your Unbound.

Source: Unbound

[–] theunknownmuncher@lemmy.world 1 points 1 week ago (1 children)

Okay but what are the advantages of doing this?

[–] Hellmo_Luciferrari@lemm.ee 1 points 1 week ago (1 children)

Do you know what DNS does?

If you don't, essentially is what translates IP addresses to hostnames.

So what having unbound would do is allow you to do DNS lookup locally.

[–] theunknownmuncher@lemmy.world 2 points 1 week ago* (last edited 1 week ago) (1 children)

Um.... yes I understand what DNS does. Really?

I'm not trying to challenge you in any way. My disconnect in understanding is what unbound does and why I would want to use it over the built-in pihole FTLDNS. What are its advantages?

EDIT: I've answered my own question, unbound queries root name servers directly instead of using DNS providers. This is interesting. New question, what is the advantage of being my own DNS provider? Privacy from my ISP (who can just see the IPs that I am connecting to, anyway)?

[–] Hellmo_Luciferrari@lemm.ee 2 points 1 week ago

I wasn't trying to be short or condescending either. Just relaying what I know.

It is another layer of privacy in some cases. Could protect against poisoning of I'm not mistaken, but don't quote me.

I know for me, I prefer to self host things where I can so I can own as much of my own data as possible.

[–] melroy@kbin.melroy.org 2 points 1 week ago

So Unbound is actually a very powerful validating, recursive and caching DNS resolver. So without relaying on Google DNS or ISP DNS, you can host your own Unbound recursive DNS server, which can do request to other DNS servers and even root-dns servers. You can even setup your own stub zones and forward zones (sorry this is too much details I know). And like I said it also has caching feature. I will soon create a blog post about Unbound as well on my https://blog.melroy.org/ site be sure to subscribe.

Here is a snipped of part of my config, feel free to use it however you want:

        # Serve stale data
        serve-expired: yes
        serve-expired-ttl: 86400           # one day, in seconds
        serve-expired-client-timeout: 500  # 500ms

        # Increase caches for better performance
        msg-cache-slabs: 4
        rrset-cache-slabs: 4
        infra-cache-slabs: 4
        key-cache-slabs: 4

        rrset-cache-size: 300m
        msg-cache-size: 150m

        outgoing-range: 200
        num-queries-per-thread: 100

[–] melroy@kbin.melroy.org 12 points 1 week ago

Fully agreed, sorry to see people down voting you. But the Internet was not meant to be run by a single company called Cloudflare, it's a dangerous prospective. Since the more people depend on Cloudflare the more powerful it become and the more depend people will become. We need alternative solutions to protect against DoS and more.

[–] boaratio@lemmy.world 8 points 1 week ago (2 children)

I don't want to be a contrairian, but your cellphone carrier does this non stop. Cloudflare is not a good company, but this is the least of your problems.

[–] Rogue@feddit.uk 4 points 1 week ago

You have entirely misunderstood this exploit.

[–] ByteOnBikes@slrpnk.net 2 points 1 week ago (1 children)

How so? Asking out of curiosity.

[–] boaratio@lemmy.world 7 points 1 week ago (2 children)

I'm not trying to wear a tinfoil hat, but Snowden clearly revealed that the government is easily able to purchase cellphone location data based on GPS and tower data more easily than they can go through the FISA courts.

[–] ByteOnBikes@slrpnk.net 2 points 6 days ago* (last edited 6 days ago)

Ah, thought you meant though metadata. Like a end user snooping through some obscure meta data method (even after cleaning) let's you triangulate something.

[–] Danitos@reddthat.com 3 points 1 week ago

Your cellphone provider very likely already sells this data.

I know mine does, because I attended a webinar of a buying company where they explicitly mentioned this.

[–] hal_5700X@sh.itjust.works 7 points 1 week ago

Another reason why Cloudflare sucks.

[–] nandeEbisu@lemmy.world 7 points 1 week ago

oh no, now they nkow I'm in the US North East, assuming I'm not using a VPN...

[–] melroy@kbin.melroy.org 2 points 1 week ago (2 children)

Another reason to not use Cloudflare. Not that long ago they also "lost the log records" (this incident happened on November 14, 2024). I strongly believe the internet can become better without Cloudflare, especially now basically the whole world is depending on it.

[–] melroy@kbin.melroy.org 2 points 6 days ago

Sorry to see so many people still down vote me. What is wrong with you? The internet has become a joke. Moving all to cloudflare will only make the problem worse.

[–] sunzu2@thebrainbin.org 6 points 1 week ago (1 children)

It is impossible to use most of corpo internet if you block cloudflare. Shit is wild.

Not sure who is down voting you lol

I wish people would respond with a rebuttal so we can move convo forward.

[–] melroy@kbin.melroy.org 2 points 6 days ago (1 children)

I also have no idea why is down voting me lol. But you are 100% right. Could you imagine in the year 2000 that everything needs to behind Cloudflare in 2025 in order to have a functional internet? This shit is indeed wild.

[–] ganymede@lemmy.ml 2 points 6 days ago

fuck me lemmy is turning into an absolute reddit-esque cesspool shithole.

i do not understand why people are in here simping for cloudflare (presumably unpaid) do they have money in cloudflare? clearly they don't have a fucking clue whats really going on in the world, but what makes them think they need to actively enforce (ie. downvote people) for pointing out issues with cloudflare??

this is beyond weird.

[–] sunzu2@thebrainbin.org 0 points 1 week ago

You don't need a VPN mate...

It ain't a solution but surely would help here