Since I am too lazy to set up my own SSL and use CloudFlare instead, notifications in Toot! are now down AGAIN, because CloudFlare is down. Joy.
@tootapp please be aware that in this case you are transferring userdata over the internet in plaintext. (Between your back end and Cloudflare)
There are many reasons to use cloudflare, but this isn't a good one :/
@sheogorath @tootapp Indeed. You should never trust CloudFlare. If you need me to help with traffic, I can help you. Please PM me and we can work it out.
That's not the point I made. Setups with Cloudflare can be secure (considering trusting Cloudflare as a third party is fine, which you might debate, but that's another problem)
But running Cloudflare in default mode for Universal TLS called "flexible" is a problem, because the Backend connection isn't encrypted at all, while users still see a shiny and well-configured HTTPS connection in their browser. I recommend to use either "Full" or "Full (Strict)" for this case.
@sheogorath @tootapp That doesn't really solve the problem. CloudFlare is still MITMing your connection regardless. But instead of blindly trusting your server's certificate, it will check it.
User's data is still vulnerable. Completely unacceptable.
@L1Cafe
Agreed and you consider that as a problem, but it's a different one. Because you at least have a contract with Cloudflare and legal bindings. That's different to any random internet stranger between your backend server and Cloudflare's backend server can see what people get as notifications.
Trusting Cloudflare or not, is a completely different problem, that at the end of a day, is something people have to decide for themselves.
@tootapp