sklc@mastodon.world

I'm kinda annoyed at #lemmyworld tbh. More often than not I get random errors when I want to check it out. I think I'll just move to lemm.ee. I wish we could just move our accounts like on Mastodon. It's a hassle resubscribing to everything. #lemmy

superlime@fosstodon.org

@sklc There are some account migration tools, however they require you to enter your credentials, so you'd need to decide if you trust them or maybe review the code yourself.

github.com/CMahaff/lasim
github.com/wescode/lemmy_migra

bojkotiMalbona@infosec.exchange

If you’re concerned about username & password being shared, you should certainly avoid both #Fosstodon & #LemmyWorld. They are both centralized in #Cloudflare so your acct creds are exposed to Cloudflare Inc. every time you login, along with all your traffic.

snott@teabag.ninja

pffft, you and your facts @kev, getting in the way of a good story

jtr

@kev see, this is one of the reasons I enjoy your content. You’re an admin of one of the biggest indie social networks, but it doesn’t inflate you with hot air. Cool and factual, you know what you say and when to say it. 🙂

bojkotiMalbona@infosec.exchange

@kev I’ve detected a bit of intellectual dishonesty here. #Fosstodon used the standard default #Cloudflare configs as early as March & for months thereafter, certainly at least as late as May 29th, confirmed by someone’s complaint specifically about the block screen. The timeline shows complaints about CF are littered around before & after that point. If you expand some of the threads in that timeline, it’s clear the default CF configs persisted despite Fosstodon staff being told that the default configs were resulting in users being forced to run non-free software & that the configs needed to change. That change never happened, because I know I saw the block screen whenever I tried to directly visit fosstodon.

Fosstodon finally made a recent move from CF proxy to CF NS. I am not checking every day to see what fosstodon does next.

Under the current config, you can spontaneously switch on the CF reverse proxy at any moment with immediate effect without even telling users all their traffic will be seen by Cloudflare (including passwords). It’s in fact the only way that the reverse proxy can work. If you don’t use the MitM certs, CF cannot process the requests for you during an attack.

So the compromise is still in place. The only difference is that now it’s spontaneous instead of continuously ongoing. And most likely you’ve probably not fixed the CF configs, so when you flip that switch users will get a captcha that pushes #nonfreesoftware. The goal should be to get off CF entirely including nameservers.

selea@social.linux.pizza

@kev

The thing is, that you don't need to use their certificates in order to be MiTM'ed.
The only thing that is needed is any certificate with a private key uploaded to their platform.

Unless you do pure TCP tunneling, but CF does not support that (I think)

@bojkotiMalbona

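The two posts above describe the security-relevant distinction: with the Cloudflare reverse proxy ("orange cloud") on, TLS terminates at Cloudflare, which holds a certificate and key for the hostname and sees the plaintext; in DNS-only mode Cloudflare merely answers DNS, but the proxy can be switched on at any time. The following is an added example (editor's code, not from any poster or from Cloudflare) that an instance's users or admins could run periodically to detect that switch from a DNS/HTTP snapshot. It assumes the published Cloudflare IPv4 ranges and the well-known `cf-ray` / `server: cloudflare` edge headers; the snapshots are constructed, not real observations of any instance.

```python
"""Classify a host as Cloudflare-proxied (TLS terminates at Cloudflare) or
DNS-only (clients connect straight to the origin) from a captured snapshot."""
import ipaddress

# Cloudflare's published IPv4 edge ranges (see https://www.cloudflare.com/ips-v4).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_ip(addr: str) -> bool:
    """True if the address lies inside a Cloudflare edge range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_V4)


def classify(a_records, response_headers):
    """Return "proxied", "dns-only" or "unknown".

    proxied  -> A record points at Cloudflare and/or the HTTP response carries
                Cloudflare edge headers: TLS terminates at Cloudflare, so it
                sees the decrypted traffic (login credentials included).
    dns-only -> Cloudflare only serves DNS; the client reaches the origin
                directly, so no Cloudflare interception position exists right
                now. A later proxy flip moves the host to "proxied".
    """
    hdrs = {k.lower(): v.lower() for k, v in response_headers.items()}
    edge_ip = any(is_cloudflare_ip(a) for a in a_records)
    edge_hdr = "cf-ray" in hdrs or hdrs.get("server") == "cloudflare"
    if edge_ip or edge_hdr:
        return "proxied"
    if a_records:
        return "dns-only"
    return "unknown"


# Constructed snapshots (not measurements of any real instance).
PROXIED_SNAPSHOT = (["104.26.5.10"],
                    {"Server": "cloudflare", "CF-RAY": "0000000000000000-EXAMPLE"})
# 203.0.113.0/24 is reserved documentation address space.
DNS_ONLY_SNAPSHOT = (["203.0.113.42"], {"Server": "nginx"})

if __name__ == "__main__":
    for name, snap in (("proxied", PROXIED_SNAPSHOT), ("dns-only", DNS_ONLY_SNAPSHOT)):
        print(f"{name} snapshot -> {classify(*snap)}")
```

A real run would feed `classify` the A records from a resolver and the headers from an HTTPS response; a change from "dns-only" to "proxied" between runs is the event the thread is warning about.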
giffengrabber@infosec.exchange

@selea

What do you mean by MiTM in this context?

If Alice connects to hogehoge.net and hogehoge.net uses Cloudflare for DDoS protection, how would Mallory eavesdrop or tamper with Alice’s connection?

@kev @bojkotiMalbona

selea@social.linux.pizza

@giffengrabber

Mallory works for Cloudflare probably ;)

@kev @bojkotiMalbona
