Is this website safe?
Aractus
I want my visitors and readers to know that I take your experience seriously. I don’t want to waste your time with a trashy blog, and I don’t want you to feel you were click-baited or otherwise misled either. One of the things that keeps my website objective is that it is not a commercial website, and I have no conflicts of interest to declare. Recently I received, let’s call it criticism, for posting a graphic depiction of Androgen-insensitivity syndrome (i.e. nudity). I took this criticism on board and I put it behind a warning, not really because I want to or because the content warrants it, but because I recognise that some visitors from certain cultures seem to expect that.
But now let’s talk about web safety in the broader sense. Can you even tell that a website is safe any more? Does the green padlock even mean anything now that Cloudflare uses a MITM approach?
You might be thinking you can look websites up on WOT (Web of Trust). WOT has recently been exposed for selling user-data that was inadequately anonymised (link is in German). German data scientist Andreas Dewes showed that the supposedly anonymous data sold by WOT could be easily de-anonymised, saying “für mich war sehr überraschend, wie einfach man einen Großteil der Daten deanonymisieren konnte. Die Privatsphäre des Nutzers wird in keinster Weise respektiert”. Or in English “I found it very surprising how easily one could de-anonymise much of the data, privacy of the users was not respected in any way”.
You guys know that I think privacy is a basic human right, and it’s one of the key reasons I advocate the use of extensions such as uBlock Origin. In light of the information above, WOT has subsequently been removed from DuckDuckGo as well as other search engines that supported it, and its Chrome and Firefox extensions have also been removed from the official respective extension repositories. WOT’s response has been inadequate, to say the least.
Privacy issues aside, WOT was never a great service anyway. It’s just an opinion-based thing, which is terrible because as I noted right at the start – some people have expectations of what they consider to be “safe” that are different to others. And that has the potential to affect smaller websites like mine that contain content that is no more or less safe or acceptable than content you might find on Wikipedia.
The discussion on SSL and Cloudflare will have to wait for another day. For now, I encourage you to read this article which pretty much sums up the problem with Cloudflare’s SSL, and this one that explains how an intercept proxy works. There are several problems with Cloudflare SSL, but as mentioned this blog entry got quite long so I’ll have to go over it separately.