Let’s say, I create a bank with the caveat that all of my banking phone apps and webapps are FOSS (or if they depend on non-free components — banks probably do to communicate with each other —, then just OSS). Am I going to be behind the competition by doing this?

If the most secure crypto algorithms are the ones that are public, can we ensure the security of a bank’s apps by publicizing it?

Are they not doing this because they secretly collect a lot of data (on top of your payment history because of the centralized nature of card payments) through these apps?

EDIT: Clarifying question: Is there a technical reason they don’t publicize their code or is it just purely corporate greed and nothing else?

  • sweng@programming.dev
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    1 year ago

    any website can trivially configure their own firewall in the same way without CF.

    How many websites can handle the amount of traffic that CF can handle? It’s not just about configuring your firewall, it’s about having the bandwidth. Otherwise it’s not much of a DDoS protection.

    I see CF keys.

    As I don’t have an account there I can’t see which requests containing credentials use which cert.

    And also, just because the cert is verified by cloudflare does not mean they have the private key.

    • freedomPusher
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      1 year ago

      How many websites can handle the amount of traffic that CF can handle? It’s not just about configuring your firewall, it’s about having the bandwidth. Otherwise it’s not much of a DDoS protection.

      That’s what I’ve been saying throughout this thread. The only significant DDoS protection offered by Cloudflare requires CF seeing the traffic (and holding the keys) so it can treat the high-volume traffic. If CF cannot see the payloads, it cannot process it other than to pass it all through to the original host (thus defeating the DDoS protection purpose).

      As I don’t have an account there I can’t see which requests containing credentials use which cert.

      Why would you need an account? Why wouldn’t bogus creds take the same path?

      If it’s true that this is unverifiable, that’s good cause to avoid Cloudflared banks. It’s a bad idea for customers to rely on blind trust. Customers need to know who the creds are shared with /before/ they make use of them – ideally even before they make the effort of opening an account.

      And also, just because the cert is verified by cloudflare does not mean they have the private key.

      This uncertainty is indeed good cause to avoid using a Cloudflared bank.

      UPDATE: I’ve spoken to some others on this who assert that it is impossible for a bank customer to know for certain if a bank uses their own key to prevent disclosure to CF.