mirror of https://github.com/jakejarvis/jarv.is.git synced 2025-07-03 17:46:39 -04:00

archive.is vs cloudflare post updates

2019-05-06 10:28:58 -04:00
parent ae4ab9c05d
commit 0f01f7f1b2
4 changed files with 5 additions and 5 deletions

Binary file not shown. Before: 86 KiB. After: 24 KiB.

Binary file not shown. Before: 135 KiB. After: 40 KiB.


@ -14,15 +14,15 @@ draft: false
![](images/archive-is.png)
A [recent post on Hacker News](https://news.ycombinator.com/item?id=19828317) pointed out what I've noticed for a long time -- the [Archive.is](https://archive.is/) (aka [Archive.today](https://archive.today/)) website archiver appears unresponsive when I'm on my home network, where I use Cloudflare's fantastic public DNS service, [1.1.1.1](https://1.1.1.1/). I didn't connect the two variables until I read this post, where somebody noticed that the Archive.is domain resolves for Google's 8.8.8.8 DNS, but not 1.1.1.1.
A [recent post on Hacker News](https://news.ycombinator.com/item?id=19828317) pointed out what I've noticed for a long time -- the [Archive.is](https://archive.is/) (aka [Archive.today](https://archive.today/)) website archiver appears unresponsive when I'm on my home network, where I use Cloudflare's fantastic public DNS service, [1.1.1.1](https://1.1.1.1/). I didn't connect the two variables until I read this post, where somebody noticed that the Archive.is domain resolves for Google's 8.8.8.8 DNS, but not 1.1.1.1. An interesting and timeless debate on privacy vs. convenience ensued.
Matthew Prince, the CEO & Co-Founder of Cloudflare (who's also [very active](https://news.ycombinator.com/user?id=eastdakota) on Hacker News), responded to the observation [with a detailed explanation](https://news.ycombinator.com/item?id=19828702) of what's happening behind-the-scenes, revealing that the owners of Archive.is are actively refusing to resolve their own website for 1.1.1.1 users because Cloudflare's DNS offers ***too much*** privacy. Excerpts below:
> Archive.iss authoritative DNS servers return bad results to 1.1.1.1 when we query them. Ive proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service. [...] The archive.is owner has explained that he returns bad results to us because we dont pass along the EDNS subnet information. This information leaks information about a requesters IP and, in turn, sacrifices the privacy of users.
Essentially, Archive.is throws a hissy-fit and returns a bogus CNAME when Cloudflare doesn't provide them with geolocation info on you via the dated and optional [EDNS IP subnet standard](https://tools.ietf.org/html/rfc6891). The owner of Archive.is has even [admitted this](https://twitter.com/archiveis/status/1018691421182791680) with a questionable claim about the lack of EDNS information causing him "so many troubles."
Essentially, Archive.is throws a hissy-fit and returns a bogus CNAME when Cloudflare doesn't provide them with geolocation info on you via the dated and optional [EDNS IP subnet standard](https://tools.ietf.org/html/rfc6891). The owner of Archive.is has even admitted this with [a questionable claim](https://twitter.com/archiveis/status/1018691421182791680) about the lack of EDNS information causing him "so many troubles."
<blockquote class="twitter-tweet" data-dnt="true"><p lang="en" dir="ltr">&quot;Having to do&quot; is not so direct here.<br>Absence of EDNS and massive mismatch (not only on AS/Country, but even on the continent level) of where DNS and related HTTP requests come from causes so many troubles so I consider EDNS-less requests from Cloudflare as invalid.</p>&mdash; archive.today (@archiveis) <a href="https://twitter.com/archiveis/status/1018691421182791680?ref_src=twsrc%5Etfw">July 16, 2018</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
{{< tweet 1018691421182791680 >}}
I left the [following reply](https://news.ycombinator.com/item?id=19828898) to Matthew:
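Review bot: The "EDNS IP subnet standard" link in the "Essentially, Archive.is throws a hissy-fit" paragraph still points at RFC 6891, which defines the general EDNS(0) extension mechanism; the client subnet option this sentence is about is specified in RFC 7871. The line is already being edited to move the tweet link, so this is a good moment to retarget it. Separately, the removed blockquote set `data-dnt="true"` explicitly, while the replacement `{{< tweet 1018691421182791680 >}}` shortcode shows no such setting here, so confirm the rendered embed still requests do-not-track in a post that argues for DNS privacy.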
@ -32,4 +32,4 @@ I left the [following reply](https://news.ycombinator.com/item?id=19828898) to M
Sure, it's annoying that I'll need to use a VPN or change my DNS resolvers to use a pretty cool (and otherwise convenient) archiving service. But I'm more happy to see that Cloudflare is playing the privacy long-game, even at the risk of their users concluding that they're blocking websites accessible to everyone else on the internet.
[**Learn how to switch your DNS to 1.1.1.1 here.**](https://1.1.1.1/dns/)
[**Learn how to switch your DNS to 1.1.1.1 here.**](https://1.1.1.1/dns/)


@ -1,5 +1,5 @@
let newHeaders = {
"Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline' stats.jarv.is comments.jarv.is buttons.github.io platform.twitter.com cdn.syndication.twimg.com; style-src 'self' 'unsafe-inline' comments.jarv.is platform.twitter.com; img-src 'self' data: https:; font-src 'self' comments.jarv.is; object-src 'self'; media-src 'self'; base-uri 'none'; form-action 'self'; frame-src 'self' www.youtube.com www.youtube-nocookie.com codepen.io; frame-ancestors 'self'; worker-src 'none'; connect-src 'self' jarvis.report-uri.com stats.jarv.is comments.jarv.is api.github.com syndication.twitter.com; upgrade-insecure-requests; report-uri https://jarvis.report-uri.com/r/d/csp/enforce; report-to default",
"Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline' stats.jarv.is comments.jarv.is buttons.github.io platform.twitter.com cdn.syndication.twimg.com; style-src 'self' 'unsafe-inline' comments.jarv.is platform.twitter.com; img-src 'self' data: https:; font-src 'self' comments.jarv.is; object-src 'self'; media-src 'self'; base-uri 'none'; form-action 'self' platform.twitter.com syndication.twitter.com; frame-src 'self' www.youtube.com www.youtube-nocookie.com platform.twitter.com syndication.twitter.com codepen.io; frame-ancestors 'self'; worker-src 'none'; connect-src 'self' jarvis.report-uri.com stats.jarv.is comments.jarv.is api.github.com syndication.twitter.com; upgrade-insecure-requests; report-uri https://jarvis.report-uri.com/r/d/csp/enforce; report-to default",
"Report-To": "{\"group\":\"default\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://jarvis.report-uri.com/a/d/g\"}]}",
"NEL": "{\"report_to\":\"default\",\"max_age\":604800}",
// "Strict-Transport-Security" : "max-age=1000",
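Review bot: The `form-action` directive goes from `'self'` to also allowing `platform.twitter.com` and `syndication.twitter.com`, which lets any form on the site submit to those hosts, yet the only related change visible in this commit is a tweet embed in one post. An embedded tweet is rendered in a frame, so the `frame-src` addition is the part the embed needs; please confirm `form-action` is actually required and otherwise leave it at `'self'`. The commit message ("archive.is vs cloudflare post updates") does not mention that the site-wide Content-Security-Policy header changes, so a reader of the log will not find this later; a separate commit or a line in the message would help. The policy is also a single very long string, which makes a two-directive change like this hard to spot in review; building it from one entry per directive would make future diffs readable.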