Privacy

Has avoiding Cloudflare become Impossible?

Mostly, yes. But let’s break this down. Cloudflare only breaks web services and so far Cloudflare’s privacy abuses and gate-keeping is mostly confined to the web. Avoiding Cloudflare is impossible in some circumstances.

CFd government sites are unavoidable (voting rights lost in the US)

The only Cloudflare sites that are strictly unavoidable AFAICT are government sites. You can always boycott the private sector, but the public sector is shoved down our throats. There are 6 or so states in the US where voter registration goes through Cloudflare. Even if you register on paper there is still no escape because the data entry worker likely uses the Cloudflare site. I am a non-voter for this reason. Although it’s still possible to move to one of the 44 other states and register there.

CFd medical websites

See How lack of digital rights, Cloudflare, and Google worsened a medical emergency situation and undermined human rights. When you need medical info in a hurry, boycotting is tough.

search is liberated -- but only by 1 single search service to date

There is only one general purpose search service that helps avoid Cloudflare: Ombrelo, which tags and down-ranks Cloudflare websites in the results.

What's your threat model? Adjust accordingly.

The situation is, what it is, but there's a wide range of actions one can take that fall between the two poles of do nothing and burn all internet enabled devices.

Cf only acts as a mitm for encrypted traffic if you choose it in the options. If you provide your own cert then they can’t decrypt anything.

Stupid Question:

How do I find out if a website I use is hosted over cloudflare? The noscipt javascript blocker extension shows in some cases I blocked some cloudflare javascript. For example on the lemmy.world instance it shows a script labeled "cloudflareinsights.com" that I block. That apparently provides visitor analytics

According to them on insights:

Our edge sees all requests made to a website, regardless of whether it’s cached or uncached, the user has adblock, or they turned off JavaScript. This enables us to [....]

On other sites it shows a "confirm you are human" check-box labeled with the cloudflare brand (if I activate javascript for that site) -- according to cloudflare wikipedia that service is known as Cloudflare Turnstile. This is how I currently see if cloudflare is involved.

Another interesting thing I noticed on stackoverflow is email protected which confirms to me stackexchange also uses cloudflare somehow.

I guess you could detect a Reverse Proxy by cloudflare based on its IP-Adress ~ but I do not really know how to look that up perhaps the following stack overflow answer might help using the tools nslookup and whois... Any other hints on this?

nslookup www.monero.town whois -h whois.arin.net n <IP-Adress from prev command> | egrep 'Organization'

VPN. Tor. Those are basic tools for relative anonymity.

Even my proposed solution to use archive.org as a proxy is not a valid solution since I found out today that archive.org is also hosted behind Cloudflare…

Yikes! Can you give more detail? I’ve used archive.org quite heavily for years (it’s the only practical universal escape from Cloudflare). The IP address is not in Cloudflare’s range. But recently Cloudflare as started hiding its own presence by outsourcing to 3rd parties. It’s a vast minority of cases but this could obviously worsen. Is archive.org using CF through one of the undisclosed 3rd parties? A couple years ago archive.org announced a disturbing partnership with CF but did not disclose the details.

I don't think it's possible to avoid companies like Cloudflare, AWS, Akamai, etc. Or not without a whole lot of effort that isn't really reasonable and would severely degrade user experience. They provide what's become fundamental infrastructure to the internet, and that doesn't seem likely to change.