Don't Trust CloudFlare
Whether on matrix, the fediverse, or wherever else you know me, you've probably seen me ranting about CloudFlare for one reason or another and advocating for its abandonment by server administrators. CloudFlare has issues on quite a few fronts, which depending on your ideals, may only amount to one or two. This post is an attempt to enumerate all of the different, often unrelated, issues with CloudFlare, in a single place for reference purposes. In fact I plan on keeping this updated as CloudFlare pulls-off crazier and crazier bullshit and continues to become the norm among administrators. Odds are if you are reading this you are somebody I or somebody else referred here, so to expedite your visit here is an outline of the post by headings:
NOTE: Throughout this article Cloudflare is spelled “CloudFlare” for accessibility purposes, I would encourage you to do the same for similar names to help e-readers.
Outline: 1. The immediate problem with CloudFlare, with a fix for lazy admins. 2. The fundamental issue with CloudFlare and similar services. 3. CloudFlare as a threat to federation. 4. CloudFlare's expansion into the decentralized web and beyond.
Other similar/related posts: 1. CloudFlare, We Have A Problem (joepie91) 2. The Trouble with CloudFlare (Tor blog) 3. CloudFlare's Captcha Deanonymizes Tor Users (cryptome) 4. CloudFlare and RIAA Agree on Tailored Site Blocking Process (torrentfreak) 4. Why CloudFlare is Probably a Honeypot (cyberpunk.is) 5. The Great CloudWall (notabug.org) 6. iSucker: Big Brother Internet Culture (exiliedonline.com)
The immediate problem with CloudFlare, with a fix for lazy admins.
So here is where I'll cut to the chase for all you CloudFlare sellouts who aren't interested in the future of the internet or the threats that CloudFlare poses to it, but instead worry about “User Experience” and want more people to be able to access your website by offloading the basic work onto somebody else (yeah, I'm mad at you, stop being lazy).
CloudFlare's “protection” has a massive issue which blocks an entire demographic of users from accessing your site because it will consistently have “false-positives” about threats, and this demographic is Tor users (Who uses tor?). Basically, any tor user is systematically blocked from viewing not only your websites behind CloudFlare, but also any resources like media hosted behind CloudFlare. For more details from the tor project about how this makes the average user's experience on the modern internet completely unusable because of admin incompetence (looking at you, admin) you can read more here. Something to note is that CloudFlare has a bunch of highly skilled PR people who train their support employees and marketing department to avoid the word “block” and instead say newspeak like “challenged” or “flagged due to threat score”, which are all the same thing in practice.
The Lazy Workaround:
CloudFlare allows its useds (the administrators being used to dragnet its user's data) to allow for an exception to the prohibitive blocking which harasses tor users. CloudFlare treats Tor exit-relays like a “country” under its UI (
Tor (T1)), and to allow them to visit go to the IP Firewall > Access Rules panel and select the Whitelist option for Tor.
Notice how I hosted this media on my site which doesn't have CloudFlare to make it accessible rather than linking to CloudFlare.
And then if that's all you are here for, that's it. I would invite you to read on though.
The fundamental issue with CloudFlare and similar services.
Aside from the web becoming a bloated mess and needing all this stuff in the first place, one way or another, CloudFlare represents a model web-service which negates all the privacy and security benefits of independent hosting. User connections to sites configured with CloudFlare are decrypted not at the site itself, but at CloudFlare's servers, allowing them to snoop like teenagers fiddling around with Wireshark in 2004 before HTTPS was being used by most websites. Even worse, traffic passed between two servers each configured to use CloudFlare is owned by CloudFlare at both ends. This comes with extreme privacy and security implications which are at least partially explored here, but have otherwise not received any attention whatsoever. As services like CloudFlare become more and more “Comprehensive”, and more and more security responsibilities are passed off to them by administrators, the purpose for these privacy and security features to begin with is being negated. I'm not the type who is interested in doing a full security analysis, but there is definitely one that deserves to be done concerning services like CloudFlare and I think I have made clear the fundamental issue at the very least. I urge administrators to take back the responsibilities of their jobs and quit handing off their duties to companies like CloudFlare or else we are in for serious trouble in the future.
CloudFlare as a threat to federation.
Whether you are talking about the fediverse (mastodon/pleroma), or any other federated network the motivations behind such projects as of late can be clearly outlined:
- Decentralization of Power (Not beholden to any single administration and its policies)
- Privacy (Anti-Mass surveillance)
- Interoperability (Anyone can run a node following the specification and expect it to work with the rest of the network)
These have been, and remain, the appeals of federated networks for social networking.
However, the increasing and alarming trend of administrators in these federated networks to use CloudFlare threatens all three of these.
Decentralization of Power
CloudFlare threatens decentralization of power by being in a position to deny service to nodes in the federated network by its own policies. Any portion of the network running on CloudFlare is not subject to the policies of a diverse selection of hosting services, but a singular entity's conditions and terms of service which are subject to change at any point in time. Using CloudFlare is re-centralizing power.
I will not get into too many specifics, but above in the “Fundamental issue” section I outlined the general security issue presented by having major nodes on CloudFlare's network. The threat described above applies only to HTTPS and secure web connections, but the degree of this issue can vary from more mild to extremely concerning based on how nodes in a federated network communicate with each other.
One of the benefits of federated networks is that nodes can provide entry points from different networks altogether which once connected allow users who prefer to browse, message, or interact on one service to keep in touch with users anywhere else. In principle, any server which implements of the specifications of a federated network and begins federating with peers on other networks can participate. CloudFlare's policy of blocking Tor connections, and presumably other anonymization overlay networks in the future threatens this key accessibility feature. Nodes running on CloudFlare are cut-off from nodes running via Tor (as hidden services, for example) by default. I would also suspect that CloudFlare may have the potential of limiting interoperability between networks and undercutting this accessibility property in other ways which have yet to be seen.
Any one of these on its own should be enough for a keen observer to have concerns about how CloudFlare usage may effect the future of federated networks, but all three of these have been the case for quite some time now. I think it is time to ring the alarm bells.
CloudFlare's expansion into the decentralized web and beyond.
CloudFlare's business model, surprise surprise, keeps finding new ways to coincidentally end up as an intermediary for internet traffic. Here I will outline the new and innovative ways in which CloudFlare is commercializing alternative and traditional networks while simultaneously deononymizing users and recentering trust towards their proprietary infrastructure:
- Here is a mild one to start with, you may have already heard of CloudFlare as a DNS Resolver, which they brag controls 39% of managed DNS domains.
- What you may not be aware of, is their “Hidden DNS Resolver for Tor” which uses their now-famous “220.127.116.11” DNS server, but now for your Tor sessions!
- Here's a fun one: CloudFlare's IPFS gateway which they bill as being used to “Browse files stored on IPFS easily and securely with CloudFlare’s Distributed Web Gateway without downloading software. Serve your own content hosted on IPFS from a custom domain over HTTPS.”. Geez, I wonder how removing the entire P2P benefit of IPFS could possibly suit their interests.
There are many admins out there with no regard for the future of the internet as it becomes hypercentralized, and as few megacorporations accumulate absolute power. An example would be /r/selfhosted and all the people behind sites which rely on ad-revenue.
And so what if you don't too?
Fuck you and Fuck CloudFlare.