The Unclear Impact

Genuine question here…

Aside from the centralisation issue, why do people dislike so much?

No hyperbole please, I’d prefer the discussion to be based on facts.

@kev I hate it because of the captcha implementation it does. That one is sooo annoying that even I am annoyed by how frequent it is

@kev it seems that some people an offence in the way it operates by terminating TLS connections. This obviously breaks the trust of TLS as now the connection is between you and Cloudflare and no longer you and the site owner. (At the same time people might don't mind hosting providers like which also terminate TLS sessions on someone's behalf.)

Another critique point is of course the never ending CAPTCHA thingy.

@sheogorath great point. I know I’d personally prefer it if my TLS chain wasn’t MiTM, especially when services like Let’s Encrypt exist.

I suppose what’s important here is to understand what they’re doing with that data when the carry out TLS inspection.

@kev Privacy reasons. I am forced to trust that they are not collecting, selling, or processing my data and especially meta data.

@floppy that’s hyperbolic IMO. That’s the same for any service, with any provider. It’s not unique to Cloudflare.

@kev 13 minutes and already we found factual reasons to hate them. Says much about hoe prople hate it dontcha think?

@kev they act as a MITM, Cloudflare decrypts all your traffic. All the usernames, passwords, have passed in plain text through cloudflare’s server.

Here you have more information about Cloudflare

@kev @floppy The problem is that CloudFlare is so ubiquitous that it is hard to avoid. Try using Tor Browser for a day.

@kev Any service can collect data, yes, but CDN has access to different data. I respectfully object that this is hyperbolic.

Separate web services can collect data separately for their own use. A CDN backing those services can associate and correlate separate requests to several services. It possesses an overview of what collection of services are used by an individual, which is information that cannot be acquired trivially by individual services.


Re: cloudflare, privacy

@kev @floppy Their quantity has a quality of its own. Due to the sheer number of sites they MITM, they have a nearly exceptional ability to correlate and analyze user behavior across sites. Granted, a site may still chose to share data with trackers and data aggregators, which gives aggregators the same correlation ability, but at least that’s overt, while sites opting to use a CDN with MITM inadvertently give away connection data for free (or even pay for the ‘privilege’).

@kev Urgh...thank you for asking that. I've asked this question for myself, too.

People often say, it was "the biggest privacy abuser", while linking to some dubious websites and Github comments/README's (!)
I mean...WTF!?

@kev Depending how the CDN is integrated, it can collect more or less meta data, e.g. when were requests made (and when not). Meta data can be used for creepy correlations to work out e.g. when somebody is on holidays, who your friends are, or what you like. Due to the various sources for the CDN, the available meta data is more potent.


@kev Yes, here I may get a bit hyperbolic regarding what intentions I assume. Problem is: The technical possibilities exist. I don't see any technical limitations that make abuse impossible. So I am required to trust, which I don't think is a good model in this case.


@kev Here is a addon for multiple browsers, related to the discussion of CDN, tracking, and privacy.

Decentraleyes | Local CDN Emulation

@be @MindOfJoe @kristof

@floppy @kev @be @MindOfJoe Decentraleyes is a bit different, because it replaces CDN for third-party resources. Thankfully, browsers nowadays use first-party isolation, so third-party resources leak very little information to the CDN (the CDN can’t just set a cookie when you browse one site and retrieve it when you browse another). Probably the largest vulnerability would be the CDN injecting malicious code, but that can be avoided by the developers with subresource integrity. That is not to say that local CDN emulation is not useful (that’s one fewer HTTP request to analyze and correlate, the very least), but it can’t do much against willful MITM use for first-party resources, where the request may carry much more relevant information (like usernames, first-party cookies and session IDs).


@kristof @floppy @be @kev Identify-activity fingerprinting begins simply with my IP address as a source seeking a resource at the destination IP address. If all of the resources you visit are hosted by me, then I know quite a bit about you. I don't need everything in the payload for metadata analysis.

@MindOfJoe @be @floppy @kev Yeah, probably only the names of resources requested close to each other (or in the same TLS connection) would be most of the time enough to identify the site a given IP address is visiting. Although with aggressive enough browser caching, that fingerprinting vector can be plugged up, but then you’d have just created another one.

@kristof @be @floppy @kev Interesting discussion, but I think we've drifted from Kev's intent. I just wanted to throw support for floppy against Kev's off-hand dismissal: One reason to dislike CDNs is that they have a very broad view of individual activity. Same applies to ISPs, VPS Providers, etc. If Tor were *centralized* (meaning they had complete information about every node's activity), we wouldn't trust it either. #justsayin'

@kev I’m personally a bit torn. Cloudflare have done many good things, such as making it easy for website operators to use HTTPS, help haveibeenpwned with caching (for free!), and recently help keep icanhazip online.

At the same time their spam filtering is way to aggressive. It was rare, but I sometimes couldn’t open websites while I lived in the Philippines because of Cloudflare’s filtering. That’s my primary reason for disliking them.

@kev Not sure, I use Cloudflare as my primary dns and am rather happy with it.
So no dislike from me

@werwolf yeah, I know that Cloudflare basically MiTM your traffic, but that's the same as any corporation who uses systems like Alteon to do SSL inspection.

It's what they do with that data that counts - which the link you posts doesn't offer any credible sources.

I agree that we should assume worst case and hope for best case and that's where the layered InfoSec comes in - unique passwords, multi-factor etc.

@kev @werwolf who is on the cloudflare board? Who are their investors? That will tell you a LOT. If it include people like Richard Clarke or Gilman Louie, or investors something like blackstone or in-q-tel, be afraid, be VERY afraid.

@kev since we don't know what's running at cloudflare's servers we should assume that Cloudflare is malware. That's why I have it blocked on my browser and I distrust Cloudflare's certs.

@kev people in this sphere can be self-important, and paranoid. But this is anecdotal based on what I see.

As in: major trust issues. I often see that they view Cloudflare’s infrastructure as a MitM. Especially using their edge network for CDN or for proxy.

Also as in: believing ideology comes at the expense of infrastructure. “Cloudflare is for profit, trust is implicit, they are not FOSS, and therefore should be abandoned.” When that’s not how the rest of the world thinks, acts or does work.

@werwolf if that's the case, you should probably block traffic to the vast majority of large enterprises too, as many of them do content inspection too.

@wholesomedonut very eloquently put. Thank you!

@rny does Cloudflare market it's SSL/TLS offering as E2E? That's a new one on me if it does.

@kev yeah, I try to do it. I have my Pihole blocking a ton of dangerous domains and hosts. Then on my browser I have uBlock Origin blocking third parties by default and with custom filter lists.

Sometimes when I really need to use a site that's broken I may make an exception. But only if it's completely necessary.

@kev my previous, personal experience with cloudflare (and the only time I tried to use it) back when they provided mitm https for everyone before letsencrypt was available:

@kev they're a bit monopolistic

@kev for me it was because if Cloudflare has any issues then my site could be down and it's completely out of my control.

@rny so in full mode I assume you have to give your private key to Cloudflare?


Well, isn't the centralisation issue enough ?

@Iutech depends on the person, I suppose.