Don't Trust CloudFlare

December 4, 2019

Whether on matrix, the fediverse, or wherever else you know me, you've probably seen me ranting about CloudFlare for one reason or another and advocating for its abandonment by server administrators. CloudFlare has issues on quite a few fronts, which depending on your ideals, may only amount to one or two. This post is an attempt to enumerate all of the different, often unrelated, issues with CloudFlare, in a single place for reference purposes. In fact I plan on keeping this updated as CloudFlare pulls-off crazier and crazier bullshit and continues to become the norm among administrators.

The immediate problem with CloudFlare, with a fix for lazy admins.

So here is where I'll cut to the chase for all you CloudFlare sellouts who aren't interested in the future of the internet or the threats that CloudFlare poses to it, but instead worry about “User Experience” and want more people to be able to access your website by offloading the basic work onto somebody else (yeah, I'm mad at you, stop being lazy).

The Problem:

CloudFlare's “protection” has a massive issue which blocks an entire demographic of users from accessing your site because it will consistently have “false-positives” about threats, and this demographic is Tor users (Who uses tor?). Basically, any tor user is systematically blocked from viewing not only your websites behind CloudFlare, but also any resources like media hosted behind CloudFlare. For more details from the tor project about how this makes the average user's experience on the modern internet completely unusable because of admin incompetence (looking at you, admin) you can read more here. Something to note is that CloudFlare has a bunch of highly skilled PR people who train their support employees and marketing department to avoid the word “block” and instead say newspeak like “challenged” or “flagged due to threat score”, which are all the same thing in practice.

The Lazy Workaround:

CloudFlare allows its useds (the administrators being used to dragnet its user's data) to allow for an exception to the prohibitive blocking which harasses tor users. CloudFlare treats Tor exit-relays like a “country” under its UI (Tor (T1)), and to allow them to visit go to the IP Firewall > Access Rules panel and select the Whitelist option for Tor.

cloudflare_firewall_UI

Notice how I hosted this media on my site which doesn't have CloudFlare to make it accessible rather than linking to CloudFlare.

And then if that's all you are here for, that's it. I would invite you to read on though.

The fundamental issue with CloudFlare and similar services.

A couple of years ago the web started becoming incredibly bloated with redundant technologies, adverts, trackers, and such which all went beyond displaying the content the user asked for using open, standardized technologies. As a result of this, CDNs (Content Delivery Networks), which had previously been relegated to hosting media content like videos and images which they can cache and serve faster for larger audiences began hosting javascript frameworks and applets embedded in webpages along with various forms of tracking and social media connections. Once this started happening, and web design stopped being about how to make your content compatible with as many browsers as possible using the features from web standards (HTML+CSS), and more about unnecessarily mimicking much of that functionality with javascript frameworks (which take quadruple the time to load and create a bottleneck for the user's browsing experience). It was inevitable that a lazy solution would come presenting itself as the solution to a lazy problem (relevant talk and relevant article). Nowadays CloudFlare is far more, its the ultimate laziness bundle for web administrators who won't properly configure a server to use caching, retain a valid TLS certificate, perform load balancing, and more. Its the reverse proxy for people too lazy to know what that even means plus a bunch of shiny bits on top. It is common to hear CloudFlare being used for the purpose of “DDOS protection”, sure, making all your traffic go through foreign servers does have that as a side effect, but it seems like most hosting services these days offer that regardless, and self-hosters probably only need to setup some basic DDOS mitigation on a private server. But enough of reviewing what CloudFlare already is with my extremely sarcastic tone, what's the problem here with CloudFlare in particular?

Aside from the web becoming a bloated mess and needing all this stuff in the first place, one way or another, CloudFlare represents a model web-service which negates all the privacy and security benefits of independent hosting. User connections to sites configured with CloudFlare are decrypted not at the site itself, but at CloudFlare's servers, allowing them to snoop like teenagers fiddling around with Wireshark in 2004 before HTTPS was being used by most websites. Even worse, traffic passed between two servers each configured to use CloudFlare is owned by CloudFlare at both ends. This comes with extreme privacy and security implications which are at least partially explored here, but have otherwise not received any attention whatsoever. As services like CloudFlare become more and more “Comprehensive”, and more and more security responsibilities are passed off to them by administrators, the purpose for these privacy and security features to begin with is being negated. I'm not the type who is interested in doing a full security analysis, but there is definitely one that deserves to be done concerning services like CloudFlare and I think I have made clear the fundamental issue at the very least. I urge administrators to take back the responsibilities of their jobs and quit handing off their duties to companies like CloudFlare or else we are in for serious trouble in the future.

CloudFlare as a threat to federation.

Whether you are talking about the fediverse (Mastodon/Pleroma/Misskey), or any other federated network the motivations behind such projects as of late can be clearly outlined:

Decentralization of Power (Not beholden to any single administration and its policies)
Privacy (Anti-Mass surveillance)
Interoperability (Anyone can run a node following the specification and expect it to work with the rest of the network)

These have been, and remain, the appeals of federated networks for social networking.

However, the increasing and alarming trend of administrators in these federated networks to use CloudFlare threatens all three of these.

Decentralization of Power

CloudFlare threatens decentralization of power by being in a position to deny service to nodes in the federated network by its own policies. Any portion of the network running on CloudFlare is not subject to the policies of a diverse selection of hosting services, but a singular entity's conditions and terms of service which are subject to change at any point in time. Using CloudFlare is re-centralizing power.

Privacy

I will not get into too many specifics, but above in the “Fundamental issue” section I outlined the general security issue presented by having major nodes on CloudFlare's network. The threat described above applies only to HTTPS and secure web connections, but the degree of this issue can vary from more mild to extremely concerning based on how nodes in a federated network communicate with each other.

Interoperability

One of the benefits of federated networks is that nodes can provide entry points from different networks altogether which once connected allow users who prefer to browse, message, or interact on one service to keep in touch with users anywhere else. In principle, any server which implements of the specifications of a federated network and begins federating with peers on other networks can participate. CloudFlare's policy of blocking Tor connections, and presumably other anonymization overlay networks in the future threatens this key accessibility feature. Nodes running on CloudFlare are cut-off from nodes running via Tor (as hidden services, for example) by default. I would also suspect that CloudFlare may have the potential of limiting interoperability between networks and undercutting this accessibility property in other ways which have yet to be seen.

Any one of these on its own should be enough for a keen observer to have concerns about how CloudFlare usage may effect the future of federated networks, but all three of these have been the case for quite some time now. I think it is time to ring the alarm bells.

CloudFlare's expansion into the decentralized web and beyond.

CloudFlare's business model, surprise surprise, keeps finding new ways to coincidentally end up as an intermediary for internet traffic. Here I will outline the new and innovative ways in which CloudFlare is commercializing alternative and traditional networks while simultaneously deanonymizing users and re-centering trust towards their proprietary infrastructure:

Here is a mild one to start with, you may have already heard of CloudFlare as a DNS Resolver, which they brag controls 39% of managed DNS domains.
What you may not be aware of, is their “Hidden DNS Resolver for Tor” which uses their now-famous “1.1.1.1” DNS server, but now for your Tor sessions!
Here's a fun one: CloudFlare's IPFS gateway which they bill as being used to “Browse files stored on IPFS easily and securely with CloudFlare’s Distributed Web Gateway without downloading software. Serve your own content hosted on IPFS from a custom domain over HTTPS.”. Geez, I wonder how removing the entire P2P benefit of IPFS could possibly suit their interests.

There are many admins out there with no regard for the future of the internet as it becomes hyper-centralized, and as few mega-corporations accumulate absolute power. An example would be /r/selfhosted and all the people behind sites which rely on ad-revenue.

And so what if you don't too?

Fuck you and Fuck CloudFlare.