116

They get shit on a lot here. Why? What do they do and how is that different from other companies that offer similar services?

What I know of them: they offer DDS brute force/spam protection for websites.

top 50 comments
sorted by: hot top controversial new old
[-] slazer2au@lemmy.world 138 points 10 months ago

I wouldn't call it hate, just concern.

Cloudflare acts as a front door to many sites and as such your TLS session is terminated at Cloudflare, then CF makes a additional session from themselves to the target site.
This is concerning as that means CF can see all of your data.

[-] kn33@lemmy.world 38 points 10 months ago

It's worth mentioning the advantage of why they do this. There are several reasons, but the two most common are:

  • Seeing the data means they can do a better job at detecting attacks and fending them off.

  • They can issue certificates with longer lives from their private CA which simplifies certificate management for their customers.

[-] slazer2au@lemmy.world 38 points 10 months ago

considering they are a US company they are bound by US warrantless wiretapping laws.

[-] lemmyng@lemmy.ca 20 points 10 months ago

Plus other capabilities like injecting banners, caching, etc

[-] gregorum@lemm.ee 19 points 10 months ago* (last edited 10 months ago)

you say, "caching," CF says, "ca-ching!"

[-] gencha@lemm.ee 15 points 10 months ago

There is https://developers.cloudflare.com/ssl/keyless-ssl/

If you don't own your private keys, wtf are you doing anyway? People are fucking lazy and they are paying for it.

[-] SnotFlickerman@lemmy.blahaj.zone 16 points 10 months ago* (last edited 10 months ago)

While true, and I am not a hater of Cloudflare:

Keyless SSL is only available to Enterprise customers that maintain their own SSL certificate purchased from a valid Certificate Authority. Cloudflare does not supply any certificates for use with Keyless SSL.

I'm not part of any Enterprise organization and I'm too poor to sign up for Enterprise level service, and so I am unable to use their Keyless SSL.

Just for example. Sometimes it's not that we don't want to but can't afford to, especially if we're just Joe Schmoe running a handful of services on a server box.

Once again, I have no issues with Cloudflare myself, and personally have a decent amount of respect for them.

I'm just saying getting access to the Keyless SSL is less easy than you made it sound.

[-] gencha@lemm.ee 2 points 10 months ago

I get that. If you're not paying for a service, there's still a price. There are no companies out there doing you any favors, only those that make you believe they do.

Clouflare is okay. Don't trust anything apparently free ever

[-] rikudou@lemmings.world 7 points 10 months ago

Keyless SSL is only available to Enterprise customers

[-] gencha@lemm.ee 3 points 10 months ago

If you're not paying money for a service, you're paying another way

[-] redcalcium@lemmy.institute 4 points 10 months ago

How much the Enterprise plan on cloudflare cost? $300/mo?

[-] ISometimesAdmin@the.coolest.zone 1 points 10 months ago

Right?? To let your website be susceptible to that kind of act by anyone means that you probably didn't really care about security in the first place, so much as just getting the magic lock icon happy.

[-] zeluko@kbin.social 3 points 10 months ago

Magic lock icon is easy, hard is it to block attacks and being able to do very little about it.
Spoofed packets, server providers not caring what their customers do, many abuse email adresses dont even work.
Keyless SSL would be nice and i'd use it. I have my own keys, but its for Enterprise customers only.

I am not using Cloudflare as i dont like them handling like 80% of all traffic. But as website owner i can understand why someone would still choose them..

[-] FlexibleToast@lemmy.world 60 points 10 months ago

It's partly just their sheer size. The internet continues to become a worse place as it gets more and more centralized, and Cloudflare is part of that.

[-] Dogeek@sh.itjust.works 49 points 10 months ago

They get hated on because :

  • they inspect packets. They terminate the TLS sessions at their servers and reencrypt to forward to the backend. This allows them to analyze the data to spot spam, optimize compression and such

  • they are used everywhere. If they go down, 30% of the internet goes with them.

[-] IphtashuFitz@lemmy.world 5 points 10 months ago

They terminate the TLS sessions at their servers and reencrypt to forward to the backend. This allows them to analyze the data to spot spam, optimize compression and such

And any organization that utilizes a CDN/security provider, like Akamai, AWS, Fastly, etc. knows that they all do this. They need access to the unencrypted content in order for services like CDN and WAF to work properly.

load more comments (3 replies)
[-] redcalcium@lemmy.institute 35 points 10 months ago

Cloudflare is cool now, but what would happen 10 years from now when they get enshittified while handling majority of global web traffics? We would be truly fucked.

[-] BestBouclettes@jlai.lu 16 points 10 months ago* (last edited 10 months ago)

Yep, it's never a case of "if", only "when"

[-] rikudou@lemmings.world 8 points 10 months ago

What would happen? Well, people would switch. It's not like you're entering a contract that forces you to host using CloudFlare.

I once bought a website that was on CloudFlare, few simple config changes later it's running directly on a webserver.

[-] redcalcium@lemmy.institute 14 points 10 months ago

Not so easy to switch it you're balls deep into their products such as Worker, Zero Trust Network, Magic WAN, Stream, etc.

[-] KiranWells@pawb.social 5 points 10 months ago

To be honest, you can say the same about any large cloud provider. What happens if AWS, or Azure, or Google Cloud go down, or become terrible?

[-] redcalcium@lemmy.institute 2 points 10 months ago* (last edited 10 months ago)

Cloudflare has much more impact than other cloud vendors here simply because they MITM their customers by default. Combine that with ever increasing market share, cloudflare has the potential to tap into data not even Google analytics can collect because they're able to see all unencrypted data following through their reverse proxy. If they decided to up their analytics game, you won't be able to block their data collection with ublock origin.

[-] BaroqueInMind@lemmy.one 28 points 10 months ago* (last edited 10 months ago)

Most people enjoy bandwagon jumping onto hating the status-quo. If Cloudflare goes down, the majority of the internet goes with it, because they are the most prolific private entity that owns most of the hardware running the entire internet.

They are the biggest because they provide the overall best and essentially fastest level of DDoS, geoIP block, and packet-inspection malware protection of any provider on commercial hardware short of utilising spooky predictive DARPA machine learning algorithms that ride the razors edge of sapience on government funded terawatt supercomputer clusters. They are expensive and you get what you pay for.

[-] spacecowboy@sh.itjust.works 25 points 10 months ago

That’s exactly why many of us dislike cloudfare. They’ve maneuvered themselves into a “too big to fail” position. Seems to be the goal of big corps these days.

[-] Maiznieks@lemmy.world 1 points 10 months ago

Preemptive hate, that's smart!

[-] chaogomu@kbin.social 4 points 10 months ago

To be fair, they've also earned that hatred. Several times over.

[-] Limonene@lemmy.world 24 points 10 months ago

Cloudflare seems to incorrectly classify my Internet connection, which is a residential Internet connection going to my house, as a datacenter connection or VPN or something.

Many websites that use Cloudflare give me endless captcha forms. As soon as I solve one, it demands another, and never lets me access the website.

Sometimes I solve one captcha, and then it says I'm blocked forever for sending automated queries, even though I filled it out correctly. The error message is: "You are blocked."

Sometimes it lets me in after one captcha, but I still resent having to enable Javascript for these assholes just to access a site that doesn't otherwise require Javascript.

Sometimes Cloudflare adds extra security to certain pages, just for me. The developers of the website didn't program it to handle this extra security, so the site fails for just me, and the site developers don't believe me, telling me I have a browser problem (in three different browsers, which I can fix by using a proxy). For example, when the site's javascript has my browser to do a CORS operation, the first step is the browser sending an OPTIONS request. However, the extra security of the proxy introduced by Cloudflare responds slightly differently from the actual website, so the site breaks.

Cloudflare uses a holistic approach to deciding whether you are a legitimate user or a bot. In other words, they use every single possible piece of data they can get on you, including tracking your visits across other Cloudflare sites. They do discriminate against certain user-agent strings.

Cloudflare completely blocks many Tor users, even from having read-only access to a site.

When you ask Cloudflare why your IP address is blocked, they falsely claim that it's a setting created by the website admins. I strongly suspect that this setting is something like "use Cloudflare(tm) Adaptive Security(tm)" and probably doesn't explain to the site admin that they're blocking large quantities of innocent users.

Cloudflare has previously used Google Recaptcha, which has a ton of problems (tracking, accessibility, training AIs that will make my life worse).

[-] Fleppensteijn@feddit.nl 23 points 10 months ago

It sucks to go through "prove you are human" screens that seem to time out half the time. Even worse when they put RSS feeds behind this Cloudflare wall

[-] shellsharks@infosec.pub 12 points 10 months ago
[-] hedgehog@ttrpg.network 4 points 10 months ago

This reads to me like:

Cloudflare is consistent in their refusal to censor legal free expression by refusing service to those sites. As a result, they serve sites containing offensive, but legal free expression, as well as expression that should be illegal (and may already be - specifically when it comes to). People are mad about this.

To emphasize their refusal to police the content of sites they host, Cloudflare used to simply forward complaints about their customers to those customers. They thought they were making it clear that they were doing this, and maybe they were, but sometimes people miss those sorts of disclaimers and given the subject matter of these complaints, that was a bad process on their part. They haven’t apologized but they have amended their process in the years since.

Did I miss anything?

Now, I get that “free speech absolutist” is a dog whistle for “I’m a white supremacist” thanks to the ex-CEO of a particular social media company, but there’s a difference between

  1. saying it and not doing it, and
  2. actually doing it

And unlike the aforementioned anti-semitic billionaire, Cloudflare is pretty consistent about this. They refuse to block torrent sites as well, and I’ve never heard of them blocking a site that was legal and should have been kept around. (As opposed to immediately blocking the account of the guy who was tracking his personal jet.)

That all said, Cloudflare did eventually cancel the accounts of The Daily Stormer, 8chan, and Kiwi Farms.

I wouldn’t feel as strongly about this if the examples of corporations that do censor speech didn’t show that they’re consistently bad at it. I’m talking social media sites, payment processors, hosts, etc.. If Cloudflare were more willing to censor sites, that would be a bad thing. And they agree:

After terminating services for 8chan and the Daily Stormer, "we saw a dramatic increase in authoritarian regimes attempting to have us terminate security services for human rights organizations — often citing the language from our own justification back to us," write Prince and Starzak in their August 31 blog post.

These past experiences led Cloudflare executives to conclude "that the power to terminate security services for the sites was not a power Cloudflare should hold," write Prince and Starzak. "Not because the content of those sites wasn't abhorrent — it was — but because security services most closely resemble Internet utilities."

To be clear, I’m not saying that social media sites should stop censoring nazis. I’m saying that social media sites are bad at censoring nazis and just as often they censor activists, anti-fascists, and minorities who are literally just venting about oppression, and I see no reason why that would be different at a site level instead.

When you have a site that’s encouraging harassment, hate speech, cyber-bullying, defamation, etc., or engaging in those things directly, that should be a legal issue for the site’s owners. And on that note, my understanding is that there’s a warrant out for Anglin’s arrest and he owes $14 million to one of the women whose harassment he encouraged.

Cloudflare said they’re trying to basically behave like they’re a public utility. They’re strong proponents of net neutrality, which is in line with their actions here. There are reasons to be suspicious of or concerned about Cloudflare, but this isn’t a great example of one.

Side note: It’s funny to me that the comment immediately below yours says that one of the reasons to distrust Cloudflare is because of a concern that they may have been abusing their power (due to effectively being a mitm) and censoring particular kinds of content.

[-] shellsharks@infosec.pub 2 points 10 months ago

A measured response to be sure. Thanks for writing it up. I'm definitely not the one who's going to tell you for sure what CloudFlare should or should not do in this case or any other cases. It's a tricky business to be in in terms of making those decisions. That said, I do think there is a line to be drawn SOMEWHERE, and because of this they would eventually need to deplatform something. If that signals to the regimes of the world that Cloudflare can be influenced than so be it, but to me (and I think a lot of the people who were going after Cloudflare during this time), Nazi's (and those sites you mentioned, e.g. Kiwi Farms) are easy to draw lines for. Good thing I'm just a dude on Lemmy and not a high powered CF exec hah!

load more comments (2 replies)
[-] Fontasia@feddit.nl 8 points 10 months ago

For me, it's the blog posts, written with a level of arrogance and condescension that they are "fixing" the limitations of TCP\IP and if you aren't using them, you're making the Web worse for everyone

[-] Lath@kbin.social 8 points 10 months ago

You won't see it much in the wild, but there have been a few sporadic cases of suspicion where cloudflare may have removed or modified attachment files.
Of course, there's a chance those files were malware or that cloudflare didn't do anything, but for now, there is a theory being formed that all the websites managed by cloudflare can have any of its data modified at will by cloudflare, making it a potential hub for tyranny, censorship and oppression.

[-] ObsidianZed@lemmy.world 6 points 10 months ago

For the better part of a decade, I've used Cloudflare's DNS servers, 1.1.1.1 & 1.0.0.1, mostly because they claimed it was more secure and slightly faster than say, Google's 8.8.8.8.

What are the secure-minded folks using these days?

[-] zeluko@kbin.social 3 points 10 months ago
[-] orbital@infosec.pub 2 points 10 months ago

Cloudflare's 1.1.1.2 blocks known malware domains, so that's better than 1.1.1.1 unless you want nothing blocked.

If you want to block ads and trackers in addition to malware, try ControlD's 76.76.2.2 .

Better still is to use encrypted DNS if your device supports it. I like NextDNS or ControlD for that, as DNS-Over-TLS or -HTTPS.

[-] notannpc@lemmy.world 4 points 10 months ago

From what I could tell it’s mostly because they didn’t participate in the immediate removal of deplorable, but legal sites from their service.

The most recent case being Kiwi Farms https://www.cbsnews.com/news/cloudflare-abuse-policy-kiwi-farms-harassment-clara-sorrenti-keffals/

They quickly reversed course and dropped kiwi farms within a few days of that article dropping https://www.washingtonpost.com/technology/2022/09/03/cloudflare-drops-kiwifarms/

load more comments
view more: next ›
this post was submitted on 24 Jan 2024
116 points (96.0% liked)

No Stupid Questions

35868 readers
775 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here.



Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 1 year ago
MODERATORS