A lot of people have issues with Cloudflare, some more justified (e.g. their shitty and aggressive “sales” tactics that skirt the line with extortion), and some not so much.
I checked their comments in another thread where they were discussing Cloudflare, and they linked to a site with some false information about CF, like claiming that Cloudflare blocks VPN traffic to sites hosted on or tunneled through them (they don’t, and I just tested this to verify I wasn’t crazy, because I’ve been hitting CF-tunneled sites through VPNs for years), or very misleading information (like seemingly trying to conflate CF blocking some CGNAT IPs, which could have blocked innocent users behind those addresses, into claiming that they block all CGNAT IPs… which they don’t).
There are also a lot of people who like to say that Cloudflare is a MITM (by ignoring the “unknown to the communicating parties” part of the definition of MITM), but honestly, as someone whose job is information security, this mostly strikes me as overfocusing on one part of a large chain that you have very little control over, to feel more in-control.
Once traffic leaves your home network, you are trusting a lot of different groups with your data, whether you like it or not. You’re trusting the DNS provider to send you to the right IP. You’re trusting the AS operators to properly and honestly maintain their BGP routes to take you to the legitimate owner of that IP. If a site is being served on a VPS, you’re trusting the VPS provider not to be reading or altering the traffic. If it’s SSL-encrypted, you’re trusting the CertificateAuthorities involved not to be issuing malicious certs, etc etc…
As usual, there is a grain of truth behind those claims:
Cloudflare offers their own DNS, with stated benefits like filtering out some sites, while resolving CF sites… but some VPNs also set their own DNS, which don’t fully match Cloudflare’s… resulting in some combinations of CF site and VPN, not working. I’d blame the VPN for that, but people’s experience is going to be “everything works, except some CF sites” 🤷
Cloudflare is a “potential” MITM: they claim not to read the traffic… but as a TLS terminator, they get the ability to read it without anyone’s knowledge.
All non-encryped traffic is considered to be “insecure” for some time now. The whole point of initiatives like Let’s Encrypt, is to remove everyone on the client-server path from the list of entities you have to trust, so it ends up as: client software, client system, CertAuth, server owner, server software.
Ideally, we’d have homomorphic encryption on the servers, but it’s not there yet.
Cloudflare is a “potential” MITM: they claim not to read the traffic… but as a TLS terminator, they get the ability to read it without anyone’s knowledge.
Yes, and this is also true for AWS ALBs and any other hosted reverse-proxies that do SSL offloading/ termination. Hell, it’s even worse for AWS in general, since they also have potential access to your databases and instances, nevermind SecretsManager info that you just directly give them. It’s just such a weird thing to specifically only harp on Cloudflare like that site is.
Besides, the only real threat actor I can see them being worried about with CF is the USFG, since they’re the only ones I could see being able to compel CF to break their customer contracts like this. And if the USFG is your presumed threat actor, and you’re in the US, you’re not going to “out-security” them by avoiding Cloudflare.
A lot of people have issues with Cloudflare, some more justified (e.g. their shitty and aggressive “sales” tactics that skirt the line with extortion), and some not so much.
I checked their comments in another thread where they were discussing Cloudflare, and they linked to a site with some false information about CF, like claiming that Cloudflare blocks VPN traffic to sites hosted on or tunneled through them (they don’t, and I just tested this to verify I wasn’t crazy, because I’ve been hitting CF-tunneled sites through VPNs for years), or very misleading information (like seemingly trying to conflate CF blocking some CGNAT IPs, which could have blocked innocent users behind those addresses, into claiming that they block all CGNAT IPs… which they don’t).
There are also a lot of people who like to say that Cloudflare is a MITM (by ignoring the “unknown to the communicating parties” part of the definition of MITM), but honestly, as someone whose job is information security, this mostly strikes me as overfocusing on one part of a large chain that you have very little control over, to feel more in-control.
Once traffic leaves your home network, you are trusting a lot of different groups with your data, whether you like it or not. You’re trusting the DNS provider to send you to the right IP. You’re trusting the AS operators to properly and honestly maintain their BGP routes to take you to the legitimate owner of that IP. If a site is being served on a VPS, you’re trusting the VPS provider not to be reading or altering the traffic. If it’s SSL-encrypted, you’re trusting the CertificateAuthorities involved not to be issuing malicious certs, etc etc…
As usual, there is a grain of truth behind those claims:
Cloudflare offers their own DNS, with stated benefits like filtering out some sites, while resolving CF sites… but some VPNs also set their own DNS, which don’t fully match Cloudflare’s… resulting in some combinations of CF site and VPN, not working. I’d blame the VPN for that, but people’s experience is going to be “everything works, except some CF sites” 🤷
Cloudflare is a “potential” MITM: they claim not to read the traffic… but as a TLS terminator, they get the ability to read it without anyone’s knowledge.
All non-encryped traffic is considered to be “insecure” for some time now. The whole point of initiatives like Let’s Encrypt, is to remove everyone on the client-server path from the list of entities you have to trust, so it ends up as: client software, client system, CertAuth, server owner, server software.
Ideally, we’d have homomorphic encryption on the servers, but it’s not there yet.
Yes, and this is also true for AWS ALBs and any other hosted reverse-proxies that do SSL offloading/ termination. Hell, it’s even worse for AWS in general, since they also have potential access to your databases and instances, nevermind SecretsManager info that you just directly give them. It’s just such a weird thing to specifically only harp on Cloudflare like that site is.
Besides, the only real threat actor I can see them being worried about with CF is the USFG, since they’re the only ones I could see being able to compel CF to break their customer contracts like this. And if the USFG is your presumed threat actor, and you’re in the US, you’re not going to “out-security” them by avoiding Cloudflare.