This repository has been archived by the owner on Jun 24, 2022. It is now read-only.

What do you think about Cloudflare? #374

Closed
ghost opened this issue Dec 17, 2017 · 39 comments

Comments

@ghost

ghost commented Dec 17, 2017

This is a cross-reference from prism-break, a similar website endorsing privacy-focused software.

mozilla-mobile/focus-android#1743

I think your website needs to mention Cloudflare under "Recommended Privacy Resources" - "Information".

@Atavic

Atavic commented Dec 29, 2017

A big company that works with millions of sites, potentially tracking all their users.

@davidtabernerom

Didn't it have a security breach a few weeks ago?
I remember that, of course, they didn't say a word.

@Hillside502

https://en.wikipedia.org/wiki/Cloudflare#Criticism_and_controversies

@ghost ghost mentioned this issue Dec 31, 2017
@ghost
Author

ghost commented Dec 31, 2017

Fun fact: www.privacytools.io is using Cloudflare.

@ghost
Author

ghost commented Jan 1, 2018

#96

@ghost
Author

ghost commented May 29, 2018

Now that company websites are forced to write GDPR-compatible privacy policies, what makes me laugh is that they - who use Cloudflare to serve websites - are forgetting about the Cloudflare MITM thing.

@ghost
Author

ghost commented May 29, 2018

@CHEF-KOCH

"places now a cookie"? Really? I didn't notice it... Oh ok, I always browse websites without cookies anyway. (deny all)

@ghost
Author

ghost commented Feb 3, 2019

I have a few issues with CloudFlare:

Problem with CloudFlare

CloudFlare is a vigilante extremist organization who takes the decentralized web and centralizes it under one corporate power that controls the world's largest walled-garden. A very large portion of the web (10%+) that was once freely open to all is now controlled and monitored by one central authority who decides for everyone who can see what web content. This does serious damage to net neutrality, privacy, and has immediate serious consequences:

  • Cloudflare has a policy to block all Tor users by default. It's a crude, reckless and unsophisticated (but cheap) way to create the illusion of security. Collateral damage is high. Privacy takes a global hit because Cloudflare has decided what best suits their business to the detriment of everyone else.
  • CloudFlare helps spy orgs conduct illegal surveillance two ways:
    • damage to anonymity: Tor users are driven off Tor as a consequence of access inequality of Tor/non-Tor users (which constitutes a network neutrality abuse as access equality is central to net neutrality).
    • centralization of copious data on this scale within reach of any spy org will cause that spy org to foam at the mouth -- and they will get access to it one way or another.
  • CloudFlare is a man-in-the-middle who sees all traffic including tunneled HTTPS traffic (and thus raw unhashed passwords!).
  • No transparency: as Cloudflare performs a DoS attack on Tor users they obviously do not inform web owners. Web owners are usually unaware that legitimate patrons are being blocked from accessing their site. These businesses are all damaged so that one business can profit.
  • The gratis service also raises the question about how they are monetizing all that data they see and collect. They do not disclose to the public how they monetize that data.
  • Cloudflare shields criminal webmasters by hiding their IP address from the public. A website involved with crime often has other criminal websites on the same IP, but users who try to protect themselves cannot block the IP address of the malicious site.
  • Cloudflare exposes the identity of whistleblowers who complain about the criminal website that Cloudflare shields.
  • CloudFlare's immense centralization becomes catastrophic when a single bug emerges, like cloudbleed, which has unacceptable widespread consequences.
  • Cloudflare makes heavy use of CAPTCHAs which triggers many ethical problems:
    • Google's reCAPTCHAs compromise anonymity.
    • CAPTCHAs put humans to work for machines when it is machines who should be working for humans.
    • The CAPTCHAs often require the user to execute non-free javascript.
    • The CAPTCHAs are often broken.
      • E.g.1: some browsers that block j/s always give "There was an issue communicating with the captcha provider" on all CF-pushed reCAPTCHAs, and they don't receive the non-j/s CAPTCHA that some other browsers get
      • E.g.2: the CAPTCHA server itself refuses to give the puzzle saying there is too much activity.
    • The CAPTCHAs are often unsolvable.
      • E.g.1: the CAPTCHA puzzle is broken by ambiguity (is one pixel in a grid cell of a pole holding a street sign considered a street sign?)
      • E.g.2: the puzzle is expressed in a language the viewer doesn't understand.
    • Tor users are driven off of Tor because CloudFlare creates such a hostile environment for them that it becomes impractical to deal with all the CAPTCHAs.
    • The CAPTCHAs entail a connection to PRISM corp Google, giving Google Inc. an opportunity to collect data, abuse it, and profit from it. E.g. Google can track which of their logged-in users are visiting the page presenting the CAPTCHA.
    • The CAPTCHAs block all robots indiscriminately causing collateral damage to good (non-malicious) robots.
    • GUI CAPTCHAs deny service to users of text-based web browsers.
      E.g. CloudFlare's GUI CAPTCHA breaks torsocks lynx 'https://www.simplyrecipes.com/recipes/buffalo_wings/'. CloudFlare effectively dictates that all Tor users must use a GUI browser and in many cases it must also be javascript capable.
  • Cloudflare is potentially injecting javascript spyware into the traffic of their patrons to collect data (this is how cloudflare pays their bills).
  • CloudFlare deceives website visitors into believing their connection is secure (HTTPS & browser padlock) when in fact the user is MitMd.
  • No trustworthiness. CloudFlare has been caught making false statements to the public. CF said: "Why should I trust Cloudflare? You don’t need to. The Cloudflare Onion Service presents the exact same certificate that we would have used for direct requests to our servers," the first part of which is incorrect. CloudFlare sees all traffic traversing their servers in the clear, regardless of how secure the tunnel to them is. So of course CloudFlare requires your trust. The second statement about certificates is non-sequitur and irrelevant to the question of trust.
  • CloudFlare took a seat on the FCC's Open Internet Advisory Committee, and serves its own interest (to influence legislation against net neutrality).
  • CloudFlare attacks freedom of expression.
  • CloudFlare uses punitive collective judgement as a consequence of mislabeling Tor traffic.
    • "Experts say that group punishment is ineffective, counterproductive, lazy and unethical"
    • CloudFlare's use of this technique is acutely and perversely abusive because they harm potentially as many as 70,000 users in the course of countering just one single bad actor. And worse, unlike typical uses of collective punishment this is not in the slightest a situation where the other 70,000 have any shred of influence over the one malicious user.
    • A study finds that collective punishment is strictly counterproductive.
  • CloudFlare deceives users about what the problem is, causing users to blame Tor or their browser. CloudFlare suggests to Tor users who reach the CAPTCHA "If you are on a personal connection, like at home, you can run an anti-virus scan on your device to make sure it is not infected with malware."
  • CloudFlare discriminates against connections coming from developing countries.

Actions needed

  • Document a guideline for reviewers to consider whether a tool relies on or forces users into CloudFlare's walled-garden. It may be over the top to have all CloudFlare relationships trigger condemnation of the tool but it should at least be a strong factor.
  • When a recommended app forces CloudFlare on users in any context, there should be a loud and clear anti-feature showing. Specifically, projects for these two recommended apps force users seeking a support page into CF:
  • Approve https://github.com/privacytoolsIO/privacytools.io/issues/518 and https://github.com/privacytoolsIO/privacytools.io/issues/779
  • Disapprove https://github.com/privacytoolsIO/privacytools.io/issues/711. The whole service is hosted in CloudFlare's walled-garden so Voat should be condemned IMO.
  • Find a decent way to measure the CloudFlare results coming from search engines that we evaluate. The measure should not just be a count, but it should also account for rank. A link that is just one slot above another is twice as likely to get clicked.
  • Endorse searx instance searxes.danwin1210.me when it stabilizes. Seems to be experimental, but shows great potential for ridding CloudFlare results from view.
  • Endorse browser plugins that block or warn of CF sites. One of them redirects to an archive of the CF site which is practical.

Problem with siteground.com

Looks like another malicious player has emerged with reckless false-positives in their anti-bot agenda. Web hosting service siteground is hitting human visitors of their sites with CAPTCHAs (e.g. https://thewimpyvegetarian.com/.well-known/captcha/). Siteground also has the misconception that all bots are malicious. Siteground can run along with CloudFlare to really compound the denial of service to legitimate Tor users. We need to get this problem on the radar as well before this bad player spreads.
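
The rank-aware measure proposed in the action list above, as an added example that is not part of the original comment or the project's code. It assumes the click model stated there (each slot is worth half the one above it) and a heuristic that treats a response as Cloudflare-fronted when it carries a `Server: cloudflare` or `CF-RAY` header; the function names and sample header sets are constructed for illustration.

```python
"""Rank-weighted share of Cloudflare-fronted links on a search result page."""


def is_cloudflare(headers):
    """Heuristic (assumption): Cloudflare-proxied responses normally carry
    `Server: cloudflare` and a `CF-RAY` request id. Header names are
    case-insensitive, so normalise before checking."""
    h = {k.lower(): str(v).lower() for k, v in headers.items()}
    return h.get("server") == "cloudflare" or "cf-ray" in h


def rank_weight(rank):
    """Click weight for a 1-based rank: each slot is worth half the one above."""
    if rank < 1:
        raise ValueError("rank is 1-based")
    return 0.5 ** (rank - 1)


def cloudflare_exposure(results):
    """results: response-header dicts, one per result, in rank order.

    Returns (plain_share, rank_weighted_share), both in the range 0..1.
    The plain share is the simple count; the weighted share reflects how
    likely a user is to actually land on a Cloudflare-fronted result."""
    if not results:
        return 0.0, 0.0
    flags = [is_cloudflare(h) for h in results]
    weights = [rank_weight(i) for i in range(1, len(results) + 1)]
    plain = sum(flags) / len(flags)
    weighted = sum(w for w, f in zip(weights, flags) if f) / sum(weights)
    return plain, weighted


# Constructed sample data: header sets as a crawler might record them
# for the top four results of two hypothetical search engines.
CF = {"Server": "cloudflare", "CF-RAY": "0000000000000000-FRA"}
DIRECT = {"Server": "nginx"}

ENGINE_A = [CF, DIRECT, CF, DIRECT]   # Cloudflare at ranks 1 and 3
ENGINE_B = [DIRECT, DIRECT, CF, CF]   # Cloudflare at ranks 3 and 4

if __name__ == "__main__":
    for name, page in (("A", ENGINE_A), ("B", ENGINE_B)):
        plain, weighted = cloudflare_exposure(page)
        print(f"engine {name}: count share {plain:.2f}, "
              f"rank-weighted share {weighted:.2f}")
```

Both sample engines return the same number of Cloudflare-fronted links, but the rank-weighted share separates them because engine A places one at the top.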

@Mikaela
Contributor

Mikaela commented Feb 3, 2019

Isn't Cloudflare access through Tor supposed to be better since their onion service? I don't have anything to say on the other points.

@Atavic

Atavic commented Feb 4, 2019

I won't touch that cloudflare onion site even with a ten foot pole.

@ghost
Author

ghost commented Feb 4, 2019

@Mikaela

Isn't Cloudflare access through Tor supposed to be better since their onion service?

Perhaps, if by "better" you mean fewer CAPTCHAs. I've actually come to appreciate the CloudFlare CAPTCHAs because they quickly indicate a site I should avoid. The non-CAPTCHA related privacy abuses still remain for everyone and the CAPTCHA abuses still persist for Tor users who are not using CF's chosen browser. I shit you not, CF is dictating to Tor users which browser they may use -- so cURL, lynx, w3m users are still outright denied service. Controlling which tools users may use is unnecessary. If you visit privacyinternational.org using Tor, you are automatically diverted to a .onion site. CloudFlare could have used that technique which would have been tool-agnostic but they decided to dictate tools to the user.

This is laughable, and actually gives cause to distrust CF:

(from the CF link)

Why should I trust Cloudflare?
You don’t need to.

First of all, you do have to trust CloudFlare because they still see all the traffic (they are still a MitM). That's true of their surface web pages and remains the same with the onion service they describe. They see all passwords in an unhashed form, for example.

(from the CF link)

The Cloudflare Onion Service presents the exact same certificate that we would have used for direct requests to our servers,

It's ridiculous that they use the SSL cert because it's totally unnecessary for an onion site.

(from the CF link)

Addresses used by the Cloudflare Onion Service
cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion

I get: "This site can’t be reached"

@Atavic

Atavic commented Feb 4, 2019

ReCAPTCHA is a Google service. Tor users are abused by this thing, Cloudflare offers - out of thin air - a ReCAPTCHA bypassing option for Tor users. Surely they track those who use their service.

@jonaharagon
Contributor

We are off CloudFlare. Hopefully we don't take too much of a performance hit. Try it out! https://www.privacytools.io/

@ghost
Author

ghost commented Mar 31, 2019

Subjecting visitors to CF is worse than subjecting them to bad performance. So it was a good move.

One more anti-CloudFlare change needed: the searx endorsement suggests the searx.me instance. That instance returns CloudFlare results. It should be replaced with searxes.danwin1210.me. The Danwin link randomly picks a decent instance, and then filters the CloudFlare results from that.

I also have some performance optimization suggestions:

  • Specify the dimensions of all the images, so the important textual content can render before images are retrieved.
  • Link all the graphics to the sites they refer to (to offload the work of your server). PTIO is promoting them, the least they can do is serve their own branded logos.
  • Any images that can't be linked to external sites could be isolated to a separate PTIO host. If that host gets bogged down it doesn't matter because the important stuff is served by the server used for the landing page. Although it's likely the bandwidth not the host that will have effect first. You could resolve that by prioritizing traffic from the server that doesn't send images.
  • Remove the shit that shouldn't be on the page in the first place:
    • DDG (rationale documented)
    • Signal (rationale documented in ❌ Software Removal | Signal #779)
    • embarrassing PTIO links to Facebook, Twitter, LinkedIn, GitHub under the "Spread the word and help your friends" header. Users of those platforms can find you on those platforms, but there's no good reason to send users there from the PTIO website. One does not "help their friends" by mentioning those walled-gardens in any positive or utilitarian context. Also, the Mastodon link is weird. It should go to a PTIO account to follow.
  • Remove the PayPal logo. PTIO may not want to give up PP donations, but they need not promote PP. PayPal is evil so at least play it down. Also make the PayPal font smaller than the font used for bitcoin to subtly imply that bitcoin is preferred.

BTW, I'm impressed with how viewable (and speedy) the page is in lynx. Hopefully that never changes. You could advertise that somewhere on the page to encourage that kind of lean usage.

@jonaharagon
Contributor

Image dimensions is something I’ll work on today, I think we’re mostly good on that but there are definitely a few that need those specified.

I don’t really think we should use third parties to host our images. We actually get a performance improvement from hosting them all ourselves with HTTP2, since there’s fewer external requests. Plus, for privacy related reasons I don’t think we should make all our visitors request third party resources where their servers may log traffic. With the current solution we can guarantee that there’s no access logging for web visitors.

When I say we took a performance hit, it wasn’t that bad. Of course there was going to be a difference between a single server in Germany vs a network of hundreds of servers internationally serving our content, but we do have a high performance server and like you said, I think the trade-off was worth it to move off CloudFlare.

I’m pretty happy with the results so far :)

We have our own Searx instance now, I’ll probably just link to that or a list of public instances once we get ours listed in more places.

Regarding everything else, probably best if you open a separate issue for them, like PayPal. Not much I can do about that currently personally.

@jonaharagon
Contributor

Any images that can't be linked to external sites could be isolated to a separate PTIO host. If that host gets bogged down it doesn't matter because the important stuff is served by the server used for the landing page. Although it's likely the bandwidth not the host that will have effect first. You could resolve that by prioritizing traffic from the server that doesn't send images.

I didn't read this before but this is probably a good idea. We do have good bandwidth and a great server though so I'm not sure if this will end up being an issue. Something to investigate...

@ghost
Author

ghost commented Mar 31, 2019

We have our own Searx instance now, I’ll probably just link to that or a list of public instances once we get ours listed in more places.

There are a couple issues with that:

  • the PTIO instance is not filtering out CloudFlare results, making it less conducive to privacy than Danwin.
  • in light of the above, it will look like a biased or unjustified endorsement

I would say if the PTIO instance is configured to filter out CF sites then self-endorsement is well-earned and easily justifiable. If not, then I think the best move is to list the Danwin searx instance which randomly selects a quality instance and then does the CF filtering on the results. When the PTIO instance seems stable enough, the Danwin operator could be asked to ensure that ptio is among the selection.

There's nothing wrong with mentioning the PTIO searx instance, but it's a disservice to PTIO visitors to not make searxes.danwin1210.me the top recommendation and disclose the CloudFlare anti-feature of the PTIO instance.

(edit)

This could be discussed as a separate issue, but to me the searx endorsement is part of the CloudFlare avoidance remedial action.

Danwin just got complicated. CloudFlare filtering is now off by default for those who use the clearnet site, and it looks non-trivial for users to switch that back. They caved to foolish clearnet users complaining about CloudFlare filtering. But the Danwin onion site still does the right thing.

So the best recommendation for Tor users is to use the Danwin onion, and the best option for clearnet users is probably the PTIO instance.

@jonaharagon
Contributor

jonaharagon commented Mar 31, 2019

You're welcome to open an issue at https://github.com/privacytoolsIO/search/issues to continue this discussion in a more relevant repo, but at this moment I don't think the benefits of removing all CloudFlare-using websites from the results (if I understand you correctly) outweigh our main goal of being a feasible search engine for general use. So many sites use CloudFlare that if we filtered them by default our results wouldn't be nearly as generally useful.

I would have to discuss it with @BurungHantu1605, but as far as I'm currently aware our main goal with the search project is to be a privacy-focused (anti advertising, anti logging) Google alternative, not a search engine for returning only privacy friendly results.

@Mikaela
Contributor

Mikaela commented Apr 1, 2019

What do you think about the possibility of sending all network traffic from your phone to Cloudflare? 😆

EDIT: Maybe that is a wrong emoji, I just hope no one gets a heart attack or something on reading the news.

@jonaharagon
Contributor

jonaharagon commented Apr 1, 2019

One silver lining is that if you browse the unencrypted Internet through Warp, when it’s safe to do so, Cloudflare’s network can cache and compress content to improve performance and potentially decrease your data usage and mobile carrier bill.

CloudFlare MITM: Now on sites that didn't agree to it.

Edit: well if you're a webmaster and you're so bad at it that you still use http then you get what's coming to you. At least CloudFlare openly admits this is happening with their VPN lol

9 participants
@coagmano @Mikaela @ThatLurker @jonaharagon @Hillside502 @davidtabernerom @Atavic and others