Cloudflare acts as a front door to many sites and as such your TLS session is terminated at Cloudflare, then CF makes a additional session from themselves to the target site.
This is concerning as that means CF can see all of your data.
Right?? To let your website be susceptible to that kind of act by anyone means that you probably didn't really care about security in the first place, so much as just getting the magic lock icon happy.
Magic lock icon is easy, hard is it to block attacks and being able to do very little about it.
Spoofed packets, server providers not caring what their customers do, many abuse email adresses dont even work.
Keyless SSL would be nice and i'd use it. I have my own keys, but its for Enterprise customers only.
I am not using Cloudflare as i dont like them handling like 80% of all traffic. But as website owner i can understand why someone would still choose them..
Keyless SSL is only available to Enterprise customers that maintain their own SSL certificate purchased from a valid Certificate Authority. Cloudflare does not supply any certificates for use with Keyless SSL.
I’m not part of any Enterprise organization and I’m too poor to sign up for Enterprise level service, and so I am unable to use their Keyless SSL.
Just for example. Sometimes it’s not that we don’t want to but can’t afford to, especially if we’re just Joe Schmoe running a handful of services on a server box.
Once again, I have no issues with Cloudflare myself, and personally have a decent amount of respect for them.
I’m just saying getting access to the Keyless SSL is less easy than you made it sound.
I get that. If you’re not paying for a service, there’s still a price. There are no companies out there doing you any favors, only those that make you believe they do.
Clouflare is okay. Don’t trust anything apparently free ever
Despite being a paying customer, my biggest gripe with them is their lack of concern for freedom of speech. They decided they can “de-platform” sites that they are not aligned with, which is shitty when A) they’ve basically cornered the SMB CDN/DDoS-protection space B) they are fine with these sites in their customer base until a pressure campaign they don’t feel like battling surfaces.
This is referring to the KiwiFarms vs Keffles situation, where Keffles made false claims to Cloudflare about KiwiFarms endorsing/promoting suicide in an attempt to prevent her leaked discord convos from spreading. Cloudflare caved without question and suspended KiwiFarms’ account without warning.
Otherwise, I have personally never had an issue with Cloudflare. But I am still going to look for alternatives because I don’t think it’s cool for companies with that kind of responsibility to bend a knee to bad actors out of fucking convenience.
Kiwifarms was actively carrying out doxxing and targeted harassment campaigns that led to the suicides of multiple people. Whatever your opinion is on Keffals, this is a fact, and it’s what got Kiwifarms taken down, Keffals was just the loudest voice pointing it out.
It sucks to go through “prove you are human” screens that seem to time out half the time. Even worse when they put RSS feeds behind this Cloudflare wall
they inspect packets. They terminate the TLS sessions at their servers and reencrypt to forward to the backend. This allows them to analyze the data to spot spam, optimize compression and such
they are used everywhere. If they go down, 30% of the internet goes with them.
Both points are bad. Don’t put all your eggs in one basket. The Internet was created to be run by millions of servers and works best that way. Funneling everything through one company is just a bad idea in general.
They terminate the TLS sessions at their servers and reencrypt to forward to the backend. This allows them to analyze the data to spot spam, optimize compression and such
And any organization that utilizes a CDN/security provider, like Akamai, AWS, Fastly, etc. knows that they all do this. They need access to the unencrypted content in order for services like CDN and WAF to work properly.
For the better part of a decade, I’ve used Cloudflare’s DNS servers, 1.1.1.1 & 1.0.0.1, mostly because they claimed it was more secure and slightly faster than say, Google’s 8.8.8.8.
What are the secure-minded folks using these days?
Source? Given that Cloudflare canceled the accounts of The Daily Stormer, 8chan, and Kiwi Farms, and that they otherwise avoid refusing service to any site that’s legal for them to provide service to in the US (including torrent sites, for example), I’m inclined to disbelieve that claim.
If you have to be dragged kicking and screaming by public outcry before you cancel Nazis, you support Nazis. But you know what happened as well as I do, so your framing of events that way is interesting…
If you have to be dragged kicking and screaming by public outcry before you cancel Nazis, you support Nazis.
If the only way you can say that Cloudflare actively supported nazis was because they didn’t cancel them, it sounds to me like Cloudflare didn’t actively support nazis. Why is it so hard to say “Cloudflare didn’t cancel nazis” instead of lying and saying they “actively supported” them?
But you know what happened as well as I do, so your framing of events that way is interesting…
Yes, I do, which is why I’m confused as to why any reasonable person would think that Cloudflare’s actions here are in any way problematic.
Cloudflare considers themselves to be akin to a public utility. Do you think that public utilities should be able to refuse to provide their services to law-abiding nazis? I’m talking phone lines, electricity, gas for heat, water, etc… If so, why? Should it be limited to nazis? How do you ensure that only nazis are prevented from having running water and electricity?
Because ultimately this comes down to a company treating themselves as a public utility, and structuring their processes for determining if they would offer services to a company or individual under that basis, and then, having an established process, being resistant to making an exception to that process to refuse service to a group of nazis. Cloudflare said that there was a huge uptick in the amount of takedown requests that they received after they took down 8chan and The Daily Stormer. If their process were amended to prohibit certain kinds of legal speech, they would face increased pressure to take down even more sites, and not just sites belonging to nazis.
Again, this is all about the ability to have a website on the internet and not about being able to have a platform on social media, Youtube, Spotify, etc… The sites, effectively, are buildings, but the internet is like the land. I’m not saying anyone should be required to let a nazi in their building. Criticizing Facebook for not de-platforming nazis is fine. This is about access to what are effectively essential public services.
I see being able to run a website as an extension of the right to free speech. Because hosting a website on the internet requires the involvement of companies - domain name registrars, DNS hosting services, ISPs and the network, etc. - if you are consistently refused one of these services by these companies, you’re effectively denied this right. If you try to go start up your own domain registrar, you still have to deal with a company - the domain name registry. If you try to start up your own domain name registry, you still have to deal with a company - ICANN. The assets of these companies are protected by the government, and if you were to try to force your site onto the internet, the government would stop you. This probably isn’t technically government censorship, but it serves that same effective purpose. No, it isn’t government directed, but being directed by the market is just as bad, and in some cases, worse.
If you’re fine with a company refusing service in this instance, with the rationale being because they fundamentally disagree with the site’s content, it follows that it should be fine for such a company to refuse service to sites of politicians they don’t like (or who are in a race with one of their bigger customers or donors), anti-fascist forums, far-left and far-right forums, sites providing information on abortions, sites dedicated to open source projects that they or one of their stakeholders don’t like, storefronts for products they dislike, etc…
Maybe you think that would all be fine? I don’t. I think that sounds like something out of a dystopian late stage capitalism short story, and I want nothing to do with it.
If you’re not at least in agreement that it wouldn’t be fine, then I don’t know what to say. Why do you disagree?
If you are in agreement: it follows that access to internet services should generally be treated like access to public utilities, even if the companies aren’t technically considered to be public utilities. Legally prohibiting such companies from refusing service without actually classifying the companies as public utilities would itself be a violation of free speech. But it is still reasonable for them to behave like public utilities.
And given that this is reasonable, saying “Cloudflare supports nazis because they behaved like a public utility and didn’t ban these sites run by nazis, even though there was a huge public outcry” is a nonsensical statement. It’s basically “Cloudflare supports nazis because they did something reasonable, even when nazis were involved.” By that logic, “Cloudflare supports Hillary Clinton because they provide services to her site” is a reasonable statement. Does Cloudflare support every site that they provide services to? No, obviously not. Do they support every site that they’ve refused to honor a takedown request against? Again, no. Why is that answer different when nazis are involved?
I was looking for a quote from the EFF and found this article that covers the topic from Cloudflare’s perspective: www.wired.com/…/free-speech-issue-cloudflare/ - it’s worth a read, IMO.
Anyway, here’s the EFF bit:
The Electronic Frontier Foundation, which has taken a stand that what it calls “intermediaries”—services like Cloudflare and GoDaddy that do not generate the content themselves—should not be adjudicating what speech is acceptable. The EFF has a strong presumption that most speech, even vile speech, should be allowed, but when illegal activity, like inciting violence or defamation, occurs, the proper channel to deal with it is the legal system. “It seems to me that the last thing we should be doing is having intermediaries deputizing themselves to make decisions about what’s OK,” says Corynne McSherry, legal director of the EFF. “What law enforcement will tell you is that it’s better for them to be able to keep track of potentially dangerous groups if they’re not pushed down into the dark web.” She adds: “I want my Nazis where I can see them.”
Another topic the article covers - not in EFF’s words, but in the CEO of Cloudflare’s - is that beyond just the “intermediaries” like Cloudflare making these calls, you have vigilante cyberattackers who DDOS the sites of people they don’t agree with:
Prince spoke about the peril posed by DDoS attacks. We might all agree, Prince argued, that content like the Daily Stormer shouldn’t be online, but the mechanism for silencing those voices should not be vigilante hackers.
I agree with this, as well as with the EFF’s take, and as far as I can tell there simply isn’t a rational criticism of Cloudflare’s resistance to banning The Daily Stormer that doesn’t literally require accepting that free speech isn’t all that important.
I prioritise the safety of my community more than I value trying to conflate free speech with private monopolies acting in their own self interest, especially whilst they’re actively sustaining harm against vulnerable folk.
I’m not talking about the free speech of Cloudflare, aside from like one paragraph. I’m talking about the free speech of law abiding US citizens.
Cloudflare isn’t a monopoly. Why do you think it is?
Cloudflare acted against their self interest by not taking down TDS sooner. It would have been in their self interest from a public image perspective to do so. Why would you suggest otherwise?
Why do you think that both the EFF and I are the ones who are confused here?
I don’t think you’re confused. I think you have different expectations than me.
You value an ideal of free speech that in my mind doesn’t exist, and you think the harm that can be done in trying to attain it is not the biggest issue.
I see it that other way around. I think that private monopolies actively protecting platforms used to spread hate is a bigger issue, because it’s causing real world harm right here and now.
Exactly. There is no such thing as complete free speech. Every implementation of free speech is speech with limits influenced by societal norms. So in my mind, arguing for an ideal that doesn’t and never will exist is a pretty poor reason to sustain harm to vulnerable folk.
So your stance is basically “We can’t be perfect, so why even try?”
Would you prefer a world without the first amendment in the US, for the UN to abandon the idea of freedom of expression as a human right, and all that entails? Or is it just censorship by corporations that you’re cool with?
So your stance is “We can’t be perfect when it comes to implementing free speech, so why even bother defending people’s right to freedom of expression at all?”
Encouraging censorship would hurt more marginalized people than it would help.
I’d prefer a world in which we protect the vulnerable rather than the protecting the folk who are trying to hurt the vulnerable
You think free speech is an unattainable ideal, but when you’re asked to clarify whether you’re talking about government censorship, too, or “just” corporate censorship, you reply with this fairytale nonsense?
Even if we limit the scope of that to just Cloudflare and other internet infrastructure companies, they’d basically have to stop offering their services to anyone to the political right of Bernie Sanders. Not that I’d have a problem with that, but it’s never going to happen. Sure, a single company could do that, but that wouldn’t change the fact that the rest of them don’t.
Being upset about Cloudflare “protecting” nazis is misplaced anger. It’s like being upset because the police stop you from hurting nazis. Like, there are so many reasons to be anti-police, but this isn’t one of them. Being frustrated because they’re in your way is one thing, but saying they’re shitty people because they protect people (even when those people are nazis) is toddler level logic.
Are there things to be angry about with TDS? Absolutely. There’s the nazis. There’s Trump. And there’s the people whose actual responsibility it was to protect the vulnerable - law enforcement, mostly, but government in general here - and who did nothing, as far as I can tell.
No, I think the thing that you’re calling free speech isn’t free speech at all because there is no such thing implemented anywhere that works. A genuine implementation of it would be explicitly more harmful than helpful.
What we have is speech restricted by the norms of our societies. All you’re arguing for is shifting the line to a different (more harmful) place, in the name of hypothetical ideal
And what we have with CloudFlare is a private entity that is virtually a monopoly, sustaining literal hate speech despite the harm hate speech does and doing so for the same reasons you’re here defending them. Because you value chasing an ideal that doesn’t exist over the needs of real people.
It’s also interesting that you conflate “anything to the right of Sanders” with Nazis and other hate groups. The fact that you’re painting my issue with the latter as being equivalent is cheap.
I don’t give a fuck whether you agree with me. I answered the OPs question. You’re not going to magically convince me that actually, hate speech is ok sometimes and should be protected.
Cloudflare is cool now, but what would happen 10 years from now when they get enshittified while handling majority of global web traffics? We would be truly fucked.
Cloudflare has much more impact than other cloud vendors here simply because they MITM their customers by default. Combine that with ever increasing market share, cloudflare has the potential to tap into data not even Google analytics can collect because they’re able to see all unencrypted data following through their reverse proxy. If they decided to up their analytics game, you won’t be able to block their data collection with ublock origin.
Let me tell my personal grievance with Cloudfare. One of the services that Cloudfare dispenses to websites, whether they like it or not, is bandwidth throttling, in the name of safety, of course. If an IP has been flagged by their system to have created spam, sent spam, being part of a DDOS attack and other various offenses, afterwards the Cloudfare service will throttle that IP requests to the sites that use Cloudfare. That’s on paper what it should do, and it sounds reasonable on a surface level. However, this includes wide swaths of residential dynamic IPs, which means that a lot of people get slow internet for the actions committed by a person with whom they have no relation with whatsoever.
Furthermore, Cloudfare has decided to mass impose this status to the entire regional IP block for my country. So, my entire country is deemed as a threat, and doomed to slow AF speeds almost everywhere on the internet. Unless, of course, you own a datacenter and specifically pay Cloudfare to reclassify your static IP addresses to be trusted. This means that in order to use 100% of the bandwidth I pay for to my ISP, use of a VPN is mandatory. Else Cloudfare determines that I don’t deserve anything but dial-up speeds.
This is probably not the solution you are looking for, given your opinion of the company, but I wonder if using their 1.1.1.1 app (which acts as a mini VPN to a Cloudflare endpoint and changes your public IP) would fix that for you. The upside is it’s free, the downside is that it is a Cloudflare-run VPN.
I used to work with a fraud detection system for a payment gateway. The system will automatically flag payments from any Russian and some countries as fraud automatically. This was 4-5 years ago
For me, it’s the blog posts, written with a level of arrogance and condescension that they are “fixing” the limitations of TCP\IP and if you aren’t using them, you’re making the Web worse for everyone
Cloudflare is consistent in their refusal to censor legal free expression by refusing service to those sites. As a result, they serve sites containing offensive, but legal free expression, as well as expression that should be illegal (and may already be - specifically when it comes to). People are mad about this.
To emphasize their refusal to police the content of sites they host, Cloudflare used to simply forward complaints about their customers to those customers. They thought they were making it clear that they were doing this, and maybe they were, but sometimes people miss those sorts of disclaimers and given the subject matter of these complaints, that was a bad process on their part. They haven’t apologized but they have amended their process in the years since.
Did I miss anything?
Now, I get that “free speech absolutist” is a dog whistle for “I’m a white supremacist” thanks to the ex-CEO of a particular social media company, but there’s a difference between
saying it and not doing it, and
actually doing it
And unlike the aforementioned anti-semitic billionaire, Cloudflare is pretty consistent about this. They refuse to block torrent sites as well, and I’ve never heard of them blocking a site that was legal and should have been kept around. (As opposed to immediately blocking the account of the guy who was tracking his personal jet.)
I wouldn’t feel as strongly about this if the examples of corporations that do censor speech didn’t show that they’re consistently bad at it. I’m talking social media sites, payment processors, hosts, etc… If Cloudflare were more willing to censor sites, that would be a bad thing. And they agree:
After terminating services for 8chan and the Daily Stormer, “we saw a dramatic increase in authoritarian regimes attempting to have us terminate security services for human rights organizations — often citing the language from our own justification back to us,” write Prince and Starzak in their August 31 blog post.
These past experiences led Cloudflare executives to conclude “that the power to terminate security services for the sites was not a power Cloudflare should hold,” write Prince and Starzak. “Not because the content of those sites wasn’t abhorrent — it was — but because security services most closely resemble Internet utilities.”
To be clear, I’m not saying that social media sites should stop censoring nazis. I’m saying that social media sites are bad at censoring nazis and just as often they censor activists, anti-fascists, and minorities who are literally just venting about oppression, and I see no reason why that would be different at a site level instead.
When you have a site that’s encouraging harassment, hate speech, cyber-bullying, defamation, etc., or engaging in those things directly, that should be a legal issue for the site’s owners. And on that note, my understanding is that there’s a warrant out for Anglin’s arrest and he owes $14 million to one of the women whose harassment he encouraged.
Cloudflare said they’re trying to basically behave like they’re a public utility. They’re strong proponents of net neutrality, which is in line with their actions here. There are reasons to be suspicious of or concerned about Cloudflare, but this isn’t a great example of one.
Side note: It’s funny to me that the comment immediately below yours says that one of the reasons to distrust Cloudflare is because of a concern that they may have been abusing their power (due to effectively being a mitm) and censoring particular kinds of content.
A measured response to be sure. Thanks for writing it up. I’m definitely not the one who’s going to tell you for sure what CloudFlare should or should not do in this case or any other cases. It’s a tricky business to be in in terms of making those decisions. That said, I do think there is a line to be drawn SOMEWHERE, and because of this they would eventually need to deplatform something. If that signals to the regimes of the world that Cloudflare can be influenced than so be it, but to me (and I think a lot of the people who were going after Cloudflare during this time), Nazi’s (and those sites you mentioned, e.g. Kiwi Farms) are easy to draw lines for. Good thing I’m just a dude on Lemmy and not a high powered CF exec hah!
I think drawing the line at nazis is a good idea in theory, but a very difficult one to implement in practice. For example:
If someone doesn’t self ID as a nazi, how do you determine that they are one?
What if the site’s owner self IDs as a nazi but this particular website is just a bunch of cooking recipes?
Suppose the site owner probably isn’t a nazi, but the site has a bunch of users and a subset of them are creating content that crosses the line, and the site has a hands off approach to content moderation. If the site is 1% nazi content and 99% fine, do you block them entirely unless they agree to remove nazi content? If not, at what threshold does that change? 10%? 51%?
Once you’ve done that and they’ve agreed, do you have to establish minimum response times for them to remove nazi content? If the nazi content isn’t taken down until half the site’s daily visitors have seen it, the content moderation isn’t very effective. But if you require them to act too fast, that could result in many people being refused service because of other bad actors.
The bad actors aren’t even necessarily nazis. If it’s known that Cloudflare refuses service to sites that leaves nazi content up for more than X amount of time, then it becomes feasible to take down a site that allows comments by registering a bunch of accounts and filling it with so much nazi content that the site’s moderation team can’t handle it in time. How do you prevent this?
Do you require them to ban nazis?
If they do, but the nazis just register new accounts, do you require them to detect that somehow? Do you have to build that capability and offer it yourself? Now you’re policing individual users. You’re inevitably going to end up stopping Grannie from registering for an account because of someone else - they jumped on her wifi, compromised a device on her network, or something along those lines.
This is all pretty complicated, and I’ve barely scratched the surface.
The revised line they drew with Kiwi Farms (as well as the “we follow US law” line they already had) is a much simpler one that’s still morally defensible:
“We think there is an imminent danger, and the pace at which law enforcement is able to respond to those threats we don’t think is fast enough to keep up.”
One word you used stuck out to me: “deplatform.” I wouldn’t call this deplatforming. I’m used to seeing that word used to refer to someone being removed from social media, having their YouTube channel shut down, having their podcast removed from Spotify, etc… I mentioned this in another comment on this post, but those situations are fundamentally different, and it follows that the criteria for doing so should be different. In that other comment I also talked a bit about why I think free speech is infringed if you can’t publish a website, but isn’t infringed if you can’t create a Facebook account.
You also might find this Wired article interesting - it has quotes from and background about the CEO of Cloudflare related to the TDS’s removal, some insight into the internal company dialogue when that was all ongoing, etc…
I’m taking a bit more literal interpretation of “de-platform”, which I agree is not the way it has been traditionally used. In my case, if a platform takes you down, you were just de-platformed =). As for the question of “what is a nazi?”, 100% agree in terms of “where is the line”. Yes, there are some very obvious cases that I think 100% of people would identify in the same way, but there is undoubtedly that pesky ol’ gray area (which as your bulleted list makes clear is a non-trivially large area) where things start to get a little more subjective. Sure, it’d be great if companies (like CloudFlare) smell-tested things in the same way I do haha but outside of that, it is no doubt difficult to define.
You won't see it much in the wild, but there have been a few sporadic cases of suspicion where cloudflare may have removed or modified attachment files.
Of course, there's a chance those files were malware or that cloudflare didn't do anything, but for now, there is a theory being formed that all the websites managed by cloudflare can have any of its data modified at will by cloudflare, making it a potential hub for tyranny, censorship and oppression.
Cloudflare seems to incorrectly classify my Internet connection, which is a residential Internet connection going to my house, as a datacenter connection or VPN or something.
Many websites that use Cloudflare give me endless captcha forms. As soon as I solve one, it demands another, and never lets me access the website.
Sometimes I solve one captcha, and then it says I’m blocked forever for sending automated queries, even though I filled it out correctly. The error message is: “You are blocked.”
Sometimes it lets me in after one captcha, but I still resent having to enable Javascript for these assholes just to access a site that doesn’t otherwise require Javascript.
Sometimes Cloudflare adds extra security to certain pages, just for me. The developers of the website didn’t program it to handle this extra security, so the site fails for just me, and the site developers don’t believe me, telling me I have a browser problem (in three different browsers, which I can fix by using a proxy). For example, when the site’s javascript has my browser to do a CORS operation, the first step is the browser sending an OPTIONS request. However, the extra security of the proxy introduced by Cloudflare responds slightly differently from the actual website, so the site breaks.
Cloudflare uses a holistic approach to deciding whether you are a legitimate user or a bot. In other words, they use every single possible piece of data they can get on you, including tracking your visits across other Cloudflare sites. They do discriminate against certain user-agent strings.
Cloudflare completely blocks many Tor users, even from having read-only access to a site.
When you ask Cloudflare why your IP address is blocked, they falsely claim that it’s a setting created by the website admins. I strongly suspect that this setting is something like “use Cloudflare™ Adaptive Security™” and probably doesn’t explain to the site admin that they’re blocking large quantities of innocent users.
Cloudflare has previously used Google Recaptcha, which has a ton of problems (tracking, accessibility, training AIs that will make my life worse).
It’s partly just their sheer size. The internet continues to become a worse place as it gets more and more centralized, and Cloudflare is part of that.
They are the biggest because they provide the overall best and essentially fastest level of DDoS, geoIP block, and packet-inspection malware protection of any provider on commercial hardware short of utilising spooky predictive DARPA machine learning algorithms that ride the razors edge of sapience on government funded terawatt supercomputer clusters. They are expensive and you get what you pay for.
That’s exactly why many of us dislike cloudfare. They’ve maneuvered themselves into a “too big to fail” position. Seems to be the goal of big corps these days.
Add comment