Why Cloudflare Is a Threat to the Internet Privacy

[aguysomewhere]

1. Cloudflare handles approximately 20% of all the traffic on the internet. And it's growing fast. In 2017, it was 10%. [1], [2]

2. It's impossible to use Cloudflare proxy without giving up encryption of data. They are a man-in-the-middle that has access to unencrypted information of all the traffic they proxy. (Yes, even with Full-Strict/Keyless SSL)

3. Of the remaining 80% of internet traffic, 43% comes from Netflix, Google, Amazon, Facebook, Microsoft, and Apple, none of which seems to be using Cloudflare, which makes Cloudflare the ultimate tool to break encryption on distributed servers. Only 37% of the internet traffic is routed outside these major tech companies. [3]

4. In July 2021, a random guy discovered a vulnerability on Cloudflare's cdnjs that allowed a complete takeover of the CDN, which is estimated to be used by 12.7% of websites. The NSA has a whole division dedicated to discovering and exploiting zero-day vulnerabilities on systems. Even if Cloudflare is not willingly feeding unencrypted traffic to the NSA, it is a single point of surveillance that, if compromised, breaks the whole encryption of a good portion of the internet. [4], [5]

5. Cloudflare follows a freemium pricing plan. In 2016, Cloudflare's CEO Matthew Prince said in an interview that only 4% to 5% of the websites they protect are paying customers. The cost of maintaining Cloudflare infrastructure for the remaining 95% of customers that use it for free is unclear, as Cloudflare does not run ads on the sites it protects. [6]

6. In the same interview, he mentions that the initial impetus for Cloudflare came after an acquisition by the Department of Homeland Security of his previous project, Project Honeypot, in 2008, which demonstrates that the government was at least aware of it since the beginning. [6]

---

*Bibliography:*

[1] https://twitter.com/AxelrodG/status/1447938954758705155

[2] https://www.cloudflare.com/press-releases/2017/cloudflare-introduces-argo-a-virtual-backbone-for-a-faster-more-reliable-internet/#:~:text=Cloudflare%20handles%20more%20than%2010%20percent%20of%20all%20HTTP/HTTPS%20Internet%20traffic%2C

[3] https://www.sandvine.com/blog/netflix-vs.-google-vs.-amazon-vs.-facebook-vs.-microsoft-vs.-apple-traffic-share-of-internet-brands-global-internet-phenomena-spotlight

[4] https://blog.ryotak.me/post/cdnjs-remote-code-execution-en/

[5] https://en.wikipedia.org/wiki/Tailored_Access_Operations

[6] https://www.bbc.com/news/business-37348016

[userbinator]

Cloudflare is also a threat to internet freedom. Use anything other than official sanctioned ("supported") browsers and software/hardware and you'll be considered not a human according to them.

[ranger_danger]

Even if you use an up to date, supported browser, any setting you change which makes it harder for them to fingerprint you, also automatically considers you a bot, and many have complained of getting endless captcha loops they can't overcome.

[LightHugger]

Been getting stuck in constant captcha loops lately on waterfox and it's unclear what i did, if anything at all, to cause it, since the loops tend to go away for a week or two before returning for a few days and repeat.

I'm pretty sure i didn't do anything, and they just randomly decide to brake check people with adblockers and the like even if you disable them after.

[jiggawatts]

I have the opposite problem: Cloudflare allows completely private hosting, allowing an endless parade of phishing attacks to remain anonymous and unpunished.

Every day I get at least one spam SMS with a link in it. That link is invariably registered with Cloudflare with "hostmaster privacy" and hidden behind a Cloudflare CDN so there is no way to track down the owners.

People have tried to contact Cloudflare to block these criminals, but Cloudflare forwards all complaints to /dev/null.

Behaviour like this seems pro-freedom, but it is the diametric opposite of the type of Internet we used to have in the 1990s where people were people, and bad actors could be named and shamed.

CloudFlare is pro-bot, pro-phish, pro-crime, and pro-spam.

[pornel]

5 is misleading. This isn't a typical model where paying customers subsidize the rest.

Cloudflare makes money from the free traffic by caching it. Caching dramatically reduces the amount of data that needs to be transferred over the backbone, which saves ISPs a ton of money, and improves latency for their customers.

From S-1 filing, under "Our Business Model" section:

https://www.sec.gov/Archives/edgar/data/1477333/000119312519...

> Given the large customer base we have and the immense amount of Internet traffic that we manage, we are able to negotiate mutually beneficial agreements with Internet Service Providers (ISPs) that allow us to place our equipment directly in their data centers, which dramatically drives down our bandwidth and co-location expenses.

[ranger_danger]

How is that "making money"?

[pornel]

From deals with ISPs that benefit from the caching of the traffic. The whole world fetching stuff from us-east-1 is an inefficiency that Cloudflare fixes, so the more customer traffic Cloudflare can cache or generate directly from its edge network, the better deals it can make with ISPs.

The peering and co-location partnerships also have a secondary effect of expanding Cloudflare's network, which allows Cloudflare to sell services on top of that, at large scale, with low latencies.

[fuzzfactor]

Advertising is the answer for some of this.

If the big advertisers would correlate the reduced reach of their campaigns with the increased prevalence of Cloudflare and their obstacles to user access, they should be able to drive the market to alternatives which preserve access to the entire world.

There's no way they should pay as much to advertise on sites handled by Cloudflare as it is worth to reach the whole internet.

Sooner or later each percent that Cloudflare grows, will represent a resulting percent less that it would make sense for an advertiser to pay when supporting the website.

[01101101]

The units here are important. When Cloudflare cites the 20% metric, they are referring to this: https://w3techs.com/technologies/overview/proxy

This is the percentages of websites using various reverse proxy services. This, however, is different from the 43% of internet traffic coming from Netflix, Google, Amazon, Facebook, Microsoft, and Apple metric. That is a traffic weighted metric (not # of websites).

As many of Cloudflare's customers are tiny little websites with no traffic, its misleading to say "only 37% of traffic is routed outside these major tech companies"

[Equally]

May I ask why this is a word-for-word repost of the same post made about this three years ago? Has something changed?

[superkuh]

I appreciate it. I didn't know about [6],

>"Cloudflare's roots go back to 2004 when Mr Prince and Cloudflare co-founder Lee Holloway were working on a computer industry project they called Honey Pot.

>The idea was that people with websites signed up for free, to install software which then tracked people who sent unsolicited emails."

Cloudflare has become much worse over the last 3 years due to increased adoption and default deployments by government services like congress.gov and institutions like science.org. These websites have been effectively blocked for millions of people in a multi-year on-going denial of service by cloudflare. I can't run the required bleeding edge spyware javascript so I don't get to access my own government's sites.

[sillystuff]

> Cloudflare has become much worse over the last 3 years due to increased adoption and default deployments by government services like congress.gov and institutions like science.org.

> These websites have been effectively blocked for millions of people in a multi-year on-going denial of service by cloudflare.

This is a great way to frame the issue. This is a DoS. But, it is a DoS against the client. And, the operators of sites that choose to front with cloudflare et al, given the choice of DoS against their servers or flipping the bird to a portion of their users, have chosen to make their own lives easier.

It is not just Cloudflare, though. My credit union uses Akamai who for a period of several months would terminate my connection during the TLS handshake, if I tried to connect from a connection tethered to my phone (cloudflare hates tethering/CGNAT too; cloudflare kept me from accessing my health dept's website during the pandemic from a tethered connection [my only Internet access at home]).

[rustcleaner]

I exclusively only touch the internet through Tor or one of a small set of privacy VPNs. Cloudflare drives me crazy over Tor because my preference is to run 'Safer' mode: that web assembly is disabled and javascript is less accelerated. That causes verification loops for cloudflare, and lawyer offices all seem to use the same canned hosting template. I think CF is doing this because it may allow them to grope the device better if webassembly is enabled.

All that's needed is a minimum of 36 independent boolean values to identify you in the global population. 72 is more than enough to gain high confidence in birthday attack problems at 36 bits. How many hardware-unique bits can be siphoned with web assembly and javascript?

[ranger_danger]

Does it matter? More people need to know about this, not everyone saw a post from 3 years ago. https://xkcd.com/1053

[nerdjon]

Number 3 doesn’t add up if we look at AWS. Some estimates I can find are AWS is at that number alone.

Especially given that they supply resources to 3 of the other companies in the list. I would love to see other reports on those numbers.

[ranger_danger]

People are also sleeping on the pervasiveness of AWS Cloudfront and ELB which is the exact same thing as Cloudflare.

[Tamer]

And it definitely is a treat to accessibility. RSS accessibility!

[beretguy]

Also can’t use some websites with JavaScript disabled.

[Aeolun]

By this measure any SSL proxy service is a threat to internet privacy? For cloudflare it’s just a matter of scale?

[Dylan16807]

The scale is what makes it a threat. Too much behind the same gates.

[ranger_danger]

Yes exactly.

[SeanAnderson]

"Cloudflare handles approximately 20% of all the traffic on the internet. And it's growing fast."

Is it bad this just makes me want to invest in them? :s :(

[brigadier132]

Why not do a simple google search before posting something like this? It would've taken less time than posting what you wrote which is completely not based on fact.