
Election Cybersecurity: Preparing for the 2020 U.S. Elections - chmaynard
https://blog.cloudflare.com/election-cybersecurity-preparing-for-the-2020-u-s-elections/
======
dopylitty
Claims about raw numbers of attacks on internet-facing services always seem a
bit dishonest.

Anyone who has ever attached a public IPv4 address to a server knows that they
are immediately hit with drive-by attacks of all sorts because it's just not
that hard to attempt attacks against literally every possible IPv4 address.

It would be nice if CloudFlare could indicate whether the attacks they're
claiming in this post are targeted or are just run-of-the-mill drive-by
attacks.

Raw numbers don't really mean anything. How do the numbers of attacks against
campaigns and election sites compare to those against other sites of similar
reach? They do compare Senate and House campaign sites, but I don't know if
those differences are more likely to be due to how the drive-by attackers
prioritize their work (e.g., if a site appears on Twitter more often because a
Senate campaign has a broader reach, does it lead to more attacks?).

Overall this post implies the attacks are related to the election but I don't
see any real data indicating that they are targeted.

~~~
gazelleeatslion
Host a bunch of campaign sites - many using the program talked about here.

It would be cool to have more precise numbers and neat stats on more specific
attacks but as long as I'm protected I don't really care.

Regardless of that...

I'd argue the reality is it's nearly impossible, expensive, or just plain
risky to host any high-profile website without Cloudflare today (using their
campaign offering or not). Between security and random traffic spikes it's
simply an awesome / killer / the absolute best deal. All clients must go on
Cloudflare for me.

The only other option is to go 100% static - ultimate security and speed -
which also has its trade-offs.

Cloudflare actually doesn't offer a pure static option even with their
election protection program. The ability to just go "pure static" doesn't
exist to my understanding.

E.g.: You can try to mimic "fake static" by turning 100% HTML Page Cache on,
plus Firewall rules to block non-GET/HEAD requests. This still subjects you to
cache-busting techniques to hit origin (/?fbid=1, /?fbid=2, /?fbid=3, etc.).
This is because ignoring query strings and pure HTML cache only would only be
possible using Workers or an Enterprise plan with Custom Cache Keys, both of
which are not offered under their campaign program.

The best work-around would be rate-limiting, but that still exposes origin and
has its trade-offs.

Google offers an election program [1] which is more the pure cache = pure
security philosophy. Way, way less flexible though. Just some thoughts.

1:
[https://protectyourelection.withgoogle.com/intl/en/](https://protectyourelection.withgoogle.com/intl/en/)
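The "fake static" setup the comment above describes, and the query-string cache busting that defeats it, can be illustrated with a small edge handler. The code below is an added example, not from the thread, from Cloudflare, or from Google's program. It assumes a Cloudflare Workers-style runtime (the `caches.default` Cache API, `fetch` to origin, `ctx.waitUntil`) and a hypothetical hostname `example.test`; it only makes sense where Workers are available, which the commenter notes is not the case under the campaign program. The cache key is built from scheme, host and path only, so `/?fbid=1`, `/?fbid=2`, ... all collapse onto the one cached copy of `/` and never reach origin, and every method other than GET/HEAD is rejected at the edge.

```javascript
// Added example (not the thread's or Cloudflare's code): serve a site as
// "fake static" from the edge cache, keyed on path only, so query-string
// cache busting cannot be used to reach origin. Hostname is hypothetical.
const ALLOWED_METHODS = new Set(["GET", "HEAD"]);

// Build the cache key: scheme + host + normalized path. The query string is
// dropped entirely and trailing-slash / doubled-slash variants are collapsed,
// so every "?fbid=N" variant of "/" maps to the same cached object.
function cacheKeyFor(rawUrl) {
  const u = new URL(rawUrl);
  let path = u.pathname.replace(/\/{2,}/g, "/");
  if (path.length > 1 && path.endsWith("/")) path = path.slice(0, -1);
  return `${u.protocol}//${u.host}${path}`;
}

// Decide, before origin is involved, whether a request is served from cache
// (GET/HEAD) or rejected outright (anything that could mutate state).
function classifyRequest(method, rawUrl) {
  if (!ALLOWED_METHODS.has(String(method).toUpperCase())) {
    return { action: "reject", status: 405 };
  }
  return { action: "serve", key: cacheKeyFor(rawUrl) };
}

// Handler in the Workers module shape (assumed runtime API: caches.default,
// fetch, ctx.waitUntil). In a real Worker this object is `export default`ed.
const worker = {
  async fetch(request, env, ctx) {
    const decision = classifyRequest(request.method, request.url);
    if (decision.action === "reject") {
      return new Response("Method Not Allowed", {
        status: decision.status,
        headers: { Allow: "GET, HEAD" },
      });
    }
    const cache = caches.default;
    // The normalized key is used both to look up and to fill the cache, so
    // origin sees at most one fetch per distinct path, never per query string.
    const keyRequest = new Request(decision.key, { method: "GET" });
    let response = await cache.match(keyRequest);
    if (!response) {
      response = await fetch(keyRequest);
      if (response.ok) ctx.waitUntil(cache.put(keyRequest, response.clone()));
    }
    return response;
  },
};

// Stand-alone demo on constructed requests (the cache-busting pattern from
// the comment plus a write attempt); no network or Workers runtime needed.
const sampleRequests = [
  ["GET", "https://example.test/?fbid=1"],
  ["GET", "https://example.test/?fbid=2"],
  ["HEAD", "https://example.test/about/?fbid=3"],
  ["POST", "https://example.test/wp-login.php"],
];
for (const [method, url] of sampleRequests) {
  console.log(method, url, "->", JSON.stringify(classifyRequest(method, url)));
}
```

Rate limiting, which the comment offers as the fallback, still lets each distinct query string through to origin until the limit trips; keying the cache on the normalized path closes that gap at the edge, at the cost of losing any legitimate query-string-driven pages unless you add an allowlist of parameters to `cacheKeyFor`.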

