
Is Cloudflare Safe Yet - rammy1234
https://iscloudflaresafeyet.com/
======
ceejayoz
> Deploying RPKI is not as easy as flipping a switch as some sites would like
> to imply, it requires very careful planning, which can take months or years
> (in case equipment needs to be replaced and upgraded).

So? The assertion is "they're not secure", not "it's easy to become secure".

> While this is generally necessary to leverage the use of features like
> static file caching, it also means Cloudflare gets to see the billing
> details and possibly payment information of customers shopping on a
> Cloudflare protected e-shop.

I tend to trust Cloudflare with this info more than I trust the website itself
and their 83 different unpatched WordPress plugins.

~~~
mwcampbell
I think the more important point, which I agree with, is that Cloudflare
shouldn't be using this scare tactic, especially in the middle of a pandemic.

~~~
ceejayoz
Could you explain why security matters less during a pandemic?

~~~
toomuchtodo
You don't break critical infrastructure when it's needed the most, when what
we have today is working "well enough" until a window of time presents itself
when improvements can be made.

You manage risk through balancing security and business requirements. You
mitigate the risk you can, you accept the risk you can't (or choose to defer).

Disclaimer: I work in risk. I have these conversations daily. When Cloudflare
first published their RPKI marketing site, I thought it was an important issue
until doing further research, and have since walked back my personal opinion
(which was admittedly overzealous about RPKI initially) on the severity of the
issue and the timeline necessary for action to be taken.

~~~
ceejayoz
They've been deferring for a long time.

The RPKI RFC is from 2012. Cloudflare's been publishing blog articles like
"RPKI - The required cryptographic upgrade to BGP routing"
([https://blog.cloudflare.com/rpki/](https://blog.cloudflare.com/rpki/)) for
years now.

~~~
toomuchtodo
And? If a central authority (or statute) doesn't dictate implementation,
connectivity providers have the ability to defer forever. Customers have
accepted the risk and deemed it acceptable if their provider does not support
RPKI. It's their dollars to spend on connectivity, not ours.

~~~
ceejayoz
> Customers have accepted the risk and deemed it acceptable if their provider
> does not support RPKI.

That's a silly assertion. What percentage of residential ISP customers do you
think are aware _at all_ of RPKI?

Cloudflare's "is BGP safe" page is intended to highlight the ISPs that are
deferring RPKI. If you claim customers are making an educated decision on
whether RPKI is necessary, you shouldn't have an objection to the site's
existence.

~~~
toomuchtodo
It's a silly assertion to think most ISP customers would care about RPKI, even
if made aware. Gmail works? Netflix works? Facebook works? Zoom works? Carry
on. Prove me wrong! I would love to be wrong. People don't even care about
PATRIOT act renewals, it is _highly unlikely_ they're concerned about the
implementation of cryptographic primitives for authenticating routing updates.

"Did you know China could poison routing tables and see all your data?" "I
don't do anything I care about them seeing." This is from a real conversation
with your average non-tech individual. It is not a technology issue (today,
you could use VPNs [WARP] and cryptography to create a mesh from end users to
Cloudflare to server side endpoints and fail closed when BGP routing gets
hijacked temporarily anywhere in the mesh), it is a privacy advocacy issue.
Encouraging people to care is the hard part.
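As an added illustration of the mechanism the thread keeps circling (route origin validation, the RPKI check an ISP either deploys or defers), here is a small RFC 6811 validator. This is example code written for this page; it is not code from the parody site, from Cloudflare, or from any RPKI validator. The ROAs and announcements are constructed sample data using documentation prefixes and private ASNs, not real registry records.

```python
"""Route Origin Validation (RFC 6811) against a constructed ROA set.

Added example; not code from the discussion, from Cloudflare or from any
RPKI validator. ROAs and announcements are constructed sample data using
documentation prefixes and private ASNs, not real registry records.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Iterable, List, Optional, Tuple, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maxLength, authorized origin AS."""
    prefix: Net
    max_length: int
    asn: int

    @classmethod
    def parse(cls, prefix: str, asn: int, max_length: Optional[int] = None) -> "ROA":
        net = ip_network(prefix, strict=True)
        # A ROA without an explicit maxLength authorizes exactly that prefix length.
        ml = net.prefixlen if max_length is None else max_length
        if not net.prefixlen <= ml <= net.max_prefixlen:
            raise ValueError(f"maxLength {ml} out of range for {net}")
        return cls(net, ml, asn)


def covers(roa: ROA, route: Net) -> bool:
    """A ROA covers a route when the route prefix lies inside the ROA prefix."""
    return route.version == roa.prefix.version and route.subnet_of(roa.prefix)


def validate(route_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' per RFC 6811 section 2.

    NotFound: no ROA covers the prefix (unsigned space; ROV cannot judge it).
    Valid:    some covering ROA names this origin AS and permits this length.
    Invalid:  ROAs cover the prefix but none matches (wrong origin, too
              specific, or only an AS0 ROA exists, which authorizes nobody).
    """
    route = ip_network(route_prefix, strict=True)
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def filter_announcements(
    announcements: Iterable[Tuple[str, int]],
    roas: Iterable[ROA],
    drop_invalid: bool,
) -> List[Tuple[str, int, str]]:
    """Apply the usual ROV policy: drop Invalid, carry Valid and NotFound.

    drop_invalid=False models a network that has deployed nothing; it
    accepts the hijack along with everything else.
    """
    roas = list(roas)
    accepted = []
    for prefix, asn in announcements:
        state = validate(prefix, asn, roas)
        if drop_invalid and state == "Invalid":
            continue
        accepted.append((prefix, asn, state))
    return accepted


# Constructed sample ROAs (documentation prefixes, private ASNs).
SAMPLE_ROAS = [
    ROA.parse("192.0.2.0/24", 64500),                   # exact /24 only
    ROA.parse("203.0.113.0/24", 64502, max_length=25),  # /24 or /25 allowed
    ROA.parse("198.51.100.0/24", 0),                    # AS0: must never be announced
    ROA.parse("2001:db8::/32", 64500, max_length=48),
]

# Constructed sample announcements as (prefix, origin AS).
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),      # legitimate
    ("192.0.2.0/24", 64496),      # origin hijack from the wrong AS
    ("203.0.113.0/25", 64502),    # right AS, length within maxLength
    ("203.0.113.0/26", 64502),    # right AS, more specific than allowed
    ("10.0.0.0/8", 64500),        # no ROA at all
    ("198.51.100.0/24", 64501),   # covered only by an AS0 ROA
    ("2001:db8:1::/48", 64500),   # IPv6, within maxLength
]


if __name__ == "__main__":
    for prefix, asn, state in filter_announcements(
        SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS, drop_invalid=False
    ):
        print(f"{prefix:18} AS{asn:<6} {state}")
```

The point of the `drop_invalid` switch is the whole argument above in miniature: a network that validates drops the wrong-origin and too-specific announcements and still carries everything NotFound, so unsigned prefixes keep working; a network that has deferred accepts all seven, hijack included. Note that ROV only covers origin spoofing; it says nothing about path manipulation.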

~~~
ceejayoz
That's moving the goalposts.

It may be that customers don't care when made aware - Cloudflare seems to
think at least a few will, but I tend to agree many won't. "Customers have
accepted the risk" was simply a laughable assertion.

~~~
toomuchtodo
Customers use their connectivity, today, as is, with the knowledge they have
(and BGP has not changed in decades). That is accepting the risk (although I
could see how my tangent about user education diverged from the core of our
argument, mea culpa).

If Cloudflare wants to go through the marketing exercise and isn't putting
unnecessary workload on other providers, I take no issue.

------
zymhan
This is cute but utterly unconvincing.

I guess someone at one of the "insecure" companies listed at
[https://isbgpsafeyet.com/](https://isbgpsafeyet.com/) got a little sore?

~~~
mwcampbell
Is it not plausible that this is just a concerned person speaking out? Why go
straight for the most cynical take?

~~~
zymhan
I mean they literally ripped off the header design of the original Cloudflare-
run BGP site. That alone makes it clear they're responding to that original
post, and not out of some random desire to inform people of CloudFlare's design
issues.

~~~
mwcampbell
The fact that they're using smart campaign tactics doesn't imply that they're
a competitor firing back rather than a concerned person taking advantage of
the opportunity to draw attention to the things that concern them.

~~~
sgammon
is it you

are you “they”

~~~
mwcampbell
No. I was just responding to what I think is an excess of cynicism toward an
unknown individual.

~~~
zymhan
Oh please, the "is cloudflare safe" site is peak cynicism. Not sure how you
can look past that point and then call everyone else a cynic.

------
oars
"By using a VPN application like WARP, all you are doing is shifting who is
able to read your traffic to someone else."

Isn't that the case with all VPNs? One of the most common VPN use cases is
to create an encrypted tunnel between your connection and another server (VPN)
so that it looks like your traffic is originating from that server.

Which VPN(s) doesn't allow another server to read your traffic? I thought a
VPN connection has to have a VPN server which does this?

~~~
michaelhoffman
That is the case with all VPNs, but that is not commonly understood by people
without technical expertise who have heard that a VPN will increase their
security.

------
hyperpape
The natural reading of the URL is that the author will expose some surprising
way that being a customer of Cloudflare is unsafe.

Instead, there's a mixture of the well-known (but valid!) MITM concerns and a
hodgepodge of other crap. It would be better titled "my complaints about
Cloudflare" but that's not good enough clickbait.

This deserves to be flagged.

------
cpitman
How is the "Man in the Middle" concern different from any other CDN, like
Akamai? At this point, I assume any major web presence is fronted by a CDN.

~~~
gunn
It seems to be based on a site by cloudflare:
[https://isbgpsafeyet.com/](https://isbgpsafeyet.com/)

------
shirshak55
I trust cloudflare more than my ISP. And regarding dns I trust next dns over
1.1.1.1. And I trust 1.1.1.1 more than 8.8.8.8 which is run by an ads company.
I would like to thank cloudflare for their service.

------
r1ch
I'm a bit surprised to not see criticism of their SSL options. For a security
company, Cloudflare makes it incredibly easy to set up insecure configurations
to your origin. There are four SSL options to choose from, but only one is
actually secure and it usually defaults to one of the insecure options.

------
godman_8
This website is wrong in so many ways. Cloudflare isn't perfect and too much
centralization is an issue but the arguments in this are wrong and emotional.

"Cloudflare is shielding cybercriminals" So? Criminals use many good services,
it doesn't make the service bad.

"Scaring internet users into thinking their ISPs are insecure in the middle of
a global pandemic" ISPs ARE insecure because of this. The global pandemic has
nothing to do with this. Do we get mad at CVEs all of a sudden during a
pandemic?

"Falsely advertising their VPN application" It can be safer depending on the
situation. If you need a model closer to zero-trust (still not zero-trust
though) use Tor.

~~~
judge2020
To add:

> Cloudflare is shielding cybercriminals

Cloudflare has an abuse form
[https://cloudflare.com/abuse](https://cloudflare.com/abuse) - CF also
doesn't prohibit you from filing police reports with your local law
enforcement, which CF will cooperate with upon receiving contact.

> Scaring internet users into thinking their ISPs are insecure in the middle
> of a global pandemic

[https://hn.algolia.com/?q=bgp](https://hn.algolia.com/?q=bgp)

------
botto
I guess no one read all the way to the copyright

> While this site is a parody, it may contain factual information. :) The
> author has no affiliation with Cloudflare, Inc.

~~~
marcrosoft
This is just so they don’t get sued into oblivion.

------
detaro
funnily enough, apparently Cloudflare did also accept invalid routes, at least
from the client-side?
[https://twitter.com/Benjojo12/status/1251538757595148291](https://twitter.com/Benjojo12/status/1251538757595148291)
(entire thread is IMHO a good take on this)

------
sgammon
this is ridiculous and misleading

no CloudFlare is not decrypting traffic

my lord as if a VPN tunnel is such a bad thing

------
edf13
Why flagged?

------
sgammon
That’s a lot of words for

“I’m unable to secure BGP at my shit ISP and now I blame cloudflare for my
ineptitude and bad press”

------
cagenut
people who have strongly negative opinions about cloudflare are so confusing
to me. literally everything they do has been done by akamai for a decade, and
if you combined akamai and cloudflare and fastly and the next five biggest
CDNs combined you still wouldn't even come close to touching the scope of what
Amazon, FB, Google, Apple, and MS do.

It's like someone freaking out at whitecastle over the dangers of fast food and
the environmental impact of beef. You're not necessarily wrong... just your
aim is so weird.

