
Cloudflare’s service’s questionable practices - signa11
https://www.devever.net/~hl/cloudflare
======
gkoberger
I really hate this framing. The title is an old meme, but to me it always
feels like a false way to present your case by making it feel more "official"
than it really is. I'd rather it be titled something like "Here's why you
should be careful when using Cloudflare" or "Cloudflare runs into issues when
using Tor or disabling JavaScript". The framing shuts down all debate, and
ignores that it's mostly just considered harmful by the author. (more:
[https://meyerweb.com/eric/comment/chech.html](https://meyerweb.com/eric/comment/chech.html))

I personally love Cloudflare. It's made a ton of stuff a lot easier for me as
a developer. Sure, there's some downsides... but that's true with any service.
(And a lot of the complaints are opt-in features that the web developer
enabled)

It seems the author only has problems with Cloudflare almost completely
because he uses Tor. Unfortunately, most Tor traffic is malicious (94%, by
Cloudflare's count), and the whole point of Cloudflare is to prevent malicious
attacks.

Anytime you do something for privacy (block ads, disable JS, use Tor),
unfortunately things won't always work exactly how you expect.

Lastly, it ends with a weird conspiracy theory... "It is probably a US
Government-attached intelligence agency". Okay.

~~~
tyingq
I worry about Cloudflare, but for different reasons. They are supposedly 10%
of Internet traffic now, and probably much higher if you net out video and
other things they aren't currently trying to gain marketshare in. Just the
general monoculture worry around security, reliability, etc. Especially since
they seem to front a lot of the smaller, independent web sites that I like.

~~~
xwdv
Makes for a great investment though, and the stock is currently below IPO
price with earnings coming up Nov 7.

I’d probably buy now.

~~~
xwdv
CloudFlare up today almost 8% after my recommendation.

------
judge2020
> Essentially, Cloudflare by design randomly perpetrates denial of service
> attacks on users, yet at the same time Cloudflare paradoxically advertises
> itself as a service to mitigate DoS attacks.

I guess he's trying to be snarky here, but it's obvious their business is to
prevent DoS attacks against the server by malicious clients.

I imagine the extremely large majority of clients [fully-featured modern web
browsers] can get past the captcha (or JS challenge), therefore it's only a
'DoS attack against the user' in the small amount of situations where the
user's client/browser doesn't have the technology required to solve the
captcha (or JS challenge). If lynx or other non-JS browsers had a surge in
popularity and CF's enterprise customers complained, you can assure they would
have a solution out within a week that would not require JS or cookies.

~~~
pergadad
There was another discussion a few weeks ago about how often in particular
people from developing countries face captchas. Essentially cloudflare knows
first and second class citizens of the internet, and sites protected with
cloudflare will feel good in Western Europe and US but might require captchas
at every corner and are not necessarily sped up if you happen to be sitting in
India or Nigeria.

It's a rather typical blindness of US (and to a lesser degree EU/AU/.. )
companies, which by design or accident care mainly about US and other rich
country users.

~~~
judge2020
It's surely a difficult problem to even comprehend without being in that
situation, but the CF ip reputation systems don't flag certain ASNs or IP
blocks just because of the location. Maybe there's less security and unpatched
RCEs happen often, maybe NAT'ing hundreds of users behind an IP is
commonplace (making a bad actor taint the IP reputation for 99 other users), maybe a
good amount of their users install things like the Hola VPN (where your
computer turns into a VPN) or Raspberry Pi devices that also turn your
computer into a "residential IP VPN" for extra cash. Regardless, if the
automated threat detection systems see 100 IPs in a /24 block perform
questionable requests, chances are that block or full ASN is going to get the
boot.

Maybe that's the problem, the current scale of the internet and of human
civilization means it's nearly impossible to use fairly-accurate humans for
these types of things; the only option for managing something that works for
the entire world is by turning to error-prone computers that we can only bet
on someday being as good as humans at making decisions with the full context
provided.

------
judge2020
About to read the article but "Cloudflare considered harmful" sounds like it's
a news publication reporting on a well-known organization or government making
a statement about CF being harmful. Based off skimming this, it looks like a
personal opinion and would better be titled "I consider Cloudflare to be
harmful".

~~~
ronnier
[https://en.wikipedia.org/wiki/Considered_harmful](https://en.wikipedia.org/wiki/Considered_harmful)

------
stevenicr
A write up like that and he did not mention the Cloudflare policy to inspect
the traffic and log the words read / said and send info about things people
have read / said to various gov agencies..

I must assume that he does not know this, and if this guy doesn't, then how to
calculate the odds that X percent of Y (how many people are sharing what they
read through Cloudflare's pipes everyday?) - how many people don't know they
are being spied on and info about them is being sent to others because a host
is routing through cloudflare?

------
big_chungus
I've got to wonder why the author blames cloudflare for blocking tor. Site
operators have to use cloudflare, and they do because blocking tor is one of
the easiest ways to reduce spam. Tor is good for privacy, but not great for
the people running the sites. What makes him think that people wouldn't switch
to another service? It sounds like he's pushing for tor acceptance, but
phrasing it poorly.

~~~
wolco
People are not using Cloudflare because they block tor. Most are not using
them for dos protection. They are using them for a variety of other reasons so
they may not be aware of the situation.

~~~
xyz-x
Like their free DNS service that supports DNSSEC, Rotor (CDN JS optimisation),
Let's Encrypt integration out of the box, low latencies where the users live,
etc

~~~
cnst
If you really care about the low latencies, you might want to not pull up
megabytes of JavaScript libraries to simply render up a few bytes of text.

I have a single server on another continent, yet my pages load several times
faster than any of these Cloudflare-powered websites served from another part
of town.

Let's Encrypt itself is an artificial construct that your homepage would
hardly benefit from, and where Cloudflare reaps the most benefits from by
having it be a selling point that no one outside of commercial entities ought
to need in the first place.

------
jiveturkey
absolute nonsense.

websites in fact should stop using cloudflare, however the rant displayed here
is irrelevant.

