
Cloudflare CEO on whether Airtel is sniffing data packets to block websites - harshilmathur
http://www.medianama.com/2016/07/223-cloudflare-ceo-matthew-prince-airtel-sniffing-data-packets/
======
yoo1I
TL;DR:

> Cloudflare is a proxy. [...] We don’t have any idea why this particular
> customer chose to do that, but that’s the customer’s decision.

Or in other words:

> "We are just a proxy, we are not responsible for anything".

--
https://news.ycombinator.com/item?id=12092188

... it's getting a bit old hearing CloudFlare have the same response every
time someone raises an issue with them.

------
apeace
Title is clickbait.

The only important/interesting quote from the article:

> That particular customer had set up their configuration in such a way that
> the connection from Cloudflare back to the customer’s origin was not passed
> over an encrypted link. Cloudflare has the ability to pass that over an
> encrypted link. We don’t have any idea why this particular customer chose to
> do that, but that’s the customer’s decision.

~~~
gkop
And it's Cloudflare's decision to expose the endpoint as HTTPS, suggesting to
visitors that it's a secure endpoint when Cloudflare knows that it is not.

~~~
johansch
It's each website's decision to use (or not use) Cloudflare. It's thus also by
extension each website's decision to expose the site over HTTPS.

~~~
gkop
For sure. From the perspective of a visitor to the site, you see the padlock,
it should be secure. Cloudflare makes it extremely easy to disguise an
insecure endpoint as a secure one. In fact, Cloudflare does this for free! It
harms visitors.

~~~
rakoo
... And it's the customer's decision to leave the cloudflare->upstream link in
the clear. Just like it was Google's decision to add and remove SSL between
the frontend server and the backends.

Cloudflare is _part_ of the customer's website, it's not some random
third-party that happens to be there on the path to the HTTP client.

------
jballer
This title is misleading and borderline incorrect. He accepts that unencrypted
traffic to specific IPs can be intercepted in accordance with a government
order. He does not accept that all unencrypted traffic can be sniffed, or that
any encrypted traffic can be decrypted.

~~~
harshilmathur
> MediaNama: As far as I understand, they wouldn’t know the IP address of the
> host server?

> Matthew Prince, Cloudflare: They should not. That is true.

> MediaNama: So the only way they can understand what to block via this route
> is by sniffing every packet?

> Matthew Prince, Cloudflare: That is what I’m concerned about, but we don’t
> have a satisfactory answer at this point. _But you are correct, that is what
> I infer._

------
aravindet
For those who missed the background to this, CloudFlare’s Indian ISP was
modifying the response from the upstream server to their proxy servers; unable
to detect this, CloudFlare serves the fake response to users under an
authentic SSL certificate for that domain.

An interesting aside: CloudFlare is likely inadvertently exporting Indian
censorship to neighboring countries like Sri Lanka, Nepal and Bangladesh.

------
rm2889
Can someone explain this to an encryption dummy? The 'customer' the CEO is
talking about, who chose to not encrypt traffic from Cloudflare back to the
origin, is the PirateBay? So Airtel could be sniffing all the unencrypted
packets going from Cloudflare to other Cloudflare customers if the content is
stored in Cloudflare's India data centers?

------
harshilmathur
TL;DR:

MediaNama: So the only way they can understand what to block via this route is
by sniffing every packet?

Matthew Prince, Cloudflare: That is what I’m concerned about, but we don’t
have a satisfactory answer at this point. _But you are correct, that is what I
infer._

------
apecat
The headline provided is hardly a fair description of the content of the
article. Matthew Prince, CEO of Cloudflare, just states the technical facts of
how a https->http proxy works in the context of present day surveillance.

One might argue that Cloudflare’s UI should be a bit more forthcoming and warn
customers against blindly turning on what they call "Flexible SSL", which is
the issue here. I’m of the opinion that this behavior creates a false sense of
security for end users.

A few days ago, I made this humble argument as a reply to John Graham-Cumming,
@jgrahamc, an industry rockstar who works at Cloudflare.
https://news.ycombinator.com/item?id=12094057

Flexible SSL is Cloudflare’s term for enabling SSL from the proxy servers to
the client, when no encryption is present in the connection back to the origin
server. This can protect against things like ISP level snooping, or code
insertion and curious local network admins. But it undermines the perceived
benefits of https, without the end user knowing.

I personally choose to never activate Cloudflare's SSL without origin SSL, for
the reason I stated above: regular people trust that "green lock" in their
browser.

But then, there are those who argue that any SSL use through something like
Cloudflare muddies the water, as a service like this acts as a Man in the
Middle out of necessity. Furthermore, CDN providers like Cloudflare are by
their very nature entrusted with a lot of data which they could mine for
nefarious purposes, or leak to local authorities. Another black box to trust,
sadly.

This matters for a lot more people than one might assume. One of the central
points of CDNs is of course that they try to find the closest/fastest Point of
Presence/data center. And now, unfortunately, my residential ISP here in
Helsinki, Finland (TeliaSonera) routes me to Cloudflare’s new Moscow PoP/data
center most of the time.

Previously, my Cloudflare traffic got routed to their Stockholm PoP, as is
still the case with other local ISPs I use at work, on mobile etc. For
TeliaSonera, Moscow just happens to be the best route at the moment.

This, in turn, causes me to feel slightly more creeped out about potential
Russian mass surveillance targeting than I did previously about the Swedes,
Germans and other Western actors. Just my personal preference. Also, one would
have to ask how Cloudflare will handle Russia’s new, totally batshit
anti-crypto legislation (
https://www.theguardian.com/world/2016/jun/26/russia-passes-big-brother-anti-terror-laws )

In this case, I’m in luck, because CEO Matthew Prince recently said that
Helsinki, Finland will get its own PoP "very soon"
(https://blog.cloudflare.com/brussels/).

But all of this is of course something to keep in mind for internet users,
that their traffic might take unexpected routes, through areas with totally
batshit laws. You can check which Cloudflare PoP you are served by currently
through the url below. "Colo" marks the data center, named after the closest
airport. https://www.cloudflare.com/cdn-cgi/trace

With all this said, I’m still a loyal user and customer of Cloudflare’s. Despite
the inherent problems, and the ongoing issues Tor users face.

I would go as far as to say that Cloudflare is something of a dream machine
for someone like me who supports a bunch of websites, varying from small to
quite heavy on traffic, while still having other work to attend to.

Combining Cloudflare and basic disk based caching found in CMSs, you really
can do things like viral web content very cost efficiently. And you get a
little help against automated CMS vulnerabilities without paying for their
full DDoS protection.
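
Added example, not part of the thread and not Cloudflare's code: a Python sketch of how an origin operator could spot the "Flexible SSL" situation discussed above, where the visitor's browser speaks HTTPS to the proxy but the request reaches the origin in cleartext. It assumes the proxy sets the `X-Forwarded-Proto` and `CF-Visitor` request headers; the function names and sample requests are constructed for illustration.

```python
import json
from collections import Counter


def classify_leg(listener_tls, headers):
    """Classify one request as seen by the origin server.

    listener_tls: True if the origin accepted the request on its TLS listener.
    headers: request headers as received from the proxy (assumed to come from
    the proxy's address ranges; anyone else can forge them).
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme = h.get("x-forwarded-proto", "").strip().lower()
    # CF-Visitor carries a small JSON object such as {"scheme":"https"}.
    try:
        scheme = json.loads(h.get("cf-visitor", "")).get("scheme", scheme)
    except (ValueError, AttributeError):
        pass  # header absent or malformed: keep the X-Forwarded-Proto value
    if scheme == "https":
        # The visitor saw a padlock; what matters is the proxy-to-origin leg.
        if listener_tls:
            return "encrypted-both-legs"
        return "padlock-over-cleartext-origin"
    if scheme == "http":
        return "cleartext-visitor"
    return "unknown"


def audit(requests):
    """Count classifications over (listener_tls, headers) pairs."""
    return dict(Counter(classify_leg(tls, hdrs) for tls, hdrs in requests))


# Constructed sample: what an origin might log for five requests.
SAMPLE_REQUESTS = [
    (False, {"X-Forwarded-Proto": "https", "CF-Visitor": '{"scheme":"https"}'}),
    (False, {"x-forwarded-proto": "https"}),
    (True, {"X-Forwarded-Proto": "https", "CF-Visitor": '{"scheme":"https"}'}),
    (False, {"X-Forwarded-Proto": "http", "CF-Visitor": '{"scheme":"http"}'}),
    (False, {}),
]

if __name__ == "__main__":
    for label, count in sorted(audit(SAMPLE_REQUESTS).items()):
        print(f"{label}: {count}")
```

Any non-zero `padlock-over-cleartext-origin` count means visitors are shown HTTPS while the proxy-to-origin hop can be read or modified on the path, which is the configuration the thread describes.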

