
How We Extended CloudFlare into Mainland China - eastdakota
https://blog.cloudflare.com/how-we-extended-cloudflares-performance-and-security-into-mainland-china/
======
song
> Baidu's regulatory expertise also helped to solve what previously seemed
> like an insurmountable problem. They developed a process whereby ICP license
> applications could be automatically submitted on behalf of CloudFlare
> customers. This removes the burden of individual customers having to
> navigate local licensing requirements.

Translation: "Baidu's regulatory expertise" means "Baidu's guanxi and
relationship with key decision makers in the country that invested and will
profit from the company growth". It's always funny how corruption gets renamed
to better sounding words like "expertise".

~~~
phn
Why is the relationship with key decision makers considered corruption?

I get it's not "expertise", but I don't get why it's corruption either.

~~~
song
It's corruption because the relationship usually involves the key decision
makers having either stock in that company or being rewarded financially in
one way or another.

------
bpolverini
One can only imagine what kind of Faustian bargain Cloudflare had to concoct
in order to make this all legal.

Once Baidu and the PSB have managed to extract enough useful intellectual
property from Cloudflare, it will only be a matter of time until they find a
reason to block Cloudflare and replace it with a domestic service that can be
even more tightly controlled.

Cloudflare is phenomenally competent, but Matthew Prince is likely in for a
serious surprise that has nothing to do with technological innovation and
everything to do with sociology and a different culture.

~~~
carterehsmith
Hmmm. Many people have this perception that Cloudflare sells "protection" to
DDOS "victims", while providing a comfy hosting place for DDOS "providers".
Good business, selling weapons to two opposed groups.

~~~
Dylan16807
That's such a weird way to look at it. They offer DDOS protection to anyone
and everyone, and they don't offer anything that could be used to perform or
relay DDOS.

~~~
carterehsmith
According to some reports, they totally do. E.g. from
[http://krebsonsecurity.com/2015/08/stress-testing-the-booter-services-financially/](http://krebsonsecurity.com/2015/08/stress-testing-the-booter-services-financially/)

"Finally, the researchers observed a stubborn fact about these booter
services that I've noted in several stories: That the booter service front-end
Web sites where customers go to pay for service and order attacks were all
protected by CloudFlare, a content distribution network that specializes in
helping networks stay online in the face of withering online attacks."

~~~
Dylan16807
1. They offer DDOS protection to _everyone_.

2. That's the front-end. It's not performing or relaying DDOS attacks.

CloudFlare is not in the business of deciding who is good or bad, legal or
illegal. They make sites faster, and keep sites online.

They're not selling weapons, they're selling medical services to everyone.

And they have a nice free tier.

~~~
carterehsmith
1. How is that good? Personally, if I learned that one of my customers is
selling DDOS-as-a-service, or other illegal stuff, I would drop them right
away. Would you not?

2. Splitting hairs here - I never said that CF itself is performing or
relaying DDOS attacks. But CF helps DDOSers stay up & in-business. This is
kind of important for DDOSers as they tend to try and eliminate competition by
DDOSing competitors, plus there are whitehats trying to DDOS DDOSers (lol
here). CF helps them stay up. I can't imagine that you approve of that kind of
stuff - that is, protecting illegal activities.

~~~
Dylan16807
Are you a court? Then you don't always know what's illegal. Why not let the
legal system decide?

It's not splitting hairs. A medicine dealer is a far cry from an arms dealer,
even if they are selling to "both sides".

I totally approve of protecting people from attacks, even bad people. I don't
want burglars to have their houses broken into. I don't want kidnappers to get
kidnapped.

I'm sorry you can't imagine me.

~~~
carterehsmith
First, there is a "Trading with the Enemy" act. So, if CF is a US-based company
that provides "safe harbor" to ISIS (check the Wikipedia page), it is illegal.

Also, DDOS is illegal pretty much anywhere, last I checked. Do you have any
pointers to claim otherwise?

Last, this "medicine" thing is cute, but they don't sell medicine, otherwise
they would be regulated by FDA and they would need to answer some tough
questions about their "medicine" (like, does it work?), and that would be the
end of it, so no, it is not a "medicine". It is software-as-a-service.

~~~
Dylan16807
A group like that has been officially declared off-limits, which is letting
the government do the governing, and completely consistent with not trying to
interpret the law. DDOS is pretty clear, but a lot of behaviors are not, and
CloudFlare does not want to be judge and jury. They will follow legal rulings
but they will not make them.

You're taking the analogy a bit too literally when you bring in the FDA. Their
DDOS protection clearly works, and the FDA would not say "oh some people
inflict the flu on others, you don't get to give them flu shots".

They are providing something that is entirely defense against illegal
activity. If selling safes to burglars keeps them from being burgled, so be
it.

------
alphang
Is CloudFlare's desire to extend into the lucrative Chinese market going to
cause reduced service for Hong Kong's pro-democracy customers?

[http://www.forbes.com/sites/parmyolson/2014/11/20/the-largest-cyber-attack-in-history-has-been-hitting-hong-kong-sites/](http://www.forbes.com/sites/parmyolson/2014/11/20/the-largest-cyber-attack-in-history-has-been-hitting-hong-kong-sites/)

------
MichaelGG
How is their universal SSL stuff being handled in China? Is there a separate
root they use? Since certs are shared (with lots of SANs) if my site is
sharing a cert with one that opts-in to China access, does that mean the
private key for that cert is now available to China?

~~~
eastdakota
We're using Keyless SSL when HTTPS goes live inside China. That means we can
handle HTTPS without any keys being stored inside China.
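
The split that eastdakota describes (TLS terminated at an edge that never holds the private key, with the private-key operation delegated to a key server elsewhere) as an added illustration. This is example code written for this thread, not CloudFlare's Keyless SSL implementation; the `KeyServer`, `Edge`, edge identifiers and the in-process call standing in for the authenticated network link between them are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyServer stands for the component outside the restricted region: it is the
// only place the certificate's private key exists. (Constructed for this example.)
type KeyServer struct {
	priv         *rsa.PrivateKey
	allowedEdges map[string]bool // edges permitted to request signatures
}

// NewKeyServer generates a fresh RSA key and records which edge IDs may use it.
func NewKeyServer(bits int, allowed ...string) (*KeyServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	ks := &KeyServer{priv: priv, allowedEdges: map[string]bool{}}
	for _, id := range allowed {
		ks.allowedEdges[id] = true
	}
	return ks, nil
}

// PublicKey is what gets shipped to the edge (as part of the certificate).
func (k *KeyServer) PublicKey() *rsa.PublicKey { return &k.priv.PublicKey }

// Sign performs the private-key operation for an authorized edge. It only ever
// sees a digest, never the key leaves this process.
func (k *KeyServer) Sign(edgeID string, digest []byte) ([]byte, error) {
	if !k.allowedEdges[edgeID] {
		return nil, errors.New("key server: edge not authorized")
	}
	if len(digest) != sha256.Size {
		return nil, errors.New("key server: digest must be SHA-256 sized")
	}
	return rsa.SignPKCS1v15(rand.Reader, k.priv, crypto.SHA256, digest)
}

// Edge stands for the in-region TLS terminator. It holds the certificate
// (public key) and a channel to the key server, but no private key.
type Edge struct {
	id  string
	pub *rsa.PublicKey
	ks  *KeyServer // in a real deployment: a mutually authenticated connection
}

// SignHandshake hashes the handshake transcript locally, asks the key server
// for the signature, and checks it against the public key before trusting it.
func (e *Edge) SignHandshake(transcript []byte) ([]byte, error) {
	digest := sha256.Sum256(transcript)
	sig, err := e.ks.Sign(e.id, digest[:])
	if err != nil {
		return nil, err
	}
	if err := rsa.VerifyPKCS1v15(e.pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("edge: key server returned bad signature: %w", err)
	}
	return sig, nil
}

// ClientVerifies models the browser side: it only needs the certificate's
// public key to check the signature over the transcript.
func ClientVerifies(pub *rsa.PublicKey, transcript, sig []byte) bool {
	digest := sha256.Sum256(transcript)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	ks, err := NewKeyServer(2048, "edge-cn-1")
	if err != nil {
		panic(err)
	}
	edge := &Edge{id: "edge-cn-1", pub: ks.PublicKey(), ks: ks}
	transcript := []byte("constructed ClientHello||ServerHello transcript") // constructed sample
	sig, err := edge.SignHandshake(transcript)
	if err != nil {
		panic(err)
	}
	fmt.Println("client verifies edge signature:", ClientVerifies(ks.PublicKey(), transcript, sig))

	// An edge the key server does not recognize cannot obtain signatures at all.
	rogue := &Edge{id: "edge-unknown", pub: ks.PublicKey(), ks: ks}
	_, err = rogue.SignHandshake(transcript)
	fmt.Println("unknown edge rejected:", err != nil)
}
```

The point the thread is circling around is visible in the types: compromising or coercing the `Edge` yields the certificate and the ability to request signatures while the key server still cooperates, but not the key itself, and the key server can refuse or revoke an edge by ID. The authenticated link between edge and key server is what this example leaves out, and in practice it is the part that carries the trust.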

------
pakled_engineer
> Although we may not be able to announce certain content from within China, or
any other country in which certain content may be prohibited, we continue to
serve it across the Internet from the rest of the network.

Does this mean that the CPC can now have 2 factor censorship? If they get past
the great firewall they now have to get past Cloudflare too "We're sorry, this
content is not available in your country as per request of Ministry of Public
Security".

------
philip1209
If Cloudflare is not MITMing SSL in China unless you explicitly allow it, do
caches still serve from there? I guess the scenario I am wondering about is
whether javascript caches could hypothetically be poisoned by a malicious
actor even if SSL traffic is still not technically being MITM'd at these
servers.

------
rurban
I kind of find it funny that CloudFlare who occasionally protects their
customers from getting DDOS'ed by probable Chinese state actors, now gets
behind the curtain and will now have to find new ways to protect their
customers from getting DDOS'ed from inside if they publish content which the
Chinese authorities don't like. I guess it's easier now for them to take it
down without resorting to warfare. But then again, this content will not be
permitted inside. So it will stay the same. Maybe it will change now from ICMP
over clever javascript bombs to DNS attacks. Which is how CloudFlare protects
their domains.

------
micah_chatt
I've never paid much attention to CloudFlare's datacenter map before, but I'm
quite surprised to not see anything in India or near Egypt/Israel.

~~~
zhemao
A lot of it has to do with whether local ISPs and utility companies are
reliable enough to get satisfactory availability. I once worked at a company
that operated a few Indian PoPs and we always had trouble with them. Sometimes
we would simply lose all connectivity to them.

------
a_c
> After a survey of our customer base, we determined that more than 99% of our
> customers’ websites are locally available in China today.

Since they censor most foreign websites, I bet the average Chinese user isn't
even aware of the existence of overseas websites.

------
needcaffeine
This alone will get me to sign up for CloudFlare enterprise, assuming that
getting an ICP license is actually easy to do.

What are the advantages of CloudFlare over say...ChinaCache, which promises
hundreds of edge locations inside mainland China?

~~~
aembleton
Foreign companies (unless they have a Chinese subsidiary) cannot apply for an
ICP.

[https://support.cloudflare.com/hc/en-us/articles/209714777](https://support.cloudflare.com/hc/en-us/articles/209714777)

~~~
needcaffeine
That's correct. ChinaCache overcomes this by submitting the request using a
proxy entity that you pay for every month. It all really comes down to money.

------
microsage
Interestingly, the linked article isn't actually available inside of mainland
China at the moment. Maybe they're not running their own blog through the
China-enabled portion of their CDN?

~~~
tellarin
Works fine for me since the story was posted. In Beijing here.

------
ck2
Hey cloudflare, how can you do all these impressive things yet your dns editor
ui is so bad?

Try exporting your dns and then importing, compare the mess it makes on what
should be a simple zone file, TXT records are slashed, records are out of
order, TTL is changed, and the columns are so narrow you cannot even inspect
the records for errors.

------
aianus
Chinese Internet infrastructure is so backwards it's kind of funny.

~~~
dang
> _China is so backwards it's kind of funny._

It breaks the HN guidelines to make slurs against anyone's country here.
Please don't do that again.

~~~
aianus
I'm sorry you took it that way. Replaced China with Chinese Internet
infrastructure.

