How We Extended CloudFlare into Mainland China (cloudflare.com)
60 points by eastdakota on Sept 14, 2015 | hide | past | favorite | 34 comments



> Baidu's regulatory expertise also helped to solve what previously seemed like an insurmountable problem. They developed a process whereby ICP license applications could be automatically submitted on behalf of CloudFlare customers. This removes the burden of individual customers having to navigate local licensing requirements.

Translation: "Baidu's regulatory expertise" means "Baidu's guanxi and relationship with key decision makers in the country that invested and will profit from the company growth". It's always funny how corruption gets renamed to better-sounding words like "expertise".


Why is the relationship with key decision makers considered corruption?

I get it's not "expertise", but I don't get why it's corruption either.


It's corruption because the relationship usually involves the key decision makers having either stock in that company or being rewarded financially in one way or another.


One can only imagine what kind of Faustian bargain Cloudflare had to concoct in order to make this all legal.

Once Baidu and the PSB have managed to extract enough useful intellectual property from Cloudflare, it will only be a matter of time until they find a reason to block Cloudflare and replace it with a domestic service that can be even more tightly controlled.

Cloudflare is phenomenally competent, but Matthew Prince is likely in for a serious surprise that has nothing to do with technological innovation and everything to do with sociology and a different culture.


Yes, it's dishonest for them to describe China's censorship regime as "regulation". Like any dictatorial regime, China's censorship is fundamentally "lawless" in the sense that there's no codified statement of what can and can't be said. Rather China maintains a constant threat that saying anything critical of the regime may result in sanctions, often retroactively.

And if anyone references the US, the NSA's surveillance regime has the same lawless quality despite the fig leaf of (secret) courts. We can at least be happy the US doesn't have all the overt repressive mechanisms of China - yet.


Hmmm. Many people have this perception that Cloudflare sells "protection" to DDOS "victims", while providing a comfy hosting place for DDOS "providers". Good business, selling weapons to two opposed groups.


That's such a weird way to look at it. They offer DDOS protection to anyone and everyone, and they don't offer anything that could be used to perform or relay DDOS.


According to some reports, they totally do. E.g. from http://krebsonsecurity.com/2015/08/stress-testing-the-booter...

"Finally, the researchers observed a stubborn fact about these booter services that I’ve noted in several stories: That the booter service front-end Web sites where customers go to pay for service and order attacks were all protected by CloudFlare, a content distribution network that specializes in helping networks stay online in the face of withering online attacks."


1. They offer DDOS protection to everyone.

2. That's the front-end. It's not performing or relaying DDOS attacks.

CloudFlare is not in the business of deciding who is good or bad, legal or illegal. They make sites faster, and keep sites online.

They're not selling weapons, they're selling medical services to everyone.

And they have a nice free tier.


1. How is that good? Personally, if I learned that one of my customers is selling DDOS-as-a-service, or other illegal stuff, I would drop them right away. Would you not?

2. Splitting hairs here - I never said that CF itself is performing or relaying DDOS attacks. But CF helps DDOSers stay up & in-business. This is kind of important for DDOSers as they tend to try and eliminate competition by DDOSing competitors, plus there are whitehats trying to DDOS DDOSers (lol here). CF helps them stay up. I can't imagine that you approve of that kind of stuff - that is, protecting illegal activities.


Are you a court? Then you don't always know what's illegal. Why not let the legal system decide?

It's not splitting hairs. A medicine dealer is a far cry from an arms dealer, even if they are selling to "both sides".

I totally approve of protecting people from attacks, even bad people. I don't want burglars to have their houses broken into. I don't want kidnappers to get kidnapped.

I'm sorry you can't imagine me.


First, there is a "trading with enemy" act. So, if CF is a US-based company that provides "safe harbor" to ISIS (check the Wikipedia page), it is illegal.

Also, DDOS is illegal pretty much anywhere, last I checked. Do you have any pointers to claim otherwise?

Last, this "medicine" thing is cute, but they don't sell medicine, otherwise they would be regulated by the FDA and they would need to answer some tough questions about their "medicine" (like, does it work?), and that would be the end of it, so no, it is not a "medicine". It is software-as-a-service.


A group like that has been officially declared off-limits, which is letting the government do the governing, and completely consistent with not trying to interpret the law. DDOS is pretty clear, but a lot of behaviors are not, and CloudFlare does not want to be judge and jury. They will follow legal rulings but they will not make them.

You're taking the analogy a bit too literally when you bring in the FDA. Their DDOS protection clearly works, and the FDA would not say "oh some people inflict the flu on others, you don't get to give them flu shots".

They are providing something that is entirely defense against illegal activity. If selling safes to burglars keeps them from being burgled, so be it.


The bargain is probably something like: "Customers using our China POPs give us money. We like money."

And is it thought that China lacks the resources to infiltrate CloudFlare? The KGB compromised the CIA and FBI over many years for paltry sums (under a million). If China really wanted to extract IP they can certainly do so. While operational security (like HSMs and procedures) might stop people from walking off with key material, I find it really hard to believe companies can stop adversaries from walking off with source code, know-how, technical plans - things that employees need access to.


Is CloudFlare's desire to extend into the lucrative Chinese market going to reduce service for Hong Kong's pro-democracy customers?

http://www.forbes.com/sites/parmyolson/2014/11/20/the-larges...


How is their universal SSL stuff being handled in China? Is there a separate root they use? Since certs are shared (with lots of SANs) if my site is sharing a cert with one that opts-in to China access, does that mean the private key for that cert is now available to China?


We're using Keyless SSL when HTTPS goes live inside China. That means we can handle HTTPS without any keys being stored inside China.
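The comment above describes the Keyless SSL split in one sentence: the edge node inside China runs the TLS handshake, but the private key stays on a key server elsewhere and only individual signing operations cross the border. The following is an added illustration of that split, not CloudFlare's code and not their wire protocol: it models the handshake with textbook RSA over small, seeded keys and models the authenticated edge-to-key-server channel as an HMAC tag under a pre-shared edge credential; every key, credential, random value and ECDHE parameter is constructed for the example.

```python
"""Toy model of the Keyless SSL split (constructed example, not CloudFlare
code): the edge node never holds the private key; each private-key
operation is forwarded as a digest to a key server outside the country."""
import hashlib
import hmac
import os
import random


# ---- textbook RSA key generation, seeded so the example is reproducible ----
def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test (illustration-grade, not for real keys)."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(cand, rng):
            return cand


def generate_rsa_keypair(bits=512, seed=0):
    """Returns ((n, e), (n, d)). 512-bit keys are for illustration only."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


class KeyServer:
    """Lives outside China and holds the private key. It signs only 32-byte
    digests that arrive on an authenticated channel (modeled here as an HMAC
    tag under a pre-shared edge credential) and keeps an audit trail."""

    def __init__(self, priv_key, edge_credential):
        self._n, self._d = priv_key
        self._edge_credential = edge_credential
        self.audit_log = []

    def sign_digest(self, digest, tag):
        if len(digest) != 32:
            raise ValueError("key server signs 32-byte digests only")
        expected = hmac.new(self._edge_credential, digest, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.audit_log.append(("rejected", digest.hex()))
            raise PermissionError("unauthenticated edge request")
        self.audit_log.append(("signed", digest.hex()))
        return pow(int.from_bytes(digest, "big"), self._d, self._n)


class EdgeNode:
    """Edge inside China: holds the certificate's public key and an edge
    credential, but no private key at all."""

    def __init__(self, pub_key, edge_credential, key_server):
        self.pub_key = pub_key
        self._edge_credential = edge_credential
        self._key_server = key_server

    def server_key_exchange(self, client_random, ecdhe_params):
        """Builds the signed part of a TLS 1.2 ServerKeyExchange-style message
        and asks the remote key server for the signature over its digest."""
        server_random = os.urandom(32)
        digest = hashlib.sha256(client_random + server_random + ecdhe_params).digest()
        tag = hmac.new(self._edge_credential, digest, hashlib.sha256).digest()
        return server_random, self._key_server.sign_digest(digest, tag)


def client_verify(pub_key, client_random, server_random, ecdhe_params, signature):
    """What the browser does: check the signature against the certificate key."""
    n, e = pub_key
    digest = hashlib.sha256(client_random + server_random + ecdhe_params).digest()
    return pow(signature, e, n) == int.from_bytes(digest, "big")


def run_handshake(seed=0):
    pub, priv = generate_rsa_keypair(512, seed)
    credential = b"constructed-edge-credential"          # constructed
    key_server = KeyServer(priv, credential)
    edge = EdgeNode(pub, credential, key_server)
    client_random = b"\x11" * 32                           # constructed
    ecdhe_params = b"constructed-ecdhe-public-point"       # constructed stand-in
    server_random, sig = edge.server_key_exchange(client_random, ecdhe_params)
    return {
        "verified": client_verify(pub, client_random, server_random, ecdhe_params, sig),
        "private_key_on_edge": priv in vars(edge).values(),
        "audit": key_server.audit_log,
    }


def forged_request_rejected(seed=0):
    """A party that took over the edge's public state but lacks the edge
    credential cannot obtain signatures from the key server."""
    pub, priv = generate_rsa_keypair(512, seed)
    key_server = KeyServer(priv, b"constructed-edge-credential")
    try:
        key_server.sign_digest(hashlib.sha256(b"x").digest(), b"\x00" * 32)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_handshake())
    print("forged request rejected:", forged_request_rejected())
```

The point the model makes is the one the comment makes: the only private-key material that ever exists on the edge side is a stream of signed digests, so a seizure of the in-country server yields the certificate and the edge credential but not the key, and the key server's audit log is the place to look for signing requests that should not have happened.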


It seems possible that the censors don't need the private keys because they somehow get access to symmetric keys used to terminate the connection. That would be bad, but at least doesn't affect users outside China.

(To be clear, this is pure speculation; I have no actual knowledge of such things.)


>Although we may not be able to announce certain content from within China, or any other country in which certain content may be prohibited, we continue to serve it across the Internet from the rest of the network.

Does this mean that the CPC can now have 2-factor censorship? If they get past the great firewall they now have to get past Cloudflare too: "We're sorry, this content is not available in your country as per request of the Ministry of Public Security".


If Cloudflare is not MITMing SSL in China unless you explicitly allow it, do caches still serve from there? I guess the scenario I am wondering about is whether javascript caches could hypothetically be poisoned by a malicious actor even if SSL traffic is still not technically being MITM'd at these servers.


I kind of find it funny that CloudFlare, who occasionally protects their customers from getting DDOS'ed by probable Chinese state actors, now gets behind the curtain and will now have to find new ways to protect their customers from getting DDOS'ed from inside if they publish content which the Chinese authorities don't like. I guess it's easier now for them to take it down without resorting to warfare. But then again, this content will not be permitted inside. So it will stay the same. Maybe it will change now from ICMP over clever javascript bombs to DNS attacks. Which is how CloudFlare protects their domains.


I've never paid much attention to CloudFlare's datacenter map before, but I'm quite surprised to not see anything in India or near Egypt/Israel.


A lot of it has to do with whether local ISPs and utility companies are reliable enough to get satisfactory availability. I once worked at a company that operated a few Indian PoPs and we always had trouble with them. Sometimes we would simply lose all connectivity to them.


With CloudFlare expansion that's not a matter of if but when.


> After a survey of our customer base, we determined that more than 99% of our customers’ websites are locally available in China today.

Since they censor most foreign websites, I bet the average Chinese user isn't even aware of the existence of overseas websites.


This alone will get me to sign up for CloudFlare enterprise, assuming that getting an ICP license is actually easy to do.

What are the advantages of CloudFlare over say...ChinaCache, which promises hundreds of edge locations inside mainland China?


Foreign companies (unless they have a Chinese subsidiary) cannot apply for an ICP.

https://support.cloudflare.com/hc/en-us/articles/209714777


That's correct. ChinaCache overcomes this by submitting the request using a proxy entity that you pay for every month. It all really comes down to money.


Interestingly, the linked article isn't actually available inside of mainland China at the moment. Maybe they're not running their own blog through the China-enabled portion of their CDN?


Works fine for me since the story was posted. In Beijing here.


Hey CloudFlare, how can you do all these impressive things yet your DNS editor UI is so bad?

Try exporting your DNS and then importing it, and compare the mess it makes of what should be a simple zone file: TXT records are slashed, records are out of order, TTL is changed, and the columns are so narrow you cannot even inspect the records for errors.
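The round-trip check the comment describes (export, import, compare) is easier to do with a small canonicalizer than by eye in narrow columns. The following is an added example, not CloudFlare's tooling: it parses two exports of the same zone over a minimal subset of BIND zone syntax ($ORIGIN, $TTL, one record per line, each line starting with an owner name), canonicalizes names and rdata, unescapes TXT strings, ignores record order, and reports exactly which records are missing, which appeared, and whose TTL changed. Both sample exports are constructed to show the complaint: reordered records, a backslash-escaped TXT that is harmless once unescaped, a TXT whose quotes were doubled (a real content change), and a TTL silently reset to the zone default.

```python
"""Zone export/import round-trip checker (constructed example, not CloudFlare
tooling). Parses a minimal BIND-style zone subset and diffs two exports."""
import re
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")

_TXT_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
_LINE = re.compile(r'^(\S+)\s+(?:(\d+)\s+)?(?:IN\s+)?([A-Za-z]+)\s+(.*)$', re.I)


def _strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a quoted TXT string."""
    in_quotes, escaped, out = False, False, []
    for ch in line:
        if escaped:
            out.append(ch)
            escaped = False
            continue
        if ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            break
        out.append(ch)
    return "".join(out).strip()


def _unescape_txt(raw):
    """Join quoted TXT strings and resolve backslash escapes so that an export
    that writes 'a\\ b' compares equal to one that writes "a b"."""
    parts = _TXT_STRING.findall(raw)
    joined = "".join(parts) if parts else raw
    return re.sub(r"\\(.)", r"\1", joined)


def parse_zone(text, origin="example.com.", default_ttl=3600):
    records = []
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unsupported zone line: {raw!r}")
        name, ttl, rtype, rdata = m.groups()
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = f"{name}.{origin}"
        rtype = rtype.upper()
        # TXT keeps case; other rdata (names, addresses) is case-insensitive
        rdata = _unescape_txt(rdata) if rtype == "TXT" else " ".join(rdata.lower().split())
        records.append(Record(name.lower(), int(ttl) if ttl else default_ttl, rtype, rdata))
    return records


def compare_zones(before_text, after_text, **kw):
    """Order-independent diff keyed on (name, type, rdata), TTL tracked apart."""
    before = {(r.name, r.rtype, r.rdata): r.ttl for r in parse_zone(before_text, **kw)}
    after = {(r.name, r.rtype, r.rdata): r.ttl for r in parse_zone(after_text, **kw)}
    return {
        "missing_after_import": sorted(k for k in before if k not in after),
        "unexpected_after_import": sorted(k for k in after if k not in before),
        "ttl_changed": sorted((k, before[k], after[k])
                              for k in before if k in after and before[k] != after[k]),
    }


# Constructed sample exports of the same zone, before and after a round trip.
ORIGINAL_EXPORT = """\
$ORIGIN example.com.
$TTL 3600
@        IN A     192.0.2.1
www      IN CNAME example.com.
@        IN MX    10 mail.example.com.
mail 300 IN A     192.0.2.2
@        IN TXT   "v=spf1 include:_spf.example.net -all"
_dmarc   IN TXT   "v=DMARC1; p=none"   ; note the ';' inside the string
"""

REIMPORTED_EXPORT = """\
$ORIGIN example.com.
$TTL 3600
_dmarc IN TXT   "\\"v=DMARC1; p=none\\""
@      IN TXT   "v=spf1\\ include:_spf.example.net\\ -all"
mail   IN A     192.0.2.2
@      IN MX    10 mail.example.com.
www    IN CNAME example.com.
@      IN A     192.0.2.1
"""

if __name__ == "__main__":
    for key, value in compare_zones(ORIGINAL_EXPORT, REIMPORTED_EXPORT).items():
        print(key, value)
```

Run against the two constructed exports, the report is empty for the reordering and for the backslash-escaped SPF record (both are presentation noise), but flags the DMARC record as missing-plus-unexpected because its content really did change, and flags the mail host's TTL going from 300 to the 3600 default. Those two are the changes worth checking before trusting an import.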


Chinese Internet infrastructure is so backwards it's kind of funny.


> China is so backwards it's kind of funny.

It breaks the HN guidelines to make slurs against anyone's country here. Please don't do that again.


I'm sorry you took it that way. Replaced China with Chinese Internet infrastructure.



