Back when I was a freshman in college, I built and maintained a video game strategy wiki. It was popular at the time, and the modest ad revenue kept me fed. I put a lot of work into it and invested back into the website.
I was fortunate enough to be able to go on an overseas trip to China during my first college summer break. The phone and Internet service was spotty, but I was too busy exploring to care. When I got back home, I discovered much to my dismay that my domain name had been transferred away without my consent.
As it turns out, one of my old Internet "friends" had access to an administrative account at my registrar without my knowledge. They transferred a handful of my domains to their own private account and continued to run the website as if it had been their own. They moved the database, code, and everything. (I had allowed them access to the server, so it wasn't unexpected that this was within their capability.)
Being a college kid, I wasn't able to think of lawyers or legal avenues to get it back (nor could I afford them), so I wrote my "friend" out of my life and took it as a hard lesson learned about privacy and security. And trust. Definitely learned a lot about trust.
FWIW, it's still online today and probably brings in a thousand dollars a month in ad revenue.
Interesting. Just watched a Ben Horowitz interview containing the paraphrase quote "it's all rainbows, smiles and sunshine until someone stabs you in the back."
People tend (not always) to have a habit of changing when valuations increase, another reason trust and relationships pre-venture are more valuable for when things get interesting.
Consider it a cheap lesson overall about gradual ebb/flow of trust, and that people's (mis)behavior either self-selects them in or out of the running for future opportunities... their punishment is their lives.
It's perceived risk/reward opportunity for getting away with something (ethics)... better to test a potential cofounder beforehand (know them well before) than find out later with random founders that could be crooks. Plus, having overlapping social ties with cofounders, investors, customers, etc. tends to reduce trust and risk issues because their reputation means something.
Another thing I say: a contract or any agreement is only as good as the relationship on which it is written.
now that you're a registrar, will you respond to abuse reports about scammers' domains being resolved by your DNS servers by at least showing that you've understood the problem instead of a generic "We R a ReverseProxy Company, u no?".
I know that; I've said so in my abuse report. That wasn't the problem.
They always forward those abuse reports onto the original hosting provider. What more can they do? They're not really obligated to do anything other than that.
Let me preface this thusly: I understand you are a reverse proxy. Do not try and explain this to me again. I've heard it so many times by now, when it really wasn't necessary for you to explain it to me again - or in the first place. Really, I understand.
Furthermore, as per your FAQ[0] regarding phishing, you do NOT intend to actually stop proxying, you intend to MITM the website and insert some sort of warning.
But to come back to the original complaint: In addition to being a reverse proxy, you also run nameservers. I do not care why and how you do that. Fact is you do.
These nameservers of yours are authoritative (as in 'dig -t ns example.com') for domains that are exclusively used for scam websites which you DO NOT HOST OR PROXY. You just provide DNS.
Is there _any_ way you would consider stopping doing that?
Please don't ask me to go through your support channels again. I've tried. They didn't manage to understand the problem or didn't manage to make it clear that they have.
Please forgive me for playing devil's advocate, but I can't resist the urge to jump in here -- why should they provide you with a free (!) consumer security solution? It sounds like they were trying to give you a hint by telling you that they're a reverse proxy, but I'll put it very clearly: they are a reverse proxy for paying customers, not a consumer security solution for the general public.
They offer a domain name management service, not a DNS security service. Complaining to CloudFlare that they're not offering you a free security service would be like complaining to OpenDNS that they're not offering a domain name management service.
You wouldn't repeatedly harass Dun & Bradstreet and complain that they don't provide you with a free (!!!) consumer credit report, why do you feel so entitled to do the same to CloudFlare? Unless you've entered a consumer security contract with CloudFlare that I'm unaware of (which is totally possible), I'm afraid that you might just be feeling entitled.
"Consumer Security Solution"? Your advocating is pretty devilish indeed
I think you are misunderstanding what's going on and it seems you are not aware that dealing with network resource abuse is a normal thing in the running of an internet service - at any level. There are many legitimate uses of network resources and some which aren't: spamming, hosting illegal content (for whatever value of illegal), running botnets and so on. Each organization and jurisdiction sets their own rules about what is and isn't allowed on their resources which their customers have to abide by. And usually they share a way to report abuses to them. (See, the companies who hosted the spammers who sent out the link to the domains in question have already responded by shutting the spambots down.)
And indeed CloudFlare does have these policies in place, which you can clearly read on the link shared by jgrahamc above.
This particular issue is concerning a situation which isn't directly addressed by the rules already in place, and I am well within my rights to ask them to remedy this.
And if I was aware that customers of Dun & Bradstreet were selling data they received by Dun & Bradstreet on the black market to the Yakuza, be sure that I would let them know about it repeatedly.
You keep emphasizing that I want something for free from them; au contraire, I am providing them with a free service by letting them know their system is being used by criminals to commit crimes.
There is an expectation in the web hosting industry that when a bad site (child porn, phishing, etc) pops up on your network, you take it down. CloudFlare effectively shields who is hosting the site so that you can't pressure them into taking it down. An entire cottage industry of bulletproof hosting companies has popped up that actively advertise CloudFlare protection.
I used to work on an extremely large free DNS provider. Even though the service was free, we were still obligated (morally and by our upstreams) to take down malicious sites.
Refusal to sell a domain to a scammer can help the world. Refusing to resolve a domain is kind of pointless, and I want a DNS server to tell me the truth.
See, the problem is getting at the actual perpetrators. You are surely correct, the further down the line they can be stopped the better. But due to the way these scammers operate it becomes difficult to impossible to reach them.
One action that increases the cost of criminal organizations is then to deny them usage of resources of legitimate companies. All these usually have an AUP which prohibits certain activities.
And I am with you, a DNS resolver should tell the truth. What I am asking CloudFlare to do is to not accept certain customers in the first place, so that they don't get to use the CloudFlare authoritative DNS servers.
Obviously this works best if hosting providers do the same thing.
Actually I hear DNS is often used with cloud APIs as a way to have botnets and trojans contact the mothership for things like instructions or wiring payment to decrypt drives, etc. It used to be they were at the same domain names, but folks got wise and started banning domains, so now they use domain name "trials" and random domain names to resolve to changing IP addresses at scheduled intervals. Or at least that's how I remember hearing it described. So DNS is as critical to botnets/bad guys as anything else is online.
Also, since registries are global, all it takes is one country refusing to follow the rest of the world in trying to block spammers from registering domains, and DNS resolution becomes part of the solution. Of course they could go elsewhere but at least CloudFlare wouldn't be part of the problem.
Given the extensive debunking of the security of all existing registrars in the post, I'd really love to know who CloudFlare were thinking of when they said
"There are plenty of great mass-market registrars."
Shortly after they said (I'm paraphrasing here) "we've just explained why your current registrar is insecure, but this shiny new secure service isn't for you, pleb!"
They offer an "audit your registry" service, which is great, but they have zero suggestions for good alternatives if you're not front page news.
I bet that product is more expensive than we think. They can only afford to offer this as a feature of their enterprise product. But as a standalone offering I'm guessing it would cost more ($300-500?) than most people would be willing to pay for registration. Just speculating.
If they charge less than ~10k per year they're probably doing themselves a disservice. My bet is on anywhere between 30k and 50k per year. Possibly more; you'll have to contact your account manager who knows exactly what's in your wallet.
I'd like to vote this up. I think that all of us (as individuals) would like a 'lite' version of this.
I want my domain to pass all those checks, and have 2FA protecting my account, but I don't care about the multiple permission to transfer since I'm just one person.
I also do care that there isn't some social engineering backdoor, where anyone can call support and answer a few questions about me (that might be readily found) and reset my password. There are far too many services that are susceptible to such an easy hack.
I can agree with this. Namecheap is fairly secure as far as a general, affordable registrar is concerned. I had trouble accessing my account because I didn't have very specific information that was difficult for me to track down in my emails. They also supported DNSSEC and Algorithm 13 before it was an option on CloudFlare, meaning I was able to take advantage of that day one.
We're thinking of offering a "lite" version of Registrar in the future, likely bundled with the paid version of our core service. Won't have all the bells and whistles of the "enterprise" version we launched this week, but it will be more secure than anything you can get from mass market registrars.
I see this play as a funnel to their high end CDN and DDoS services.
Being in the industry, it only makes sense for them to target big business. They're likely disinterested in low margin domain renewals. Their real bread and butter is the high LTV customers with deep pockets who have upper management requesting "security" and "encryption" because of all of the recent "hacks" in the news.
Long term, they'll probably change their tune and start to target SMB if it works out well. It's far easier to pick a niche segment and deal with far less customer support as you're dealing with lower volumes of conversions.
It's about providing comprehensive security for our high-end clients. We are building a portfolio of products that give people protection up and down the stack.
It is the Akamai model. Get a customer in the door, keep selling them new addon services every chance you get. Then when a competitor comes along they aren't "feature competitive."
The best magic trick Matthew Prince has pulled thus far is convincing the folks that work for him that they are doing something noble.
Anyone understood why should I use CloudFlare instead of e.g. Namecheap? I consider myself a security minded folk. Heck, I even suggested the idea of what later became universal SSL to Matthew on Twitter, after HeartBleed happened - funnily enough he called it "dumb money" - luckily, dumb money is still money ;-) and he apparently changed his mind --> https://twitter.com/mobiplayer/status/474617969780469760 kudos for reconsidering.
If you have many hundreds of thousands/millions of dollars a day lost if your DNS is redirected, you might want to consider Cloudflare as your registrar. I wouldn't be shocked to hear that they charge 4 figures to register a domain with them though. (I didn't see any pricing)
In the article they noted that MarkMonitor (Who I've used myself), is more focussed on managing online brands, and the registrar element is a sideline. Also - MarkMonitor can be pretty pricey - I'm wondering if CloudFlare is price competitive with them?
But yes, I agree - if I had to recommend to a fortune 500 today where to go to manage your domain safely, it would be MarkMonitor. I guess we'll see how CloudFlare stacks up over the next few years.
And CloudFlare is destroying user's abilities to use TOR in any meaningful way.
What we get when we hit a CloudFlare backed page: CAPTCHA, after CAPTCHA, after CAPTCHA. And not only that, but it's Google's reCaptcha, which many of them are nigh unsolvable.
Worse yet, if we leave any sort of comments, we get served another CAPTCHA, which destroys the comment we tried to make. Their failing systems end up silencing us.
We want you to lessen up on serving CAPTCHAs on everything: respond when you see real abuse from that TCP session, and not 'just because we're TOR users'.
When on TOR, the "() I am A Human" doesn't show up. Instead, you get the reCAPTCHA 2 gibberish words. Unfortunately, many of what you're given aren't readable at all.
Now, you get that CAPTCHA every page you load that uses Cloudflare. And it's just terrible. They're breaking the 'Net for TOR users.
1. Disabling javascript while using Tor is probably a good idea, because it removes a lot of potential risks from the equation. risk vs convenience I guess.
2. In theory yes, in practice that doesn't seem to be the case, with people reporting captcha-loops etc. And everything that allows CF to reliably reidentify the user is at the same time a potential vulnerability of the user.
3. Or they could implement less drastic measures and still protect their customers (e.g. what risk does a GET request against a cached site really pose that requires a captcha?).
It's a sliding scale and not obvious what the "best" solution is. There are good arguments in both directions, and Cloudflare is important enough that they IMHO should think further than "what's easiest for us". They seem at least to be somewhat receptive towards arguments about this.
1. I've tried JS on and off, in Tor Browser, and in a proxied stock firefox.
2. No. It's a crapshoot. Sometimes it does, but about >75% of the time, it goes into CAPTCHA loops.
3. There are plenty of things that could be done to alleviate this issue:
One, they could set up their own .onion service, and redirect TOR users to it. And that would rate-limit any potential TOR-user based damage.
Two, since sessions are per TCP, just slow the TCP down accordingly. That's standard practice for things like tarpits and the like.
Three, there's no need for CAPTCHAs on a HTTP GET, if not done in a harassing manner. But this basis is on being in a "Bad IP list". POSTs are a whole different story.
Congrats to everyone at CloudFlare who made this happen!
Is there a list of TLDs which are supported somewhere? When I last looked (years ago), only Verisign provided registry locking and the other registries weren't showing any signs of coming out with similar products.
I am a publisher located in Europe and my life's work is all in one .com domain. I often wonder how secure the ownership of a domain is and if there are any steps necessary to secure it. My registrar requires a signed document to transfer domains. By post or scanned. But how secure is that? How would they know if I sent the document or somebody else?
And what if somebody hacked the registrar? Are there global mechanisms to undo wrongful domain transfers?
> located in Europe and my life's work is all in one .com domain.
As a non-US citizen you should definitely move to another TLD entirely. US asserts jurisdiction over .com/.net/.org and has been known to seize such domains at will even if they have no ties to the US. You would have little recourse without great difficulty.
As a non-US person myself I will therefore personally never hold such a domain.
National TLD's would be a good choice but there's also .eu which I reckon would also be a safe choice. They also do not publish WHOIS information for privately held domains.
People rarely consider this when purchasing domains (which jurisdiction they fall under) but it's an important issue in my opinion.
The CloudFlare Registrar would auto-renew your domain a year in advance, aggressively lock it and prevent transfer, and allow you to require multiple people in your organisation to approve significant changes.
Any registrar that is selling you a domain for $10 per year is making such razor thin margins that they cannot do more than the minimum and rarely enforce doing that with diligence.
I was rather pleased that one of my domains ultimately is managed by an arcane human process involving actually dealing with a bureaucracy... this slows everything down so much that it's hard to achieve anything at all. It was entirely accidental, the domain has a .sm TLD and that municipality is tiny.
What CloudFlare are effectively doing is using a highly bureaucratic and formal process to ensure the domains are safe and secure, to mitigate the risks involved. That your organisation can shape the policy you want is also a benefit, you can ensure only the real decision makers get to authorise changes.
I work with Kloudsec [1], and we're a developer-centric CDN platform, and we're moving on an entirely opposite direction from Cloudflare. If Cloudflare is Apple, think of Kloudsec as Linux. Rather than bundling everything as a "magic" product, as you can do with Cloudflare today in this flow
1. Buy domain from CF
2. Automatically, CF is your DNS
3. Automatically, CF is your CDN in a single toggle
4. Automatically, CF is your WAF
We think that
* there is danger to internet neutrality when a monopoly arises out of a single data-trafficker
* that we cannot do everything well
--
Kloudsec says come use our CDN for free. And if you like, you can choose to enable optional plugins. Be it the automatic SSL provisioning (via LE), or our WAF.
But hey, if you don't like it, come build apps on top of our CDN too. Apps like a better PageSpeed, a better WAF, etc. These apps can be a Nginx module, things that you can export to your own build if you scale, or leave the infrastructure [2] to us.
On your pricing plans page [0], there's a misleading statement that Cloudflare's free tier doesn't provide DDoS protection, but Cloudflare's pricing and feature page [1] states that the free tier does come with basic DDoS protection. Whether or not there's a difference in the type of DDoS protection provided by Kloudsec, this feels deceptive.
For what it matters, CloudFlare protected my site against a 200mbps layer 4 attack on the free plan. That's a small attack but it's great for a free basic offering.
And yesterday we (CloudFlare) protected a free customer against a 400Gbps (that's not a typo) Layer 3/4 attack. DDoS protection should be free at any volume and our scale is allowing us to make that a reality.
Looks good! Just beware that you don't give away too much for free though. A free plan is a good idea, but you've got to be fiscally sustainable and people are less trusting of services' longevity now because of the recent sustained wave of shutdowns.
FWIW It feels spammy to me for the top comment in a story about Cloudflare being someone pushing a competitor they work for. It's one thing to bring up the "too many eggs in one basket" concern, but doing so while pitching your company, on a story that isn't about you, just .... rubs me the wrong way.
These are valid reservations, especially CF MITM-ing half the Internet, but I have much more trust in CF doing things well than I do in other registrars except companies like Google who already only do it on the side.
Domain registration is a thin margin business which probably cannot support serious security efforts on its own.
I'd be surprised if they didn't. There's a markup at which it'd be very economical to be a broader registrar. Future upselling is worth pulling users away from other registrars. Some of them will compete against CloudFlare sooner or later. Google's headed that way.
Interesting that the domain security tool fails my domains for not having registrar lock enabled. The most interesting part is that Gandi sets clientTransferProhibited but not clientUpdateProhibited or clientDeleteProhibited. I wonder if there's a way to get these enabled; there doesn't seem to be an option.
Those statuses (what Cloudflare calls registrar locks) are more aimed at giving registrars a way to prevent the registrant (or anyone else) from making changes to a domain. It's commonly used during disputes over domain ownership, for example.
Transfer lock, 2FA on your account, protection of the AUTH code (should be encrypted at least, or not stored at all at best) and a registrar with a support team that is resistant to social engineering hacks is sufficient for most domain owners.
If you require complete security, registry lock is the way to go as it prevents changes to the domain from the top down. It would protect you from something like a bad actor with access to your domain through the registrar's system.
That said, it's a real pain when you actually want to make a change since there's very specific protocols to follow. And you have to pay extra for it since the registry charges to apply the lock.
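The registrar-lock and registry-lock discussion above (the Gandi domain that only has clientTransferProhibited set, and the advice that registry lock protects "from the top down") can be turned into a check you run yourself. The following is an added example, not code from the thread and not Cloudflare's audit tool: it parses WHOIS-style "Domain Status:" lines for EPP status codes, reports which of the three client* (registrar) locks are missing, whether the server* (registry) locks are present, and whether the expiry is at least a year out, which is the auto-renewal margin mentioned later in the thread. The two WHOIS samples are constructed, as are the .test domain names.

```python
"""Audit EPP status codes and expiry from WHOIS-style text.

Added example: not code from the thread, from Cloudflare, or from any
registrar. The WHOIS samples are constructed and the domain names are
placeholders under the reserved .test TLD.
"""
import re
from datetime import datetime, timedelta, timezone

# Locks a registrar sets on behalf of the registrant ("registrar lock").
REGISTRAR_LOCKS = {
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
}
# Locks only the registry itself sets ("registry lock"); a compromised
# registrar account cannot remove these.
REGISTRY_LOCKS = {
    "serverTransferProhibited",
    "serverUpdateProhibited",
    "serverDeleteProhibited",
}

# WHOIS output lists one status per line, followed by an ICANN URL.
STATUS_RE = re.compile(r"^\s*Domain Status:\s*([A-Za-z]+)", re.MULTILINE)
EXPIRY_RE = re.compile(
    r"^\s*(?:Registry Expiry Date|Registrar Registration Expiration Date):\s*(\S+)",
    re.MULTILINE,
)

# Constructed sample mirroring the Gandi case from the thread: only the
# transfer lock is set, and the domain expires in under a year.
SAMPLE_PARTIAL_LOCK = """\
Domain Name: EXAMPLE-PARTIAL.TEST
Registry Expiry Date: 2029-11-15T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE-PARTIAL.TEST
"""

# Constructed sample: every registrar lock plus a registry lock, renewed
# more than a year ahead.
SAMPLE_FULL_LOCK = """\
Domain Name: EXAMPLE-LOCKED.TEST
Registry Expiry Date: 2031-03-01T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Name Server: NS1.EXAMPLE-LOCKED.TEST
"""


def parse_iso(ts):
    """Parse an ISO-8601 timestamp; WHOIS uses a trailing 'Z' for UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_statuses(whois_text):
    """Return the set of EPP status codes found in the WHOIS text."""
    return set(STATUS_RE.findall(whois_text))


def parse_expiry(whois_text):
    m = EXPIRY_RE.search(whois_text)
    return parse_iso(m.group(1)) if m else None


def audit(whois_text, now_iso=None):
    """Summarise lock coverage and renewal margin for one WHOIS record."""
    now = parse_iso(now_iso) if now_iso else datetime.now(timezone.utc)
    statuses = parse_statuses(whois_text)
    expiry = parse_expiry(whois_text)
    return {
        "statuses": sorted(statuses),
        "missing_registrar_locks": sorted(REGISTRAR_LOCKS - statuses),
        "registry_lock": REGISTRY_LOCKS <= statuses,
        "days_to_expiry": (expiry - now).days if expiry else None,
        "renewed_year_ahead": expiry is not None
        and expiry - now >= timedelta(days=365),
    }


def findings(whois_text, now_iso=None):
    """Human-readable list of problems; empty means all checks passed."""
    r = audit(whois_text, now_iso)
    out = []
    if r["missing_registrar_locks"]:
        out.append("registrar lock incomplete, missing: "
                   + ", ".join(r["missing_registrar_locks"]))
    if not r["registry_lock"]:
        out.append("no registry lock (server*Prohibited statuses) set")
    if not r["renewed_year_ahead"]:
        out.append("expiry less than a year out (%s days)" % r["days_to_expiry"])
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_PARTIAL_LOCK, SAMPLE_FULL_LOCK):
        name = sample.splitlines()[0]
        print(name, findings(sample) or ["all checks passed"])
```

To audit a real domain, feed the output of your WHOIS client (or the registrar's RDAP response, after mapping its spaced status names back to the EPP codes) into `findings()`; the empty list is the condition the thread's "domain security tool" is effectively looking for.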
Some don't appear to have it at all (1&1), some offer an option to SMS a code (godaddy/namecheap), a few offer integration with something like Authy/Google Auth.
>>And it still does not disable social engineering as attack option.
It's better than what I see from other registrars. It is not perfect. You, of course, are in control of the answers to the challenge questions, they don't have to be the truth.
I switched to Google Domains a while ago for personal use. It's a bummer that yet another important thing is centralized in my Google account, but seeing as Google already handles critical things (email --> account resets), I don't introduce an additional vulnerability by hosting my domains with them. Hopefully, by now, their two factor situation is sufficient, and their manual processes of sending scans of passports undergoes sufficient scrutiny. Anybody have any information on this? How strong is Google account security these days?
I'm a little surprised they would emphasize "not for the masses" since Cloudflare's mission has historically been for the masses.
I'd love to see a new, modern registrar without all the inanities. I'm always surprised at how many companies still use GoDaddy. This is super-old but I bet still directionally accurate: http://joel.franusic.com/domain-profiler/ycombinator.html
We're still for the masses, but this specific service is not. If you look at our plans you'll see that there are different levels of service depending on how much you pay us, this particular service is for the very high end.
Hmmm, I have my 30 most important domains on register.com, hundreds elsewhere. Register.Com is not exactly cheap, but I felt more secure. I'm a little miffed with the results of this security test tool for those register.com domains (failing 3 out of 5 tests). Are these results truly valid (ie something to worry about) and if so, am I to blame for not enabling certain options at register.com?
MarkMonitor and CSC domains appear to be the safest in my experience, but they also charge thousands of dollars and require you to call them to make changes. But the margins on domain registrations are so thin, you can't really expect a good price and security.
Just as another security precaution on top of it, do they support private registrations so that people can avoid exposing individual credentials in the WHOIS records? There are a lot of companies who currently have attorneys' offices handle domain registration as well as corporate registrations just for that specific purpose.
Ah yes, the CDN that prompts about 200 captchas per day on my end because I use a VPN... I was not aware this company was used so extensively until they started doing those annoying redirects.
From what I gather, it requires an Enterprise plan, which has no fixed price. Could just be a free part of the plan considering the price tag of an Enterprise plan.
CloudFlare claims their enterprise plans start at $5,000 USD a month, but this is not really true. Most customers who have a business plan and pay $200 a month negotiate deals for a lot less. Especially now that Akamai is dropping their pants to the mid market. You can essentially get on Akamai or Incapsula for less than what CloudFlare charges for their plans. This is what I did. I ended up with much better WAF services and less deviation on performance.