Hacker News new | comments | show | ask | jobs | submit login
Is Cloudflare a honey pot? (crimeflare.com)
30 points by phantom_oracle 221 days ago | hide | past | web | 13 comments | favorite

Going by their homepage, the site that posted this doesn't like anybody. Also, they make a huge song and dance about people "hiding" behind cloudflare, however:

Registry Registrant ID:


Registrant Organization: WHOISGUARD, INC.

yeah, whatever...

The same server also hosts a site with this fine page: http://www.namebase.net/books52.html suggesting AIDS is a bio weapon engineered by the USA. Given that they appear to have been designed by the same person with unlimited access to MSPaint, version Windows 3.1, I think it is safe to assume this is by the same people.


Even if the original idea (which btw, the origin story was shared on TechCrunch when they launched, was maybe even on their about page, etc.) was from this honeypot project, CloudFlare is a different beast. Moreover, there's now the company-wide "we'd all have to be in on it" perspective. If you read through the posts from folks like jgrahamc and others, you'd hopefully conclude that selling visitor data would be much less interesting than their actual business.

Still, begs the question: what value do they get from their "Free" customers? Is it simply a freemium model based on getting conversions OR do they extract value from front-ending those smaller sites? Seems like the latter for sure... but that doesn't make it a honeypot.

Cloudflare makes money by charging our customers for the service we provide. Turns out that lots of people pay us for that service and that money is much greater than the cost of running the service.

Here's the important thing about those FREE customers: many of them turn into high-paying customers later. For example, it is very common for CIO/CTO at $BIG_CORP to quietly test their personal blog on a Cloudflare FREE plan and we have no idea they are doing it. Later CIO/CTO uses that experience and decides to spend $BIG_DOLLAR from $BIG_CORP with Cloudflare.

Even if it isn't true, it's not an unreasonable theory.

From what I could find, it looks like they're still under 300 employees, and not everyone "would have to be in on it." Only the search team.

I know CDN services are meant to be fast and they try to minimize any type of slowdown, but many still keep logs and preform analytics. Also, employees often sign NDAs.

I don't know how CloudFlare SSL termination works, but I remember Akamai had SSL off-loading and they could, in theory, control payloads.

This author needs to provide direct evidence for some of the testable claims. Here are the cookie names, here is some of the Javascript and you can find the stuff here in the source code. Without that it's just conjecture, but it's still not outside of their capabilities.

And the executive team, and the team dealing with Finance, and probably much of SRE (someone is going to notice those logs or the things derived therein are being shipped out), etc.

I assume the MITM-SSL complaint is about their "Flexible SSL" which as they admit is not as good as SSL end-to-end but better than nothing.

Note: I have no affiliation with CloudFlare (I just dislike unsubstantiated attacks).

I think that "someone is going to notice" is a fair assumption when you look at the rate of log messages on https://blog.cloudflare.com/more-data-more-data/

There's a CloudFlare engineer who posts prolifically here on HN; he's denied that they sell data of any kind numerous times. I think it's safe to take them at their word without proof otherwise? https://news.ycombinator.com/item?id=12830120

You think it's safe to take the word of an anonymous stranger on the internet?


There is nothing particularly dangerous about accepting claims from strangers on the internet at face value. I don't use their service, so I'm not going to be harmed by anything he says if he is lying or if he is telling the truth. If I decide later to use their service or if he says something that seems false or misleading when taken at face value, I can adjust my level of skepticism accordingly.

You can create "value" without needing to sell your data. By offering free services to small sites they can gather more data on browser profiles, attack patterns, attackers, etc. which they can use to improve their techniques, tuning, intel, analytics, etc.

Still, I would assume by signing their ToS you are agreeing to some hefty terms.

/me turns up the snark.

Equating John Graham-Cumming to a random engineer has, on HN at least, about the same weight as equating PG to a financially succesful blogger. The statement is factually accurate but deliberately ignores the wider context.

Yes - I'm painfully aware that I just used the halo effect as a weapon. But the fact is that provenance and pedigree matter.

It's definitely an organizational "SPoF" a-la Lavabit in that govts can lean on it, attempt to squash it, try to hack it, etc., whereas distributed solutions like i2p and BitTorrent are harder to strangle.

Applications are open for YC Winter 2018

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact