Cloudflare is a threat to Internet Privacy
18 points by aguysomewhere 3 months ago | 5 comments
1. Cloudflare handles ~20% of all the traffic on the internet. And growing fast: in 2017 it was 10%.

2. It's impossible to use Cloudflare proxy without giving up encryption of data. They are a man-in-the-middle that have access to unencrypted information of all the traffic they proxy. (Yes, even with Full-Strict/Keyless SSL)

3. Of the remaining 80% of internet traffic, 43% comes from Netflix, Google, Amazon, Microsoft, and Apple, none of which seems to be using Cloudflare, which makes Cloudflare the ultimate tool to break encryption on distributed servers. Only 37% of the internet traffic is routed outside these major tech companies.

4. In July 2021, a random guy discovered a vulnerability in Cloudflare's cdnjs that allowed complete takeover of the CDN, which is estimated to be used by 12.7% of websites. The NSA has a whole division dedicated to discovering and exploiting zero-day vulnerabilities in systems. Even if Cloudflare is not willingly feeding unencrypted traffic to the NSA, it is a single point of surveillance that, if compromised, breaks the whole encryption of a good portion of the internet.

5. Cloudflare follows a freemium pricing plan. In 2016 Cloudflare's CEO Matthew Prince said in an interview that only 4%~5% of the websites they protect are paying customers. The cost of maintaining Cloudflare infrastructure for the remaining 95% of customers that use it for free is unclear, as Cloudflare does not run ads on the sites it protects.

6. In the same interview, he mentions that the initial impetus for Cloudflare came after an acquisition by the Department of Homeland Security of his previous project, Project Honeypot, in 2008, which demonstrates that the government was at least aware of it since the beginning.

Errata: In reason number 3, the string "Facebook," was cut out of the text when I posted the thread; I only noticed it now and can't edit it anymore. This seems to be some kind of algorithm on Hacker News, as the thread was originally supposed to be named "6 Reasons Why Cloudflare is a Threat to Internet Privacy", and was transformed after submitting, too.

20% is misleading actually. Now a lot of people should know what BGP is all about since the Facebook downtime incident.

The way Cloudflare reaches this penetration is through BGP peering routers they have installed all over the world. If you look up how many facilities they are located in, you realize they are basically running an extensive spy network all over the world.

Even if you visit some website that has got nothing to do with Cloudflare, there is a pretty big chance (I assume 20%?) that by the magic of BGP routing this website request might be passed through a Cloudflare AS BGP node and you will be tracked.

BGP explanation by Cloudflare itself: https://www.cloudflare.com/en-gb/learning/security/glossary/...

I see. I'd imagine they can't break encryption of data of the traffic they route through BGP, as they do with the reverse proxy, right?

It would be good to know how much traffic goes into the proxy, to have an accurate understanding of their plain-traffic capabilities.
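As an added illustration (not part of the thread), here is the kind of inventory check a site operator would run before estimating how much of their own traffic terminates TLS at a third-party reverse proxy: given the proxy operator's published address ranges (Cloudflare publishes its own; the ranges below are documentation placeholders, not the real ones) and a set of DNS answers for the operator's hostnames (constructed here), classify each hostname as proxied, direct, or mixed.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation space).
# A real run would load the proxy operator's published CIDR list instead.
SAMPLE_PROXY_RANGES = [
    "198.51.100.0/24",
    "203.0.113.0/24",
    "2001:db8:1::/48",
]

# Constructed DNS answers for hypothetical hostnames.
SAMPLE_RESOLUTIONS = {
    "shop.example": ["203.0.113.7", "2001:db8:1::7"],
    "blog.example": ["192.0.2.10"],
    "api.example":  ["198.51.100.200"],
    "cdn.example":  ["192.0.2.44", "2001:db8:2::1"],
    "mail.example": ["203.0.113.9", "192.0.2.5"],
}


def load_networks(ranges):
    """Parse CIDR strings strictly so a typo in the list fails loudly."""
    return [ipaddress.ip_network(r, strict=True) for r in ranges]


def is_proxied(address, networks):
    """True if the address falls inside any range of the same IP version."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks if net.version == ip.version)


def classify_hosts(resolutions, ranges):
    """Map hostname -> 'proxied' (all answers in range), 'direct' (none),
    or 'mixed' (some). 'mixed' is worth investigating: it usually means an
    origin address is exposed alongside the proxy."""
    nets = load_networks(ranges)
    result = {}
    for host, addrs in resolutions.items():
        flags = [is_proxied(a, nets) for a in addrs]
        result[host] = "proxied" if all(flags) else "direct" if not any(flags) else "mixed"
    return result


def proxied_share(classified):
    """Fraction of hostnames whose every address goes through the proxy."""
    if not classified:
        return 0.0
    return sum(v == "proxied" for v in classified.values()) / len(classified)


if __name__ == "__main__":
    table = classify_hosts(SAMPLE_RESOLUTIONS, SAMPLE_PROXY_RANGES)
    for host, status in table.items():
        print(f"{host:14} {status}")
    print(f"proxied share: {proxied_share(table):.0%}")
```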

Maybe you are right, but nobody here on HN will agree with you, because they are quite happy with the generous free tier provided by Cloudflare and because they think they can easily change providers if things go bad with Cloudflare.
