I'd still like to know what happened with that domain that got put into pendingDelete with a false positive a couple weeks ago, but, besides that, I'm very bullish on Cloudflare. I think there's a massive amount of opportunity to capture underserved markets in tech right now due to subscription fatigue and increasing prices. More reasonable pricing could do well in the low end of some markets and having a platform like Cloudflare that can scale to $0 makes it much more practical to start thinking about building for some of those markets.
Cloudflare solves a real problem that's impossible for anyone small to solve for themselves and getting to ignore all of that complexity makes it practical for people to build things they couldn't even consider before. Cloudflare is adding value way beyond any risk they're creating by acting as a proxy.
Easy - you’re trusting someone, true, but it’s likely not the same person that someone else is trusting.
With Cloudflare, pretty much everyone is trusting the same party. Compromising Cloudflare compromises everyone.
I dunno if that's true. I mean I can name 5 companies and generally speaking narrow it down to the owner of the hardware (or the owner of the owner of the hardware) or at the very least a company with enough resources that if they want your content they can take it.
PS. also unclear where else I can get similar services - no affiliation with them, just to run a small website.
There is no damage done by potential attacks. Damage is done by actual
attacks. I am not simply being pedantic. The damage done by blocking
users and the leaking of data via TLS proxying seems very real. One
cannot make comparisons between actuality and potentiality.
No real difference AFAICS, it's a general problem of poor
cybersecurity education and quick/cheap solutions. I certainly don't
mean to single out Cloudflare alone on that point.
Blocking traffic at your edge means that by the time you're able to evaluate traffic and take action it has already consumed your bandwidth. Cloudflare is able to protect aspects of their internal network and customer properties with their filtering but they need a tremendous amount of bandwidth and anycast in order to do it in the first place.
CloudFlare has settings to allow Tor traffic, etc. If some website does not work, users need to contact the owner of that website to change settings so that it would work. If it's an accessibility issue, speak about it to someone that can help with contacting the website owner.
Many use CloudFlare to protect from a huge number of attacks, DDoS, etc.
Of the remaining three quarters that don't work, they fall into two
categories. Those that gatekeep using CAPTCHAs are inaccessible using
a text based browser, so I skip those. The remainder just block my
requests. About half of all those are Cloudflare.
While I constantly curse Cloudflare and consider them an "enemy" of
ordinary web users who just want to browse with the dignity we have a
right to, they are not the only bad guys in town by a long shot.
They are just one more sign of an increasingly hostile web. Google,
Twitter, and some parts of the Apple and Microsoft estates are hostile
to privacy conscious users too.
For the most-part I consider these self-excluding barriers a kind of
feature to stop me wasting time on creators and services that are
ambivalent or ignorant about how to present themselves accessibly on
People don't block Tor users because they are anti-privacy. They block Tor users because Tor users are abusing their site, and there is no way to tell a good Tor user from a bad Tor user, so they are forced to add restrictions to all Tor users.
By adopting the same fingerprint as other Tor users you have to prepare for being punished as one.
One could be weak natured and claim to be a "victim of discrimination"
(but then ironically the problem is indiscrimination), or entitled and
say Cloudflare and site owners should do a better job. Both seem
indignant and unhelpful.
The problem is obviously complex.
Optimistically, better education of small site operators might help
them understand that when they employ a service like this they are
excluding significant numbers of the kind of people they might want
visiting. I think they should know that, and so supporters of
Cloudflare ought not try to muddy the waters or blame those who want a
better experience on the web.
On the other hand, some sites really don't want visitors who value
privacy, and that's fair enough too. Cloudflare etc. provide a very
effective service for excluding us.
Looking at it from a hoster's point of view, if 0.05% of your traffic comes from X, but 80% of your security issues also come from X, the wisest investment of their time and money is to just block X and move on with their life.
A bouncer outside of a bar also keeps people out, handles everyone's identifying information, etc.
On AWS you can get your DNS, load balancers and EC2 instances directly protected from DDoS attacks by Amazon but it's $3,000 a month with an annual commitment ($36,000 / year) + outgoing usage rates at about 5 cents per GB with AWS Shield Advanced. Although to be fair with Cloudflare in the enterprise world you'll end up being about equal to AWS' prices, but for a smaller business coming up with 36k / year isn't feasible. That could be more than your entire business makes.
One small example: everyone is aware Cloudflare is down sometimes, but if you ever get even lightly DDoSed, your uptime on Cloudflare is likely to be much higher than without.
Or put differently, why are ISPs hostile entities against which web traffic must be protected, but CDNs and hosting providers are just fine?
[you] -> [cloudflare] -> [website]
As far as I know yes, in order for them to provide their firewall service they need to be able to decrypt your traffic to filter on headers, cookies or response payload.
It also means you're probably paying double the TLS handshake performance costs, because both Cloudflare and your origin server will very likely have their own set of SSL certs.
> And as others noted, they are not the only players in the path of serving your data.
There are other hops in the path to serve your data but it's just moving your encrypted bytes over the wire, decryption doesn't happen in each hop.
The internet is a cesspool of malicious traffic.
I was wondering why my Let's Encrypt certs weren't auto-updating, and it's because in my recent upgrade to my primary firewall I hadn't set up an incoming port forward for port 80 (because, ironically, everything is served via 443 these days). But Let's Encrypt requires incoming port 80 for its domain ownership verification - or at least the option I'd set up, which was the easiest at the time.
I decided to log (to view) the traffic coming in to port 80, and it was a relentless stream. It'll still be a relentless stream now, but it's all bouncing off the external wall rather than an internal one.
Same with port 25, and that's gotta be open if you want to receive email. I was actually looking forward to what Cloudflare will do with email protection from their recent acquisition. If I see many repeated attempts at connecting to port 25, I block the full /24 permanently.
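A small detection pass in the spirit of that "repeated port 25 attempts, block the /24" rule, as an added example and not the commenter's own tooling: it counts port-25 connection attempts per /24 over constructed netfilter-style log lines and renders block rules for the prefixes above a threshold. The log line format, the set name `banned` and the nft command shape are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in the style of netfilter LOG output
# (not real captures): one /24 hammering port 25, one host mostly on 80.
SAMPLE_LOG = """\
DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=25
DROP IN=eth0 SRC=203.0.113.11 DST=198.51.100.5 PROTO=TCP DPT=25
DROP IN=eth0 SRC=203.0.113.12 DST=198.51.100.5 PROTO=TCP DPT=25
DROP IN=eth0 SRC=203.0.113.13 DST=198.51.100.5 PROTO=TCP DPT=25
DROP IN=eth0 SRC=203.0.113.14 DST=198.51.100.5 PROTO=TCP DPT=25
DROP IN=eth0 SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP DPT=25
DROP IN=eth0 SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP DPT=80
DROP IN=eth0 SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP DPT=80
"""

# Assumed field layout: SRC=<ipv4> ... DPT=<port>
LINE_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*?DPT=(?P<dpt>\d+)")


def count_by_prefix(log_text, port=25, prefix_len=24):
    """Return a Counter of attempts against `port`, keyed by the
    source's enclosing prefix (default /24) as a string."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dpt")) != port:
            continue
        # strict=False lets a host address be widened to its network
        net = ipaddress.ip_network(f"{m.group('src')}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts


def prefixes_to_block(log_text, threshold=5, port=25, prefix_len=24):
    """Prefixes whose attempt count meets the threshold, sorted."""
    counts = count_by_prefix(log_text, port, prefix_len)
    return sorted(n for n, c in counts.items() if c >= threshold)


def nft_rules(prefixes, set_path="inet filter banned"):
    """Render one `nft add element` command per prefix (assumed set name)."""
    return [f"nft add element {set_path} {{ {p} }}" for p in prefixes]


if __name__ == "__main__":
    for rule in nft_rules(prefixes_to_block(SAMPLE_LOG)):
        print(rule)
```

The threshold counts attempts rather than distinct hosts, so a single noisy host can get its whole /24 banned, which is exactly the collateral the commenter accepts; raise `threshold` or count distinct sources if that is too blunt.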
Anyway, ICYMI, the link was to a mirror of the 'deCloudflare' git repo (that you can find with google)
Isn't that what DNS filtering means?
(Unironic +1 for Gitea too)
(And some criticism like blocking Tor or some bots is valid and I agree with that)
10/10 for irony.
I do not use Cloudflare for my own services; unfortunately some others do, and I cannot usually avoid it if they do.
(Also, the quotation attributed to Adolf Hitler is disputed by Wikiquote.)