The Great Cloudwall (disroot.org)
74 points by bratao on June 19, 2022 | hide | past | favorite | 44 comments

Cloudflare provides an immense value for small sites. Doing DDoS protection with specialized firewall hardware was one of the most expensive things you could do, so it wasn't really affordable for lots of people. They win by solving a problem. I believe that the issue of Cloudflare as a man-in-the-middle is a smaller issue for people running websites than the damage done by potential attacks.

The argument about Cloudflare being the man-in-the-middle has always confused me. Yeah, it makes sense if you're big enough to run your own data centers, but for most smaller sites you're trusting someone to host it, so how is Cloudflare any different than some other random provider?

I'd still like to know what happened with that domain that got put into pendingDelete with a false positive a couple weeks ago, but, besides that, I'm very bullish on Cloudflare. I think there's a massive amount of opportunity to capture underserved markets in tech right now due to subscription fatigue and increasing prices. More reasonable pricing could do well in the low end of some markets and having a platform like Cloudflare that can scale to $0 makes it much more practical to start thinking about building for some of those markets.

Cloudflare solves a real problem that's impossible for anyone small to solve for themselves and getting to ignore all of that complexity makes it practical for people to build things they couldn't even consider before. Cloudflare is adding value way beyond any risk they're creating by acting as a proxy.

> but for most smaller sites you're trusting someone to host it, so how is Cloudflare any different than some other random provider

Easy - you’re trusting someone, true, but it’s likely not the same person that someone else is trusting.

With Cloudflare, pretty much everyone is trusting the same party. Compromising Cloudflare compromises everyone.

> Easy - you’re trusting someone, true, but it’s likely not the same person that someone else is trusting.

I dunno if that's true. I mean I can name 5 companies and generally speaking narrow it down to the owner of the hardware (or the owner of the owner of the hardware) or at the very least a company with enough resources that if they want your content they can take it.

So the real problem seems to be that they are a monopoly? But how is that their fault? They invented the low-cost CDN market; before them we mostly just had Akamai that hosted Wimbledon-size websites and streams for $$$$.

PS. also unclear where else I can get similar services - no affiliation with them, just to run a small website.

> the issue of Cloudflare as a man-in-the-middle is a smaller issue for people running websites than the damage done by potential attacks.

There is no damage done by potential attacks. Damage is done by actual attacks. I am not simply being pedantic. The damage done by blocking users and the leaking of data via TLS proxying seems very real. One cannot make comparisons between actuality and potentiality.

How is this any different than AWS/Azure/GCP (e.g. cloud functions) MITMing your users' connections? If it's not your hardware, it's not your encryption keys.

> How is this any different than AWS/Azure/GCP

No real difference AFAICS, it's a general problem of poor cybersecurity education and quick/cheap solutions. I certainly don't mean to single out Cloudflare alone on that point.

While their hardware helps in terms of their costs and scale the real challenge is the bandwidth.

Blocking traffic at your edge means that by the time you're able to evaluate traffic and take action it has already consumed your bandwidth. Cloudflare is able to protect aspects of their internal network and customer properties with their filtering but they need a tremendous amount of bandwidth and anycast in order to do it in the first place.

That disroot article is just FUD. See https://www.cloudflare.com/trust-hub/privacy-and-data-protec...

CloudFlare has settings to allow Tor traffic, etc. If some website does not work, users need to contact the owner of that website to change settings so that it would work. If it's an accessibility issue, speak about it to someone that can help with contacting the website owner.

Many use CloudFlare to protect from a huge amount of attacks, DDoS, etc.

I use Tor and a text based client for web browsing for better privacy. That also means I do not allow javascript. Some sites are not usable. About a quarter of those that will not work require javascript (they won't work at all with it disabled). Most sites do work fine without javascript. Since I don't use "social media" only about five percent of all websites fail because of javascript.

Of the remaining three quarters that don't work, they fall into two categories. Those that gatekeep using CAPTCHAs are inaccessible using a text based browser, so I skip those. The remainder just block my requests. About half of all those are Cloudflare.

While I constantly curse Cloudflare and consider them an "enemy" of ordinary web users who just want to browse with the dignity we have a right to, they are not the only bad guys in town by a long shot.

They are just one more sign of an increasingly hostile web. Google, Twitter, and some parts of the Apple and Microsoft estates are hostile to privacy conscious users too.

For the most-part I consider these self-excluding barriers a kind of feature to stop me wasting time on creators and services that are ambivalent or ignorant about how to present themselves accessibly on the web.

>While I constantly curse Cloudflare and consider them an "enemy" of ordinary web users who just want to browse with the dignity we have a right to

People don't block Tor users because they are anti-privacy. They block Tor users because Tor users are abusing their site and there is no way to tell a good Tor user from a bad Tor user, so they are forced to add restrictions to all Tor users.

By adopting the same fingerprint as other Tor users you have to prepare for being punished as one.

I understand how it works. I simply don't "agree" with it. But then I wouldn't, being the innocent party at the sharp end of arbitrary "punishment".

One could be weak natured and claim to be a "victim of discrimination" (but then ironically the problem is indiscrimination), or entitled and say Cloudflare and site owners should do a better job. Both seem indignant and unhelpful.

The problem is obviously complex.

Optimistically, better education of small site operators might help them understand that when they employ a service like this they are excluding significant numbers of the kind of people they might want visiting. I think they should know that, and so supporters of Cloudflare ought not try to muddy the waters or blame those who want a better experience on the web.

On the other hand, some sites really don't want visitors who value privacy, and that's fair enough too. Cloudflare etc provide a very effective service for excluding us.

I don't think the "punishment" is arbitrary. I think it is the result of a tragedy of the commons situation (the commons being Tor in this case).

Looking at it from a hoster's point of view, if 0.05% of your traffic comes from X, but 80% of your security issues also come from X, the wisest investment of their time and money is to just block X and move on with their life.

Perhaps, but they're not forced to treat Tor users trying to view a public page on their website the same as Tor users trying to post a comment/login to an account/etc.

Cloudflare isn't for web users, it's for websites. Anecdotally, I just downloaded the Tor Web browser at default settings, hit connect and went straight to my Cloudflare protected website. No problems whatsoever. Could I configure Cloudflare to block Tor? Absolutely. But I could do the same with Cloudfront, Akamai, Fastly, NGINX, Varnish, pretty much anything.

A bouncer outside of a bar also keeps people out, handles everyone's identifying information, etc.

What is the solution or alternative for really good DDoS protection plus some type of WAF?

On AWS you can get your DNS, load balancers and EC2 instances directly protected from DDoS attacks by Amazon but it's $3,000 a month with an annual commitment ($36,000 / year) + outgoing usage rates at about 5 cents per GB with AWS Shield Advanced. Although to be fair with Cloudflare in the enterprise world you'll end up being about equal to AWS' prices, but for a smaller business coming up with 36k / year isn't feasible. That could be more than your entire business makes.

OVH has DDoS protection, and using OpenResty as a WAF works well for me. I have a hundred(ish) lines of Lua code to handle attackers that get through OVH. I think most people could manage with a similar setup because most DDoS attacks are not very sophisticated (you're basically dealing with `ab -c 1000 -n 1000000 nickjjswebsite.com` from a bunch of hosts on DigitalOcean and Linode that some teenager hired a guy on Fiverr to execute so he wouldn't have to do his homework assignment).
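The request-time check described in the comment above, modelled as an added example in Python rather than the commenter's own OpenResty/Lua code: a sliding-window per-client rate limiter that lets normal visitors through and blocks a source that behaves like `ab -c 1000` for a ban period. The window, request limit, ban duration and the sample traffic are all constructed assumptions, not values from the thread.

```python
"""Sliding-window per-client rate limiter (constructed example).

Models the logic a reverse-proxy WAF layer such as OpenResty applies to each
request once it has reached the origin: count requests per client inside a
sliding window, and block the client for a while when it exceeds the limit.
Thresholds below are assumptions chosen for the demonstration.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # assumption: sliding window length
MAX_REQUESTS = 50     # assumption: requests allowed per window per client
BAN_SECONDS = 300     # assumption: how long an offender stays blocked


class RateLimiter:
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS, ban=BAN_SECONDS):
        self.window = window
        self.limit = limit
        self.ban = ban
        self.hits = defaultdict(deque)  # client -> timestamps inside the window
        self.banned_until = {}          # client -> time at which the ban ends

    def check(self, client, now):
        """Decide one request: return 'allow' or 'block'."""
        until = self.banned_until.get(client)
        if until is not None:
            if now < until:
                return "block"
            # ban expired: forget it and start counting afresh
            del self.banned_until[client]
            self.hits[client].clear()
        q = self.hits[client]
        # evict timestamps that have fallen out of the sliding window
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)
        if len(q) > self.limit:
            self.banned_until[client] = now + self.ban
            return "block"
        return "allow"


def simulate(requests, limiter=None):
    """Run (timestamp, client_ip) pairs through a limiter.

    Returns {client_ip: {"allow": n, "block": m}} so the effect on each
    source can be inspected.
    """
    limiter = limiter or RateLimiter()
    counts = defaultdict(lambda: {"allow": 0, "block": 0})
    for ts, ip in sorted(requests):
        counts[ip][limiter.check(ip, ts)] += 1
    return dict(counts)


# Constructed traffic: one ordinary visitor (10 requests over 20 s) and one
# flood source sending 500 requests in 5 s from a hosting-provider address.
SAMPLE = [(t * 2.0, "198.51.100.7") for t in range(10)]
SAMPLE += [(5 + i * 0.01, "203.0.113.50") for i in range(500)]

if __name__ == "__main__":
    for ip, decisions in simulate(SAMPLE).items():
        print(ip, decisions)
```

The visitor is never touched; the flood source gets its first 50 requests in the window served and everything after that blocked until the ban expires. A real deployment keeps the counters in shared memory (in OpenResty, a `lua_shared_dict`) so that all worker processes see the same state, and keys on something less spoofable than a bare client address when the proxy sits behind another proxy.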

An alternative is to sell a product which does not require constant phoning home.

Cloudflare isn't software as a service so much as infrastructure as a service.

That does not help with a DDoS of a website. Even if it's an information-only website, or all of it is FOSS, if there is a DDoS, it's not possible to use that website at all during the DDoS.

CloudFlare also writes a lot of Open Source code https://github.com/cloudflare/

This seems to throw lots of issues out, but no solutions. People aren't using cloudflare for no reason.

One small example, everyone is aware cloudflare is down sometimes, but if you ever get even lightly DDOSed, your uptime on cloudflare is likely to be much higher than without.

I don't think the person takes into account ANY of the benefits of CloudFlare.

So, dumb question: Why is TLS pushed so heavily if everyone is expected to use a CDN anyway, which would be in a position to see and modify all traffic?

Or put differently, why are ISPs hostile entities against which web traffic must be protected, but CDNs and hosting providers are just fine?

IMHO it's because ISP is a much more broad term. When I connect from my University, I have to either use TLS or trust every step of the network from whatever commercial ISP they use, to the whole network infrastructure they built to the building, to the other devices using the same router as me. When I trust Cloudflare, my data is encrypted whenever it's not directly in their hands, eliminating those other steps.

I got a 500 or 404 error.

They should've used Cloudflare =)

"You are connecting to Cloudflare and all your information is being decrypted and handed over on the fly" - wait, really?

Yeah, because your TLS connection is with cloudflare, not the site's servers. The traffic flow looks something like this:

    [you] -> [cloudflare] -> [website]

> "You are connecting to Cloudflare and all your information is being decrypted and handed over on the fly" - wait, really?

As far as I know yes, in order for them to provide their firewall service they need to be able to decrypt your traffic to filter on headers, cookies or response payload.

It also means you're probably paying double the TLS handshake performance costs because both Cloudflare and your origin server will very likely have its own set of SSL certs.

Decrypting is ephemeral though. No request body gets stored, except in RAM. Malicious operators etc., well that's always a possibility, but they supposedly have controls for that. And as others noted, they are not the only players in the path of serving your data.

The TLS handshake itself is independent of how things get stored. It takes time to set up a secure connection. There are processes in place to help reduce that time for follow up requests in a short period of time (typically within the same session) but it's still CPU time and network time. Having to do this twice (Cloudflare's SSL cert + your origin's cert) is doubling those times. It could be tens of milliseconds or even hundreds since the network is involved (round trips to your server).

> And as others noted, they are not the only players in the path of serving your data.

There are other hops in the path to serve your data but it's just moving your encrypted bytes over the wire, decryption doesn't happen in each hop.

Not knowing if you are being sarcastic. Yes, like any TLS-terminating proxy.

It might come as a surprise to many, but yes.

Having recently upped my visibility of traffic incoming from the internet, I have to agree with the sentiment that Cloudflare are providing a useful, worthwhile service, and the reason that they've grown to the extent described is that they do a very good job at it, and outran their competitors by a wide margin.

The internet is a cesspool of malicious traffic.

I was wondering why my Let's Encrypt certs weren't auto-updating, and it's because in my recent upgrade to my primary firewall I hadn't set up an incoming port forward for port 80 (because, ironically, everything is served via 443 these days). But Let's Encrypt requires incoming port 80 for its domain ownership verification - or at least the option I'd set up, which was the easiest at the time.

I decided to log (to view) the traffic coming in to port 80, and it was a relentless stream. It'll still be a relentless stream now, but it's all bouncing off the external wall rather than an internal one.

Same with port 25, and that's gotta be open if you want to receive email. I was actually looking forward to what Cloudflare will do with email protection from their recent acquisition. If I see many repeated attempts at connecting to port 25, I block the full /24 permanently.
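The "repeated attempts on port 25, block the whole /24" rule from the comment above, written out as an added Python example (not the commenter's own setup): it parses constructed iptables-style firewall log lines, aggregates connection attempts per source /24, and emits the networks that cross a threshold, with an allowlist so that your own monitoring or mail relays are never swept up. The log format, threshold and addresses are constructed assumptions.

```python
"""Aggregate firewall log hits by source /24 and pick blocks to ban.

Constructed example. The log lines mimic an iptables LOG target with a
"DROP-IN" prefix; only the SRC= and DPT= fields are used, so any line format
that carries those two fields will parse.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: four attempts on port 25 from one /24, one from another,
# plus unrelated hits on ports 80 and 443.
SAMPLE_LOG = """\
Jun 19 10:00:01 fw kernel: DROP-IN IN=eth0 SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP DPT=25
Jun 19 10:00:02 fw kernel: DROP-IN IN=eth0 SRC=203.0.113.11 DST=192.0.2.5 PROTO=TCP DPT=25
Jun 19 10:00:03 fw kernel: DROP-IN IN=eth0 SRC=203.0.113.12 DST=192.0.2.5 PROTO=TCP DPT=25
Jun 19 10:00:04 fw kernel: DROP-IN IN=eth0 SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP DPT=25
Jun 19 10:00:05 fw kernel: DROP-IN IN=eth0 SRC=198.51.100.9 DST=192.0.2.5 PROTO=TCP DPT=25
Jun 19 10:00:06 fw kernel: DROP-IN IN=eth0 SRC=198.51.100.9 DST=192.0.2.5 PROTO=TCP DPT=80
Jun 19 10:00:07 fw kernel: DROP-IN IN=eth0 SRC=203.0.113.99 DST=192.0.2.5 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*?DPT=(?P<dpt>\d+)")


def attempts_per_block(log_text, port, prefix_len=24):
    """Count attempts against `port`, keyed by the source's /prefix_len network."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dpt")) != port:
            continue
        # strict=False lets us pass a host address and get its containing network
        net = ipaddress.ip_network(f"{m.group('src')}/{prefix_len}", strict=False)
        counts[net] += 1
    return counts


def blocks_to_ban(log_text, port=25, threshold=3, prefix_len=24, allow=()):
    """Return sorted CIDR strings whose attempt count reached `threshold`.

    `allow` holds CIDRs that must never be banned (your own relays, monitoring).
    """
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    banned = []
    for net, n in attempts_per_block(log_text, port, prefix_len).items():
        if n < threshold:
            continue
        if any(net.subnet_of(a) for a in allow_nets):
            continue
        banned.append(str(net))
    return sorted(banned)


def iptables_rule(cidr, port=25):
    """Render the DROP rule the commenter's 'block the /24' step would add."""
    return f"iptables -I INPUT -s {cidr} -p tcp --dport {port} -j DROP"


if __name__ == "__main__":
    for cidr in blocks_to_ban(SAMPLE_LOG):
        print(iptables_rule(cidr))
```

Running it on the sample prints a single DROP rule for 203.0.113.0/24, while the lone attempt from 198.51.100.0/24 stays under the threshold. Banning at /24 granularity is coarse by design: it also cuts off every innocent host in that range, which is the same trade-off the Tor discussion earlier in the thread turns on, so the allowlist and the threshold are the knobs worth tuning before making a ban permanent.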

Huh, assets are still loading:

Anyway, ICYMI, the link was to a mirror of the 'deCloudflare' git repo (that you can find with google)

Site appears to be down. Cloudflare Always Online™ would help immensely here.

Seems to 404 or 500 for me. Someone’s not ironically DDOSing this, are they?

"And their DNS service, is also filtering out users from visiting the website by returning fake IP address owned by Cloudflare, localhost IP such as “127.0.0.x”, or just return nothing."

Isn't that what DNS filtering means?

The Illuminati strikes again (but only on mobile?)

(Unironic +1 for Gitea too)

Of course the ideal solution would be to throw DDoSers and botneters into jail instead of relying on DDoS protection, but that for some reason is a problem

(And some criticism like blocking Tor or some bots is valid and I agree with that)

>500 error

10/10 for irony.

I dislike Cloudflare for many of the reasons mentioned here. I did not know all of the things that they mentioned there, but some of them I did know. There are other problems too, though. (However, some of the problems listed there perhaps can sometimes be avoided, like other comments on here will mention.)

I do not use Cloudflare for my own services; unfortunately some others do, and I cannot usually avoid it if they do.

(Also, the quotation attributed to Adolf Hitler is disputed by Wikiquote.)

