If you try to find evidence that Cloudflare mitigates fraud and abuse, you'll mostly find anecdotal evidence (sites that have been attacked and moved to Cloudflare, mostly) plus information and claims provided by Cloudflare, which is unverifiable. The problem is that nobody protects us, the Internet, from Cloudflare.
Cloudflare will happily take money from and host (yes, host - they host, in spite of their rather stupid and completely disingenuous assertions that they don't) spammers and scammers. They do all the time, and they have no intention of changing that any time soon.
If you forward phishing spam to abuse@cloudflare.com, guess what? Nothing happens. You get an automated response, but they do nothing about it. They expect you to visit a web page that has all sorts of intentional problems (intentional because they've been pointed out to Cloudflare and Cloudflare hasn't addressed them for years) that make the process arduous and time consuming. For one, they don't have "spam" as an abuse type. For another, even though they now literally host web content, and even though they're a domain registrar, if you don't paste in a URL pointing to a site hosted by their proxying product, then you can't submit your form. This means there's literally no way to complain to Cloudflare about domains for which Cloudflare is in WHOIS and SOA records, and for whom Cloudflare hosts DNS. The fields are limited to some particular size (2,000 characters? I forget exactly), and have issues where if you paste more than a certain amount of content but less than the hard limit, you can't submit the form. If you try to use the form more than once a minute or two, IT'S RATE LIMITED and you can't submit the form. Imagine that - they need to protect themselves from human-speed abuse reporting.
In other words, it's REALLY hard to use their site to report abuse to them, and they know this, and it's intentional, unless we want to believe that they just suck at understanding how to make a web page that works.
If they get enough complaints about a given phishing domain, they eventually take action, but it'd be after several days, which is more than the lifetime of a typical phishing campaign. In essence Cloudflare is one of the most popular phishing and spam-promoted hosting platforms because of Cloudflare's intentional foot dragging and claims to want to "protect free speech".
They got on my shit list years ago when they told me - not kidding - that they couldn't just take down a Bank of America phishing site when it was pointed out to them because of "free speech". In other words, they don't want to set a precedent where they can apply the tiniest modicum of common sense and take down phishing sites which any reasonable human on the planet can unambiguously recognize as fraud.
Bottom line: Cloudflare tells the world that there's SO much bad stuff out there, and you'll get in trouble if you don't use their products, and that's mostly true if you want to run phishing and spam-promoted web sites, so scammers and spammers use Cloudflare and are protected from those of us who would report those spammers and scammers.
For all the companies and individuals who use Cloudflare, many are fooled into thinking they need Cloudflare when they don't and are just making their sites problematic for much of the non-western world while helping a wanna-be monopoly re-centralize the Internet around a for-profit company that has a history of profiting from scammers and spammers.
If anyone thinks Cloudflare legitimately protects the Internet by mitigating fraud and abuse, I'd be very interested to see evidence that doesn't come from Cloudflare that shows this.
1) not using DoS / DDoS protection, or using any number of hosting services that have this built in, or using a service that doesn't marginalize large parts of the world in the name of "security". DoS / DDoS attacks are not as common as Cloudflare would want you to believe.
2) use literally any other registrar / DNS service / hosting platform. You then won't need to worry about whether people all over the world will be getting CAPTCHAs on every visit because of where they live or what browser they choose to use.
They don’t only offer DDoS protection, but also a WAF (Web Application Firewall), and if you run commodity software, attacks are very common.
I know this because I manage a WordPress site fronted by a different WAF, and I can see in the logs that malicious bots are trying to pwn the site basically 24/7.
(and before you say ‘patches’ – yes, but defense in depth is a thing, and you don’t always have the luxury of vendors with good security practices.)
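An added example, not code from anyone in this thread, of what "malicious bots in the logs" looks like once you pull it out of a web server access log: a small Python script over constructed combined-format lines that tallies, per client IP, the login/XML-RPC hammering and plugin enumeration that a WAF in front of WordPress is mostly absorbing. The log lines, IPs and plugin names are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache/Nginx "combined" format (documentation IPs, no real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:02:15:10 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.22 - - [10/Mar/2024:02:15:11 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.5 - - [10/Mar/2024:02:16:00 +0000] "GET /2024/03/hello-world/ HTTP/1.1" 200 15320 "https://example.org/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Map a parsed request to a WordPress attack-surface category, or None if benign."""
    path = entry["path"].split("?")[0]
    if entry["method"] == "POST" and path in ("/wp-login.php", "/xmlrpc.php"):
        return "auth_probe"  # brute force / credential stuffing via the login form or XML-RPC
    if path.startswith("/wp-content/plugins/") and (path.endswith("readme.txt") or entry["status"] == "404"):
        return "plugin_enum"  # scanners enumerate plugins via readme files; 404s mean guessing
    return None

def summarize(log_text):
    """Count suspicious request categories per client IP."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (category := classify(entry)):
            counts[entry["ip"]][category] += 1
    return counts

def flag_suspicious(log_text, threshold=2):
    """Return {ip: [categories]} for clients hitting any category at least `threshold` times."""
    flagged = {}
    for ip, counter in summarize(log_text).items():
        reasons = sorted(c for c, n in counter.items() if n >= threshold)
        if reasons:
            flagged[ip] = reasons
    return flagged
```

On a real log the threshold would be set per time window rather than per file, but the categories are the same ones a WordPress-aware WAF rule set keys on.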
Yes, WordPress is attacked incessantly. It's designed to be actively hostile to security, so yes, a firewall that helps ameliorate that is a good thing.
However, if you really care about WordPress security, a WAF is just covering things up, and yes, you need to patch (but that's not really the fix). The proper fix is to reconfigure things to not follow WordPress' absolutely ridiculous security. While patching depends on vendors, securing WordPress from its own hubris doesn't depend on vendors.
But even where Cloudflare's products are arguably good, they still do too much in my opinion to marginalize non-mainstream visitors and to re-centralize the Internet around one big company. Every time they have issues, huge parts of the Internet are affected. If I wanted a WAF, I'd get it from elsewhere.
WP core isn’t bad, the problem is when you’re the ops guy and you get handed an installation with 30 plugins.
Anyway, WP was just an example. Are you 100% certain that all your software is 100% on the ball when it comes to modern security practices? We all know that not everyone takes security seriously.
> Every time they have issues, huge parts of the Internet are affected. If I wanted a WAF, I'd get it from elsewhere.
Which ‘elsewhere’ would you suggest? Every time AWS, Azure or GCP have issues, the internet is affected too.