Threat actor abuses Cloudflare tunnels to deliver remote access trojans (proofpoint.com)
320 points by luu 46 days ago | 163 comments



The times where malicious software was served from a sketchy .ru domain or a naked IP address located at some bullet-proof hosting provider are long gone. The threat actors use the same infra as everyone else - GCP, AWS, Azure, Cloudflare, etc.

They also use the same VPNs for connecting to your machines as your grandparents do for watching Netflix.

The internet as a whole is slowly but steadily moving towards a model where IP addresses and domain names are not useful indicators for security. You can not block your users from visiting Cloudflare or AWS IP ranges and you can not block visitors to your site from major commercial VPN providers.

In addition, all the traffic is encrypted, name lookups are encrypted, so a network operator can not tell anything about what you are doing on the internet.

This is a good thing for multiple reasons. First, it improves privacy and anonymity for the internet users. Second, reducing the effectiveness of network security solutions will make us be able to phase out their usage, which makes the network dumb again and prevents ossification. And third, it forces us to tackle the underlying security issues, rather than supporting a whole industry of ineffective whack-a-mole.


> You can not block your users from visiting Cloudflare or AWS IP ranges

I am pretty sure Reddit does. I recently needed to rewrite/patch my tumblog backend software that uses yt-dlp to download Reddit videos because Reddit blocked the IP ranges of Hetzner's dedicated servers.

I circumvented this by downloading the videos on the client via JavaScript and uploading them to my server.


> you can not block visitors to your site from major commercial VPN providers.

You can if you can figure out their IP ranges. Some websites already do it and it is something I am looking into.

Another thing worth doing is blocking TOR by getting the exit node ip address list. Blocking TOR has saved me a lot of grief from bad actors.


> The times where malicious software was served from a sketchy .ru domain or a naked IP address located at some bullet-proof hosting provider are long gone. The threat actors use the same infra as everyone else - GCP, AWS, Azure, Cloudflare, etc.

I guess that's a consequence of law enforcement being completely unable or unwilling to actually tackle online crime (as long as it's not inconveniencing a large corporation in very specific domains such as copyright).

Why bother with bulletproof/etc hosts or sketchy domain registrars when you can use a mainstream one and get away with it?


The potential downside in my eyes is that regulators won't want to wait for the underlying issues to be solved and will instead opt for more aggressive identification. The worst case scenario is if the whole internet became like Facebook, requiring an account that's inextricably linked to your real identity just to view anything.


This is a great summation of why KYC is coming to cloud hosting.


Getting a bit tired of these headlines about malware "delivery" via link shorteners or similar. Yeah, guess what - people can host files on the internet in various ways, what a shocker.


This isn't a link shortener - this is a tunnel so that a user sees they're connecting to Cloudflare, even though on the back-end they are landing somewhere nefarious. The end-destination is completely hidden from the end-user (and any security stack their corporation may have in place).

I don't think it's unreasonable for people to expect cloudflare to be policing their own service for malware when they're trying to pitch themselves as a security product.


That's mildly valid. We can have some expectations for Cloudflare, but not that they outright police everybody that uses their service.

At the same time, this is exactly some variation of the "random people have put malware on random internet locations" scare the GP was talking about. If "malware somewhere on the internet" is a problem, we have to fix what turns it into a problem, because we just won't fix this one.


If certain subdomains keep getting subverted, a valid response is to block all those subdomains, in this case *.trycloudflare.com. It's like IP ranges of countries that don't bother with policing malicious activity.

The consequences for Cloudflare and its legitimate users might be anything but mild.


Bad actors also register domains directly under .com, but nobody competent would even think of blocking *.com.


Krebs on Security shared data on absolute and relative phishing abuse by top-level domain in a recent post.

Yes, .com has the highest absolute number of phishing domains, but it also has the overwhelmingly highest number of registered domains, period. The relative prevalence is only 24.2, as compared with 2nd-ranked (by absolute score) .top, with a phishing domain score of 422.7. That's still not the highest listed, which is .lol at 577.5.

<https://krebsonsecurity.com/2024/07/phish-friendly-domain-re...>

If you're looking at relative benefit vs. harm from blocking, blocking TLDs with a higher relative (abusive vs. legitimate) domains score gives an additional security benefit.

Reputation-based scoring by TLD, domain, ASN, or other basis is likely to become more prevalent over time. We've already been doing that for email for over a quarter century, with the Spamhaus Project being founded in 1998 (it reports abusive email domains).


Most registrars are receptive to abuse complaints and will take down domains quickly if they're being created to host content that violates ToS/AUP.

TLDs that are most commonly abused actually do get blocked on a regular basis.

.ru, .io, .xyz, .cf, .tk, .ly, .top and .link are common examples.

Many corporate networks block URL shortener services for the same reason.


The operative word being most registrars. If you look at the list of registrars commonly used by bad actors, you can find a list of registrars that are either non-responsive to abuse complaints, or only take action after n days.


What is easy and has limited impact on your own operations will be done. Blocking *.trycloudflare.com is easy on entire fleets of servers and firewalls and has limited impact for, e.g., a company network.


sad truth

blocklists are effective and now we need things like DoH, 3rd-party dns providers and sketchy vpn's in order to internet

mission fucking accomplished


People didn't seriously think that privatizing the ownership of the Internet would result in the end-to-end principle being retained, did they?


Imagine trying to use the internet like an end user or a webdev if you couldn't use cloudflare.

Say blocking any cloudflare domain or IP.

Maybe because you're into privacy or you're paranoid... who cares why.


> Imagine trying to use the internet like an end user or a webdev if you couldn't use cloudflare.

Anecdote: I've been an internet end user for 30-ish years, an active FOSS developer for most of that time (with no small amount of web dev), and have never once intentionally used Cloudflare (only indirectly, by visiting sites which use it). Not because I'm especially "into privacy or paranoid," but because it's never once been necessary.


> have never once intentionally used CloudFlare (only indirectly, by visiting sites which use it).

And there is the problem. Too many sites are behind Cloudflare, so if you want to block Cloudflare for your organization, your employees will start complaining that the "internet doesn't work".

I have a small dedicated server with OVH that I use as a WireGuard-based VPN sometimes. The number of sites that become unusable because of Cloudflare blocking me is insane. The inverse would be true if I blocked Cloudflare.


People have, however, blocked .tk, .xyz, and other registrars that feature overwhelmingly in malware / scam domain lists.


Not just TLDs. I've seen whole Class A networks blocked after a DDoS, based on the affiliation to a particular (not small) country. Like with covid, you just need a small reason and suddenly, all the freedom in the west goes to hell.


Let's not conflate eradicating a deadly virus with eradicating internet access please.


And let's also not conflate policing the good old internet with policing today's internet. There is still freedom that could be lost, but it's hard to see for all the trackers and malware.


All of .com? Nope.

But you can bet your ass we block newly registered domains and have an active list of domain reputations - your brand new .com or your axuuasck32213mczo.com malware domain isn't getting through any decent security tool.

If Cloudflare lets this continue, it's only a matter of time before trycloudflare.com's reputation puts them on block lists everywhere.


Wouldn't anyone serious about their website being reachable everywhere get their own domain name?

It wouldn't be an issue for trying it out if you don't block it yourself.


Why should they not be responsible for the things they allow on their service?

(note that I don't necessarily agree but that statement is loaded)


Whether or not they must filter customers is a matter of law.

However, putting the responsibility to mitigate this problem in its entirety on them is very inefficient and ineffective. If Cloudflare had a team dedicated to this effort, bad actors would simply switch providers, beating a $200k/year effort with a couple of clicks.

Notice that the malware ultimately takes effect when the user executes the file.

This sounds more like an interaction design problem that should be solved at the OS level; the OS interface is one of the logistical bottlenecks in the malware delivery path.


Everyone running a service on the internet has a responsibility to prevent abuse of that service. They should all have and monitor an abuse@ address where they accept notifications about problems they're causing others and they should act on those notices within a reasonable amount of time. When someone fails in that responsibility they should/will get blocked.

I hadn't heard of trycloudflare.com before, but it's blocked on my network for now. If I need to, I can re-evaluate that later.

Anyone running a service online can get caught off guard and be taken advantage of by scammers and assholes. It's an opportunity to shore up your security and monitoring. The bad actors will eventually move on to abuse easier targets and that's fine. When they do that doesn't invalidate the work someone put into making sure their service wasn't being repeatedly/routinely used to harm others.


That responsibility only goes as far as other people are willing to block them for not doing it. There's no law of the internet that says you have to, but if your customers can't access your service because their ISP or whatever blocked you, that's when it's your responsibility to yourself to clean it up. If you're too big to block, then it's OK to ignore abuse.


The internet is a community. Some people in a community feel that they have no responsibility to anyone but themselves, which is why we need laws and regulations.

We want service providers on the internet to police themselves and make sure that they're not turning a blind eye to crimes taking place right on their own servers because the alternative is that laws and regulation come into play. There's an argument that internet companies that are too big to block could still be negligent, an accessory to crimes, liable for the very real and significant damages the poor management of their service enabled just so that they could save a little money, etc.

Just like with banks, there are people who would say that if a company is too big to fail/be blocked then they are too big to exist and should be broken up.

Personally, I'd rather that a service provider just do a better job keeping their corner of the internet clean, keeping the people who use their services safer, and preventing their services/equipment/IP space from being used to carry out criminal acts. In the end it'd improve their service, improve their image, make the internet a safer place, and as a bonus it would force criminals to waste their time looking for a new company who'll be too cheap/lazy to kick them off their services. Hopefully they'll eventually end up only being able to find ones that the rest of us feel we can block.


The internet _was_ a community. Now it's a wall of commercial property, riddled with victimising criminals and advertisements that watch you. There are still some communities in there, but the bulk of it is a set of actors with no social interests in common with the users.

The abuse mechanism you describe exists in theory, but... commercial.

There is community between the NOCs of tier 1 ISPs, but they mainly care about routing.

In your picture, I'm imagining, say, CenturyLink stomping on a retail ISP, and I question whether this pans out like swatting. Can I get someone taken down by abusing abuse reports?


> I question whether this pans out like swatting. Can I get someone taken down by abusing abuse reports?

Not generally, no. Typically, abuse departments at ISPs don't blindly cut off people's internet access just because someone complains. They require evidence (server logs, message headers, etc) and there will be an investigation as well as multiple communications between an ISP and a user being accused of violating the ISP's terms of service. The same is true when the issue is between ISPs and their upstream providers. Keep in mind too that for both ISPs and upstream providers, everyone is naturally and strongly incentivized to not cancel the accounts of the customers who pay them.

There is one situation where false reports can get someone taken down. DMCA notices have this potential. ISPs can face billions in fines if they refuse to permanently disconnect their customers from the internet based on nothing more than unproven/unsubstantiated allegations made by third party vendors with a long history of sending wildly inaccurate DMCA notices. So far, media companies have been winning in courts and ISPs have been losing or (more often) settling outside of court. Everyone is still waiting to see how the case against Cox ends (https://torrentfreak.com/cox-requests-rehearing-of-piracy-ca...)


There is a solution for this at the OS level. It's domain names, validated through DNS. Those let the user decide if they trust the other side of a connection.

Here Cloudflare is showing they shouldn't be trusted, but because they are so big, we can't act on that. Blocking them would be bad; mocking them is the second best option.


It isn't really "putting the responsibility to mitigate this problem in its entirety" on them so much as it is "putting the responsibility to mitigate this problem *on their service*".

Large software companies seem to enjoy passing the buck in recent years if it might impact their profitability, which is fine, but to say they could not do anything about it is incorrect. It may not be feasible to do so and still operate the service, but that doesn't mean it isn't possible.


Ok. I might have misworded my answer, but assuming that cloudflare has to do more about this, what would it be?


They should act (on malware et al.) when people report it, https://www.cloudflare.com/en-gb/trust-hub/reporting-abuse/

That said, they're also using the "utility argument" - just as your phone provider won't screen you at every call you make, your electricity provider won't lock your supply until you authenticate use for non-nefarious purposes, your ISP won't content-filter, Cloudflare also says they won't police per-use other than when under explicit legal mandate (court injunctions). That's fair enough, at least to me.


Sure, but in this instance, they're offering an anonymous service. Just require a sign-up and a captcha, like you do for all of your other products, FFS. Are they on drugs? Do they want more botnets, to drive DoS mitigation sales?


(not who you are responding to).

Either discontinue the service, or serve each pipe from a subdomain that encodes the original source. Something that lets security tooling block known bad sites, without having them block a lot of legitimate sites.


> but not that they outright police everybody that uses their service.

Same. I think they're getting too big to care, or even to attempt to do so.


There must be millions of piracy websites using them. Care was never there.


Like Google, who apparently can't be assed to do the most basic automatic checks.

https://youtu.be/dwar6uZUWAo

But you're right, these big money-making companies are such snowflakes that you have to have some compassion with them, right.


DNS filtering, WAFs and curated naughty lists were never more than duct tape at best. I'm sure they are effective, but they don't approach the problem of vulnerable software or end users who download and execute untrusted software. At worst, they created an incentive for alarmist companies to scare users into using their half measures rather than comprehensively addressing the problem.


Only technical users recognize the name Cloudflare, and they know it’s a hosting service. This concern seems ridiculous to me.


This is about automated systems using domain reputation to block certain downloads.

Their systems are telling them that try.cloudflare.com is not a trustworthy domain, but it is so ubiquitous, that blocking them isn't feasible.


How is that different from…any website, storage service or hosting provider on the internet?


You can't report it to Cloudflare in any meaningfully straightforward way and expect them to take it down. Even if you go through Cloudflare's incredibly laborious and intentionally problem riddled abuse complaint process, and even if they take down one instance, bad actors can make thousands or tens of thousands (or more), so reporting this does effectively nothing.

Cloudflare is enshittifying the Internet once again.

(I don't care if this gets downvoted by CF fans - not a single one will engage meaningfully about any point asserted here)


Like I said, how is it different from Google Drive or Dropbox or OneDrive or S3 or WeTransfer or MegaUpload or Bit.ly or a million similar services anyone can set up in a matter of minutes? If someone shares a random URL and you click on it and download and run an executable on your computer, the server that hosted the file isn't the one to blame.


Most sites are better about preventing and handling abuse of their service. When a service makes it difficult to report abuse to them, or fails to act on the abuse reports they get, they are the ones to blame.

Scammers and assholes will always exist. It's the responsibility of everyone operating a service on the internet to make sure that their service isn't acting as a safe-haven for those criminals and bad actors.

Google is somehow worse than Cloudflare is. I heard recently that Google won't even accept an abuse complaint for docs.google.com unless you create and sign into a Google account.


You can report a link that points to content on Google Drive or Dropbox or OneDrive or S3 or WeTransfer or MegaUpload or Bit.ly. Do you think that links pointing to any of those services are in any way anonymous?

It's not complicated.


Report it to who exactly? The internet police?


You report Google Drive links to Google, Dropbox links to Dropbox, OneDrive links to Microsoft, S3 links to Amazon, WeTransfer links to WeTransfer, MegaUpload links to MegaUpload, and Bit.ly links to Bit.ly.


and Cloudflare links to Cloudflare, https://www.cloudflare.com/en-gb/trust-hub/reporting-abuse/

Apocryphally saying "they all suck at this but Cloudflare sucks most" is just moaning. Any free/near-free hosting or caching service can be used to distribute malware. Mail services have been used to push malware for decades, and while many of them filter content, that's a cat&mouse game a determined malactor will occasionally win.

Are they really "so much worse" than anyone else ?

(ex-CF so pillory me for ex-cusing my ex-employer; as said, to me, "all cooks use water")


Have you tried to report abuse to Cloudflare?

First, their abuse reporting page has issues. The amount of data allowed to be pasted is very limited and won't allow the full content of most spam. If you paste the full amount, you can't submit, and you won't know why - you have to go and remove some content. It's rate limited so that even a human reporting multiple items has to sit and wait. You're forced to provide a URL that points to Cloudflare servers, meaning there's no way to report abusive domains for which they're the registrar and/or for whom they host DNS. They have a CAPTCHA on the abuse reporting form. I could go on, but it's tedious.

This company spent YEARS saying that they don't "host" anything, and they still play games in that their abuse reporting doesn't reflect any of the offerings that've been added in the last several years. They don't even have a category for spam!

So yes, they are "so much worse" than anyone else. They actively skirt responsibility.


> meaning there's no way to report abusive domains for which they're the registrar and/or for whom they host DNS

Yes there is: registrar-abuse@cloudflare.com

> This company spent YEARS saying that they don't "host" anything

Yes, for their "proxying" service, they take no action when it comes to that, all they will do is forward the report to the hosting provider.

> They don't even have a category for spam

Use the general category or abuse@cloudflare.com

> It's rate limited so that even a human reporting multiple items has to sit and wait. [...] They have a CAPTCHA on the abuse reporting form.

Yes, I agree. I reported hundreds of ".pages.dev" sites (hosted by their Cloudflare Pages service), the form restricts it to 1 unique domain per report, so I had to make hundreds of individual reports but they did take them down.

> they are "so much worse" than anyone else

I don't agree with this, in my experience they have taken action on some reports meanwhile some other companies have done nothing (DigitalOcean (Doesn't deal with any of my reports, known for being infested with bad actors, now they're the first ASN I block when I'm setting up a firewall), AWS (their customer spammed me for months, tried telling me the email didn't originate from them, but it did.), Dynadot (will not do anything without court orders, warrants) )


I don’t think you know how the internet works if you think you can police every single URL. Ok now I’ve hosted malware on 121.23.65.89. What are you going to do?


Run a whois, report to IP block abuse contact?


Cool go do this for every suspicious IP you find. Let me know the success rate.


> I don't think it's unreasonable for people to expect cloudflare to be policing their own service

On the contrary. The tendency of those expectations turning into assumptions is the wider issue.


> and any security stack their corporation may have in place

I mean if the security stack misses that (forgivable) but then allows this:

> When executed, it establishes a connection to an external file share, typically via WebDAV, to download an LNK or VBS file. When executed, the LNK/VBS executes a BAT or CMD file

It fucking sucks.
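The chain quoted above (a WebDAV file share, then an LNK or VBS file, then a BAT or CMD file) is exactly the kind of staged activity an endpoint security stack can correlate from process-creation telemetry. The following is an added example, not code from the Proofpoint report or from any commenter: it parses a handful of constructed process-creation events in a simplified `timestamp|pid|ppid|image|cmdline` layout (an assumed format, not any vendor's), flags processes that run a script or shortcut from a UNC path, notes when that path carries the Windows WebDAV redirector markers (`@SSL`, `DavWWWRoot`), and raises the severity when the parent process was itself flagged within a short window.

```python
"""Process-creation triage for a WebDAV -> LNK/VBS -> BAT/CMD chain (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events in a simplified "timestamp|pid|ppid|image|cmdline"
# layout. The layout and every value in it are assumptions for this example.
SAMPLE_LOG = """\
2024-08-01T09:14:02Z|4120|3980|explorer.exe|C:\\Windows\\explorer.exe
2024-08-01T09:14:31Z|5208|4120|wscript.exe|wscript.exe "\\\\files.example@SSL\\DavWWWRoot\\invoice.vbs"
2024-08-01T09:14:33Z|5311|5208|cmd.exe|cmd.exe /c "\\\\files.example@SSL\\DavWWWRoot\\run.bat"
2024-08-01T09:15:10Z|5402|4120|cmd.exe|cmd.exe /c "C:\\Users\\alice\\build.bat"
2024-08-01T09:16:00Z|5500|4120|notepad.exe|notepad.exe \\\\fileserver.corp\\share\\notes.txt
"""

# A shortcut/script file referenced through a UNC path (\\host\...). The Windows
# WebDAV redirector exposes remote shares as UNC paths, usually with an "@SSL"
# host suffix and a "DavWWWRoot" component, so those markers distinguish a
# WebDAV-backed path from an ordinary SMB share.
UNC_SCRIPT = re.compile(r'\\\\\S+?\.(lnk|vbs|bat|cmd)\b', re.IGNORECASE)
WEBDAV_MARKER = re.compile(r'@SSL|DavWWWRoot', re.IGNORECASE)


@dataclass
class Event:
    ts: datetime
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_line(line: str) -> Event:
    """Split one constructed log line; the command line may itself contain '|'."""
    ts, pid, ppid, image, cmdline = line.split("|", 4)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                 int(pid), int(ppid), image.lower(), cmdline)


def detect(log_text: str, window: timedelta = timedelta(minutes=2)) -> List[Dict]:
    """Return one finding per process that ran a script/shortcut from a UNC path.

    A finding is 'high' when its parent process was flagged within `window`
    (the staged chain from the report), and 'medium' for an isolated hit.
    """
    findings: List[Dict] = []
    flagged: Dict[int, Event] = {}  # pid -> event that was already flagged
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        m = UNC_SCRIPT.search(ev.cmdline)
        if not m:
            continue
        parent = flagged.get(ev.ppid)
        chained = parent is not None and ev.ts - parent.ts <= window
        findings.append({
            "pid": ev.pid,
            "image": ev.image,
            "ext": m.group(1).lower(),
            "webdav": bool(WEBDAV_MARKER.search(m.group(0))),
            "chained_from": parent.pid if chained else None,
            "severity": "high" if chained else "medium",
        })
        flagged[ev.pid] = ev
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the sample, the local `build.bat` and the `.txt` on an ordinary share produce no finding; the `wscript.exe` launch of `invoice.vbs` is a medium hit, and the `cmd.exe` child that runs `run.bat` from the same WebDAV path two seconds later is escalated to high because its parent was already flagged.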


Just downloading a LNK or VBS file should be a massive red flag. Whoever decided that it was a good idea to hide file extensions from people by default was an idiot.


> Whoever decided….

Completely agree. And over the years I have found it sad how many people (some who considered themselves computer experts) I had to explain to what extensions are, why they are needed, how to make them show, etc.


> The end-destination is completely hidden from the end-user

A proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource.

https://en.wikipedia.org/wiki/Proxy_server


> I don't think it's unreasonable for people to expect cloudflare to be policing their own service for malware when they're trying to pitch themselves as a security product.

But you're not the customer, you're the consumer.

Are they pitching themselves as safer for the consumer?


> user sees they're connecting to cloud flare

I see I am connecting to Comcast, it says so right on my modem.


oh no a tunneling service is used for tunneling /s


Well no, it's more like _ubiquitous tunneling service grants anonymous sign-up and thereby disguises origin and commingles traffic that Was Authenticated Somewhere with traffic that Could Be From Anyone, with the effect of opening a hole in your first line of defense_.

If you merely want to be edgy, then well done. Otherwise, a piece of advice, start by understanding the problem.


At this point --- and speaking for non-power-users --- this should be an OS interaction design problem.

Framing cloudflare as the enabler is missing the bigger picture.

I remember back in the day I needed to turn off autoplay on Windows to not get accidentally infected by malicious drives.

No one was insane enough to blame the CD-RW and flash drive manufacturers.


> No one was insane enough to blame the CD-RW and flash drive manufacturers.

Cloudflare isn't acting like a CD-RW or a flash drive. They're acting like a storefront that sells fraudulent flash drives that say they're 1TB when they're actually 200MB, or don't work at all when you plug them in, or worse catch fire. A storefront that refuses to take the faulty products off the shelves when customers complain, refuses to stop selling merchandise they sourced from criminals, and refuses to do even basic due diligence to make sure the products they sell are legitimate.

People who operate stores have a responsibility to make sure that merchandise they sell to consumers isn't fraudulent and harmful. Companies offering their services online also have a responsibility to make sure that those services aren't being used to push fraudulent and harmful content onto consumers and that they aren't acting as safe-havens for criminals.


A file host is one or two orders of magnitude less involved than a store that stocks and sells products.

And if anything a file proxy is even further away.


Aside from process host and protocol, what makes it different from, let's say, a publicly available Google Drive?


I can, as a Google admin, block links from outside the org; or, as a non-Google admin, block Google Docs. The business may decide not to block, but if I have a good SIEM then I can still do something, possibly inspect the file before it hits the user's desktop.

I can't block Cloudflare, unless I'm willing to block half the internet. If I try to do additional inspection, I've got huge amounts of noise and I'm going to make the internet unusably slow.


Whatever differences exist between a publicly accessible Google Drive and an innocuous-seeming link to a Cloudflare-owned domain that takes users to a random malicious server without warning, we can be reasonably sure that those differences are meaningful, because these scammers are flocking to the Cloudflare service instead of using Google Drive.

Something about this Cloudflare service is really attractive to these scammers in a way that Google Drive isn't. Maybe it's because these scammers just haven't discovered how great Google Drive is as a malware delivery platform, but I suspect that they have.

Google Drive has something of a history for hosting malware. https://www.techrepublic.com/article/google-drive-accounted-...

Now maybe all the attention on how Google Drive became the hottest place in town to spread malware caused Google to get off their ass and do something about the abuse of their online service, and it's become a less hospitable place for criminals than it used to be. Or, maybe Google has continued to neglect their responsibility to keep criminals off their service and it's the public who have just gotten more suspicious of the links to Google Drive in their inboxes, making Google Drive campaigns less effective, and it's the novelty of Cloudflare tunnels that makes them so effective. Maybe it's just easier to create Cloudflare links that don't require accounts than it is to keep creating Google Drive accounts.

Where it matters most though, there really isn't much difference between the two services. Both have a responsibility to keep their services from being used to facilitate crime. Both should respect RFC 2142, but don't. Both can eventually get around to removing links to malware after you report it to them enough, while doing basically nothing to stop that same malware from going right back up again at another URL/account. Both have more than enough resources and talent to be doing a much better job at internet abuse handling than they have been. They both just don't care enough to bother.


I quite like the status quo. I don't want Cloudflare or Google to block the files I'm trying to download just because they got a bunch of reports from clueless people or bots.

I want both to behave like dumb pipes. They don't have enough context to make any decisions like the ones you described. Ideally everything would be end to end encrypted so it'd be impossible for them to make the decision for me.


> I don't want Cloudflare or Google to block the files I'm trying to download just because they got a bunch of reports from clueless people or bots.

Lots of scammers don't want Cloudflare or Google to block the files they're trying to trick people into downloading either. There are people who feel the same way about spam, that no service provider should have the right to block or even flag messages as spam for anyone else. Thankfully, most people disagree and want service providers to act on abuse complaints instead of acting as safe-havens for criminals.

Even dumb pipes need to be maintained when they start carrying something toxic/harmful that isn't supposed to be there. These are nothing like dumb pipes though. They're watching everything you and everyone else does with the service and logging it all. They're collecting every scrap of data they can while we interact with these services and they're happy to use that data when they think it'll put money in their pocket, but much less interested in using it to prevent the harm being done.

It isn't hard to find this stuff. These types of scammers are not usually very subtle. In this case they're linking to .LNK and .VBS, but scammers using these kinds of services are doing things like repeatedly uploading the exact same malware-infected file, or not even bothering to modify their phishing sites each time they reupload them, or using the same keywords/broken English in their spam, etc.

These companies could automate checking to see what's at the other end of a generated link, or run a quick AV scan on an uploaded file, or look for domains that are registered with misspellings of banks and online shopping companies, or check whether the hash of recently uploaded content matches something they recently had to take down because it violated the law and/or their own ToS/AUP.

I'm not even suggesting that they take something offline immediately if they find something, just flag it for review by an actual human with eyes and a brain, and have enough humans available that it doesn't take long before that review happens. Make it easy for people to send reports of internet abuse. It's not hard to act like responsible members of the internet community, it just takes work.
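The "flag it for review" idea in the comment above, with the hash check against previously removed content, is straightforward to sketch. The following is an added example written for this thread, not code from Cloudflare, Google or any commenter: it keeps an index of SHA-256 hashes of content that was taken down earlier, both of the raw bytes and of a normalized form (HTML comments stripped, whitespace collapsed, case folded) so a re-upload with trivial edits still matches, and it queues script/shortcut uploads for a human rather than blocking anything outright. The takedown records and the sample pages are constructed.

```python
"""Re-upload triage by exact and normalized content hash (added example)."""
import hashlib
import re
from typing import Dict, List, Set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize_text(data: bytes) -> bytes:
    """Remove the cheap edits a re-upload tends to carry: HTML comments,
    whitespace (including between tags) and letter case. Content that is
    not valid UTF-8 is treated as binary and hashed as-is."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return data
    text = re.sub(r"<!--.*?-->", "", text, flags=re.DOTALL)  # drop comments
    text = re.sub(r"\s+", " ", text)                         # collapse runs of whitespace
    text = re.sub(r">\s+<", "><", text)                      # drop whitespace between tags
    return text.strip().lower().encode("utf-8")


class TakedownIndex:
    """Hashes of content removed earlier. In this example it is an in-memory
    set; a real service would persist it alongside the takedown record."""

    def __init__(self) -> None:
        self.exact: Set[str] = set()
        self.normalized: Set[str] = set()

    def record_takedown(self, data: bytes) -> None:
        self.exact.add(sha256_hex(data))
        self.normalized.add(sha256_hex(normalize_text(data)))

    def triage(self, filename: str, data: bytes) -> Dict:
        """Return whether an upload should be queued for human review, and why."""
        reasons: List[str] = []
        if sha256_hex(data) in self.exact:
            reasons.append("identical to previously removed content")
        elif sha256_hex(normalize_text(data)) in self.normalized:
            reasons.append("matches previously removed content after normalization")
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in {"lnk", "vbs", "bat", "cmd"}:
            reasons.append(f"script/shortcut upload (.{ext})")
        return {"filename": filename, "review": bool(reasons), "reasons": reasons}


# Constructed samples: a phishing page that was removed earlier, a lightly
# edited re-upload of it, and an unrelated benign page.
REMOVED_PAGE = b"<html><!-- v1 --><body>Verify your Example Bank login</body></html>"
REUPLOAD = b"<HTML><!-- v2 -->  <body>Verify  your example bank login</body>\n</HTML>"
BENIGN = b"<html><body>Quarterly newsletter</body></html>"


def demo() -> List[Dict]:
    idx = TakedownIndex()
    idx.record_takedown(REMOVED_PAGE)
    return [
        idx.triage("login.html", REUPLOAD),   # flagged: normalized hash matches
        idx.triage("news.html", BENIGN),      # not flagged
        idx.triage("update.lnk", BENIGN),     # flagged: shortcut file
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Normalization this simple only catches the laziest re-uploads; anything beyond that needs fuzzy or perceptual hashing, which is deliberately out of scope here. The point the comment makes is that even this cheap check, feeding a human review queue, is more than nothing.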


> Even dumb pipes need to be maintained when they start carrying something toxic/harmful that isn't supposed to be there.

Quis custodiet ipsos custodes?

https://en.wikipedia.org/wiki/Quis_custodiet_ipsos_custodes%...

> In this case they're linking to .LNK and .VBS, but scammers using these kinds of services are doing things like repeatedly uploading the exact same malware infected file

It sounds like you advocate for proxy servers to inspect traffic at the application layer. Is that right?

In the OSI reference model, the communications between systems are split into seven different abstraction layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application.

https://en.wikipedia.org/wiki/OSI_model


> It sounds like you advocate for proxy servers to inspect traffic at the application layer. Is that right?

In most cases you wouldn't need one. A URL shortener service can see what people are linking to. A webhosting company can see everything on their own servers. In the specific case of Cloudflare and this particular product they may or may not need to. I notice that they do reserve the right to monitor and inspect any traffic on the Cloudflare network.


This text is non-responsive to the question. Maybe your purpose is to practice typing? Just because a company "can" do something doesn't mean that they will devote the resources to perform it.


It would be nice if Cloudflare tried a bit harder to respond to abuse reports.

I don't think they've ever acted when I've reported obvious phishing and malware hosting to them.


I don't think I've ever seen an abuse report to anyone have a direct consequence. Phishing URLs I've reported never get added to any phishing lists, malware reports seem to go to /dev/null, and reporting spammers to their hosting services/registrars only seems to increase the amount of spam received.

Cloudflare should do better, but so should the entire industry. I get why companies selling security software report on this stuff, but this stuff is just a consequence of the internet allowing inbound connections sometimes.

The takeaway from this isn't "Cloudflare bad", but "block trycloudflare.com in your DNS server unless your devs use it for some reason". Same with Ngrok and any other dev tool like that.
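The mitigation in the comment above (block trycloudflare.com, ngrok and similar quick-tunnel domains at the corporate resolver unless developers need them) can be both detected and enforced from the resolver's own data. The following is an added example, not code from the thread, Cloudflare or ngrok: it scans a constructed query log for lookups of tunnel domains by non-allowlisted clients and renders the matching sinkhole lines for dnsmasq and Unbound. The ngrok suffixes, log format and developer allowlist are assumptions.

```python
"""Detect and block developer quick-tunnel domains on the internal resolver.

Added example (not the page's or any vendor's code). Part 1 scans a
resolver query log for lookups of tunnel hostnames, exempting an allowlist
of developer workstations. Part 2 renders blocklist config for dnsmasq and
Unbound so the same suffixes resolve to nothing for everyone else.
The log lines and allowlist are constructed; the suffix list is an assumption
to be kept current for your environment.
"""
from collections import defaultdict

# trycloudflare.com is named in the thread; the ngrok suffixes are those used by
# ngrok free tunnels at the time of writing (assumption: verify and extend).
TUNNEL_SUFFIXES = ("trycloudflare.com", "ngrok.io", "ngrok-free.app", "ngrok.app")

# Constructed: developer workstations permitted to use tunnels.
DEV_ALLOWLIST = {"10.0.5.21"}

# Constructed resolver log, one query per line: "<epoch> <client_ip> <qname> <qtype>".
SAMPLE_LOG = """\
1722500001 10.0.5.21 quiet-river-demo.trycloudflare.com A
1722500002 10.0.7.140 www.example.com A
1722500003 10.0.7.140 gentle-horse-4f2a.trycloudflare.com A
1722500004 10.0.9.33 1a2b-203-0-113-5.ngrok-free.app A
1722500005 10.0.7.140 mail.example.com MX
1722500006 10.0.9.33 trycloudflare.com.evil-lookalike.test A
"""


def is_tunnel_domain(qname: str, suffixes=TUNNEL_SUFFIXES) -> bool:
    """True if qname is a tunnel suffix or a subdomain of one.
    Matching on label boundaries avoids flagging 'nottrycloudflare.com' or a
    name that merely embeds the string in a higher label."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in suffixes)


def find_tunnel_lookups(log_text: str, allowlist=DEV_ALLOWLIST):
    """Return {client_ip: [qname, ...]} for non-allowlisted clients resolving tunnel names."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, client, qname, _qtype = parts
        if client in allowlist:
            continue
        if is_tunnel_domain(qname):
            hits[client].append(qname.lower())
    return dict(hits)


def dnsmasq_blocklist(suffixes=TUNNEL_SUFFIXES) -> str:
    """dnsmasq: address=/<domain>/0.0.0.0 sinkholes the domain and all subdomains."""
    return "\n".join(f"address=/{s}/0.0.0.0" for s in suffixes) + "\n"


def unbound_blocklist(suffixes=TUNNEL_SUFFIXES) -> str:
    """Unbound: an always_nxdomain local-zone covers the zone and everything below it."""
    return "\n".join(f'local-zone: "{s}" always_nxdomain' for s in suffixes) + "\n"


if __name__ == "__main__":
    for client, names in find_tunnel_lookups(SAMPLE_LOG).items():
        print(f"{client} resolved tunnel hostnames: {', '.join(names)}")
    print("--- dnsmasq ---")
    print(dnsmasq_blocklist(), end="")
    print("--- unbound ---")
    print(unbound_blocklist(), end="")
```

Run the detection over historical resolver logs before turning on the sinkhole: any non-developer host already resolving these names is either an unexpected legitimate use to add to the allowlist or an endpoint worth a closer look, and the query log keeps working as a detection source after the block is in place because blocked lookups are still logged.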


I find it bonkers that we have settled on a design for browsers under which merely clicking a link is enough to expose you to a malware threat.

It's like we received the good advice:

> don't eat things you can't identify

but somewhere along the way we got our wires crossed so now it's

> don't look at things you can't identify

But we're still acting like only an idiot would ever fail to adhere to this perfectly reasonable advice, when actually it's a recipe for having users with no idea what a real threat actually looks like.

Much better would be if you can safely click all links (just don't, you know, run it or whatever the dangerous action is) so that you can annotate what you find there as either threatening or trustworthy--the better to help out your peers.


Well, hyperlinks, SMTP, browser scripting (less so): these things come from a time when the internet was a community, not a venue for crime. The first viruses were from clever under-socialised children. It was a playground and everyone was safe.

Now we regret our naivety, but it's too late to take a systemic approach. It's all grandfathered in.


I think that sooner or later, the threats will become sophisticated enough to ungrandfather it.


I actually wrote about malicious use of this very tool a year ago[0] (almost to the day). The only thing new here seems to be what they’re doing through the tunnels, and the apparent success they’re having with this method for it to increase as a proportion of their overall attack techniques.

TryCloudflare, IMO, is the real problem here. It doesn’t require an account at all, so attribution becomes nearly impossible.

0: https://www.guidepointsecurity.com/blog/tunnel-vision-cloudf...


Isn't this what happens to every free quick tunnel product? Was kinda just waiting for this to play out. ngrok had nice zero friction tunneling when it came out but then they had to put everything behind a sign-up flow due to the same sort of abuse.


I would be disappointed in the attackers if it didn't. Free end-to-end encryption without any accountability tying it to a user? It's begging for abuse.


If it isn't Cloudflare tunnels, it's gonna be asking Google to translate some webpage you host with a payload in the URL or something

This isn't newsworthy


I guess this is why we can't have nice things on the internet (in this context, nice things from Cloudflare). Did you know you could send emails for free from Cloudflare (https://blog.cloudflare.com/sending-email-from-workers-with-...)? Well, now you can't. The sunsetting probably was not Cloudflare's fault, but it's more or less similar: nice service, abused.


For a long time, Cloudflare had a feature where you could "preview" custom CSS and HTML intended for use with their custom error pages. Basically, the preview feature just took CSS and HTML in a query string and then displayed it on cloudflarepreview.com/....

I reported it and showed how you could trivially create a page that said "Sign in to your Cloudflare account to get access to the Cloudflare beta preview!" and capture Cloudflare login credentials.

The bug bounty was closed as they said it was "accepted as the nature of the cloudflarepreview playground".

Then they fixed it by adding a JWT token to the URL (and no bounty paid).

I've been a Cloudflare customer for a long time but it seems that there are many dark corners of their products that just don't get a lot of attention until they are abused, and I suspect this TryCloudflare thing is one of them.


When it comes to "nobody wants to spend enough money to do moderation and anti-abuse well", it makes me wonder: Whatever happened to early PGP-era ideas that we'd somehow establish new webs of distributed trust and distrust of online identities?

I guess we sorta kinda have a little of that in the form of social-media accounts that get "trusted" based on the number of followers and their followers' followers and bots all the way down, etc. Or PageRank and SEO exploitation.


Everyone who is capable of your suggestion is not dumb enough to install a trojan in the first place.


Society better figure something out soon, because with all these ultra realistic deepfakes coming up, we better have a way for people to establish whether the source is authentic or not.


Nah, the ambiguity is exhilarating! :^)


I wonder if those dreaded endpoint security programs (i.e., ClownStrike) would have picked up on this type of attack.

I guess this type of traffic would only get flagged if attackers were skids (i.e., re-using known RATs)


Picked up? You'd configure Crowdstrike to stop any random exe from running at all. Doesn't matter if the attacker's using a known bad exe or not.


Clownstrike goes crazy


This reminds me of when those AOL free trial account disks were all over the place. In many circles an AOL subdomain would get instabanned


Even the *.ipt.aol.com ban was needed because one AOLer would use the HOST.ipt.aol.com rdns to ban evade and ruin it for everybody.

Prodigy / CompuServe / Blue Light gang checking in


Prodigy, haven't thought about that in a lot of years, thanks for the memory tickle. Even with the painted-with-bricks interface.

GEnie was another that was kind of fun. And I still can remember my CompuServe number!


My immediate internal spam/scam alarm goes off the moment I see "I hope this message finds you well"


Crimeflare strikes again.


Cloudflare has been infamous among sysadmins and threat hunters for over a decade [1,2] now for having an almost-nonexistent moderation program. Their services have been routinely abused by malicious actors for years [3,4,5,6,7]. They've arguably been the single largest commercial provider for criminals globally over that time period, including non-tech criminals like drug traffickers and actual terrorists [8,9], to say nothing of aiding and abetting war criminals [10].

In fact, Cloudflare is actually the second largest DNS provider in the world by number of domains served. [11]

They are in a position to log and analyze all of the traffic they decrypt, including all of the plaintext POST data, all of the cookies, all of the origin IPs, L7 payload sizes, and traffic timestamps for over 35 million websites.

Their extensive history of indiscriminately offering "free" services to evildoers likely ties back to their true purpose, which Matthew Prince has admitted to [12], which is to sell all of those passwords, all of that PII, all of your privacy, not only to the US government, but also to other bidders.

It is no exaggeration to say that anyone opposed to spam, phishing, malware, cybercrime, terrorism, war crimes, government surveillance dragnets, and infringements upon one's own digital privacy should have nothing but utter contempt for the soulless monsters responsible for this corporate atrocity.

If you are as passionate about the subject as I am after reading some of these citations, I'd encourage you to boycott any websites using CF that you don't need to visit, and make plenty of phone calls to California senators, representatives, and the governor demanding that the state of California revoke Cloudflare's corporate charter and right to conduct business in the state.

[1] https://www.malwarebytes.com/blog/news/2014/12/free-ssl-cert...

[2] https://forum.spamcop.net/topic/14194-cloudflare-bulletproof...

[3] https://thehackernews.com/2023/08/cybercriminals-abusing-clo...

[4] https://www.threatdown.com/blog/cloudflare-tunnel-increasing...

[5] https://any.run/cybersecurity-blog/clouflare-phishing-campai...

[6] https://venturebeat.com/security/rogue-ad-network-site-likel...

[7] https://portswigger.net/daily-swig/cybercriminals-use-revers...

[8] https://www.trendmicro.com/vinfo/us/security/news/cybercrime...

[9] https://cyberscoop.com/cloudflare-ipo-terrorism-narcotics/

[10] https://www.timesofisrael.com/us-firm-helps-hamas-netanyahu-...

[11] https://bgp.he.net/report/tophosts

[12] https://0xacab.org/blockedbyriseup/deCloudflare/-/raw/master...


They earned the nickname 'crimeflare' for a good reason and rightfully so.


> They are in a position to log and analyze all of the traffic they decrypt, including all of the plaintext POST data, all of the cookies, all of the origin IPs, L7 payload sizes, and traffic timestamps for over 35 million websites.

And equally so is whoever they trust to provide the hardware to host their website on. Most of the time, it's someone else.

(edit: Your last source is laughable. Some real conspiracy theory shit)


And what do you reckon the chance is that Azure and AWS and GCP are extracting ephemeral TLS session keys for every inbound HTTPS traffic stream bound for their customers, and decrypting every single stream?

The chance that cloudflare is getting access to all incoming traffic in plaintext is 100%.


Didn't mention anything about chances. If these companies wanted they could decrypt all traffic and it's easier than how you said (just swap out a web server binary or something). Although I must admit Cloudflare has a worse track record


His last source is a word for word excerpt from a BBC article about Cloudflare, with the information coming directly from their reporter talking to the founder of Cloudflare. As far as I can tell the only thing the site he linked to added was they underlined some phrases.

When you say it is conspiracy theory shit (CTS) do you mean that what the text says is CTS, or do you mean that whatever inference the site that copied the text from the BBC is trying to get you to infer from their underlining is CTS?


The latter. For example, what is "tracked them" (going off memory here) even supposed to imply? Log the spammer email address and send it off wherever (which most mail services do), says the context. Just looks like a poor attempt to make CF look bad, unlike the others which cite real incidents


Your sources are ass man. Yah newsflash, CF is a hosting site and people make phishing pages. This shit is true with literally any cloud provider today that’s relevant on the internet.


The difference is, legitimate non-criminal providers don't flagrantly ignore abuse reports, but thanks for leading with a petty criticism of my citations rather than refuting the core of my argument, which you can't do.


[stub for offtopicness. title casing software begs forgiveness.]


Original title was "Threat Actor Abuses Cloudflare Tunnels to Deliver Rats", and even if I knew about malware through Cloudflare tunnels, it got my hopes too high.


I thought this was a terrible pun about using tunnels to deliver rodents, not delivering remote access trojans. I don't know which I would have liked better


Rodent-over-IP would be a fascinating read.


There’s actually a (really superb) Rust library/program for creating reverse tunnels over TCP, that’s called Rathole [0]. We used it [1] at my last startup and were mildly worried that one day we’d need to explain to a security auditor why we had a dependency called “rathole…”

[0] https://github.com/rapiz1/rathole

[1] https://www.splitgraph.com/jumpstart/tunnel


Now everyone knows my YC 25 idea


It would never receive funding, viruses spread too quickly.


This is why we can't have nice things.


If history is any indication you can probably keep having the nice thing, because CF tends to look the other way when bad actors abuse their infrastructure.


Good. It should require a court order to take someone offline.


I think we both know that bad actors can spin up new Cloudflare accounts a few orders of magnitude faster than the courts can take action against just one.

It's not much of an ask to at least keep DDoS providers out, even from a free speech absolutist position it's a stretch to say that DDoS should be protected speech.


DDoS isn't protected by Cloudflare and is already illegal, hence the court orders which get them to act.

What you are asking for is KYC to be implemented.


Is that so unreasonable? If I agree to forward someone's mail you would probably expect me to do some basic sanity checks in order to establish whether I am likely to be forwarding IRS documentation or anthrax. Why does the internet always get a pass on established societal norms?


Depends on if you're ok with the tradeoffs of KYC as they require comprehensive identity verification, and depending on service changes to structure to adhere to a per-person account model.


I think the suggestion in the parent comment leaves room for a court order that bars providing service to certain individuals/organizations.


That would require Cloudflare to have a KYC policy which exposes the individual/organization behind an account, and they don't do that either.

If DDoS4U gets banned they can just rebrand as DDoS4Less and CF is (willingly?) none the wiser that it's the same people behind it.


Malicious actors could spin up new accounts whether or not CF bans malicious accounts without a court order. Requiring a court order would have no bearing on CF's ability to prevent duplicate accounts.


KYC := know your customer


aka get their real id


That sort of court order would end this entire product feature. You can't have accountless tunnels if you have to be able to bar specific individuals or organizations.


I have to provide services to anyone with money?


Ironically, Cloudflare removed DDoS protection from KiwiFarms without a court order due to a political pressure campaign.


Court order by whom?


Just don’t piss off Prince or {current_cf_ceo}, and you will be fine [1]

[1] https://www.businessinsider.com/the-daily-stormer-got-pushed...


Oh really? According to who? And for what business purpose?


Cloudflare has been in front of _every_ phishing site targeting my org for the past year. Their response to reports is always "we're just a pass through, not our problem". The attackers know that CF won't take action against them, and that using CF will slow down any response or takedown request.


Unless CF is actually hosting the site, which is rare, the most they can do is no longer act as pass through. In which case, your problem isn't actually solved, they just move to another provider who offers similar.

You instead want to be talking to browser and search engine providers and reporting there, as well as your government for illegal activities.


They aren't a passthrough, though. That wouldn't be a valuable service. They're providing a service to criminals that assists them in fraud, and refusing to take any action when notified. It adds hours or days to a takedown process. It's like they're standing outside the mall handing the bike thieves branded hacksaws.

We've had better luck getting random Moldovan ISPs to shut down service than we've had in getting CloudFlare to give a damn.


They are quite literally a MITM passthrough. The example you used doesn't make any sense either, it would be more like them handing everyone hacksaws and you getting mad at them over the fact some people are using them for bad things.

Again, get a court order and they'll take action. They are legally required to. Random Moldovan ISPs don't operate at the scale CF does, no wonder they were faster. Probably also easier to bribe as well ;)


The fact that they block some people from accessing the websites behind their service negates their claims to be "just a passthrough"…


Okay, their main service is a passthrough with a sprinkle of blocking on top.

GGP is asking for more blocking, so I don't think they mind that particular reason.


> Unless CF is actually hosting the site, which is rare, the most they can do is no longer act as pass through. In which case, your problem isn't actually solved, they just move to another provider who offers similar.

Well, if at least the Big Five (CF, Akamai, AWS, GCP, Azure) could get their shit together and cooperate against the bad actors, using netblocks against hostile IP ranges (both egress and ingress) could start making sense again.


I find that the domain registrar takes action more often than not (I guess because they're bound to ICANN's regulations), then the moment the domain is stopped Cloudflare sends an automated e-mail saying that they don't host the website because the DNS records stopped resolving.


Of the 10 highest ranked "stresser" (DDoS-for-hire) services on DuckDuckGo right now, 9 of them are using Cloudflare.

jetstress.net - Cloudflare

maxstresser.com - Cloudflare

neostress.cc - Cloudflare

quezstresser.ru - Cloudflare

rawstresser.net - Cloudflare

stresse.net - Cloudflare

stresser.su - Cloudflare

stresser.zone - Cloudflare

stresserst.su - DDoSGuard

sunnystresser.com - Cloudflare

I could keep going but you get the point. This has been ongoing for years and they consistently ignore abuse reports.

Given that CF's bread and butter is selling DDoS mitigation this is a blatant conflict of interest.


Is the problem that the stressor services don't have robust KYC?


Legit load testing services like loader.io require you to prove you own the site you are targeting, yes. "Stressers" let you point their orbital laser at whatever you want, they might say it's only meant for use against your own servers but that's just an ass-covering pretense.


Sure. But that's what I'm asking. Why blame Cloudflare rather than the companies themselves?


DDoS providers and other for-profit miscreants are incentivized to DDoS each other into oblivion, and Cloudflare is the only one of the giant mitigation providers who are willing to protect them from their competition. There are bulletproof alternatives like DDoSGuard but their network is absolutely nowhere near as expansive as CF's is, nor is it free to use, nor do they have enough legit customers to rule out blocking their entire ASN in a corporate firewall to stop phishing attacks. CF's share of the blame is for making bad actors' lives much easier than it should be.


I feel like the portion of blame for stopping criminals from attacking each other is pretty low.


That would imply that those services have legitimate use cases. Most of them don't, and they're well aware of it.


> Given that CFs bread and butter is selling DDoS mitigation this is a blatant conflict of interest.

There is no conflict when the goal is making money. They'll be glad to look the other way.



[flagged]


Spamhaus isn't a competitor to Cloudflare. (Spamhaus even uses Cloudflare's services to protect themselves from DDoS attacks.)


Search for "stress tester" and almost every ddos-for-hire site you find will be protected by Cloudflare.


The more DDoS there are, the more business CF gets. Take your own conclusions…


So report them? This is like complaining that their domains are registered by GoDaddy, or their packets are delivered through the Internet by Hurricane Electric, or their local power company keeps their lights on


From what I've heard, if you send an abuse report to Cloudflare they just forward it to the owner of the service you are reporting, without redacting any personal information you provided, opening you up to reprisal. They won't actually do anything unless legally mandated to.


>They won't actually do anything unless legally mandated to.

This is a good thing, and pretty refreshing compared to the Kafkaesque scenarios that Google and others offer when shutting down entire businesses based on the whims of some blackbox AI detection system or fraudulent DMCA notice.


Counterargument, and hear me out please.

Just because a few bad actors cause harm shouldn't mean everyone should be losing rights and giving up bits of their freedom because someone ruined it for everyone else.

Doesn't matter what it is: weapons, or fireworks, or even the right to code. Sacrifice of everyone's rights and freedom to choose all in the name of reducing the odds of something happening seems odd. The very regulation of what someone can and cannot do, while it might theoretically reduce risk (an argument for correlation not causation exists here), can't possibly outweigh the fact that you're restricting people's free will and autonomy. The constant regulation and restriction of things in our life only stifle innovation, act as barriers to entry, and force the creativity out of people's lives.


I call it optimizing for the corner cases.


Remote Access Trojans, not rodents.


Original title has "RATs", but that seems to have gotten edited/autocorrected away when it got to HN. Because, damn, that's a hack I want to read about.


I was really eager to see how they delivered rodents via Cloudflare, but my hopes were dashed.

