A typical website behind Cloudflare
|Industry||Internet, Content Delivery Network|
San Francisco, California,
|Matthew Prince (CEO), Michelle Zatlyn (COO)|
|Services||Reverse proxy service|
|Revenue||US$287.02 million (2019)|
|US$−107.95 million (2019)|
|US$−105.83 million (2019)|
Cloudflare is an American company locating in San Francisco, specializing in distributed reverse proxy service for websites. A disturbingly large portion of the world wide web is served from their network. Cloudflare owns more than 80% of CDN market share and 36.2% of the first Google search results are using Cloudflare.
Cloudflare is in a prefect position to monitor a very large portion of all web traffic. The number of its users are growing each day.
Wikipedia edited by employee of Cloudflare
Public DNS servers
Cloudflare's anycast DNS servers can be used by anyone.
- 126.96.36.199 and 188.8.131.52 on IPv4
- 2606:4700:4700::1111 and 2606:4700:4700::1001 on IPv6
- Family DNS
Cloudflare offers free DNS hosting and have more than 12 million customers.
You need a second level domain ("apex host") for Cloudflare. Third level domain ("sub domain") such as "not-poss.linuxreviews.org" will not be accepted by Cloudflare.
- BSD and many GNU/Linux distribution overrides that and disables DoH in the distribution-specific packages.
Cloudflare is very popular among website owners because they do provide several real benefits for free. First of all, they do a lot of caching which offloads servers that are actually hosting a site. More importantly, Cloudflare's network (AS13335) is large and well connected.
Cloudflare is connected to over 230 Internet exchanges and they have direct peering with more than 580 different networks. Few, if any, traditional server hosting companies have anything which comes close. A website using Cloudflare's distributed reverse proxy network will feel (and actually be) faster for a very large part of the worlds Internet users.
AMP pages from web hosts behind Cloudflare are served directly from Cloudflare's network.
- Cloudflare suffered an outage which lasted a mere 27 minutes in July 2019.
It was later revealed that it was caused by a invalid regular expression somewhere in the code. 12 million websites were unavailable during this half-hour long event.
- In 2020, a German court forced Cloudflare to delete a customer over copyright accusations even though the proximate DNS provider of that customer was allowed to further serve that customer. Cloudflare provides some anonymity, because the real IP (DNS A-record and SOA-record) of a webserver is hidden behind the Cloudflare DNS records.
Cloudflare is a extremist organization that takes the decentralized web and centralizes it under one corporate power who dictates terms in the world's largest walled-garden. A large portion of the web (10%+) were once freely open to all but are now controlled and monitored by a single central authority who decides for everyone who may access what web content. This does serious damage to net neutrality, privacy, and has immediate serious consequences:
- Cloudflare mounts mutlifaceted attacks on privacy
- Cloudflare is a man-in-the-middle who sees all traffic including usernames, unhashed passwords, and financial data within the HTTPS tunnel. This is done surreptitiously. Cloudflare sees all the traffic.
- Cloudflare sees all traffic to and from the database of the Psono password manager. Even if Psono has an extra layer of encryption for cloud-stored passwords, Cloudflare still sees the password in the clear when supplied to the service that the user is logging into. If a user has multiple accounts, Cloudflare is given enough information to associate the accounts together. If a user uses an IP address for Psono that differs from the IP of the site they're logging into, Cloudflare can additionally associate IPs together to identify a Tor user or VPN user.
- Cloudflare has a policy to block all Tor users by default. It's a crude, reckless and unsophisticated (but cheap) way to create the illusion of security. Collateral damage is high. Privacy takes a global hit because Cloudflare has decided what best suits their business to the detriment of everyone else. The impact is not only privacy while visiting the Cloudflare site. Cloudflare has proliferated to the point that users opt to abandon Tor entirely because solving 50+ CAPTCHAs every day is wholly impractical. For a user to be effectively forced to abandon Tor is a colossal loss of privacy.
- Cloudflare helps spy orgs conduct illegal surveillance two ways:
- damage to anonymity: CF deployed an anonymity compromising Google reCAPTCHA from 2009 to mid-2020. Apart from the direct compromise by the CAPTCHA, Tor users are also driven off Tor in droves as a consequence of access inequality of Tor/non-Tor users (which constitutes a network neutrality abuse as access equality is central to net neutrality).
- centralization of copious data on this immeasurable scale within reach of any spy org will cause that spy org to foam at the mouth -- and they will get access to it one way or another.
- ISPs collect data on their own customers and exploit it for profit in the US. Under Obama it became illegal for an ISP to sell data collected on their customers without express consent. Trump reversed Obama's policy in 2017. In the absence of legal protections, Tor serves as a technical protection from ISP snooping. Cloudflare's attack on Tor users facilitates privacy abuse by ISPs.
- The gratis service also raises the question about how CF is monetizing all that data that's exposed to them (which every CF user carelessly increases). They do not disclose to the public how they monetize that data, but what CF cannot hide is that they seek to hire a machine learning data scientist with big data expertise for their marketing department.
- A CF customer who became increasingly concerned with CF's unchecked power deleted their account. Two months after CF confirmed that the account was deleted, the customer received an email from CF, proving the account had not been deleted.
- When a user solves a CAPTCHA, CF is paid a cash reward via Paypal, a privacy abuser who shares customer data with 600 companies.
- Cloudflare is a man-in-the-middle who sees all traffic including usernames, unhashed passwords, and financial data within the HTTPS tunnel. This is done surreptitiously. Cloudflare sees all the traffic.
- Cloudflare takes away software freedom
- CF restricts how users may use their software by rendering the web dysfunctional for some browsers.
- Cloudflare diminishes network neutrality -- Access Equality is the centerpiece of net neutrality, while CF yields widespread access inequality.
- Cloudflare took a seat on the FCC's Open Internet Advisory Committee, and serves its own interest (to influence legislation against net neutrality).
- Cloudflare discriminates against connections coming from developing countries.
- Cloudflare discriminates unfairly against Tor users, those who use non-graphical browsers, and those who deploy beneficial robots.
- Cloudflare also discriminates against people with impairments and disabilities (details in the human rights section)
- Cloudflare's detriment to human rights
- CAPTCHAs put humans to work for machines when it is machines who should be working for humans. The labor violates the 13th amendment of the US Constitution due to involuntary servitude. The most perverse manifestation is when a citizen attempts to access a government service such as voter registration, and they're forced to solve a puzzle, the labor of which compensates Cloudflare instead of the laborer.
- CF discriminates against people with impairments and disabilities
- CF attacks robots that help provide an alternative user interface for users that are impaired or handicapped. This attack violates some WCAG 2.0 principles mentioned in the next table regardless of the role of CAPTCHA (which itself violates WCAG 2.0 principles).
- CF imposes a proprietary "hCAPTCHA," which violates several WCAG 2.0 principles:
|WCAG Principle||How the Principle is Violated|
|1.1: Provide text alternatives for any non-text content so that it can be changed into other forms people need, such as large print, braille, speech, symbols or simpler language.||hCAPTCHA wholly relies on graphical images. There is no option for a text or audible puzzle.|
|1.2: Time-based media: Provide alternatives for time-based media.||hCAPTCHA has an invisible timer that the user cannot control.|
|1.3: Create content that can be presented in different ways (for example simpler layout) without losing information or structure.||When a user attempts to use |
|2.1: Make all functionality available from a keyboard.||The hCAPTCHA does not accept answers from the keyboard.|
|2.2: Provide users enough time to read and use content.||If you don't solve the hCAPTCHA puzzle fast enough, the puzzle is removed and the user must start over. Some puzzles are vague and need time to ponder that exceeds the time limit.|
|3.1: Make text content readable and understandable.||When the CAPTCHA says "select all images with parking meters", how is someone in Ireland supposed to know what a parking meter in the USA looks like? When the CAPTCHA says "click on all squares with a motorcycle" and shows an image of an apparent motorcycle instrument panel, it's unclear if that qualifies (it could be a moped). Another image showed a scooter with a faring that resembled a sports bike. Some people would consider it a motorcycle. When the CAPTCHA said "click on all squares with a train", some of the images were the interior of a subway train or tram. Some people consider a subway to be a train underground, while others don't equate the two. The instructions are also sometimes given in a language the user doesn't understand.|
|3.2: Make web pages appear and operate in predictable ways.||It's unpredictable whether the IP reputation assessment will invoke a CAPTCHA and also unpredictable whether a CAPTCHA solution will be accepted. The time you have to solve the puzzle is also unpredictable.|
|4.1.: Maximize compatibility with current and future user agents, including assistive technologies.||When a user attempts to use |
- Cloudflare inflicts customers and web users with excessive vulnerabilty to exploits.
- Cloudflare's immense centralization becomes catastrophic when a single bug emerges. The degree of damage is acutely heightened when over 10% of the web is subject to vulnerabilities on Cloudflare. The enticement for malicious hackers to find a zero-day is also greatly heightened as a result of the widespread scale of impact. Cloudbleed was a vulnerability that had serious widespread consequences. Even a simple accident at Cloudflare like a one-line erroneous regular expression brought down a huge segment of the web on July 17th, 2020. August 11-12: "Cloudflare went down and took over Discord and some game program (which proxies packets through Cloudflare)."
- A tragedy of the commons has manifested. Website owners are baited to act independantly in their own self interest by using Cloudflare at no charge-- but each website that becomes part of Cloudflare shrinks the ethical decentralized web while incrementing the size of the centralized walled-garden which inflicts harm to everyone collectively. Each website owner only perceives Cloudflare as solving their problem but unwittingly they create a host of new problems for everyone else. It's a selfish move that occurs on a much larger scale than the quantity of selfish personalities because most of Cloudflare's patrons are kept in the dark as to the harm they're contributing to.
- Cloudflare's proliferation is a product of the Tyranny of Convenience. They've made it so easy for website owners to proxy their website that a rapid spread exacerbates the tragedy of the commons.
- Cloudflare is detrimental to availability
- The CAPTCHAs are often broken.
- E.g.1: some browsers that block j/s always report errors communicating with the captcha server on all CF-pushed CAPTCHAs
- E.g.2: the CAPTCHA server itself refuses to give the puzzle saying there is too much activity.
- The CAPTCHAs are often unsolvable.
- E.g.1: the CAPTCHA puzzle is broken by ambiguity (is one pixel in a grid cell of a pole holding a street sign considered a street sign?)
- E.g.2: the puzzle is expressed in a language the viewer doesn't understand.
- The CAPTCHAs block all robots indiscriminately causing collateral damage to beneficial (non-malicious) robots.
- GUI CAPTCHAs deny service to users of text-based web browsers. E.g. Cloudflare's GUI CAPTCHA breaks
- Cloudflare uses punitive collective judgement as a consequence of mislabeling Tor traffic.
- "Experts say that group punishment is ineffective, counterproductive, lazy and unethical"
- Cloudflare's use of this technique is acutely and perversely abusive because they harm potentially as many as 70,000 users in the course of countering just one single bad actor. And worse, unlike typical uses of collective punishment this is not in the slightest a situation where the other 70,000 have any shred of influence over the one malicious user.
- A study finds that collective punishment is strictly counterproductive.
- Cloudflare's detriment to democracy
- CF impedes petition signing on change.org, moveon.org, and actionnetwork.org. Voters who are blocked by CF's access restrictions are effectively denied participation in democratic processes.
- CF blocks voters from accessing information about candidates published on sites like www.opensecrets.org.
- Voter suppression: CF impedes voter registration, disenfranchising voters in 8 US states (16% of voter registration sites).
- Cloudflare's censorship and reduced access to educational material
- Cloudflare restricts access to scientific papers.
- Universities outsource ebooks to Proquest, a Tor-hostile Cloudflare site. RUC is an example of a university that closed their library during the pandemic, while online access to books is subject to Cloudflare's terms and privacy abuses. Proquest's blockade violates several clauses in the ALA Library Bill of Rights, undermines the ALA Freedom to Read Statement, and undermines paragraphs 1-3 and 6 of the ALA Code of Ethics. More specifically, the ALA states in their encryption guidelines that "library vendors should work towards ensuring that all their websites and online services communicate securely over the web by using encryption." and that libraries should "enable users to remain anonymous and avoid both commercial and government surveillance."(emphasis added) Proquest's use of CF also undermines several parts of the Library Privacy Guidelines for Vendors.
- ACM's Digital Library is jailed in Cloudflare's exclusive walled-garden despite ACM's intent to be "open" during a pandemic. The perverse affect is that privacy-seekers are subject to CF's privacy abuses when attempting to access a paper about privacy abuse.
- Cloudflare attacks freedom of expression.
- When a review exposed Cloudflare's doxxing of whistle blowers, CF censored the review.
- Cloudflare is a burden on the environment
- Images account for the most significant burden on Internet bandwidth and power consumption as a result. Naturally the most ecological web users are those who do not download images (robots, users of text browsers, and users who disable image retrieval). Because robots tend not to download images, anti-robot algorithms target all image-free sessions as robotic. Cloudflare consequently attacks the most ecological users on the web.
- CF forces transmission of copious bandwidth-wasting images in order to supply CAPTCHAs.
- Cloudflare stifles innovation and culture. Robots are a crucial component to innovation. CF's attack on robots means people can't even use wget to download files. As a consequence, mp3 files (for example) can only be downloaded one at a time by manually clicking on each file. An immeasurably broad range of innovations depend on robots to provide capabilities that are not economically viable with manual labor. Many robotic innovations are created for the sole purpose of improving the usability of user interfaces that are either poorly designed for all users or the design overlooks the needs of some users.
- False statements, deceptive practices, and poor character of Cloudflare
- No transparency[citation needed - https://www.cloudflare.com/insights/]: as Cloudflare performs a DoS attack on Tor users they obviously do not inform web owners. Web owners are usually unaware that legitimate patrons are being blocked from accessing their site. These businesses are all damaged so that one business can profit.
- False errors are displayed when j/s is disabled.
- Cloudflare deceives website visitors into believing their connection is secure (HTTPS & browser padlock) when in fact the user is MitMd.
- Cloudflare has been caught making false statements to the public. CF said in their FaQ: "Why should I trust Cloudflare? You don’t need to. The Cloudflare Onion Service presents the exact same certificate that we would have used for direct requests to our servers," the first part of which is incorrect. Cloudflare sees all traffic traversing their servers in the clear, regardless of how secure the tunnel to them is. So of course Cloudflare requires your trust. The second statement about certificates is non-sequitur and irrelevant to the question of trust.
- Cloudflare deceives users about what the problem is, causing users to blame Tor or their browser. Cloudflare suggests to Tor users who reach the CAPTCHA "If you are on a personal connection, like at home, you can run an anti-virus scan on your device to make sure it is not infected with malware."
- Lack of human decency -- CF's mean-spirited CEO displays schadenfreude amid the grief his company has caused innovative people who use the web non-maliciously.
- Ironically, Cloudflare spams people (despite their spam-mitigation purpose). Customers (former and current) as well as people who never used CF are receiving spam from Cloudflare. Customers receive spam from CF without express consent and possibly contrary to privacy policies. This is deceptive because spam mitigation is one of Cloudflare's selling points.
- Cloudflare outsourced video surviellance to a supplier of poorly secured cameras, which were compromized
- When a large profit-driven tech giant uses a non-profit fund raising platform to solicit donations to feed their own staff at events, it's clear that professionalism is in short supply at Cloudflare Inc.
- Cloudflare asks those who anonymously report illegal conduct on their websites to reveal their true identity. Yet CF has a history of doxxing whistle blowers and making them into victims. Instead of apologizing in the child porn case, the CEO (Matthew Prince) said the whistle blowers should have used fake names. (see "Cloudflare shelters criminals" below)
- Cloudflare shelters criminals
- CF protects pro-ISIS websites from attack.
- CF protected a website that distributed child pornography. When a whistle blower reported the illegal content to CF, CF actually doxxed the people who reported it. Cloudflare revealed the whistle blowers' identities directly to the dubious website owner, who then published their names and email addresses to provoke retaliatory attacks on the whistle blowers! Instead of apologizing, the CEO (Matthew Prince) said the whistle blowers should have used fake names.
The creepy thing about Cloudflare is that unlike other tech giants (mainly Google, Facebook, and Microsoft), Cloudflare insidiously hides their own presence from the websites they've compromized. The world's entire online population is interacting with Cloudflare and most are entirely unaware of Cloudflare's presence. The sneaky way that they operate enables their growth to go unchecked and uncontrolled. There are tools to help those users avoid Cloudflare.
|Claire||Claire is a Google Chrome extension that turns orange if the current page is on the Cloudflare network. Clicking on the icon will show additional information about the page.|
|Privacy Pass||The Privacy Pass extension provides users with the ability to create and sign cryptographically blind tokens for websites that support the Privacy Pass protocol. The extension generates passes containing cryptographically "blinded" tokens that are signed by the web server when a challenge page is solved.|
|Decentraleyes||Cut out the middleman by providing lightning speed delivery of local (bundled) files to improve online privacy.|
|Block Cloudflare MITM Attack||This add-on blocks Cloudflare sites or redirects to a non-Cloudflare mirror of the target site so you can read the content. It comes in Chromium and Firefox versions.|
|Are links vulnerable to MITM attack?||This add-on scans the links on the page you are viewing and tags those that lead to Cloudflare, so you know before clicking if the site should be avoided. It comes in Chromium and Firefox versions.|
|Ss||This is the search engine. It's fed by quality sources and filters out CloudFlare sites, so you avoid the risk and inconvenience of having MitM traps littered throughout search results.|
|Detect Cloudflare||This add-on adds an icon to the toolbar which indicates whether the current page uses Cloudflare. Detection is performed by analyzing the response headers of all requests.|
|True Sight||Easily find out which content delivery networks are serving you content on behalf of web servers.|
|onionflare||Prevents Cloudflare CAPTCHAs on Tor via Firefox. This extension adjusts Firefox's request behavior (in particular the headers) to look more like the Tor Browser, so that Cloudflare sends the alt-svc header and no one has to bother with CAPTCHAs anymore.|
|Which Cloudflare datacenter am I visiting?||Add an icon to show whether the site you're visiting is on Cloudflare. If so, which datacenter you are hitting.|
|Crimeflare Public DNS||This is the public DNS resolver which filters out Cloudflare response. Supported protocols are DNS-over-HTTPS and DNS-over-TLS.|
For more tools and comprehensive guidance in defending yourself and others from Cloudflare, cloudflare-tor is useful.
- 그레이트 클라우드 월 (codeberg.org/crimeflare)