On Cloudflare

Foreword

Cloudflare is a threat to online security and privacy. I am not the first on to address this issue, and I probably will not be the last either. Sadly, people still seem to be very uninformed as to what issues Cloudflare actually poses. There also seems to be a big misconception about the benefits provided by using Cloudflare. I would suggest reading the article on Cloudflare by joepie91 for a more thorough look at Cloudflare.

If anyone is using Cloudflare, please tell them to stop doing it. Link them to this page or any of the articles referenced here. Cloudflare is harmful to your visitors, and if you do not care about them, they will stop caring about you too.

A literal MITM attack

Cloudflare poses a huge risk by completely breaking the TLS/SSL chain used by browsers by setting itself up as a man in the middle. Cloudflare doesn’t do actual DDoS protection, they just make the request to the origin server for you. Once they have received the data, they decrypt it and re-encrypts it with their own certificate. This means that Cloudflare has access to all requests in plain text and can optionally modify the data you see. TLS/SSL is meant to prevent this very issue, but Cloudflare seems to care very little.

If we would consider Cloudflare to be a benevolent entity and surely never modify any data ever, this is still an issue. Much data can be mined from the plain text communications between you and the origin server. This data can be used for all kinds of purposes. It is not uncommon for the USA government to request a massive amount of surveillance information from companies without the companies being able to speak up about it due to a gag order. This has become clear once more by the subpoena on Signal. It should be clear to anyone that end-to-end encryption has to be a standard and implemented properly. Cloudflare goes out of its way to break this implementation.

Cloudbleed

The danger of their MITM style of operation was shown be the Cloudbleed vulnerability. It also shows that they make use of their MITM position to scan the data your site and a visitor are exchanging. This includes private data, such as passwords.

Even if you have an SSL connection to Cloudflare, they still decrypt it on their end. They then serve the content under their own certificate. This makes it look to the visitor like everything is secure, the browser says so after all. But in reality, they don’t have a secure connection to your server. They only have one up to Cloudflare, and when it reaches Cloudflare, they decrypt it and re-encrypt it using your certificate again. If you use one, of course, otherwise they’ll pass it on in plaintext back to your server, which is even more dangerous. Whether or not you do, the content exists in plaintext on Cloudflare’s servers, which is not what you want, if you truly care about security.

Eliminating your privacy

If Cloudflare were to fix their MITM behavior, the privacy problem would not be solved all of a sudden. There are more questionable practices in use by Cloudflare.

People who are using a VPN or an anonimization service such as Tor are usually greeted by a warning from Cloudflare. Let’s not talk about this warning being incorrect about the reason behind the user receiving the warning, but instead about the methodology used to "pass" this "warning". Cloudflare presents you with a page that requires you to solve a reCaptcha puzzle, which is hosted by a well known third party that tries to harm your privacy as much as possible, Google. If you do not wish to have Google tracking you all the time, you will not be able to solve these puzzles, and in effect, unable to access the site you were visiting. It is also interesting to note that this reCaptcha system is sometimes broken if your browser does not identify itself as one of the regular mainstream browsers such as Firefox or Chrome.

Some site administrators disable this specific check. However, this still means all your requests are logged by another third party, namely Cloudflare itself. As noted in A literal MITM attack, this data is still very interesting to some parties. And do not fool yourself: meta data is still very worthwhile and can tell a huge amount of information about a person.

Forcing JavaScript

This issue generally does not concern many people, as most people online nowadays use a big mainstream browser with JavaScript enabled. However, there are still people, services and applications that do not use JavaScript. This makes sites unavailable when they are in the "under attack" mode by Cloudflare. This will run a check sending Cloudflare your browser information before deciding whether you are allowed to access the website. This is yet another privacy issue, but at the same time, a usability issue. It makes your site unavailable to people who simply do not wish to use JavaScript or people who are currently limited to a browser with no JavaScript support.

It is also common for Cloudflare to Break RSS readers by presenting them with this check. This check is often presented to common user agents used by services and programs. Since these do not include a big JavaScript engine, there is no way for them to pass the test.

False advertising

DDoS protection

Cloudflare is hailed by many as a gratis DDoS protection service, and they advertise themselves as such. However, Cloudflare does not offer DDoS protection, they simply act as a pin cushion to soak the hit. Real DDoS protection works by analyzing traffic, spotting unusual patterns and blocking these requests. If they were to offer real DDoS protection like this, they would be able to tunnel TLS/SSL traffic straight to the origin server, thereby not breaking the TLS/SSL chain as they do right now.

It should also be noted that this gratis "protection" truly gratis either. If your site gets attacked for long enough, or for enough times in a short enough time frame, you will be kicked off of the gratis plan and be moved onto the "business" plan. This requires you to pay $200 per month for a service that does not do what it is advertised to do. If you do not go to the business plan, you will have about the same protection as you would have without it, but with the addition of ruining the privacy and security of your visitors.

Faster page loads

This is very well explained on joepie91’s article under the heading But The Speed! The Speed!. As such, I will refer to his article instead of repeating him here.