マリウス – Thoughts on Cloudflare

Summary

Thoughts on its role and impact on the web’s landscape.As many of you know, I am skeptical of the concept of relying on someone else’s computer, especially when a service grows to the point where it becomes an oligopoly, or worse, a monopoly. Cloudflare is, in my view, on track to becoming precisely that. As a result, I would argue they are a net negative for the internet and society at large.Besides the frustration they cause to VPN and Tor users through incessant captchas, Cloudflare’s infamous one more step pages have dulled users' vigilance, making them more vulnerable to even the most blatant malware attacks.Moreover, under the guise of iNnOvAtIvE cLoUd InFrAsTrUcTuRe, Cloudflare not only enable phishermen to phish and tunnelers to tunnel:Ironically, the very security measures they sell can be bypassed by bad actors using Cloudflare itself. It’s a similar irony that their systems, designed to shield clients from threats, sometimes struggle to defend their own infrastructure.Incidents like these highlight not only weaknesses in Cloudflare’s offerings but a broader issue: Cloudflare has become a highly attractive target for state-sponsored attacks, suffering from recurring breaches. Their sheer scale, considering that they are serving a substantial portion of the internet, means that an outage or compromise could have widespread, costly consequences.Another major concern is, that in many cases, Cloudflare acts as a man-in-the-middle SSL-terminating proxy between users and websites. They have visibility into everything users do on these sites, from browsing habits to submitting sensitive personal information. This makes Cloudflare a prime target for any actor seeking to harvest massive amounts of data. The Cloudbleed incident clearly demonstrated the risks:Tavis Ormandy posted the issue on his team’s issue tracker and said that he informed Cloudflare of the problem on February 17. In his own proof-of-concept attack he got a Cloudflare server to return “private mes...