The EFF wrote in their most recent newsletter:
… Because it's your rights we're fighting for.
- Your right to speak and learn freely online, free of government censorship
- Your right to move through the world without being surveilled everywhere you go
- Your right to use your device without it tracking your every click, purchase, and IRL movement
- Your right to control your data, including data about your body, and to know that data given to one government agency won’t be weaponized against you by another
- Your right to do what you please with the products and content you pay for …
Cloudflare has been DoSing the whole Tor community for over a decade now. Those who are not excluded from CF sites (over ⅓ of the web), who are free to move around only have that liberty because they submit to surveillance and give up their privacy.
EFF has ties to the Tor Project that are closer than most people realise. At the same time, Tor Project itself has submitted to licking Cloudflare’s boots. TP has quietly removed material from their blogs that criticises Cloudflare.
Searching EFF newsletters for Meta, Facebook, Google, Amazon, etc has no shortage of hits. But not a word about Cloudflare -- the most direct adversary of what EFF claims to fight for.
People are already aware of Google and Facebook. If they choose to pawn themselves to those platforms, they know what they are signing up for. It’a waste of energy and resources to fixate on those known evils. EFF is doing a gross injustice by not informing people about Cloudflare.
Cloudflare is one of the few tech giants that wise users cannot escape. In some US states you cannot even register to vote without Cloudflare knowing. You can submit a paper registration but then the data entry worker still submits your personal data to a Cloudflare website.
It’s relatively trivial to escape Google and Facebook and protect yourself. Most of that battle is a matter of not registering and not accessing the services, and watching out for a few corner cases. Cloudflare fucks everyone by compromising websites whose admin doesn’t even know what they are signing up for and the fact that they are pawning all their own users. When your gov publishes legal statutes exclusively in Cloudflare’s walled garden or puts gov services inside CF, we’re fucked to an extent that is much more beyond our control.
I will not donate to EFF until they get their priorities straight.
I'm not a Tor user, but I found this post on the main page. I generally agree with the EFF in their mission and their actions. In your post here you're eluding to bad behavior by Cloudflare, but I'm not seeing anything specific called out.
What's your beef with Cloudflare?
I don’t really have time to write a book here and now, but I’ll start with some articles:
I can appreciate citing existing sources instead of typing your own synopsis. No worries there.
Full disclosure, prior to seeing your post, I didn't actually know exactly what Cloudflare was doing with its service, but about 5 minute reading Cloudflare product configuration documentation, and my prior knowledge of IT represents what I've outlined below. I don't claim to be an expert in Cloudflare but the criticism lobbed at Cloudflare appear to be either trivial or grossly misrepresented by these articles. I'll also say that I only read your first linked article and linked one article inside of that one.
So I read this source thoroughly and the main complaints are these three claims:
I'll address my opinion of each:
Entire subnets or national TLDs are blocked because they come from place or nations that do little to stop bad actors from doing bad acts. How many times do you have to get port scans or malware introduction attempts from these subnets, especially when you have few to zero legitimate users, before the better action is to block the who subnet. As someone that maintains servers, the constant threat and time consumed trying to protect against these is immense. Its simply unreasonable to place the burden on server administrators to continuously put their servers in harm's way simply to conform to an ideal when there may even be zero users coming from these places you're interested in serving. I have no issue with this Cloudflare behavior.
This idea suggests that the mitigation should be the web user should have more power/choice over the web server owner that the owner themselves. That's a bizarre notion to me. A random web user is not automatically entitled to more than what the web server owner is willing to give. I have no issue with this Cloudflare behavior.
There's actually two points wrapped up into one here. Point 1:
This is a repeat of the idea from "oppression 2". The excluded group is wanting more than the web server is willing to give (for whatever reasons). This is the same complaint that the web user should be prioritized of the web server owner. I reject this notion.
Point 2:
The article presents this as objectively true, when in fact its only true in some cases. I can't tell if the author is being willfully ignorant or if they simply don't know how technology works. What this comes down to is where in the chain the decryption occurs, if the traffic is ever re-encrytped (and how), or if the traffic is never decrypted to begin with. The article links to secondary another article to explain the technical aspects. However, not only is this secondary linked incomplete, its presents a false scenario which doesn't actually exist with Cloudflare, but less technically savvy users may not pick this up.
The one true scenario presented in the secondary article is this, where encryption is done from the client browse to Cloudflare. Cloudflare performs decryption, and sends that unencrypted traffic to the server serving the web content. Cloudflare calls this the "Universal/Flexible encryption".
Here's the Cloudflare configuration that would set this scenario:
This is the only true scenario presented in the secondary article. The secondary article's author is right that this would be an insecure method. However, the author wrongfully assumes this would be commonly used to pass sensitive information. That's not the use case for this. This would be for a non-sensitive site that would improve privacy for non-sensitive sites with very little effort on the part of the web server owner. By using this, your ISP loses the ability to see what you're reading on this site. They can't scour your clicks to try to build advertising profiles. If this site is is perhaps a cat care tips website, then its not a situation where you're putting your credit card number, name or address in, so you really don't care if you click on "litter box recommendations" and that click data is going unencrypted from the Cloudflare endpoint to the cat care website server. This method of Cloudflare would never be used in a site that takes credit card data, for example. That would violate the PCI rules that protect credit card data.
The other configurations are end-to-end encryption. There are two configs which I won't go into here (one avoids another attack vector for bad actors), but for the purposes of this discussion they behave the same.
This means the web traffic is encrypted at the web users side (using an SSL cert) and that data is passed through Cloudflare without ever being decrypted then sent to the web server serving the content. This is the config where you'd have your credit card data, name/address, sensitive information, etc. Cloudflare cannot see the data inside this web session.
The secondary article's author presents a third possible scenario which is entirely false. I'm copying their graphic and putting my red X over it to make sure this fiction dies here:
This simply isn't a possible config for Cloudflare. The fact that the secondary article's author completely leaves out the end-to-end encryption options and presents this false narrative as a short coming of the Cloudflare service makes me think they are being malicious.
Unless it wasn't clear for my assessment of "oppression 3", I have no issue with this Cloudflare behavior.
I appreciate you sharing your view that Cloudflare is bad or evil here. I disagree and hope that some of what I have posted has cleared up some misconceptions and falsehoods being presented as fact that will allow you to make your choice and form a more informed opinion.
Arbitrary collective punishment has to be seen as arcane and barbaric by 2025, no? I can’t wait until we make enough social progress to collectively see it as zombie-minded as racism.
I was unaware that Cloudflare blocks whole nations. That’s even sloppier than I was aware of. Can you give more details? Which countries? Cloudflare is not transparent about the demographics they exclude.
People travel. It’s extremely rare that a web admin can block a nation with an expectation of zero collateral damage. The possibility of Cloudflare knowing the web admin’s business is even less likely.
It’s mind-boggling how foolish admins are when they block countries or continents on the basis that residents have no business on their site. So when I travel overseas, there are some affairs I cannot manage in my homeland because of this stupidity.
“Better” is a slippery word. If a preemptive DoS attack on legit users is acceptable, you might like to endorse SpamHaus as well. The whole point to fighting spam is to protect the availability of legit traffic. When you directly attack legit traffic under the pretext of anti-spam, you’ve become an obstacle to your own purpose.
Pawning your own users to Cloudflare just shifts security problems onto others. You shift a new security problem onto all your users to escape the burden that was rightfully yours. And if you’re like all other CF sites, you also conceal CF’s role and consequences from the users.
There is no dichotomy of “harm’s way” some magical network that is outside of “harm’s way”. All connected servers are in harm’s way.
It’s simply unreasonable for an unmotivated admin to compromise the security of their users (who lack infosec expertise) in order to have an easier job securing the server.
This place of zero legit users you mention -- where is it? It’s certainly not the Tor network. It’s certainly not the CGNAT networks.
Try not to lose sight of the thesis. That behavior is part of what makes CF a walled garden. You may have no issue with walled gardens, but then what would the point be in reading the article?
That’s a false conflict. It’s not a competition. A server owner has an independent choice whether to trap their users in a walled garden. Choosing the open-free-world does not elevate the users’ power above the owner. What a bizarre notion. Server owners also have the choice whether to give users choice. E.g. freedom-respecting admins offer onion access as a clearnet alternative, like the privacy international website.
What’s bizarre is the idea of competitively comparing admin autonomy to user autonomy. They can (and should) both have autonomy, self-determination, and free choice. How do you make that leap from not trapping users to users have more power than the owner?
“Entitled” is a slippery word and also awkward in this context. Entitlement can be legal or moral, neither of which is implied by what you quoted. The article covers the meaning of a walled garden, not who is entitled to what.
Though orthogonal to the article, it can still be an interesting discussion. Consider that people are entitled to vote in general elections. Several US states have put online voter registration inside Cloudflare’s walled garden naively¹ using Cloudflare’s default config.
The analysis can get quite complex and messy. Even though /everyone/ is entitled to vote, only demographics of people who Cloudflare Inc. grants access have the privilege of registering online because the website owner is “unwilling²” to serve all those who are entitled to vote. You could say registering is an entitlement but not necessarily online reg, which is fair enough only if there are no eligible voters excluded by that. Not sure that’s a safe stance when all kinds of handicaps and situations might emerge where someone has web access but cannot obtain or complete a paper form. Paper forms are also a problem because of Cloudflare. I do not vote. Kamala lost my vote because even though I can do a paper registration, the data entry worker will still supply the sensitive form data to CF, who I distrust. IOW, trusting Cloudflare has become a pre-condition to voter reg.
¹ I say “naively” under the assumption that the SoS is impartial. Of course if the SoS is republican-leaning, voter suppression serves their party well. ² Unwilling, or in many cases is simply naive about excluded demographics.
Another walled garden feature you are happy with.
Of course. This is inherent in being denied access. If the excluded group did not want access, they would not even make the attempt to know they were being excluded. There would be no discussion to be had.
It’s not. When an oppressive resource controller marginalises a demographic of people, it is bizarre to frame that scenario as owners vs. users having “priority” over each other. It’s not a competition.
There are lousy owners and admins and there are competent ones. The most competent are skilled at separating spam from ham and not sabotaging copious ham to trash some spam. Fewer legit users are denied service when a competent admin is at the helm and it’s not because the users have more “priority” than the ownership. It’s because the ownership (and who they hire) are more skilled. They are also wise enough to measure detriment to ham (as opposed to the naive measure of just measuring the spam while neglecting collateral damage).
Would you mind saying if you are politically right of center? I’m curious because some recent research found that conservatives have a tendency to view the world as a zero-sum game; that if someone is gaining something then someone else must be losing. It explains xenophobia to some extent (for example) because if immigrants get a better life then it must come at the expense of someone else (per their zero-sum lens). Your tendency to think in terms of a priority between users and owners s.t. when users benefit the owner must be at a loss is analogous to this way of thinking.
And prioritized by WHO? The prioritization comment neglects that every stakeholder has the priviledge to rank for themselves what matters to them personally. Of course from the users’ perspective it’s satisfaction of user needs that matters most. The ownership’s needs only matters to the extent that users needs are served as a consequence. It’s naturally and inherently secondary. And inversely so for the ownership.
Your advocacy for prioritizing ownership above users in line with the enshitification trend that has downgraded all tech we’ve used over the past ~15 years.
Pre-gen-z, suppliers were rightfully expected to serve consumers. That has gotten adversely inverted. So now consumers have been made subservient to suppliers -- and they are conforming. It’s fucking shit up. A bathroom remodeling company has an appointment/contact page with CAPTCHA. So customers must dance for the supplier to solve shitty puzzles prior to having the privilege of spending thousands on a new bathroom. I walked, because I don’t bend over backwards to do service for suppliers while feeding those I boycott (Google). Service is their job. My job is to pay them.
Fixed that for you. It would not make sense for the author to complicate an article about what a walled garden is with rare unverifiable³ corner cases.
³ It’s technologically impossible for web users to prove whether Cloudflare or the server ownership holds the private key associated to the public key that the user’s browser gets from CF. But if you understand business and capitalism, you know the CF e2ee is a rare scenario.
…continued (due to post size limits)…
@joepie91@fedi.slightly.tech is an infosec researcher IIRC. I’m not up to speed on any recent CF changes but certainly what you call fiction was in play in 2016. It also make no sense that that would change.
Do you understand the difference between your 1st diagram and your last? The last config (which you call fictional) is actually more secure than the 1st (which has no CF←→origin TLS). The 1st diagram is the most reckless config.
I’m not a CF user, but I am certain admins have a choice whether to use TLS between their host and CF.
What are you saying a gratis (non-paying) subscriber does?
No, it does not “improve” privacy (LOL!) to put Cloudflare in the loop, who proxies over 30% of the world’s web traffic all with centralized access in a country without privacy safeguards. Imagine someone in Europe with two ISPs (home+work) and a few VPNs. Cloudflare has an inescapable aggregated view of their activity on ½ dozen different networks.
Separately, Cloudflares exclusion is an assault on privacy. The loss of privacy inherent in CGNAT and Tor is at the hands of CF.
Tor is better for that. CF just fucks up privacy.
Can you cite a source for this claim? The premium (paying) CF subscribers are a tiny minority.
Well, that’s interesting for sure. Can you link to something about that? I’ve not heard of those rules, but if it’s illegal (in the US, presumably) to let CF see CC data, rightfully so but seems unlikely. I would like to read about that.
BTW, I will be the judge of what is sensitive. A body of law can cover some obvious categories of sensitive data but that’s a very low bar. Each user can do their own threat model which cannot be prescribed by someone else.
It also means Cloudflare’s role of bringing the muscle is useless. CF cannot respond to client requests encrypted by another entity’s cert, so the original server bears the full load, thus defeating the top attraction to CF.
Can you explain why adding TLS to the CF←→origin segment in a “Universal/Flexible” config scenario would be impossible? If anything, it should be encouraged. It’s malicious to block that possibility.
You seem to have also missed the thesis of my post. The thesis is important because without it you’re blind about what the facts and arguments are trying to support. To be clear:
Without seeing the 3rd link, you mentally substituted a “CF is evil” thesis when reading my post and when reading the 1st link. So your analysis misses the purposes. I.e. you basically replied to “CF is a walled garden” with “CF is not evil”, and replied to my “CF is not aligned with EFF’s public values” post with “CF is not evil”.
Getting the facts right is the most important thing you can do. Opinions, meh, they are useful only to the extent that they put accurate facts into context. But the facts you present are dodgy. Joepie is more convincing. What he says makes sense. And it also concurs with others who have exposed the same problem as Joepie (he was not the 1st). Though you’ve seeded something that could be useful/insightful with the PCI rules.
It makes absolutely no sense that CF’s flexible config would refuse to proxy a TLS-only origin. There is a how-to doc covering how to Cloudflare proxy someone else’s website. I’m not going to dig for the link but that how-to would be fake news if your claim were true (that joepie’s diagram were bogus).
It’s really a tough sell to claim the e2ee configs are common enough to be noteworthy when that config dumps the gratis performance gains that bring CF patrons.
It was interesting to discover that I can see your pics. Lemmy.world is a Cloudflare site (last I checked). Pics are not cached or mirrored, so when pics are uploaded to a CF’d Lemmy node, everyone outside of Cloudflare’s walled garden just see broken links to unreachable images. Yes, CF breaks the fedi. So either LW ditched CF, or LW finally figured out how to whitelist Tor.
I trust you that your thesis is built upon your cited works. Therefore, I reject your thesis because your supporting cited words are flawed with bad analysis and incorrect conclusions.
I asked about the nature of your argument. Your provided the supporting documents, which are wrong, and they themselves are citing incorrect works. I don't blame you if you've arrived at wrong conclusions, you've started with bad source material. I'm not sure how to tell you to vet your sources better except perhaps to learn more about modern enterprise computing in both the public and private sectors. Your original claims had a stink on them when I first read them, but I gave them a chance because I wanted to see if I had incorrect info and I myself had formed incorrect conclusions. Nope, the stink was accurate and started from your bad source material.
You only read the article about the walled garden. And you actually agreed with the relevant facts that were there, and ultimately concluded that you have no problem with the circumstances that makes CF a walled garden. Your only dispute with the facts were in fact irrelevant. That is, CF is a walled garden regardless of whether there is TLS in the CF←→origin segment. It’s you who has the facts wrong on that (and failed to support your astonishing claim), but either way it does not matter for the walled-garden thesis or for my thesis.
As you said, you did not read the 3rd link, so you haven’t even begun to look at the supporting facts for my thesis. The fact that CF is a walled garden (1st article) barely scratches the surface of Cloudflare’s disalignment with EFF principles. That’s mostly covered in the cited works from the 3rd link that you ignored.
My astonishing claims? I failed to support my argument? I read actual Cloudflare documentation, which your sources apparently didn't. I provided screenshots and links to actual facts of the product. I'm not sure you have an actual understanding of what it means to support an argument. Wild conjecture not found upon factual information on your part isn't how you support an argument.
I gave you my time and attention and inquired about your position. You have to understand that offer from an audience isn't obligatory. You have a certain amount of time/effort to make your case. You chose to give 3 links and your first two were bad. If your thesis depended upon the 3rd, you should have lead with that. As it was, your links presented factually incorrect information and further cited factually incorrect information. Any faith I had in your arguments or interest in further understanding your position evaporated.
In the future, if you're trying to advocate for your position, have a little more respect for your audience's time or you will alienate them and never make your message heard exactly as you did here. You may have a valid thesis, though I doubt it, but I'll never know because of your presentation and poor sourcing.
Have a great day. Feel free to respond if you like, I won't be engaging further on this.
It makes no technical sense that Cloudflare would refuse to proxy a TLS site, which is implied by comparing your 1st diagram to @joepie91@fedi.slightly.tech’s diagram, the only difference of which is the CF←origin segment. Hence why the claim is astonishing.
Cloudflare is a biased source and they have been caught in lies (ref: 3rd article).
There are no links in your comment. Just pics. You would not likely be able to find a source that supports the claim the CF←origin segment is necessarily in the clear.
You quoted from the first link so obviously it’s a good link.
If you’re actually trying to say the /content/ is bad, this is what you’ve failed to show. You attempted to criticise @joepie91@fedi.slightly.tech’s article which was 2 links deep. You failed because the viability of the 1st diagram does not obviate the joepie’s more accurate reality (most sites use TLS these days).
Indeed it was a non-intuitive sequence. The links were pasted in a hurry.
This is what you failed to show. You did not even address the 2nd link; in fact said you did not read it. Your 1st response presented bogus misinfo on your part. The last diagram (@joepie91@fedi.slightly.tech’s) is by far the most common configuration.
Putting all that trust (against malice) into one for-profit corporation isn't really compatible with the idea of an open internet.
Please point out the place malice would occur for your augment. As in, give me an example of malice if they wanted to be malicious.
Clearly you misunderstood what you read. @JohnnyCash@sopuli.xyz’s reference to malice is not as you imply.
His fact is correct and his opinion is well supported by it. Specifically, it’s a fact that Cloudflare requires trust. And when over 30% of the (world-wide) web is in that single walled garden by a single US corporation, it’s obviously sensible to conclude that a lot of trust is required.
Your reference to malice is a straw man. JC did not say CF was itself malicious (but if he were to, it would be a reasonable claim anyway as CF’s harm to legit traffic is deliberate). You must also trust Cloudflare to be competent and not have serious defects (e.g. Cloudbleed). You must trust their diligence with incident response (accidental or malicious). You trust Cloudflare to not suddenly spontaneously hold a website hostage and demand large sums of money (for example).
Finally, JC’s comment that CF is incompatible with an open Internet is an opinion, but it’s spot on if you understand the difference between walled gardens and open resources.
I am so very glad you posted this reply before I responded to your point-by-point of our other conversation.
I had read your other reply first and was considering how to approach your wild thoughts and dismissal of the rights and implied obligations of others.
Its not my reference, its @JohnnyCash's. The sum total of my post was asking @JohnnyCash to expand on his statement for better clarity so we could discuss it. Somehow you are trying to twist that request for more information on his opinion into saying its an opinion of my own. Thats unhinged of you.
@JohnnyCash@sopuli.xyz’s reference to malice was different than yours (coming from an entirely different entity in fact). The “twist” was in your misrepresentation of his reference. Hence why your response was a straw man. At 1st I did not regard your strawman as willful malice because it could have been down to very sloppy speed-reading. But now that you have had a chance to revisit his very simple comment, either you’re attempting intellectual dishonesty at this point or English is not your first language.
It was a loaded question. That is, the question itself makes no sense if you comprehend what JC wrote. I don’t believe JC could have been more clear. There was no ambiguity in his reference to malice.
I fully admit I don't comprehend what JC wrote, thats why I was asking for clarification and and example.
Awesome, good luck changing any minds to your position if you (and JC apparently) can't even connect with your audience that is actively engaging with you on your topic.
You're correct about what I meant. I blocked the other person in this conversation because honestly I have more on my mind than engaging with something that sounded like bad faith. I agree wholeheartedly with you about anything you say about CF. They're trying to ruin the last bit of internet I enjoy simply because I'm in a country they don't like. Thanks for fighting the good fight!