this post was submitted on 26 Oct 2025
6 points (100.0% liked)


The EFF wrote in their most recent newsletter:

… Because it's your rights we're fighting for.

  • Your right to speak and learn freely online, free of government censorship
  • Your right to move through the world without being surveilled everywhere you go
  • Your right to use your device without it tracking your every click, purchase, and IRL movement
  • Your right to control your data, including data about your body, and to know that data given to one government agency won’t be weaponized against you by another
  • Your right to do what you please with the products and content you pay for …

Cloudflare has been DoSing the whole Tor community for over a decade now. Those who are not excluded from CF sites (over ⅓ of the web), who are free to move around only have that liberty because they submit to surveillance and give up their privacy.

EFF has ties to the Tor Project that are closer than most people realise. At the same time, Tor Project itself has submitted to licking Cloudflare’s boots. TP has quietly removed material from their blogs that criticises Cloudflare.

Searching EFF newsletters for Meta, Facebook, Google, Amazon, etc has no shortage of hits. But not a word about Cloudflare -- the most direct adversary of what EFF claims to fight for.

People are already aware of Google and Facebook. If they choose to pawn themselves to those platforms, they know what they are signing up for. It’s a waste of energy and resources to fixate on those known evils. EFF is doing a gross injustice by not informing people about Cloudflare.

Cloudflare is one of the few tech giants that wise users cannot escape. In some US states you cannot even register to vote without Cloudflare knowing. You can submit a paper registration but then the data entry worker still submits your personal data to a Cloudflare website.

It’s relatively trivial to escape Google and Facebook and protect yourself. Most of that battle is a matter of not registering and not accessing the services, and watching out for a few corner cases. Cloudflare fucks everyone by compromising websites whose admin doesn’t even know what they are signing up for and the fact that they are pawning all their own users. When your gov publishes legal statutes exclusively in Cloudflare’s walled garden or puts gov services inside CF, we’re fucked to an extent that is much more beyond our control.

I will not donate to EFF until they get their priorities straight.

[–] freedomPusher@sopuli.xyz 2 points 1 day ago (1 children)
[–] partial_accumen@lemmy.world 3 points 1 day ago (1 children)

I don’t really have time to write a book here and now, but I’ll start with some articles:

I can appreciate citing existing sources instead of typing your own synopsis. No worries there.

Full disclosure, prior to seeing your post, I didn't actually know exactly what Cloudflare was doing with its service, but about 5 minutes of reading Cloudflare product configuration documentation and my prior knowledge of IT represent what I've outlined below. I don't claim to be an expert in Cloudflare, but the criticisms lobbed at Cloudflare appear to be either trivial or grossly misrepresented by these articles. I'll also say that I only read your first linked article and one article linked inside of that one.

https://thefreeworld.noblogs.org/post/2024/03/18/cloudflare-has-created-the-largest-most-rigidly-exclusive-walled-garden-in-the-world/

So I read this source thoroughly and the main complaints are these three claims:

The 3 oppressions of walled gardens:

(oppression 1) Exclusion— to keep people out
(oppression 2) Trapping— to keep people locked-in and held captive by inducing dependency
(oppression 3) Opacity— to keep people uninformed

I'll address my opinion of each:

(oppression 1) Exclusion— to keep people out

As a consequence, money-saving shortcuts are taken and Cloudflare uses a cheap blocking criteria based crudely on IP reputation.

Entire subnets or national TLDs are blocked because they come from places or nations that do little to stop bad actors from doing bad acts. How many times do you have to get port scans or malware introduction attempts from these subnets, especially when you have few to zero legitimate users, before the better action is to block the whole subnet? As someone that maintains servers, the constant threat and time consumed trying to protect against these is immense. It's simply unreasonable to place the burden on server administrators to continuously put their servers in harm's way simply to conform to an ideal when there may even be zero users coming from these places you're interested in serving. I have no issue with this Cloudflare behavior.

(oppression 2) Trapping— to keep people locked-in and held captive by inducing dependency

When a website administrator joins the cage by opting to reverse proxy their services via Cloudflare’s walled garden, the visitors of the website have no choice in this decision. The end user is forced into a disempowered take-it-or-leave-it proposition and thus trapped to an essentially absolute extent.

This idea suggests that the mitigation should be the web user should have more power/choice over the web server than the owner themselves. That's a bizarre notion to me. A random web user is not automatically entitled to more than what the web server owner is willing to give. I have no issue with this Cloudflare behavior.

(oppression 3) Opacity— to keep people uninformed

There's actually two points wrapped up into one here. Point 1:

There is an included group and an excluded group. People in the excluded group clearly see the garden wall. It’s a dysfunctional blocking page in their face with no means to progress toward the content sought, or it manifests as an (often broken) CAPTCHA. People in the INCLUDED group have no login requirement or any extra steps to enter the walled garden.

This is a repeat of the idea from "oppression 2". The excluded group is wanting more than the web server is willing to give (for whatever reasons). This is the same complaint that the web user should be prioritized over the web server owner. I reject this notion.

Point 2:

Another instance of oppression 3 manifests in the form of a browser padlock that deceives visitors of Cloudflared websites into thinking their traffic is secure between the user and the website’s host. In reality the padlock only indicates a secure line to Cloudflare, who sees everything including usernames and unhashed passwords.

The article presents this as objectively true, when in fact it's only true in some cases. I can't tell if the author is being willfully ignorant or if they simply don't know how technology works. What this comes down to is where in the chain the decryption occurs, if the traffic is ever re-encrypted (and how), or if the traffic is never decrypted to begin with. The article links to another, secondary article to explain the technical aspects. However, not only is this secondary linked article incomplete, it presents a false scenario which doesn't actually exist with Cloudflare, but less technically savvy users may not pick this up.

The one true scenario presented in the secondary article is this, where encryption is done from the client browser to Cloudflare. Cloudflare performs decryption and sends that unencrypted traffic to the server serving the web content. Cloudflare calls this the "Universal/Flexible encryption".

Here's the Cloudflare configuration that would set this scenario:

This is the only true scenario presented in the secondary article. The secondary article's author is right that this would be an insecure method. However, the author wrongfully assumes this would be commonly used to pass sensitive information. That's not the use case for this. This would be for a non-sensitive site that would improve privacy for non-sensitive sites with very little effort on the part of the web server owner. By using this, your ISP loses the ability to see what you're reading on this site. They can't scour your clicks to try to build advertising profiles. If this site is perhaps a cat care tips website, then it's not a situation where you're putting your credit card number, name or address in, so you really don't care if you click on "litter box recommendations" and that click data is going unencrypted from the Cloudflare endpoint to the cat care website server. This method of Cloudflare would never be used in a site that takes credit card data, for example. That would violate the PCI rules that protect credit card data.

The other configurations are end-to-end encryption. There are two configs which I won't go into here (one avoids another attack vector for bad actors), but for the purposes of this discussion they behave the same.

This means the web traffic is encrypted at the web user's side (using an SSL cert) and that data is passed through Cloudflare without ever being decrypted then sent to the web server serving the content. This is the config where you'd have your credit card data, name/address, sensitive information, etc. Cloudflare cannot see the data inside this web session.

The secondary article's author presents a third possible scenario which is entirely false. I'm copying their graphic and putting my red X over it to make sure this fiction dies here:

This simply isn't a possible config for Cloudflare. The fact that the secondary article's author completely leaves out the end-to-end encryption options and presents this false narrative as a shortcoming of the Cloudflare service makes me think they are being malicious.

Unless it wasn't clear for my assessment of "oppression 3", I have no issue with this Cloudflare behavior.

I appreciate you sharing your view that Cloudflare is bad or evil here. I disagree and hope that some of what I have posted has cleared up some misconceptions and falsehoods being presented as fact that will allow you to make your choice and form a more informed opinion.
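
Added example, not part of the comment above or of the linked articles: an origin-side check for the mode the comment calls "Universal/Flexible", where the visitor's padlock covers only the hop to the proxy. It assumes the origin accepts connections only from the proxy (otherwise the `CF-Visitor` and `X-Forwarded-Proto` headers can be forged) and that `wsgi.url_scheme` reflects the origin's real listener; the sensitive path prefixes and all sample requests are constructed for illustration.

```python
import json

SENSITIVE_PREFIXES = ("/login", "/checkout")  # hypothetical paths for this example

def visitor_scheme(environ):
    """Scheme the visitor used towards the proxy: CF-Visitor first, then X-Forwarded-Proto."""
    try:
        scheme = json.loads(environ.get("HTTP_CF_VISITOR", "")).get("scheme")
    except (ValueError, AttributeError):
        scheme = None  # header absent, not JSON, or not a JSON object
    if scheme is None:
        scheme = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
    return scheme if scheme in ("http", "https") else None

def hop_report(environ):
    """Compare what the visitor saw with what this origin's own listener saw."""
    if environ.get("wsgi.url_scheme", "http") == "https":
        return "encrypted-origin-hop"
    if visitor_scheme(environ) == "https":
        return "padlock-but-plaintext-origin-hop"
    return "plaintext"

class RequireEncryptedOriginHop:
    """WSGI middleware: refuse sensitive paths unless the hop into the origin used TLS."""
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        report, path = hop_report(environ), environ.get("PATH_INFO", "/")
        if path.startswith(SENSITIVE_PREFIXES) and report != "encrypted-origin-hop":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [("refused: " + report + "\n").encode()]
        return self.app(environ, start_response)

def demo():
    """Run three constructed requests through the middleware and return the statuses."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]
    guarded, seen = RequireEncryptedOriginHop(app), []
    for environ in (
        {"PATH_INFO": "/login", "wsgi.url_scheme": "http", "HTTP_CF_VISITOR": '{"scheme":"https"}'},
        {"PATH_INFO": "/login", "wsgi.url_scheme": "https", "HTTP_CF_VISITOR": '{"scheme":"https"}'},
        {"PATH_INFO": "/tips", "wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": "https"},
    ):
        guarded(environ, lambda status, headers: seen.append(status))
    return seen

if __name__ == "__main__":
    print(demo())
```

The first constructed request is the case the thread argues about: the visitor used HTTPS, the origin's own listener saw plain HTTP, and the sensitive path is refused.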

[–] JohnnyCash@sopuli.xyz 1 points 1 day ago (1 children)

Putting all that trust (against malice) into one for-profit corporation isn't really compatible with the idea of an open internet.

[–] partial_accumen@lemmy.world 3 points 1 day ago* (last edited 1 day ago)

Please point out the place malice would occur for your argument. As in, give me an example of malice if they wanted to be malicious.