I really hate this framing. The title is an old meme, but to me it always feels like a false way to present your case by making it feel more "official" than it really is. I'd rather it be titled something like "Here's why you should be careful when using Cloudflare" or "Cloudflare runs into issues when using Tor or disabling JavaScript". The framing shuts down all debate, and ignores that it's mostly just considered harmful by the author. (more: https://meyerweb.com/eric/comment/chech.html)
I personally love Cloudflare. It's made a ton of stuff a lot easier for me as a developer. Sure, there's some downsides... but that's true with any service. (And a lot of the complaints are opt-in features that the web developer enabled)
It seems the author only has problems with Cloudflare almost completely because he uses Tor. Unfortunately, most Tor traffic is malicious (94%, by Cloudflare's count), and the whole point of Cloudflare is to prevent malicious attacks.
Anytime you do something for privacy (block ads, disable JS, use Tor), unfortunately things won't always work exactly how you expect.
Lastly, it ends with a weird conspiracy theory... "It is probably a US Government-attached intelligence agency". Okay.
He may be biased for using Tor, but it does come with a lot of problems even for non-Tor users. The 5-second wait it forces on a vast number of users[0] has cumulatively wasted thousands of man-hours world-wide; sometimes I even close the site before the 5 seconds are up and click the next Google search result because that is a bit faster (or at least less annoying).
In the same vein there are thousands of users complaining on Twitter[1] -and everywhere else- every day about the captcha Cloudflare forced upon them.
I worry about Cloudflare, but for different reasons. They are supposedly 10% of Internet traffic now, and probably much higher if you net out video and other things they aren't currently trying to gain marketshare in. Just the general monoculture worry around security, reliability, etc. Especially since they seem to front a lot of the smaller, independent web sites that I like.
If there was a competitor I'd switch immediately. But (as far as I know) no one else offers a comparable feature set with a free Basic plan. I'm a paying Cloudflare customer but only for those projects that are worth it.
And I wouldn't even need any of the newer features (even though I love Access). WAF, CDN and DDoS protection on a free plan for hobby projects would already be enough.
He also fails to mention some details about Tor itself:
- The bulk of the funding for Tor's development has come from the federal government of the United States, initially through the Office of Naval Research and DARPA.
> It seems the author only has problems with Cloudflare almost completely because he uses Tor.
Partly because they use Tor, partly because they use a browser which supports neither JavaScript, frames, nor images (i.e., Lynx). What both of these things have in common is that they are problems of the writer's own creation.
Also, Cloudflare's email address munging is optional. Web site operators can (and usually should) disable it.
> Partly because they use Tor, partly because they use a browser which supports neither JavaScript, frames, nor images (i.e., Lynx). What both of these things have in common is that they are problems of the writer's own creation.
Technically it is the developers whose sites don't degrade gracefully who created the problem for users. JS, images, frames, and trackability are not required to deliver much of what people want out of the web.
But then these devs look at the market consuming their site and see that about 0.5% of the users need graceful degrading and decide there are more important issues to work on. Can we blame them?
> Essentially, Cloudflare by design randomly perpetrates denial of service attacks on users, yet at the same time Cloudflare paradoxically advertises itself as a service to mitigate DoS attacks.
I guess he's trying to be snarky here, but it's obvious their business is to prevent DoS attacks against the server by malicious clients.
I imagine the extremely large majority of clients [fully-featured modern web browsers] can get past the captcha (or JS challenge), therefore it's only a 'DoS attack against the user' in the small number of situations where the user's client/browser doesn't have the technology required to solve the captcha (or JS challenge). If Lynx or other non-JS browsers had a surge in popularity and CF's enterprise customers complained, you can be assured they would have a solution out within a week that would not require JS or cookies.
There was another discussion a few weeks ago about how often in particular people from developing countries face captchas. Essentially Cloudflare knows first and second class citizens of the internet, and sites protected with Cloudflare will feel good in Western Europe and the US but might require captchas at every corner and are not necessarily sped up if you happen to be sitting in India or Nigeria.
It's a rather typical blindness of US (and to a lesser degree EU/AU/...) companies, which by design or accident care mainly about US and other rich country users.
It's surely a difficult problem to even comprehend without being in that situation, but the CF IP reputation systems don't flag certain ASNs or IP blocks just because of the location. Maybe there's less security and unpatched RCEs happen often, maybe NAT'ing hundreds of users behind an IP is commonplace (making a bad actor taint the IP reputation for 99 other users), maybe a good number of their users install things like the Hola VPN (where your computer turns into a VPN) or a Raspberry Pi device that also turns your computer into a "residential IP VPN" for extra cash. Regardless, if the automated threat detection systems see 100 IPs in a /24 block perform questionable requests, chances are that block or full ASN is going to get the boot.
Maybe that's the problem, the current scale of the internet and of human civilization means it's nearly impossible to use fairly-accurate humans for these types of things; the only option for managing something that works for the entire world is by turning to error-prone computers that we can only bet on someday being as good as humans at making decisions with the full context provided.
That's often down to site owners, not Cloudflare. I know of a few projects using captchas for all visitors from non-core markets. It drastically lowers malicious traffic while not hurting revenues by much. Not that I'd support it but I can understand why people decide to do that.
In that case Cloudflare enables them to do it but I wouldn't call them responsible.
About to read the article but "Cloudflare considered harmful" sounds like it's a news publication reporting on a well-known organization or government making a statement about CF being harmful. Based off skimming this, it looks like a personal opinion and would better be titled "I consider Cloudflare to be harmful".
A write-up like that and he did not mention the Cloudflare policy to inspect the traffic and log the words read / said and send info about things people have read / said to various gov agencies.
I must assume that he does not know this, and if this guy doesn't, then how to calculate the odds that X percent of Y (how many people are sharing what they read through Cloudflare's pipes every day?) - how many people don't know they are being spied on and info about them is being sent to others because a host is routing through Cloudflare?
I've got to wonder why the author blames Cloudflare for blocking Tor. Site operators have to use Cloudflare, and they do because blocking Tor is one of the easiest ways to reduce spam. Tor is good for privacy, but not great for the people running the sites. What makes him think that people wouldn't switch to another service? It sounds like he's pushing for Tor acceptance, but phrasing it poorly.
> Site operators have to use Cloudflare, and they do because blocking Tor is one of the easiest ways to reduce spam.
But most commonly Cloudflare just blocks access to what should have been a static version of the website in the first place.
You make it sound like it's actually very expensive to generate every single page. If so, you're doing the caching wrong. If not, then you don't really gain anything by blocking access to a few users to a static version of your website.
Source: I run a website with 400k pages; out of a single machine that I pay 30 EUR/mo for. It's kind of annoying when random Tor clients spam the hell out of my access_log. But is it worth blocking them to clean up my access_log? Not really.
One just-as-easy way to reduce spam is to use Google captcha only on actual spam entry points, meaning when a user wants to post a comment and such, but Cloudflare just covers absolutely all requests and doesn't care that you just wanted to access a static version of the URL.
People are not using Cloudflare because they block Tor. Most are not using them for DoS protection. They are using them for a variety of other reasons so they may not be aware of the situation.
Like their free DNS service that supports DNSSEC, Rotor (CDN JS optimisation), Let's Encrypt integration out of the box, low latencies where the users live, etc.
If you really care about the low latencies, you might want to not pull up megabytes of JavaScript libraries to simply render up a few bytes of text.
I have a single server on another continent, yet my pages load several times faster than any of these Cloudflare-powered websites served from another part of town.
Let's Encrypt itself is an artificial construct that your homepage would hardly benefit from, and where Cloudflare reaps the most benefits from by having it be a selling point that no one outside of commercial entities ought to need in the first place.