HN discussion:
EDIT: I realized that most mirrors of this website are censored for some reason with “HTTP/1.1 451 Unavailable For Legal Reasons” example: 1 and 2.
Is there a specific part of that page that you are interested in/most concerned about?
To me it looks like a random grab-bag of FUD, minor complaints, misleading information, and some legitimate but overstated concerns about Cloudflare. There are also some things in there that are just plain wrong I think the author would be better served by focusing on the 2 or 3 problems that are most important/critical to them in depth, rather than listing basically every single past, present, or hypothetical future concern, annoyance, or piece of hearsay. I also think using less intentionally loaded language, and a more objective tone, would help the author sound more serious/credible. To me it is hard to take the author’s valid concerns seriously because they are thrown in with so many other low quality and low effort statements.
I do definitely have concerns about centralization, there are ~5 or so major CDNs and Cloudflare is by far the largest. But Cloudflare also does a lot to meaningfully and practically improve privacy in real ways. At the web standards level they are often ‘on the right side’ of privacy & security related topics.
1 Like
|Free honey for everyone. Some strings attached.|
The well known CDN/Proxy security concerns.
1 Like
It isn’t 100% clear to me what concerns you are referring to, but there are some valid concerns and risks that do need ot be appreciated and considered. However it is as you say, those concerns are pretty well known and accepted (some are just fundamental to the nature of what a reverse-proxy service exists to do, and how it does it, and others have more to do with centralization of a single service).
I think if centralization and introducing a MitM (intentionally) into the chain is your biggest concern, there are other sources that would be better to rely on to make that argument than the linked source which (in my eyes) kind of undermines its own credibility. It reminds me all the similar Anti-___ or “___ is a honeypot” websites (anti-Signal, anti-Proton, and anti-Flatpak come to mind) that combine valid but overstated concerns with hyperbole, FUD, and hearsay. I think those websites do more harm than good by grouping in legitimate concerns with a bunch of FUD they de-value the legitimate concerns and condition people to ignore them.
But concerns like terminating the HTTPS connection is a valid concern to be aware of, there is nothing objectively nefarious about that, but it is a real concern that needs to be thought through when choosing to use a service reverse-proxy service. I am personally quite uneasy with that, but I also recognize that it wouldn’t be technically feasible to offer some of the services they offer without doing that.
7 Likes
Old FUD site haven’t seen it mentioned of late.
5 Likes
Cloudflare Gateway can perform SSL/TLS decryption in order to inspect HTTPS traffic for malware and other security risks. When you enable TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a user-side certificate.
TLS decryption · Cloudflare Zero Trust docs
What’s the point of SSL if the middle guy can decrypt it?
Edit: actually Gateway seems to be a different product, sorry
The unfortunate reality is that for some websites it is essentially mandatory.
The biggest problem with the internet—which I have never seen an anti-Cloudflare post including this one address—is that DDoS attacks are a legitimate, widespread problem. Cloudflare provides protection against this, and does so for free.
Identify for me any other service which does this for free, or even for cheap. I don’t think anyone besides Cloudflare does. When you research this topic, the response you’ll usually get is “lol why u need ddos protection? maybe you don’t.” And no, I do 
Even if (and that’s a big if) there is a Cloudflare alternative that’s accessible to regular website operators, it would certainly operate in pretty much the same way as Cloudflare on a technical level. And that means you’re still trusting someone to perform this task, and control your network.
And then we’re getting into double standards territory, where you have to answer “why do I trust this alternative service more than Cloudflare?” Usually there isn’t a reason other than that the alternative is smaller, which is hardly a reason to choose a service.
I don’t think it’s great, but it is what it is.
6 Likes