What do you guys think of CrimeFlare (deCloudflare)?

HN discussion:

EDIT: I realized that most mirrors of this website are censored for some reason with “HTTP/1.1 451 Unavailable For Legal Reasons” example: 1 and 2.

1 Like

Is there a specific part of that page that you are interested in/most concerned about?

To me it looks like a random grab-bag of FUD, minor complaints, misleading information, and some legitimate but overstated concerns about Cloudflare. There are also some things in there that are just plain wrong. I think the author would be better served by focusing on the 2 or 3 problems that are most important/critical to them in depth, rather than listing basically every single past, present, or hypothetical future concern, annoyance, or piece of hearsay. I also think using less intentionally loaded language, and a more objective tone, would help the author sound more serious/credible. To me it is hard to take the author’s valid concerns seriously because they are thrown in with so many other low quality and low effort statements.

I do definitely have concerns about centralization, there are ~5 or so major CDNs and Cloudflare is by far the largest. But Cloudflare also does a lot to meaningfully and practically improve privacy in real ways. At the web standards level they are often ‘on the right side’ of privacy & security related topics.

1 Like

|Free honey for everyone. Some strings attached.|

The well known CDN/Proxy security concerns.

1 Like

It isn’t 100% clear to me what concerns you are referring to, but there are some valid concerns and risks that do need to be appreciated and considered. However it is as you say, those concerns are pretty well known and accepted (some are just fundamental to the nature of what a reverse-proxy service exists to do, and how it does it, and others have more to do with centralization of a single service).

I think if centralization and introducing a MitM (intentionally) into the chain is your biggest concern, there are other sources that would be better to rely on to make that argument than the linked source which (in my eyes) kind of undermines its own credibility. It reminds me of all the similar Anti-___ or “___ is a honeypot” websites (anti-Signal, anti-Proton, and anti-Flatpak come to mind) that combine valid but overstated concerns with hyperbole, FUD, and hearsay. I think those websites do more harm than good; by grouping in legitimate concerns with a bunch of FUD they de-value the legitimate concerns and condition people to ignore them.

But a concern like terminating the HTTPS connection is a valid concern to be aware of; there is nothing objectively nefarious about that, but it is a real concern that needs to be thought through when choosing to use a reverse-proxy service. I am personally quite uneasy with that, but I also recognize that it wouldn’t be technically feasible to offer some of the services they offer without doing that.

7 Likes

Old FUD site, haven’t seen it mentioned of late.

5 Likes

Cloudflare Gateway can perform SSL/TLS decryption in order to inspect HTTPS traffic for malware and other security risks. When you enable TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a user-side certificate.

TLS decryption · Cloudflare Zero Trust docs

What’s the point of SSL if the middle guy can decrypt it?

Edit: actually Gateway seems to be a different product, sorry

The unfortunate reality is that for some websites it is essentially mandatory.


The biggest problem with the internet—which I have never seen an anti-Cloudflare post including this one address—is that DDoS attacks are a legitimate, widespread problem. Cloudflare provides protection against this, and does so for free.

Identify for me any other service which does this for free, or even for cheap. I don’t think anyone besides Cloudflare does. When you research this topic, the response you’ll usually get is “lol why u need ddos protection? maybe you don’t.” And no, I do :crazy_face:

Even if (and that’s a big if) there is a Cloudflare alternative that’s accessible to regular website operators, it would certainly operate in pretty much the same way as Cloudflare on a technical level. And that means you’re still trusting someone to perform this task, and control your network.

And then we’re getting into double standards territory, where you have to answer “why do I trust this alternative service more than Cloudflare?” Usually there isn’t a reason other than that the alternative is smaller, which is hardly a reason to choose a service.

I don’t think it’s great, but it is what it is.


:+1:

8 Likes

I came across What do you think about Cloudflare? · Issue #374 · privacytools/privacytools.io · GitHub

1 Like

CloudFlare’s immense centralization becomes catastrophic when a single bug emerges, like cloudbleed, which has unacceptable widespread consequences.

Is it really that centralized / single point of failure ???

1 Like

Yes, that is problematic.

Depends how you frame it I think. Centralization is definitely a valid concern, but maybe not quite as big a concern as some people (myself included) imagine it to be.

Cloudflare marketshare compared to its competitors is a staggering 80%,
That sounds like a really huge number until you consider that over 76% of websites don’t use a reverse proxy service whatsoever (so Cloudflare’s marketshare is really 80% of 24%), so Cloudflare’s total market share (in this market) is in the high teens (19%), which is lower than I thought.

While Cloudflare dominates its competitors overall, among the most popular, high traffic websites Cloudflare has less of an edge. It appears Akamai, Fastly, Amazon Cloudfront are less used overall, but more commonly used among high traffic websites, while Cloudflare is more popular overall, but a lot of that comes from small and medium sized websites (which I suppose makes sense considering they have a free plan for individuals).

Overall, I don’t feel informed enough to have a strong opinion about the severity of centralization, but at least this provides a partial picture with some numbers to get some sense of scale.

i think a single company controlling the tech != centralization.

single point of failure is a technical problem.

they could in-theory (my theory could be wrong) add something in the infra to mitigate single point of failure.

I would be very greedy if I asked for a DAO here, but I will anyways.

i think a single company controlling the tech != centralization.

single point of failure is a technical problem.

I think you may be grouping together two overlapping but fundamentally different concepts that are best considered separately.

Something can be “centralized” without being a “single point of failure” on a technical level, and something can have “a single point of failure” without being “centralized.”

A single company controlling a technology or platform or having a monopoly (which isn’t the case here, Cloudflare’s marketshare overall appears to be ~19%) can definitely be an example of centralization regardless of whether there is a single point of failure on a technical level.

My answer was/is focused on the centralization aspect. No idea about the single point of failure aspect as it relates to Cloudflare or other CDNs but I’d assume this is something that they’ve considered and designed for (and an area they likely have considerable expertise in).

this was my question.

https://www.devever.net/~hl/cloudflare

Cloudflare considered harmful

1 Like

https://expatcircle.com/cms/why-you-should-never-use-cloudflare-it-causes-problems-is-bad-for-seo-and-a-spyware-tool/

1 Like