👩🏼‍🤝‍👨🏿 🤮 ⚱️ CloudFlare - Internet Cancer 👴🏻 👩🏼‍🍳 🧑

Disclaimer: I myself use CloudFlare a lot and I think that they do a great job, help develop the Internet, give cool products for free, and overall great guys. The article describes the problems of globalization and new threats when the decentralized Internet becomes centralized.

When CloudFlare first appeared, it was a real revolution in web hosting: in two clicks, without moving to another server, you could connect a professional CDN to your website, which saved a lot of traffic, accelerated the loading of static files and also protected against DDoS. Previously, only companies could afford this for a lot of money, but now it has become available to everyone, also free!

Since then, CloudFlare has grown exponentially and today proxies a third of the Internet through its infrastructure. Because of this, problems arose that did not exist before. In a post, we will look at how CloudFlare threatens the normal functioning of the Internet, prevents ordinary people from using sites, has access to encrypted traffic, and what to do about it.

How to break a third of the Internet

July 2, 2019 as a result of the CloudFlare error completely broke . As a result, all services that somehow use their network were unavailable. Among the most famous: Discord, Reddit, Twitch. This has affected not only websites, but also games, mobile applications, terminals, etc. At the same time, even those services that do not directly use CloudFlare experienced problems due to third-party APIs that became unavailable.

In most cases, to use CloudFlare, clients direct their domains to their DNS servers. At the time of the accident, the control panel and API also became unavailable, due to which customers could not redirect their domains to bypass the CloudFlare network, thus being trapped: it was impossible to quickly disable proxies and return to their infrastructure. The only way out was to delegate the domain to their own DNS servers, but such an update could take more than a day, and most clients were not ready for this and did not have spare master DNS servers in this case.

Despite the fact that downtime was small, only a few hours, this significantly affected the entire industry. Due to non-working payment services, companies suffered direct losses. This incident revealed an obvious problem that was previously discussed only in theory: if the Internet is so dependent on one service provider, at some point everything may break.

If one company controls such a large part of the Internet, it threatens the stability of the network from both the technical and economic sides.

The concept of the Internet itself involves decentralization and resistance to such errors. Even if a part of the network is disconnected, the routing system is automatically rebuilt. But when one company manages such a large part of the traffic, the network becomes vulnerable to its mistakes, sabotage, hacks, as well as dishonest actions for profit. This idea is important for understanding the remaining issues, which we will discuss later.

You look suspicious

If the proprietary algorithms for detecting malicious CloudFlare traffic consider that you are an unworthy Internet user, web surfing will turn into a torment: on every fifth site you will see the requirements to undergo a humiliating captcha.

^{CloudFlare CAPTCHA can haunt you all over the Internet.}

The author of these lines goes to the Internet from the office IP address, behind which hundreds of other employees are sitting. Apparently CloudFlare decided that we all look like bots, and began to show everyone a very evil captcha. Sometimes it comes to the point of absurdity when some mobile applications cannot log in. As a result, in order to surf the Internet normally, you have to connect a VPN.

It turns out that CloudFlare can disconnect you personally from a large part of the Internet at any time if it doesn’t please you, or, due to erroneous detection, turn the usual use of services into torment.

We can see through HTTPS

To properly cache and filter content, CloudFlare servers must be able to see decrypted HTTP traffic. To do this, they always work in MiTM (Man-in-the-middle) mode, substituting their SSL certificate for the end site visitor.

Pictures in the HTTPS setup instructions can be misleading, as if in Full mode, encryption is used throughout the traffic flow. In fact, the CloudFlare server decrypts the traffic from the server and encrypts it again with its certificate for the site visitor.

^{In any mode of operation, CloudFlare decrypts SSL traffic.}

Even if you have a valid SSL certificate on your side, CloudFlare will still have access to all transmitted data. This discredits the whole idea of SSL, which involves encryption from the client to the destination server without decryption along the way.

In case of an error or hacking of CloudFlare servers, all confidential traffic will be available to attackers. Suffice it to recall a memory leak vulnerability that caused CloudFlare servers to spit out random memory contents directly into the page content. This could include cookies, accounts, credit card numbers, etc.

You also need to keep in mind that the special services of the country in whose jurisdiction Cloudflare Inc operates may request access to decrypted traffic, even if the original server is in a different jurisdiction. This turns the basic idea of SSL into fiction.

Not only infrastructure, but censorship

Initially, Cloudflare stated that it would only provide infrastructure for customers and did not plan to censor content resources, promising to be limited only to legitimate requirements from government agencies. So it was with the site of the famous LulzSec group, which coordinated hacks and DDoS attacks. On this occasion, Cloudflare released a statement .

However, after a while, Cloudflare decides to refuse service to the 8chan website based on its moral perceptions. Moreover, there were no court decisions or other formal reasons for this - they just decided so. This caused a public discussion about whether the provider can decide for himself which service is worthy to be served on its infrastructure and which is not. Reflection article on this topic in the New York Times:Why Banning 8chan Was So Hard for Cloudflare: 'No One Should Have That Power' .

Conclusion

Despite the fact that Cloudflare is an incredibly useful service and helps to significantly accelerate the delivery of content, as well as developing the Internet, its dangerous growth and the upcoming monopoly threatens the stability of the entire Internet. Let us try to summarize all of the above in simple theses:

You cannot store all eggs in one basket. It is simply unsafe, the price of an error in this case is too high. If one company has all the secrets of the world, it can always be hacked, make a mistake, or simply act dishonestly to squeeze competitors out of the market.
— . , , , .
SSL . , Cloudflare, — CloudFlare. .

This post does not urge to abandon Cloudflare, but only describes what in the future threatens such rapid growth and influence of this company. Think about whether you really need to use Cloudflare for your tasks, and if it’s impossible without it, consider Plan B in case of an emergency move.

For those who are looking for reliable servers, we launched the action: ISPmanager for three months for free. And plus the traditional 10% discount for Habré readers: