I think this rant greatly exaggerates the alleged “risk” that CloudFlare poses, and also makes unsubstantiated claims about the inadequate protection provided by CloudFlare
I do think it’s a good thing for more people to consider self-hosted options, but we should do this on the merits and not in an artificial climate of fear
There’s no way to know what cloudflare is doing with your data. It is therefore a true risk. We have the technology (end-to-end HTTPS) to allow DDOS protection without allowing man in the middle. If Cloudflare is doing something else, we have full reason to be skeptical.
Sure, and it’d be nice for CloudFlare to offer a service that was compatible with end-to-end HTTPS
But this would be incompatible with the CAPTCHA insertion, right?
And instead of being able to use signal from the content of requests to identify an attack, they’d only be able to use the signal from the unencrypted part of the TCP exchange
This seems like inferior protection to me, but for some this might be the better compromise, and we have every right to seek such a compromise
Using captchas is another problem with cloudflare, no other hoster/provider needs that. So for users there are just downsides with cloudflare. Unfortunately a lot of websites decide to use it, and there is nothing we can do.
True, there are some attacks that cloudflare may be better positioned to mitigate…but a well-designed application won’t be susceptible to attacks unless they involve a huge amount of traffic, and in those cases the amount of traffic is so huge that it can be detected easily without needing to see the http content.
For some sites, both the content publisher and the consumer may prioritise availability over perfect secrecy (e.g. distributing life-saving information in a natural disaster or war)
There might not be a single product on the planet that is more suitable for this use case than Cloudflare
Many sites and many consumers will not share this priority of values, however, so I agree that Cloudflare is inappropriate for these cases
I’m sure for many people it is true that the USA government is a major threat, but neither “USA” nor “government” appear in the article/rant, and ideally an article written for these people wouldn’t single CloudFlare out, but would list major companies that this applies to equally
I’d even take this further and say that we shouldn’t trust software (or hardware) vendors that are beholden to laws in any of the Five Eyes countries ( https://en.wikipedia.org/wiki/Five_Eyes )
Just read the BBC article, see the link I postex above. The US government was directly involved when they started Cloudflare. Cloudflare’s CEO leaves no doubt about that.
I think this rant greatly exaggerates the alleged “risk” that CloudFlare poses, and also makes unsubstantiated claims about the inadequate protection provided by CloudFlare
I do think it’s a good thing for more people to consider self-hosted options, but we should do this on the merits and not in an artificial climate of fear
There’s no way to know what cloudflare is doing with your data. It is therefore a true risk. We have the technology (end-to-end HTTPS) to allow DDOS protection without allowing man in the middle. If Cloudflare is doing something else, we have full reason to be skeptical.
Sure, and it’d be nice for CloudFlare to offer a service that was compatible with end-to-end HTTPS
But this would be incompatible with the CAPTCHA insertion, right?
And instead of being able to use signal from the content of requests to identify an attack, they’d only be able to use the signal from the unencrypted part of the TCP exchange
This seems like inferior protection to me, but for some this might be the better compromise, and we have every right to seek such a compromise
Using captchas is another problem with cloudflare, no other hoster/provider needs that. So for users there are just downsides with cloudflare. Unfortunately a lot of websites decide to use it, and there is nothing we can do.
See: https://lemmy.ml/post/209462/comment/144156
True, there are some attacks that cloudflare may be better positioned to mitigate…but a well-designed application won’t be susceptible to attacks unless they involve a huge amount of traffic, and in those cases the amount of traffic is so huge that it can be detected easily without needing to see the http content.
For some sites, both the content publisher and the consumer may prioritise availability over perfect secrecy (e.g. distributing life-saving information in a natural disaster or war)
There might not be a single product on the planet that is more suitable for this use case than Cloudflare
Many sites and many consumers will not share this priority of values, however, so I agree that Cloudflare is inappropriate for these cases
The biggest point against cloudflare is that it is a US-based company and is vulnerable to US government spying.
I’m sure for many people it is true that the USA government is a major threat, but neither “USA” nor “government” appear in the article/rant, and ideally an article written for these people wouldn’t single CloudFlare out, but would list major companies that this applies to equally
I’d even take this further and say that we shouldn’t trust software (or hardware) vendors that are beholden to laws in any of the Five Eyes countries ( https://en.wikipedia.org/wiki/Five_Eyes )
Australia’s Assistance and Access Bill 2018 surely damages the credibility of Australian vendors, possibly even more than USA vendors: https://www.techtarget.com/searchsecurity/definition/Australian-Assistance-and-Access-Bill
Just read the BBC article, see the link I postex above. The US government was directly involved when they started Cloudflare. Cloudflare’s CEO leaves no doubt about that.