Cloudflare has spent the last 10 years building itself into one of the world's largest cloud service providers. However, recent revelations regarding their network being 'hijacked' by paedophiles, terrorists and drug runners, as well as continuing concerns about the way they manage data and connectivity, have taken the shine off their recent IPO.

Cloudflare's declared mission is to 'help build a better Internet'.

Traditionally, industry vendors have supplied standalone hardware boxes to address security, performance and reliability issues. These boxes, often deployed in on-premise data centres, delivered a variety of functions including firewalls, traffic management and network optimization. Cloudflare have built a global cloud platform that delivers all of the above and more, allowing businesses to believe they are getting a secure network of performance enhancing applications at reduced cost and complexity. However, what are the potential costs of compromised data security and network outages from permitting one provider to manage ALL of your data streams?

So what do they do?

DNS (Domain Name System) is an internet service that translates domain names into IP addresses; it is basically a giant distributed virtual phone book. Cloudflare provides the SaaS (Software as a Service) suite access to the global internet via their DNS service.

Cloudflare claim to manage over 20 million internet properties and generate more than 1 billion unique IP addresses per day. They do this across a network of over 190 separate data centres with a combined installed capacity of over 30 Tbps. They are seriously big and that, in itself, is a concern!

Who markets it?

Cloudflare are a Delaware-registered IT corporation founded in 2009, with co-founder Matthew Prince as CEO. The core idea grew out of a project initiated by Prince and fellow co-founder Lee Holloway.

Back in 2003, Lee Holloway and I started Project Honey Pot as an open source project to track online fraud and abuse. The project allowed anyone with a website to install a piece of code and track hackers and spammers. We ran it as a hobby and didn't think too much about it until, in 2008, the Department of Homeland Security called and said "Do you have any idea how valuable the data you have is?" That started us thinking about how we could effectively deploy the data from Project Honey Pot, as well as other sources, in order to protect websites online. That turned into the initial impetus for Cloudflare.
Matthew Prince, CEO, Cloudflare

How does it operate?

Previously, when you went to a website, the request would go via a server, which in turn would return the requested page. When too many requests were submitted at the same time, the server could be overwhelmed and even potentially crash.

In order to address internet users' concerns about connectivity, speed and security, Cloudflare sought to provide a global network of data centres and cloud access. This, in turn, takes the management of the data streams away from the user... and that's when the fun and games begin!

What are the concerns?

- Enablement

As previously stated by many wiser people than the author, bad people tend to do bad things... and whilst a service provider has a responsibility to conduct appropriate due diligence on its customers, it can be a crapshoot! Cloudflare are fully aware of this and declared as much in their filing for their recent IPO.

Cloudflare may have provided service to terrorists, drug traffickers in violation of U.S. sanctions - CyberScoop
The update to Cloudflare’s regulatory filing comes just before the company’s IPO on Sept. 13.

Guilt by association or a failure in corporate governance? This recent BBC story would suggest more work is needed by the tech giant that Cloudflare has become.

Web defender Cloudflare snarled in child abuse row
Campaigners accuse the company of making it harder to restrict abusive images.

- Blocking users

Having been handed the sole management of the users' data streams, Cloudflare then has a duty/responsibility to handle same as securely as possible. This obviously means protecting the internet properties of their customers by blocking attacks from nefarious sources.

However, there have been more than a few documented cases where Cloudflare has actively blocked or manipulated access between external organizations and users.

- Data 'leakage'

Given that the original 'germ' of an idea for what became Cloudflare was based on gathering data, albeit on individuals sending unsolicited emails and spam, it is hardly surprising that it has evolved into a data harvesting haven for law enforcement, principally in the USA. Prince maintains close links with various government agencies and is a keen advocate for internet related legislation. The diagram below therefore illustrates the clear privacy implications of the Cloudflare operating model!

- Partnerships

Cloudflare is partnered with Baidu, the Chinese search and cloud mega-corp. This is their 'passport' into the massive Chinese domestic market. It is a significant partnership, so much so that it was referenced in the IPO listing documents as being of such importance that if it were to be dissolved it would have a material impact on both Cloudflare's financial performance and future growth prospects.

At the time of writing, the relationship is impacted by the on-going Trade Wars and has been flagged as a potential national security concern. One can only speculate as to what people would be prepared to do in order to preserve such a valuable relationship.

- Extent of reach

With 20 million internet properties under their control, a billion IP addresses being generated daily, a presence on every continent and at least a virtual presence in every country in the world, it is not difficult to see that the scale of potential abuse of power could be huge... just saying...

- Outages

Last but not least, on a purely technical point, having given over control of your data streams and put your faith in the capabilities of an outside provider, are you covered for service outages? Seems again, some users have been caught out, despite the size and complexity of Cloudflare's global operations.

'Using Cloudflare will increase chances of an outage. Visitors can't access your website if your server is down or Cloudflare is down. Did you really think Cloudflare never go down? Another sample. Need more?'

How can the technical concerns be addressed?

I guess the easiest course of action, if you are convinced that Cloudflare is not for you, is to not use it. However, given its embedded nature and semi-anonymous status (who uses them on services you use?) plus its global reach, that may not be quite so easy.

There are extensive public domain listings detailing actions that can be taken to address this issue in its many and various forms.

What are the options? Listed here are a few actions you could consider. Some are quick and simple, others less so, but we all appreciate that privacy comes at a price!

  • If the website you're on uses Cloudflare, ask them not to, sometimes you just need to raise awareness and ask the question
  • Always read a website's privacy policy. It should explain what Cloudflare is, how they are using it and then request your permission to share your data with them. Failure to do so will result in a 'breach of trust' and that website is probably better avoided
  • Search for alternative websites, there are always options out there.
  • If your browser is Firefox, find a more suitable replacement
  • Look to use the Tor Browser as your default. (Psst! Anonymity should be the standard on the open internet!)
  • Avoid Cloudflare solutions. Learn how to remove their plans, domains, subscriptions, accounts
  • Using Cloudflare to proxy your API (application programming interface) service, client update server or RSS feed can harm your customer base by silently blocking them
  • Do you need an HTTPS certificate? Try 'Let's Encrypt' or purchase from a suitable alternative to Cloudflare
  • Do you need a DNS server? Go 'old school' and set one up for yourself!
  • Need a hosting service? There are numerous free and safe providers out there
  • Install a Web Application Firewall (such as OWASP) and Fail2Ban on your server
  • Redirect or block Cloudflare Warp users from accessing your website but tell them why, if possible
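
Several of the steps above start from knowing whether a service you use sits behind Cloudflare (the 'who uses them on services you use?' question). The Python below is an added example, not part of the original article: it reads captured response headers and nameserver records and reports the Cloudflare indicators it finds. The header capture and nameserver list are constructed samples, and `shop.example` is a placeholder domain.

```python
import re

# Constructed sample: output of `curl -sIL http://shop.example/` (two hops).
SAMPLE_HEADERS = """\
HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://www.shop.example/

HTTP/2 200
date: Mon, 07 Oct 2019 10:00:00 GMT
server: cloudflare
cf-ray: 5220a1b2c3d4e5f6-LHR
cf-cache-status: HIT
"""

# Constructed sample: NS records as returned by `dig +short NS shop.example`.
SAMPLE_NS = ["amy.ns.cloudflare.com.", "rob.ns.cloudflare.com."]

# CF-RAY is a hex request id followed by the code of the data centre that served it.
CF_RAY = re.compile(r"^[0-9a-f]+-([A-Z]{3})$")


def parse_hops(raw):
    """Split raw header output into one lower-cased header dict per response."""
    hops = []
    for block in re.split(r"\r?\n\s*\r?\n", raw.strip()):
        headers = {}
        for line in block.splitlines()[1:]:  # skip the status line
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        hops.append(headers)
    return hops


def cloudflare_evidence(headers):
    """Return the list of Cloudflare indicators present in one response."""
    evidence = []
    if headers.get("server", "").lower() == "cloudflare":
        evidence.append("server header")
    match = CF_RAY.match(headers.get("cf-ray", ""))
    if match:
        evidence.append("cf-ray via " + match.group(1))
    return evidence


def uses_cloudflare_dns(nameservers):
    """True when every nameserver sits under ns.cloudflare.com."""
    names = [ns.rstrip(".").lower() for ns in nameservers]
    return bool(names) and all(n.endswith(".ns.cloudflare.com") for n in names)


if __name__ == "__main__":
    for i, hop in enumerate(parse_hops(SAMPLE_HEADERS), 1):
        print("hop", i, cloudflare_evidence(hop) or "no Cloudflare indicators")
    print("Cloudflare DNS:", uses_cloudflare_dns(SAMPLE_NS))
```

Checking every hop matters because a site can answer the first request from its own server and only hand over to Cloudflare after a redirect, as in the constructed capture.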

There are a myriad of sites and lists available with numerous solutions, options and alternatives... the link below is probably one of the best, most comprehensive and most frequently happy hunting!

A collaboration to deal with The Great Cloudwall (aka Cloudflare)


Wouldn't it be great if someone took it upon themselves to write up every single privacy fix and remedy into one fully online public domain database? Well, watch this space as I believe that that will soon be a new feature right here on Decentralize Today.

In conclusion

Cloudflare recently IPO'd, selling 35 million shares to raise over $500 million, confirming the company's unicorn status with an initial valuation of over $4 billion... but at what cost?
