Cloudflare has spent the last 10 years building itself into one of the world's largest cloud service providers. However, recent revelations regarding their network being 'hijacked' by paedophiles, terrorists and drug runners, as well as continuing concerns about the way they manage data and connectivity, have taken the shine off their recent IPO.
Cloudflare's declared mission is to 'help build a better Internet'.
Traditionally, industry vendors have supplied standalone hardware boxes to address security, performance and reliability issues. These boxes, often deployed in on-premise data centres, delivered a variety of functions including firewalls, traffic management and network optimization. Cloudflare have built a global cloud platform that delivers all of the above and more, allowing businesses to believe they are getting a secure network of performance enhancing applications at reduced cost and complexity. However, what are the potential costs of compromised data security and network outages from permitting one provider to manage ALL of your data streams?
So what do they do?
DNS (Domain Name System) is an internet service that translates domain names into IP addresses... it is basically a giant distributed virtual phone book. Cloudflare provides the SaaS (Software as a Service) suite access to the global internet via their DNS service.
Cloudflare claim to manage over 20 million internet properties and generate more than 1 billion unique IP addresses per day. They do this across a network of over 190 separate data centres with a combined installed capacity of over 30 Tbps. They are seriously big and that, in itself, is a concern!
Who markets it?
Cloudflare are a Delaware registered IT corporation founded in 2009 with co-founder, Matthew Prince as CEO. The core idea grew out of a project initiated by Prince and fellow co-founder, Lee Holloway.
Back in 2003, Lee Holloway and I started Project Honey Pot as an open source project to track online fraud and abuse. The project allowed anyone with a website to install a piece of code and track hackers and spammers. We ran it as a hobby and didn't think too much about it until, in 2008, the Department of Homeland Security called and said "Do you have any idea how valuable the data you have is?" That started us thinking about how we could effectively deploy the data from Project Honey Pot, as well as other sources, in order to protect websites online. That turned into the initial impetus for Cloudflare.
Matthew Prince, CEO, Cloudflare
How does it operate?
Previously, when you went to a website, the request would go via a server, which in turn would return the requested page. When too many requests were submitted at the same time, the server could be overwhelmed and even potentially crash.
In order to address internet users' concerns about connectivity, speed and security, Cloudflare sought to provide a global network of data centres and cloud access. This, in turn, takes the management of the data streams away from the user... and that's when the fun and games begin!
What are the concerns?
As previously stated by many wiser people than the author, bad people tend to do bad things... and whilst a service provider has a responsibility to conduct appropriate due diligence on its customers, it can be a crapshoot! Cloudflare are fully aware of this and declared as much in their filing for their recent IPO.
Guilt by association or a failure in corporate governance? This recent BBC story would suggest more work is needed by the tech giant that Cloudflare has become.
- Blocking users
Having been handed the sole management of the users' data streams, Cloudflare then has a duty/responsibility to handle same as securely as possible. This obviously means protecting the internet properties of their customers by blocking attacks from nefarious sources.
However, there have been more than a few documented cases (https://codeberg.org/themusicgod1/cloudflare-tor) where Cloudflare has actively blocked or manipulated access between external organizations and users.
- Data 'leakage'
Given that the original 'germ' of an idea for what became Cloudflare was based on gathering data, albeit on individuals sending unsolicited emails and spam, it is hardly surprising that it has evolved into a data harvesting haven for law enforcement, principally in the USA. Prince maintains close links with various government agencies and is a keen advocate for internet related legislation. The diagram below therefore illustrates the clear privacy implications of the Cloudflare operating model!
Cloudflare is partnered with Baidu, the Chinese search and cloud mega-corp. This is their 'passport' into the massive Chinese domestic market. It is a significant partnership, so much so that it was referenced in the IPO listing documents as being of such importance that if it were to be dissolved it would have a material impact on both Cloudflare's financial performance and future growth prospects.
At the time of writing, the relationship is impacted by the on-going Trade Wars and has been flagged as a potential national security concern. One can only speculate as to what people would be prepared to do in order to preserve such a valuable relationship.
- Extent of reach
With 20 million internet properties under their control, a billion IP addresses being generated daily, a presence on every continent and at least a virtual presence in every country in the world, it is not difficult to see that the scale of potential abuse of power could be huge... just saying...
Last but not least, on a purely technical point, having given over control of your data streams and put your faith in the capabilities of an outside provider, are you covered for service outages? Seems again, some users have been caught out, despite the size and complexity of Cloudflare's global operations.
'Using Cloudflare will increase chances of an outage. Visitors can't access your website if your server is down or Cloudflare is down. Did you really think Cloudflare never goes down? Another sample. Need more?'
How can the technical concerns be addressed?
I guess the easiest course of action, if you are convinced that Cloudflare is not for you, is to not use it. However, given its embedded nature and semi-anonymous status (who uses them on services you use?) plus its global reach, that may not be quite so easy.
There are extensive public domain listings detailing actions that can be taken to address this issue in its many and various forms.
What are the options? Listed here are a few actions you could consider; some are quick and simple, others less so, but we all appreciate that privacy comes at a price!
- If the website you're on uses Cloudflare, ask them not to. Sometimes you just need to raise awareness and ask the question.
- Search for alternative websites; there are always options out there.
- If your browser is Firefox, find a more suitable replacement
- Look to use the Tor Browser as your default. (Psst! Anonymity should be the standard on the open internet!)
- Avoid Cloudflare solutions. Learn how to remove their plans, domains, subscriptions, accounts
- Using Cloudflare to proxy your API (application programming interface) service, client update server or RSS feed can harm your customer base by silently blocking them
- Do you need an HTTPS certificate? Try Let's Encrypt or purchase from a suitable alternative to Cloudflare
- Do you need a DNS server? Go 'old school' and set one up for yourself!
- Need a hosting service? There are numerous free and safe providers out there
- Install a Web Application Firewall (such as OWASP) and Fail2Ban on your server
- Redirect or block Cloudflare Warp users from accessing your website but tell them why, if possible
There are a myriad of sites and lists available with numerous solutions, options and alternatives... the link below is probably one of the best, most comprehensive and most frequently updated... so happy hunting!
Wouldn't it be great if someone took it upon themselves to write up every single privacy fix and remedy into one fully online public domain database? Well, watch this space, as I believe that will soon be a new feature right here on Decentralize Today.
Cloudflare recently IPO'd, selling 35 million shares to raise over $500 million, confirming the company's unicorn status with an initial valuation of over $4 billion... but at what cost?