diff options
Diffstat (limited to 'src/_posts/2017-12-17-on-cloudflare.adoc')
| -rw-r--r-- | src/_posts/2017-12-17-on-cloudflare.adoc | 129 |
1 files changed, 0 insertions, 129 deletions
diff --git a/src/_posts/2017-12-17-on-cloudflare.adoc b/src/_posts/2017-12-17-on-cloudflare.adoc deleted file mode 100644 index 9b831a8..0000000 --- a/src/_posts/2017-12-17-on-cloudflare.adoc +++ /dev/null @@ -1,129 +0,0 @@ ---- -date: 2017-12-17 10:13:26 -tags: Cloudflare Security Privacy -description: > - Cloudflare is a threat to online security and privacy. I am not the first on - to address this issue, and I probably will not be the last either. Sadly, - people still seem to be very uninformed as to what issues Cloudflare actually - solves, or introduces. ---- -= On Cloudflare -:toc: - -== Foreword -Cloudflare is a threat to online security and privacy. I am not the first on to -address this issue, and I probably will not be the last either. Sadly, people -still seem to be very uninformed as to what issues Cloudflare actually poses. -There also seems to be a big misconception about the benefits provided by using -Cloudflare. I would suggest reading the -http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/[article -on Cloudflare by joepie91] for a more thorough look at Cloudflare. - -If anyone is using Cloudflare, please tell them to stop doing it. Link them to -this page or any of the articles referenced here. Cloudflare is harmful to your -visitors, and if you do not care about them, they will stop caring about you -too. - -== A literal MITM attack -Cloudflare poses a huge risk by completely breaking the TLS/SSL chain used by -browsers by setting itself up as a -https://en.wikipedia.org/wiki/Man-in-the-middle_attack[man in the middle]. -Cloudflare doesn't do actual DDoS protection, they just make the request to the -origin server for you. Once they have received the data, they decrypt it and -re-encrypts it with their own certificate. This means that Cloudflare has -access to all requests in plain text and can optionally modify the data you -see. TLS/SSL is meant to prevent this very issue, but Cloudflare seems to care -very little. - -If we would consider Cloudflare to be a benevolent entity and surely never -modify any data ever, this is still an issue. Much data can be mined from the -plain text communications between you and the origin server. This data can be -used for all kinds of purposes. It is not uncommon for the USA government to -request a massive amount of surveillance information from companies without the -companies being able to speak up about it due to a gag order. This has become -clear once more by the -https://whispersystems.org/bigbrother/eastern-virginia-grand-jury/[subpoena on -Signal]. It should be clear to anyone that end-to-end encryption has to be a -standard and implemented properly. Cloudflare goes out of its way to break this -implementation. - -=== Cloudbleed -The danger of their MITM style of operation was shown be the -https://en.wikipedia.org/wiki/Cloudbleed[Cloudbleed] vulnerability. It also -shows that they make use of their MITM position to scan the data your site and -a visitor are exchanging. This includes private data, such as passwords. - -Even if you have an SSL connection to Cloudflare, they still decrypt it on -their end. They then serve the content under their own certificate. This makes -it look to the visitor like everything is secure, the browser says so after -all. But in reality, they don't have a secure connection to your server. They -only have one up to Cloudflare, and when it reaches Cloudflare, they decrypt it -and re-encrypt it using your certificate again. If you use one, of course, -otherwise they'll pass it on in plaintext back to your server, which is even -more dangerous. Whether or not you do, the content exists in plaintext on -Cloudflare's servers, which is not what you want, if you truly care about -security. - -== Eliminating your privacy -If Cloudflare were to fix their MITM behavior, the privacy problem would not -be solved all of a sudden. There are more questionable practices in use by -Cloudflare. - -People who are using a VPN or an anonimization service such as Tor are usually -greeted by a warning from Cloudflare. Let's not talk about this warning being -incorrect about the reason behind the user receiving the warning, but instead -about the methodology used to "pass" this "warning". Cloudflare presents you -with a page that requires you to solve a reCaptcha puzzle, which is hosted by a -well known third party that tries to harm your privacy as much as possible, -Google. If you do not wish to have Google tracking you all the time, you will -not be able to solve these puzzles, and in effect, unable to access the site -you were visiting. It is also interesting to note that this reCaptcha system is -sometimes broken if your browser does not identify itself as one of the regular -mainstream browsers such as Firefox or Chrome. - -Some site administrators disable this specific check. However, this still means -all your requests are logged by another third party, namely Cloudflare itself. -As noted in _A literal MITM attack_, this data is still very interesting to -some parties. And do not fool yourself: meta data is still very worthwhile and -can tell a huge amount of information about a person. - -=== Forcing JavaScript -This issue generally does not concern many people, as most people online -nowadays use a big mainstream browser with JavaScript enabled. However, there -are still people, services and applications that do not use JavaScript. This -makes sites unavailable when they are in the "under attack" mode by Cloudflare. -This will run a check sending Cloudflare your browser information before -deciding whether you are allowed to access the website. This is yet another -privacy issue, but at the same time, a usability issue. It makes your site -unavailable to people who simply do not wish to use JavaScript or people who -are currently limited to a browser with no JavaScript support. - -It is also common for Cloudflare to -http://www.tedunangst.com/flak/post/cloudflare-and-rss[Break RSS readers] by -presenting them with this check. This check is often presented to common user -agents used by services and programs. Since these do not include a big -JavaScript engine, there is no way for them to pass the test. - -== False advertising -=== DDoS protection -Cloudflare is hailed by many as a gratis DDoS protection service, and they -advertise themselves as such. However, Cloudflare does not offer DDoS -protection, they simply act as a pin cushion to soak the hit. Real DDoS -protection works by analyzing traffic, spotting unusual patterns and blocking -these requests. If they were to offer real DDoS protection like this, they -would be able to tunnel TLS/SSL traffic straight to the origin server, thereby -not breaking the TLS/SSL chain as they do right now. - -It should also be noted that this gratis "protection" truly gratis either. If -your site gets attacked for long enough, or for enough times in a short enough -time frame, you will be kicked off of the gratis plan and be moved onto the -"business" plan. This requires you to pay $200 per month for a service that does -not do what it is advertised to do. If you do not go to the business plan, you will -have about the same protection as you would have without it, but with the -addition of ruining the privacy and security of your visitors. - -=== Faster page loads -This is very well explained on -http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/[joepie91's -article] under the heading _But The Speed! The Speed!_. As such, I will refer -to his article instead of repeating him here. |