summaryrefslogtreecommitdiff
path: root/src/_posts/2017-12-17-on-cloudflare.adoc
diff options
context:
space:
mode:
Diffstat (limited to 'src/_posts/2017-12-17-on-cloudflare.adoc')
-rw-r--r--src/_posts/2017-12-17-on-cloudflare.adoc129
1 files changed, 129 insertions, 0 deletions
diff --git a/src/_posts/2017-12-17-on-cloudflare.adoc b/src/_posts/2017-12-17-on-cloudflare.adoc
new file mode 100644
index 0000000..9b831a8
--- /dev/null
+++ b/src/_posts/2017-12-17-on-cloudflare.adoc
@@ -0,0 +1,129 @@
+---
+date: 2017-12-17 10:13:26
+tags: Cloudflare Security Privacy
+description: >
+ Cloudflare is a threat to online security and privacy. I am not the first on
+ to address this issue, and I probably will not be the last either. Sadly,
+ people still seem to be very uninformed as to what issues Cloudflare actually
+ solves, or introduces.
+---
+= On Cloudflare
+:toc:
+
+== Foreword
+Cloudflare is a threat to online security and privacy. I am not the first on to
+address this issue, and I probably will not be the last either. Sadly, people
+still seem to be very uninformed as to what issues Cloudflare actually poses.
+There also seems to be a big misconception about the benefits provided by using
+Cloudflare. I would suggest reading the
+http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/[article
+on Cloudflare by joepie91] for a more thorough look at Cloudflare.
+
+If anyone is using Cloudflare, please tell them to stop doing it. Link them to
+this page or any of the articles referenced here. Cloudflare is harmful to your
+visitors, and if you do not care about them, they will stop caring about you
+too.
+
+== A literal MITM attack
+Cloudflare poses a huge risk by completely breaking the TLS/SSL chain used by
+browsers by setting itself up as a
+https://en.wikipedia.org/wiki/Man-in-the-middle_attack[man in the middle].
+Cloudflare doesn't do actual DDoS protection, they just make the request to the
+origin server for you. Once they have received the data, they decrypt it and
+re-encrypts it with their own certificate. This means that Cloudflare has
+access to all requests in plain text and can optionally modify the data you
+see. TLS/SSL is meant to prevent this very issue, but Cloudflare seems to care
+very little.
+
+If we would consider Cloudflare to be a benevolent entity and surely never
+modify any data ever, this is still an issue. Much data can be mined from the
+plain text communications between you and the origin server. This data can be
+used for all kinds of purposes. It is not uncommon for the USA government to
+request a massive amount of surveillance information from companies without the
+companies being able to speak up about it due to a gag order. This has become
+clear once more by the
+https://whispersystems.org/bigbrother/eastern-virginia-grand-jury/[subpoena on
+Signal]. It should be clear to anyone that end-to-end encryption has to be a
+standard and implemented properly. Cloudflare goes out of its way to break this
+implementation.
+
+=== Cloudbleed
+The danger of their MITM style of operation was shown be the
+https://en.wikipedia.org/wiki/Cloudbleed[Cloudbleed] vulnerability. It also
+shows that they make use of their MITM position to scan the data your site and
+a visitor are exchanging. This includes private data, such as passwords.
+
+Even if you have an SSL connection to Cloudflare, they still decrypt it on
+their end. They then serve the content under their own certificate. This makes
+it look to the visitor like everything is secure, the browser says so after
+all. But in reality, they don't have a secure connection to your server. They
+only have one up to Cloudflare, and when it reaches Cloudflare, they decrypt it
+and re-encrypt it using your certificate again. If you use one, of course,
+otherwise they'll pass it on in plaintext back to your server, which is even
+more dangerous. Whether or not you do, the content exists in plaintext on
+Cloudflare's servers, which is not what you want, if you truly care about
+security.
+
+== Eliminating your privacy
+If Cloudflare were to fix their MITM behavior, the privacy problem would not
+be solved all of a sudden. There are more questionable practices in use by
+Cloudflare.
+
+People who are using a VPN or an anonimization service such as Tor are usually
+greeted by a warning from Cloudflare. Let's not talk about this warning being
+incorrect about the reason behind the user receiving the warning, but instead
+about the methodology used to "pass" this "warning". Cloudflare presents you
+with a page that requires you to solve a reCaptcha puzzle, which is hosted by a
+well known third party that tries to harm your privacy as much as possible,
+Google. If you do not wish to have Google tracking you all the time, you will
+not be able to solve these puzzles, and in effect, unable to access the site
+you were visiting. It is also interesting to note that this reCaptcha system is
+sometimes broken if your browser does not identify itself as one of the regular
+mainstream browsers such as Firefox or Chrome.
+
+Some site administrators disable this specific check. However, this still means
+all your requests are logged by another third party, namely Cloudflare itself.
+As noted in _A literal MITM attack_, this data is still very interesting to
+some parties. And do not fool yourself: meta data is still very worthwhile and
+can tell a huge amount of information about a person.
+
+=== Forcing JavaScript
+This issue generally does not concern many people, as most people online
+nowadays use a big mainstream browser with JavaScript enabled. However, there
+are still people, services and applications that do not use JavaScript. This
+makes sites unavailable when they are in the "under attack" mode by Cloudflare.
+This will run a check sending Cloudflare your browser information before
+deciding whether you are allowed to access the website. This is yet another
+privacy issue, but at the same time, a usability issue. It makes your site
+unavailable to people who simply do not wish to use JavaScript or people who
+are currently limited to a browser with no JavaScript support.
+
+It is also common for Cloudflare to
+http://www.tedunangst.com/flak/post/cloudflare-and-rss[Break RSS readers] by
+presenting them with this check. This check is often presented to common user
+agents used by services and programs. Since these do not include a big
+JavaScript engine, there is no way for them to pass the test.
+
+== False advertising
+=== DDoS protection
+Cloudflare is hailed by many as a gratis DDoS protection service, and they
+advertise themselves as such. However, Cloudflare does not offer DDoS
+protection, they simply act as a pin cushion to soak the hit. Real DDoS
+protection works by analyzing traffic, spotting unusual patterns and blocking
+these requests. If they were to offer real DDoS protection like this, they
+would be able to tunnel TLS/SSL traffic straight to the origin server, thereby
+not breaking the TLS/SSL chain as they do right now.
+
+It should also be noted that this gratis "protection" truly gratis either. If
+your site gets attacked for long enough, or for enough times in a short enough
+time frame, you will be kicked off of the gratis plan and be moved onto the
+"business" plan. This requires you to pay $200 per month for a service that does
+not do what it is advertised to do. If you do not go to the business plan, you will
+have about the same protection as you would have without it, but with the
+addition of ruining the privacy and security of your visitors.
+
+=== Faster page loads
+This is very well explained on
+http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/[joepie91's
+article] under the heading _But The Speed! The Speed!_. As such, I will refer
+to his article instead of repeating him here.