path: root/src/_posts/2017-12-17-on-cloudflare.adoc
blob: 9b831a8be2e70f890873b7e0233ce62df69b5e97 (plain)
---
date: 2017-12-17 10:13:26
tags: Cloudflare Security Privacy
description: >
  Cloudflare is a threat to online security and privacy. I am not the first one
  to address this issue, and I probably will not be the last either. Sadly,
  people still seem to be very uninformed as to what issues Cloudflare actually
  solves, or introduces.
---
= On Cloudflare
:toc:

== Foreword
Cloudflare is a threat to online security and privacy. I am not the first one to
address this issue, and I probably will not be the last either. Sadly, people
still seem to be very uninformed as to what issues Cloudflare actually poses.
There also seems to be a big misconception about the benefits provided by using
Cloudflare. I would suggest reading the
http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/[article
on Cloudflare by joepie91] for a more thorough look at Cloudflare.

If anyone is using Cloudflare, please tell them to stop doing it. Link them to
this page or any of the articles referenced here. Cloudflare is harmful to your
visitors, and if you do not care about them, they will stop caring about you
too.

== A literal MITM attack
Cloudflare poses a huge risk by completely breaking the TLS/SSL chain used by
browsers by setting itself up as a
https://en.wikipedia.org/wiki/Man-in-the-middle_attack[man in the middle].
Cloudflare doesn't do actual DDoS protection, they just make the request to the
origin server for you. Once they have received the data, they decrypt it and
re-encrypt it with their own certificate. This means that Cloudflare has
access to all requests in plain text and can optionally modify the data you
see. TLS/SSL is meant to prevent this very issue, but Cloudflare seems to care
very little.

Even if we consider Cloudflare to be a benevolent entity that would never
modify any data, this is still an issue. Much data can be mined from the
plain text communications between you and the origin server. This data can be
used for all kinds of purposes. It is not uncommon for the USA government to
request a massive amount of surveillance information from companies without the
companies being able to speak up about it due to a gag order. This has become
clear once more by the
https://whispersystems.org/bigbrother/eastern-virginia-grand-jury/[subpoena on
Signal]. It should be clear to anyone that end-to-end encryption has to be a
standard and implemented properly. Cloudflare goes out of its way to break this
implementation.

=== Cloudbleed
The danger of their MITM style of operation was shown by the
https://en.wikipedia.org/wiki/Cloudbleed[Cloudbleed] vulnerability. It also
shows that they make use of their MITM position to scan the data your site and
a visitor are exchanging. This includes private data, such as passwords.

Even if you have an SSL connection to Cloudflare, they still decrypt it on
their end. They then serve the content under their own certificate. This makes
it look to the visitor like everything is secure, the browser says so after
all. But in reality, they don't have a secure connection to your server. They
only have one up to Cloudflare, and when it reaches Cloudflare, they decrypt it
and re-encrypt it using your certificate again. If you use one, of course,
otherwise they'll pass it on in plaintext back to your server, which is even
more dangerous. Whether or not you do, the content exists in plaintext on
Cloudflare's servers, which is not what you want, if you truly care about
security.
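The two sections above make one technical claim that a site operator can verify
for themselves: the certificate a visitor's browser is shown is not the
origin's certificate, so the TLS session terminates at the proxy, whatever the
padlock suggests. The script below is an added example, not code from the
original post or from Cloudflare. It compares the SHA-256 fingerprint of the
leaf certificate a visitor receives with the fingerprint of the certificate
the origin really serves (which the operator is assumed to know), and lists
any subjectAltName entries that belong to hosts outside the operator's own
domain, the signature of a shared proxy certificate. The certificate bytes,
hostnames and the `proxy-provider.example` name are constructed sample data;
`fetch_leaf_cert` does a real connection with Python's standard `ssl` module
and is the only part that needs network access.

```python
"""Added example (not from the original post): check where a site's TLS
session is actually terminated.

Assumptions: you operate the origin and know the SHA-256 fingerprint of the
certificate it serves; all certificate data below is constructed, not real.
"""
from __future__ import annotations

import hashlib
import socket
import ssl


def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate,
    in the same form browsers display it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> tuple[bytes, dict]:
    """Connect the way a visitor's browser would and return the DER bytes and
    the parsed form (ssl.getpeercert() dict) of the leaf certificate presented.
    Needs network access; the offline checks below do not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


def san_hostnames(parsed_cert: dict) -> list[str]:
    """DNS names from the subjectAltName extension of a getpeercert() dict."""
    return [value for kind, value in parsed_cert.get("subjectAltName", ()) if kind == "DNS"]


def foreign_names(parsed_cert: dict, owned_domain: str) -> list[str]:
    """Names the certificate vouches for that are not under the domain you
    control. A leaf certificate covering other people's hosts is a shared
    proxy certificate, not your origin's own."""
    owned = owned_domain.lower().lstrip("*.")
    result = []
    for name in san_hostnames(parsed_cert):
        bare = name.lower().lstrip("*.")
        if not (bare == owned or bare.endswith("." + owned)):
            result.append(name)
    return result


def termination_point(visitor_fp: str, origin_fp: str) -> str:
    """'origin' when the visitor sees the origin's own certificate, otherwise
    'intermediary': someone else holds the key that ends the visitor's session."""
    def norm(fp: str) -> str:
        return fp.replace(":", "").lower()
    return "origin" if norm(visitor_fp) == norm(origin_fp) else "intermediary"


def audit(visitor_der: bytes, visitor_parsed: dict, origin_fp: str, owned_domain: str) -> dict:
    """Combine both checks into one report for the operator."""
    fp = sha256_fingerprint(visitor_der)
    return {
        "visitor_fingerprint": fp,
        "terminated_at": termination_point(fp, origin_fp),
        "foreign_names": foreign_names(visitor_parsed, owned_domain),
    }


# Constructed sample data (not real certificates): the origin's known DER bytes
# and what a visitor is handed by a proxy placed in front of it.
ORIGIN_CERT_DER = b"constructed-origin-certificate-bytes"
PROXY_CERT_DER = b"constructed-proxy-certificate-bytes"
PROXY_CERT_PARSED = {
    "subject": ((("commonName", "sni-shared.proxy-provider.example"),),),
    "issuer": ((("commonName", "Example Proxy CA"),),),
    "subjectAltName": (
        ("DNS", "example.org"),
        ("DNS", "*.example.org"),
        ("DNS", "sni-shared.proxy-provider.example"),
        ("DNS", "unrelated-site.example"),
    ),
}

if __name__ == "__main__":
    origin_fp = sha256_fingerprint(ORIGIN_CERT_DER)
    print(audit(PROXY_CERT_DER, PROXY_CERT_PARSED, origin_fp, "example.org"))
```

In practice you would replace the constructed `PROXY_CERT_DER`/`PROXY_CERT_PARSED` pair with the result of `fetch_leaf_cert("your-site.example")` run from an outside network, and `ORIGIN_CERT_DER` with the certificate file your origin actually serves. A mismatching fingerprint is the whole argument of this section in one line of output: the browser's padlock was earned by a key that is not yours.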

== Eliminating your privacy
If Cloudflare were to fix their MITM behavior, the privacy problem would not
be solved all of a sudden. There are more questionable practices in use by
Cloudflare.

People who are using a VPN or an anonymization service such as Tor are usually
greeted by a warning from Cloudflare. Let's not talk about this warning being
incorrect about the reason behind the user receiving the warning, but instead
about the methodology used to "pass" this "warning". Cloudflare presents you
with a page that requires you to solve a reCaptcha puzzle, which is hosted by a
well known third party that tries to harm your privacy as much as possible,
Google. If you do not wish to have Google tracking you all the time, you will
not be able to solve these puzzles, and in effect, unable to access the site
you were visiting. It is also interesting to note that this reCaptcha system is
sometimes broken if your browser does not identify itself as one of the regular
mainstream browsers such as Firefox or Chrome.

Some site administrators disable this specific check. However, this still means
all your requests are logged by another third party, namely Cloudflare itself.
As noted in _A literal MITM attack_, this data is still very interesting to
some parties. And do not fool yourself: meta data is still very worthwhile and
can tell a huge amount of information about a person.

=== Forcing JavaScript
This issue generally does not concern many people, as most people online
nowadays use a big mainstream browser with JavaScript enabled. However, there
are still people, services and applications that do not use JavaScript. This
makes sites unavailable when they are in the "under attack" mode by Cloudflare.
This will run a check sending Cloudflare your browser information before
deciding whether you are allowed to access the website. This is yet another
privacy issue, but at the same time, a usability issue. It makes your site
unavailable to people who simply do not wish to use JavaScript or people who
are currently limited to a browser with no JavaScript support.

It is also common for Cloudflare to
http://www.tedunangst.com/flak/post/cloudflare-and-rss[Break RSS readers] by
presenting them with this check. This check is often presented to common user
agents used by services and programs. Since these do not include a big
JavaScript engine, there is no way for them to pass the test.

== False advertising
=== DDoS protection
Cloudflare is hailed by many as a gratis DDoS protection service, and they
advertise themselves as such. However, Cloudflare does not offer DDoS
protection, they simply act as a pin cushion to soak the hit. Real DDoS
protection works by analyzing traffic, spotting unusual patterns and blocking
these requests. If they were to offer real DDoS protection like this, they
would be able to tunnel TLS/SSL traffic straight to the origin server, thereby
not breaking the TLS/SSL chain as they do right now.

It should also be noted that this gratis "protection" is not truly gratis
either. If your site gets attacked for long enough, or often enough in a short
enough time frame, you will be kicked off of the gratis plan and be moved onto
the "business" plan. This requires you to pay $200 per month for a service that does
not do what it is advertised to do. If you do not go to the business plan, you will
have about the same protection as you would have without it, but with the
addition of ruining the privacy and security of your visitors.

=== Faster page loads
This is very well explained on
http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/[joepie91's
article] under the heading _But The Speed! The Speed!_. As such, I will refer
to his article instead of repeating him here.