Cloudflare essentially centralizing the Internet is disturbing to me. They have the capability to MITM huge swathes of internet traffic, and coupled with the fact they’re a US company, I’m pretty wary of them receiving some sort of order from the NSA.
Every time I’ve used Cloudflare, it’s been on a dedicated, cookieless subdomain serving static content only. Call me paranoid, but this company may be doing serious damage to our privacy online.
It is the same thing as Google, Amazon or Microsoft - they are all centralizing the internet.
I have written a MITMing proxy that is capable of blocking by ASN (https://en.wikipedia.org/wiki/Autonomous_system_(Internet)), besides blocking domains and other things we are used to from the times of Proxomitron. I once tried to block all 3 companies to see what would happen.
Nothing worked any more. CDNs were breaking pages on those rare occasions where they weren't hosted on some cloud owned by those 3 companies. Even DuckDuckGo wasn't accessible anymore.
The funny thing was that Yandex and Baidu were still working flawlessly.
Welcome to the dark ages of the internet, we blew it. Instead of being capable of surviving a third world war (as it was designed for) it is now in the hands of 3 companies out of pure laziness, lack of knowledge and greed.
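The experiment described above, blocking whole networks by ASN and watching which pages still render, comes down to two pieces: a longest-prefix lookup from an IP to the AS that announces it, and an audit of every host a page pulls resources from. The following is an added example, not code from the thread or from the commenter's proxy; the routing table and host-to-IP map are constructed from documentation ranges and private-use ASNs and are not real routing data.

```python
import ipaddress

# Constructed routing table: (announced prefix, ASN, label). Documentation
# ranges and private-use ASNs only; this is NOT real routing data.
ROUTES = [
    ("198.51.100.0/24", 64496, "cdn-a"),
    ("203.0.113.0/24", 64497, "cloud-b"),
    ("203.0.113.128/25", 64499, "cloud-b-subsidiary"),  # more specific announcement
    ("192.0.2.0/24", 64498, "independent-host"),
]

# Constructed host -> IP map standing in for DNS resolution.
DNS = {
    "www.example.org": "192.0.2.10",
    "static.example-cdn.net": "198.51.100.5",
    "api.example-cloud.net": "203.0.113.200",
    "search.example.net": "203.0.113.40",
}


class AsnTable:
    """Maps an IP address to the ASN of the most specific prefix covering it."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), asn, label) for p, asn, label in routes]
        # Longest prefix first, so the first hit is the most specific route,
        # as a router's forwarding decision would pick it.
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, asn, label in self.routes:
            if addr.version == net.version and addr in net:
                return asn, label
        return None, None


def decide(ip, table, blocked_asns):
    """Policy decision for one address. Unknown origin is allowed here; a
    stricter deployment could fail closed instead."""
    asn, label = table.lookup(ip)
    if asn is None:
        return "allow", "unknown"
    if asn in blocked_asns:
        return "block", f"AS{asn} ({label})"
    return "allow", f"AS{asn} ({label})"


def audit_page(primary_host, subresource_hosts, dns, table, blocked_asns):
    """Classify a page the way the blocking experiment exposes it:
    'blocked' if the page itself is unreachable, 'degraded' if the page
    loads but a CDN or API dependency is cut off, 'intact' otherwise."""
    hosts = {h: decide(dns[h], table, blocked_asns) for h in [primary_host, *subresource_hosts]}
    if hosts[primary_host][0] == "block":
        verdict = "blocked"
    elif any(action == "block" for action, _ in hosts.values()):
        verdict = "degraded"
    else:
        verdict = "intact"
    return {"verdict": verdict, "hosts": hosts}


if __name__ == "__main__":
    table = AsnTable(ROUTES)
    blocked = {64496, 64497, 64499}  # the "big cloud" ASNs in this constructed data
    report = audit_page("www.example.org", ["static.example-cdn.net", "api.example-cloud.net"],
                        DNS, table, blocked)
    for host, (action, origin) in report["hosts"].items():
        print(f"{action:5} {host:25} {origin}")
    print("verdict:", report["verdict"])
```

The page host itself sits in an independent network and is allowed, yet the verdict is "degraded" because its script CDN and API backend both resolve into blocked ASNs, which is exactly the breakage pattern the comment reports. The same audit, run without a block list, doubles as a third-party dependency inventory for a site you operate.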
Is this stuff news to people? Having worked in that segment of industry, yes, that is how things largely work now, and that's largely how they've always worked, even if perhaps there's a bit more consolidation now (market factors do that somewhat automatically, if not always in the same direction).
This may be my relative youth, but I don't really recall people complaining that Akamai or--well, I don't know as good an analog to the modern major cloud providers, but maybe, say, Equinix or Rackspace--handled so much of the internet back in the day.
Cloudflare may have more of a consumer brand presence because they intentionally market that with their free plan, branded error pages (the "Intel Inside" of CDN services), and ancillary services (1.1.1.1 and their phone VPN), but it's not like the internet of yore was some decentralized collaboration of freeholder fiber owners running their own little 1-person ISP cum hosting provider. Maybe in the early, early, more academic and hobbyist days, but I don't think it's surprising that those were more of an anomalous landscape after the internet's birth than the norm.
That's where SRI comes into play. And even if SRI isn't used, having a separate subdomain still makes it impossible to surreptitiously MITM host traffic, since attacking the site via scripts served by CDN would leave behind evidence.
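Subresource Integrity works by having the origin page carry a hash of each CDN-served script, which the browser recomputes over the bytes it actually receives; a modified script fails the check and is refused. The block below is an added example, not code from the thread: it computes the `integrity` token a site operator would publish and reproduces the browser-side comparison, including the rule that when several algorithms are listed only the strongest one is consulted. The script bytes are constructed.

```python
import base64
import hashlib
import hmac

# Algorithms the SRI spec permits, ranked so the browser-side check can
# pick the strongest one when a tag lists several.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity token such as 'sha384-<base64 digest>'."""
    if algorithm not in STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """The tag the origin page embeds. crossorigin='anonymous' is required for
    SRI on cross-origin resources so the browser may read the response."""
    return f'<script src="{src}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'


def parse_integrity(integrity: str):
    """Split a space-separated integrity attribute into (algorithm, b64) pairs,
    ignoring tokens with unknown algorithms as browsers do."""
    tokens = []
    for token in integrity.split():
        alg, _, b64 = token.partition("-")
        if alg in STRENGTH:
            tokens.append((alg, b64))
    return tokens


def verify_sri(integrity: str, served: bytes) -> bool:
    """Mirror the browser check: with no valid tokens the resource passes
    unchecked; otherwise it must match one token of the strongest algorithm."""
    tokens = parse_integrity(integrity)
    if not tokens:
        return True
    strongest = max(STRENGTH[alg] for alg, _ in tokens)
    candidates = [(alg, b64) for alg, b64 in tokens if STRENGTH[alg] == strongest]
    actual = {alg: base64.b64encode(hashlib.new(alg, served).digest()).decode("ascii")
              for alg, _ in candidates}
    return any(hmac.compare_digest(actual[alg], b64) for alg, b64 in candidates)


# Constructed sample: the script as published, and a tampered copy.
PUBLISHED = b"window.track = function () { return 'ok'; };\n"
TAMPERED = PUBLISHED + b"fetch('/leak?c=' + document.cookie);\n"

if __name__ == "__main__":
    tag = script_tag("https://cdn.example.net/track.js", PUBLISHED)
    print(tag)
    integrity = sri_hash(PUBLISHED)
    print("served as published:", verify_sri(integrity, PUBLISHED))
    print("served with injection:", verify_sri(integrity, TAMPERED))
```

The hash lives on the origin page, so anyone able to alter the CDN's copy of the script without also altering the origin page produces a mismatch that the browser refuses to execute and reports in the console. That is the evidence trail the comment refers to.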
>since attacking the site via scripts served by CDN would leave behind evidence.
It won't leave behind much evidence if you're only doing it for targeted attacks. I doubt the NSA will burn such a valuable resource like Cloudflare to do mass scale injections.
More and more of the internet is now moving behind Cloudflare, one feature at a time. I saved a serious amount of money just by using the free service they offer.
I am astonished every time Cloudflare comes up with a solution for the problems of the internet.
> More and more of the internet is now moving behind Cloudflare
This is a big double-standard here on HN. Everyone hates Google for making decisions on behalf of the internet as a whole; yet Cloudflare has done the exact same thing with a different OSI layer.
I'm not very trusting of Google, but I certainly don't trust Cloudflare any more, because they keep things much closer to the chest.
> Cloudflare essentially centralizing the Internet is disturbing to me.
Maybe different people have different standards, and HN isn't a completely homogeneous group with a single viewpoint. Just like every other group where individuals are free to express themselves.
I think we can trust them for now. They seem like good people and a good company. I don't know what's at stake in the future, but Mozilla has trusted their service, so there's no good reason not to.
This seems like a marketing piece light on technical details. For instance
>flowtrackd is then able to determine if a packet is part of a new connection, an open one, a connection that is closing, one that is closed, or if it’s an out of state packet.
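The quoted sentence describes the output of a stateful flow tracker: each packet is placed into one of five buckets by consulting the TCP handshake and teardown state already recorded for its connection. The block below is an added example, not Cloudflare's code and not the flowtrackd design; it is the minimal symmetric state machine that yields those five classifications, with a constructed packet trace that includes a late packet after close and a bare ACK for which no handshake was ever seen (the kind of packet a flood of spoofed ACKs produces).

```python
from dataclasses import dataclass, field

SYN, ACK, FIN, RST, PSH = "SYN", "ACK", "FIN", "RST", "PSH"


@dataclass
class Flow:
    initiator: tuple          # (ip, port) that sent the opening SYN
    state: str                # "syn_sent", "established", "fin_wait", "closed"
    fins_seen: set = field(default_factory=set)


class FlowTracker:
    """Classifies each packet as new / open / closing / closed / out of state."""

    def __init__(self):
        self.flows = {}

    @staticmethod
    def key(src, sport, dst, dport):
        # Both directions of a connection share one table entry.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def classify(self, src, sport, dst, dport, flags):
        flags = set(flags)
        k = self.key(src, sport, dst, dport)
        flow = self.flows.get(k)

        # No live connection: only a clean SYN may start one. Anything else
        # (an ACK flood, a stray FIN) has no state to belong to.
        if flow is None or flow.state == "closed":
            if flags == {SYN}:
                self.flows[k] = Flow(initiator=(src, sport), state="syn_sent")
                return "new"
            return "out of state"

        if RST in flags:
            flow.state = "closed"
            return "closed"

        if flow.state == "syn_sent":
            from_initiator = (src, sport) == flow.initiator
            if not from_initiator and flags == {SYN, ACK}:
                return "new"                      # second step of the handshake
            if from_initiator and ACK in flags and SYN not in flags:
                flow.state = "established"        # third step, may carry data
                return "open"
            return "out of state"

        if flow.state == "established":
            if FIN in flags:
                flow.state = "fin_wait"
                flow.fins_seen.add((src, sport))
                return "closing"
            return "open" if ACK in flags else "out of state"

        # fin_wait: wait for the second FIN and the ACK that answers it.
        if FIN in flags:
            flow.fins_seen.add((src, sport))
            return "closing"
        if ACK in flags:
            if len(flow.fins_seen) == 2:
                flow.state = "closed"
                return "closed"
            return "closing"
        return "out of state"


def demo():
    """Constructed trace: full handshake, one data exchange, orderly close,
    then a late ACK on the closed flow and an ACK with no connection at all."""
    t = FlowTracker()
    c, s = ("203.0.113.7", 51000), ("198.51.100.10", 443)
    trace = [
        (c, s, {SYN}), (s, c, {SYN, ACK}), (c, s, {ACK}),
        (c, s, {PSH, ACK}), (s, c, {ACK}),
        (c, s, {FIN, ACK}), (s, c, {ACK}), (s, c, {FIN, ACK}), (c, s, {ACK}),
        (c, s, {ACK}),                          # late packet after close
        (("192.0.2.99", 40000), s, {ACK}),      # no handshake ever seen
    ]
    return [t.classify(a[0], a[1], b[0], b[1], f) for a, b, f in trace]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last two packets are the operationally interesting ones: a tracker with this state lets a filter drop them while passing every packet of the legitimate connection, which is what makes "out of state" a useful drop criterion rather than a mere label.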
That is common with Cloudflare... Never understood why so many in tech praise them when clearly many of their claims are false. You would think that 99% of the internet was under a DDoS attack 99% of the time.
Almost everything I’ve ever worked on has been under DDoS attack. I actually met the founders of Cloudflare just after they got started because they saved my bacon.
Later pursuits used different providers where we could use BGP to shift our network around.
We can start with DNS ANY queries. Cloudflare lied their way through this whole process, with the claim that CF were just following standards, when in fact it was exactly the opposite: Not conforming to the standard while simultaneously pushing through draft changes to the standard in order to support CF's business decision. I'm a trusting guy, and took CF's claims of championing privacy to heart, but this move completely blew that out of the water. Nowadays, I genuinely wonder sometimes how long until someone blows the whistle and it turns out CF is building dossiers just like Google, and renting out access to governments and law enforcement and adtech, shoveling even more crap onto the pile.
It was me who was pushing for DNS ANY changes, and I'm pretty proud of it. If you worked on any DNS software, you would see how messy handling ANY was.
Fundamentally the question is about zones. I personally don't believe "zones" in the modern internet make sense. Modern DNS is not pure BIND/flat file. It's autogenerated labels, managed and pulled from different sources. Fundamentally, answering ANY is at least super hard if not impossible.
I'm sorry you think we were not transparent. I wrote two blog posts, and helped with the draft to promote the deprecation of ANY. But the real push to do something about ANY wasn't us - it was Firefox who tried to query resolvers for ANY in order to save an AAAA query for IPv6. This is totally bonkers. It proved that nobody understands ANY and that it only brings cost and confusion.
What you've done here is demonstrate why Cloudflare cannot be trusted: You do not get to decide for the rest of the internet which use cases are valid and which are "bonkers" -- you probably just thought to yourself "Oh, but I did". This is a pattern of behavior at Cloudflare (cf. Cloudflare CEO waking up one morning to remove a domain from the internet because he didn't like the contents -- which is a polite way of saying he caved to the Twitter mob). You and Cloudflare made a business decision that supporting the DNS standard was too costly, despite DNS being a core offering of Cloudflare. You appear to be saying that you personally made a value judgment about someone else's use case, used that as an argument to drop support for the standard, then pushed draft changes so that Cloudflare could retroactively claim to support the standard.
You have forced changes in the DNS standard based on your own personal value judgment, and Cloudflare was duplicitous in its support of this relative moral position. I could not have made the argument against trusting Cloudflare better, myself.
> You and Cloudflare made a business decision that supporting the DNS standard was too costly,
No, I made a decision that it was time to fix an obscure feature that was impossible to use correctly, and caused real damage to the internet - see the Firefox ANY saga.
Fun fact. We kept on supporting ANY until the RFC was ratified.
> You have forced changes in the DNS standard based on your own personal value judgment
No, we worked on the standard in the working group. I'm not the one assigning RFC numbers. This is a process.