They get shit on a lot here. Why? What do they do and how is that different from other companies that offer similar services?

What I know of them: they offer DDS brute force/spam protection for websites.

  • slazer2au@lemmy.world
    link
    fedilink
    English
    arrow-up
    145
    ·
    10 months ago

    I wouldn’t call it hate, just concern.

    Cloudflare acts as a front door to many sites and as such your TLS session is terminated at Cloudflare, then CF makes a additional session from themselves to the target site.
    This is concerning as that means CF can see all of your data.

    • kn33@lemmy.world
      link
      fedilink
      English
      arrow-up
      42
      arrow-down
      3
      ·
      10 months ago

      It’s worth mentioning the advantage of why they do this. There are several reasons, but the two most common are:

      • Seeing the data means they can do a better job at detecting attacks and fending them off.

      • They can issue certificates with longer lives from their private CA which simplifies certificate management for their customers.

      • slazer2au@lemmy.world
        link
        fedilink
        English
        arrow-up
        41
        arrow-down
        1
        ·
        10 months ago

        considering they are a US company they are bound by US warrantless wiretapping laws.

      • lemmyng@lemmy.ca
        link
        fedilink
        English
        arrow-up
        22
        arrow-down
        1
        ·
        10 months ago

        Plus other capabilities like injecting banners, caching, etc

      • Snot Flickerman@lemmy.blahaj.zone
        link
        fedilink
        English
        arrow-up
        17
        ·
        edit-2
        10 months ago

        While true, and I am not a hater of Cloudflare:

        Keyless SSL is only available to Enterprise customers that maintain their own SSL certificate purchased from a valid Certificate Authority. Cloudflare does not supply any certificates for use with Keyless SSL.

        I’m not part of any Enterprise organization and I’m too poor to sign up for Enterprise level service, and so I am unable to use their Keyless SSL.

        Just for example. Sometimes it’s not that we don’t want to but can’t afford to, especially if we’re just Joe Schmoe running a handful of services on a server box.

        Once again, I have no issues with Cloudflare myself, and personally have a decent amount of respect for them.

        I’m just saying getting access to the Keyless SSL is less easy than you made it sound.

        • gencha@lemm.ee
          link
          fedilink
          arrow-up
          2
          ·
          10 months ago

          I get that. If you’re not paying for a service, there’s still a price. There are no companies out there doing you any favors, only those that make you believe they do.

          Clouflare is okay. Don’t trust anything apparently free ever

        • gencha@lemm.ee
          link
          fedilink
          arrow-up
          3
          ·
          10 months ago

          If you’re not paying money for a service, you’re paying another way

      • ISometimesAdmin@the.coolest.zone
        link
        fedilink
        arrow-up
        4
        arrow-down
        3
        ·
        10 months ago

        Right?? To let your website be susceptible to that kind of act by anyone means that you probably didn’t really care about security in the first place, so much as just getting the magic lock icon happy.

        • zeluko@kbin.social
          link
          fedilink
          arrow-up
          3
          ·
          10 months ago

          Magic lock icon is easy, hard is it to block attacks and being able to do very little about it.
          Spoofed packets, server providers not caring what their customers do, many abuse email adresses dont even work.
          Keyless SSL would be nice and i’d use it. I have my own keys, but its for Enterprise customers only.

          I am not using Cloudflare as i dont like them handling like 80% of all traffic. But as website owner i can understand why someone would still choose them…

  • dustyData@lemmy.world
    link
    fedilink
    English
    arrow-up
    67
    arrow-down
    3
    ·
    edit-2
    10 months ago

    Let me tell my personal grievance with Cloudfare. One of the services that Cloudfare dispenses to websites, whether they like it or not, is bandwidth throttling, in the name of safety, of course. If an IP has been flagged by their system to have created spam, sent spam, being part of a DDOS attack and other various offenses, afterwards the Cloudfare service will throttle that IP requests to the sites that use Cloudfare. That’s on paper what it should do, and it sounds reasonable on a surface level. However, this includes wide swaths of residential dynamic IPs, which means that a lot of people get slow internet for the actions committed by a person with whom they have no relation with whatsoever.

    Furthermore, Cloudfare has decided to mass impose this status to the entire regional IP block for my country. So, my entire country is deemed as a threat, and doomed to slow AF speeds almost everywhere on the internet. Unless, of course, you own a datacenter and specifically pay Cloudfare to reclassify your static IP addresses to be trusted. This means that in order to use 100% of the bandwidth I pay for to my ISP, use of a VPN is mandatory. Else Cloudfare determines that I don’t deserve anything but dial-up speeds.

    Fuck Cloudfare.

    • Ilovethebomb@lemm.ee
      link
      fedilink
      arrow-up
      21
      ·
      10 months ago

      That’s kinda funny that an entire country has been deemed more trouble than it’s worth.

      • learningduck
        link
        fedilink
        arrow-up
        6
        ·
        10 months ago

        I used to work with a fraud detection system for a payment gateway. The system will automatically flag payments from any Russian and some countries as fraud automatically. This was 4-5 years ago

    • KiranWells@pawb.social
      link
      fedilink
      arrow-up
      9
      ·
      10 months ago

      This is probably not the solution you are looking for, given your opinion of the company, but I wonder if using their 1.1.1.1 app (which acts as a mini VPN to a Cloudflare endpoint and changes your public IP) would fix that for you. The upside is it’s free, the downside is that it is a Cloudflare-run VPN.

  • FlexibleToast@lemmy.world
    link
    fedilink
    arrow-up
    64
    arrow-down
    2
    ·
    10 months ago

    It’s partly just their sheer size. The internet continues to become a worse place as it gets more and more centralized, and Cloudflare is part of that.

  • Dogeek@sh.itjust.works
    link
    fedilink
    arrow-up
    49
    ·
    10 months ago

    They get hated on because :

    • they inspect packets. They terminate the TLS sessions at their servers and reencrypt to forward to the backend. This allows them to analyze the data to spot spam, optimize compression and such

    • they are used everywhere. If they go down, 30% of the internet goes with them.

    • IphtashuFitz@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      10 months ago

      They terminate the TLS sessions at their servers and reencrypt to forward to the backend. This allows them to analyze the data to spot spam, optimize compression and such

      And any organization that utilizes a CDN/security provider, like Akamai, AWS, Fastly, etc. knows that they all do this. They need access to the unencrypted content in order for services like CDN and WAF to work properly.

      • scumola@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        7
        ·
        10 months ago

        Both points are bad. Don’t put all your eggs in one basket. The Internet was created to be run by millions of servers and works best that way. Funneling everything through one company is just a bad idea in general.

  • redcalcium@lemmy.institute
    link
    fedilink
    arrow-up
    36
    arrow-down
    1
    ·
    10 months ago

    Cloudflare is cool now, but what would happen 10 years from now when they get enshittified while handling majority of global web traffics? We would be truly fucked.

    • Rikudou_Sage@lemmings.world
      link
      fedilink
      arrow-up
      11
      arrow-down
      3
      ·
      10 months ago

      What would happen? Well, people would switch. It’s not like you’re entering a contract that forces you to host using CloudFlare.

      I once bought a website that was on CloudFlare, few simple config changes later it’s running directly on a webserver.

      • redcalcium@lemmy.institute
        link
        fedilink
        arrow-up
        15
        arrow-down
        1
        ·
        10 months ago

        Not so easy to switch it you’re balls deep into their products such as Worker, Zero Trust Network, Magic WAN, Stream, etc.

        • KiranWells@pawb.social
          link
          fedilink
          arrow-up
          5
          ·
          10 months ago

          To be honest, you can say the same about any large cloud provider. What happens if AWS, or Azure, or Google Cloud go down, or become terrible?

          • redcalcium@lemmy.institute
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            10 months ago

            Cloudflare has much more impact than other cloud vendors here simply because they MITM their customers by default. Combine that with ever increasing market share, cloudflare has the potential to tap into data not even Google analytics can collect because they’re able to see all unencrypted data following through their reverse proxy. If they decided to up their analytics game, you won’t be able to block their data collection with ublock origin.

  • BaroqueInMind@lemmy.one
    link
    fedilink
    arrow-up
    32
    arrow-down
    4
    ·
    edit-2
    10 months ago

    Most people enjoy bandwagon jumping onto hating the status-quo. If Cloudflare goes down, the majority of the internet goes with it, because they are the most prolific private entity that owns most of the hardware running the entire internet.

    They are the biggest because they provide the overall best and essentially fastest level of DDoS, geoIP block, and packet-inspection malware protection of any provider on commercial hardware short of utilising spooky predictive DARPA machine learning algorithms that ride the razors edge of sapience on government funded terawatt supercomputer clusters. They are expensive and you get what you pay for.

  • Limonene@lemmy.world
    link
    fedilink
    arrow-up
    31
    arrow-down
    5
    ·
    10 months ago

    Cloudflare seems to incorrectly classify my Internet connection, which is a residential Internet connection going to my house, as a datacenter connection or VPN or something.

    Many websites that use Cloudflare give me endless captcha forms. As soon as I solve one, it demands another, and never lets me access the website.

    Sometimes I solve one captcha, and then it says I’m blocked forever for sending automated queries, even though I filled it out correctly. The error message is: “You are blocked.”

    Sometimes it lets me in after one captcha, but I still resent having to enable Javascript for these assholes just to access a site that doesn’t otherwise require Javascript.

    Sometimes Cloudflare adds extra security to certain pages, just for me. The developers of the website didn’t program it to handle this extra security, so the site fails for just me, and the site developers don’t believe me, telling me I have a browser problem (in three different browsers, which I can fix by using a proxy). For example, when the site’s javascript has my browser to do a CORS operation, the first step is the browser sending an OPTIONS request. However, the extra security of the proxy introduced by Cloudflare responds slightly differently from the actual website, so the site breaks.

    Cloudflare uses a holistic approach to deciding whether you are a legitimate user or a bot. In other words, they use every single possible piece of data they can get on you, including tracking your visits across other Cloudflare sites. They do discriminate against certain user-agent strings.

    Cloudflare completely blocks many Tor users, even from having read-only access to a site.

    When you ask Cloudflare why your IP address is blocked, they falsely claim that it’s a setting created by the website admins. I strongly suspect that this setting is something like “use Cloudflare™ Adaptive Security™” and probably doesn’t explain to the site admin that they’re blocking large quantities of innocent users.

    Cloudflare has previously used Google Recaptcha, which has a ton of problems (tracking, accessibility, training AIs that will make my life worse).

  • Fleppensteyn@feddit.nl
    link
    fedilink
    arrow-up
    23
    ·
    10 months ago

    It sucks to go through “prove you are human” screens that seem to time out half the time. Even worse when they put RSS feeds behind this Cloudflare wall

      • shellsharks@infosec.pub
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        10 months ago

        A measured response to be sure. Thanks for writing it up. I’m definitely not the one who’s going to tell you for sure what CloudFlare should or should not do in this case or any other cases. It’s a tricky business to be in in terms of making those decisions. That said, I do think there is a line to be drawn SOMEWHERE, and because of this they would eventually need to deplatform something. If that signals to the regimes of the world that Cloudflare can be influenced than so be it, but to me (and I think a lot of the people who were going after Cloudflare during this time), Nazi’s (and those sites you mentioned, e.g. Kiwi Farms) are easy to draw lines for. Good thing I’m just a dude on Lemmy and not a high powered CF exec hah!

          • shellsharks@infosec.pub
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            10 months ago

            I’m taking a bit more literal interpretation of “de-platform”, which I agree is not the way it has been traditionally used. In my case, if a platform takes you down, you were just de-platformed =). As for the question of “what is a nazi?”, 100% agree in terms of “where is the line”. Yes, there are some very obvious cases that I think 100% of people would identify in the same way, but there is undoubtedly that pesky ol’ gray area (which as your bulleted list makes clear is a non-trivially large area) where things start to get a little more subjective. Sure, it’d be great if companies (like CloudFlare) smell-tested things in the same way I do haha but outside of that, it is no doubt difficult to define.

  • Fontasia@feddit.nl
    link
    fedilink
    arrow-up
    9
    ·
    10 months ago

    For me, it’s the blog posts, written with a level of arrogance and condescension that they are “fixing” the limitations of TCP\IP and if you aren’t using them, you’re making the Web worse for everyone

  • Lath@kbin.social
    link
    fedilink
    arrow-up
    10
    arrow-down
    1
    ·
    10 months ago

    You won’t see it much in the wild, but there have been a few sporadic cases of suspicion where cloudflare may have removed or modified attachment files.
    Of course, there’s a chance those files were malware or that cloudflare didn’t do anything, but for now, there is a theory being formed that all the websites managed by cloudflare can have any of its data modified at will by cloudflare, making it a potential hub for tyranny, censorship and oppression.

  • ObsidianZed@lemmy.world
    link
    fedilink
    arrow-up
    7
    arrow-down
    1
    ·
    10 months ago

    For the better part of a decade, I’ve used Cloudflare’s DNS servers, 1.1.1.1 & 1.0.0.1, mostly because they claimed it was more secure and slightly faster than say, Google’s 8.8.8.8.

    What are the secure-minded folks using these days?

    • Orbital@infosec.pub
      link
      fedilink
      English
      arrow-up
      2
      ·
      10 months ago

      Cloudflare’s 1.1.1.2 blocks known malware domains, so that’s better than 1.1.1.1 unless you want nothing blocked.

      If you want to block ads and trackers in addition to malware, try ControlD’s 76.76.2.2 .

      Better still is to use encrypted DNS if your device supports it. I like NextDNS or ControlD for that, as DNS-Over-TLS or -HTTPS.

  • notannpc@lemmy.world
    link
    fedilink
    arrow-up
    6
    arrow-down
    2
    ·
    10 months ago

    From what I could tell it’s mostly because they didn’t participate in the immediate removal of deplorable, but legal sites from their service.

    The most recent case being Kiwi Farms https://www.cbsnews.com/news/cloudflare-abuse-policy-kiwi-farms-harassment-clara-sorrenti-keffals/

    They quickly reversed course and dropped kiwi farms within a few days of that article dropping https://www.washingtonpost.com/technology/2022/09/03/cloudflare-drops-kiwifarms/

  • casual_turtle_stew_enjoyer@sh.itjust.works
    link
    fedilink
    arrow-up
    7
    arrow-down
    9
    ·
    10 months ago

    Despite being a paying customer, my biggest gripe with them is their lack of concern for freedom of speech. They decided they can “de-platform” sites that they are not aligned with, which is shitty when A) they’ve basically cornered the SMB CDN/DDoS-protection space B) they are fine with these sites in their customer base until a pressure campaign they don’t feel like battling surfaces.

    This is referring to the KiwiFarms vs Keffles situation, where Keffles made false claims to Cloudflare about KiwiFarms endorsing/promoting suicide in an attempt to prevent her leaked discord convos from spreading. Cloudflare caved without question and suspended KiwiFarms’ account without warning.

    Otherwise, I have personally never had an issue with Cloudflare. But I am still going to look for alternatives because I don’t think it’s cool for companies with that kind of responsibility to bend a knee to bad actors out of fucking convenience.

    • Bernie_Sandals@lemmy.world
      link
      fedilink
      arrow-up
      11
      arrow-down
      2
      ·
      edit-2
      10 months ago

      Kiwifarms was actively carrying out doxxing and targeted harassment campaigns that led to the suicides of multiple people. Whatever your opinion is on Keffals, this is a fact, and it’s what got Kiwifarms taken down, Keffals was just the loudest voice pointing it out.

    • Potatos_are_not_friends@lemmy.world
      link
      fedilink
      arrow-up
      7
      arrow-down
      1
      ·
      10 months ago

      I don’t know if I agree with your statement.

      Cloudflare is absolutely fine with providing services to websites that host incredibly dangerous misinformation or violent material.

      Because unless it’s multiple legal threats or can hurt Cloudflare directly, Cloudflare won’t act.

    • Atemu@lemmy.ml
      link
      fedilink
      arrow-up
      8
      ·
      10 months ago

      Eh. That’s like saying internet routers support Nazis and other hate groups because they route the Nazi’s webservers’ packets.

          • Ada@lemmy.blahaj.zone
            link
            fedilink
            arrow-up
            3
            arrow-down
            1
            ·
            10 months ago

            If you have to be dragged kicking and screaming by public outcry before you cancel Nazis, you support Nazis. But you know what happened as well as I do, so your framing of events that way is interesting…

              • Ada@lemmy.blahaj.zone
                link
                fedilink
                arrow-up
                2
                arrow-down
                1
                ·
                10 months ago

                Yeah yeah, freeze peach etc.

                I prioritise the safety of my community more than I value trying to conflate free speech with private monopolies acting in their own self interest, especially whilst they’re actively sustaining harm against vulnerable folk.

        • Atemu@lemmy.ml
          link
          fedilink
          arrow-up
          5
          arrow-down
          1
          ·
          10 months ago

          How is their “support” more “active” than internet routers; not passive?

    • Gallardo994@sh.itjust.works
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      edit-2
      10 months ago

      Could be a coincidence but I see the word “nazi” mentioned most by blahaj.zone accounts. Is everything okay?