Say No to Cloudflare

· 705 words · 4 minute read

Note: This post is not contradictory to other posts published in the past. Cloudflare can only be safely used to deliver static assets (e.g. public css, js) or already encrypted (by other means except TLS) traffic.

Cloudflare is the world’s largest MITM proxy (reverse proxy). Cloudflare owns more than 80% of reverse proxy market share and the number of Cloudflare users are growing each day. They have expanded their network to more than 100 countries. Cloudflare serves more web traffic than Twitter, Amazon, Apple, Instagram, Bing and Wikipedia combined. Cloudflare is offering free plan and many people are using it instead of configuring their servers properly. They traded privacy over convenience.

Cloudflare sits between you and origin web server, acting like a border patrol agent. You are not able to connect to your chosen destination. You are connecting to Cloudflare and all your information is being decrypted and handed over on the fly. Cloudflare has a global view into the traffic of the Internet, and they observe the traffic flowing to and from them continuously.

Cloudflare possesses great power. In a sense, they control what the end user ultimately sees. You are prevented from browsing the website because of Cloudflare.

You cannot pass this invasive “browser check” without enabling JavaScript. This is a waste of five (or usually more) seconds of your valuable life.

In the year 2020 Cloudflare switched from Google’s reCAPTCHA to hCaptcha as Google intends to charge for its use. Cloudflare told you they care in your privacy (“it helps address a privacy concern”) but this is obviously a lie. It is all about money. “hCaptcha allows websites to make money serving this demand while blocking bots and other forms of abuse.”

From user’s perspective, this doesn’t change much. You are being forced to solve it.

There is no way to solve the captcha without enabling JavaScript and Cookies. Cloudflare is using them to make a browser signature to identify you. Cloudflare needs to know your identity to decide whether you are eligible to continue browsing the site.

If you visit website which use Cloudflare, you are sharing your information not only to website owner but also Cloudflare. This is how the reverse proxy works.

It is impossible to analyze without decrypting TLS traffic.

Cloudflare knows all your data such as raw password.

Cloudflare’s HTTPS is never end-to-end.

Do you really want to share your data with Cloudflare, and also 3-letter agency?

Internet user’s online profile is a “product” that the government and big tech companies wants to buy.

U.S. Department of Homeland Security said to Cloudflare CEO, “Do you have any idea how valuable the data you have is? Is there any way you would sell us that data?”

Cloudflare also offer free VPN service called “Cloudflare Warp”. If you use it, all your smartphone (or your computer) connections are sent to Cloudflare servers. Cloudflare can know which website you’ve read, what comment you’ve posted, who you’ve talked to, etc. You are voluntary giving all your information to Cloudflare. If you think “Are you joking? Cloudflare is secure.” then you need to learn how VPN works.

You might already know about the PRISM scandal. It is true that AT&T lets NSA copy all internet data for surveillance.

Let’s say you’re working at the NSA, and you want every citizen’s internet profile. You know most of them are blindly trusting Cloudflare and using it - only one centralized gateway - to proxy their company server connection (SSH/RDP), emails, personal website, chat website, forum website, bank website, insurance website, search engine, secret member-only website, auction website, shopping, video website, game website, NSFW website, and illegal website. You also know they use Cloudflare’s DNS service ("1.1.1.1") and VPN service ("Cloudflare Warp") for “Secure! Faster! Better!” Internet experience. Combining them with user’s IP address, browser fingerprint, cookies and RAY-ID will be useful to build target’s online profile.

You want their data. What will you do?

Cloudflare is a honeypot.

Free honey for everyone. Some strings attached.

Do not use Cloudflare.

Decentralize the Internet.

If you are a web server administrator, you can block requests from Cloudflare IP. Cloudflare IPv4 addresses are here, and IPv6 addresses are here.

Go to crimeflare.eu.org to learn more about it.