The Asocial

Cloudflare

A self-inflicted MitM attack service

Image license copyrighted logo
Article date May 23, 2017
Category internet

You may have noticed that we didn’t write much in the past few months. That’s because we’ve been saving our quarterly profanity quota to write about Cloudflare.

“Synergy” is a word famous for being abused by useless people, yet it would serve well to describe what the combination of Cloudflare with everything connected to it is: a few pieces of shit whose combination is a greater piece of shit than the sum of each separately. Or, to put it more straightforwardly, Cloudflare is a shit amplifier.

Consider Google: it milks its users for private information, sells it to spammers (aka advertisers), tries to track everyone else and do the same to them, but fails when JavaScript is disabled and Google hosts are blocked, so everyone’s sort of happy. Combine it with Cloudflare, though, via Google’s captcha service, and anyone who wants to visit a Cloudflare-encumbered website gets an ultimatum: either get tracked and sold to spammers, or become an image-clustering monkey working for Google for free. Supposedly Google doesn’t even pay Cloudflare for that: CF are just happy to screw their users in one more way.

Security with Cloudflare is a circus: just look at “Cloudflare One-Click SSL”. Of course they call both X.509 and TLS “SSL”, but there’s much more. By that page’s own account, using a non-vulnerable TLS version is merely optional. The “Flexible SSL” mode means “pretend that there is encryption”: the browser shows a lock, but the leg between Cloudflare and the actual origin server is plaintext. The “Full SSL” mode is a MitM attack performed by Cloudflare itself: it terminates TLS with its own key, reads everything, and re-encrypts towards the origin (and in plain “Full” mode, as opposed to “Full (strict)”, it doesn’t even validate the origin’s certificate, so that second leg is open to anyone else in the path). Oh, look, “Cloudflare has experienced a data leak over a 5 month period that mixed sensitive data between websites and visitors” – who would have thought! That is exactly what this architecture buys you: once one party decrypts every customer’s traffic in the same process, a single memory-safety bug in the code that parses pages on the edge is enough to spill one site’s plaintext into another site’s responses. Actively broken security combined with an evidently half-assed job turns out to lead to actual leaks. They carried on with a patch and no substantial changes after that, of course.
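As an added example (not code from this article, and nothing Cloudflare ships), here is how a site operator can notice the “Flexible” topology from the origin side: the proxy says in a header which scheme the visitor used, and the server knows which scheme the last hop actually used, so the two can be compared and the “pretend encryption” case refused. The header names are the ones Cloudflare sets (CF-Visitor and X-Forwarded-Proto); the mode labels, the 403 response, the middleware and the sample request environments are this example’s own assumptions, not anything the page describes.

```python
import json

# Added example (not from the article or Cloudflare): an origin-side check that
# notices the "Flexible SSL" topology, i.e. the visitor was promised TLS but the
# hop that actually reached this server is plaintext. Assumes the proxy reports
# the visitor's scheme in CF-Visitor ({"scheme":"https"}) or X-Forwarded-Proto;
# the labels, status code and sample environments are this example's choices.


def visitor_scheme(environ):
    """Scheme the visitor used to reach the edge, as reported by the proxy.

    Both headers can be set by anyone who reaches the origin directly, so they
    are parsed defensively and only ever used to detect a downgrade, never to
    grant anything."""
    raw = environ.get("HTTP_CF_VISITOR")
    if raw:
        try:
            scheme = json.loads(raw).get("scheme")
        except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
            scheme = None
        if scheme in ("http", "https"):
            return scheme
    # X-Forwarded-Proto may carry a chain "https, http"; the first entry is the visitor's
    first = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
    return first if first in ("http", "https") else None


def classify_hop(environ):
    """Compare what the visitor saw with what the origin actually received."""
    origin_scheme = environ.get("wsgi.url_scheme", "http")  # set by the WSGI server from the real socket
    seen = visitor_scheme(environ)
    if seen is None:
        return "direct"     # no proxy header at all: this request did not come through the edge
    if seen == "http":
        return "off"        # plaintext end to end, at least honestly so
    if origin_scheme == "https":
        return "full"       # encrypted on both legs (whether the edge validated our cert is invisible here)
    return "flexible"       # browser shows a lock, proxy->origin leg is plaintext


class RefusePretendTLS:
    """WSGI middleware that fails closed when the proxy claims HTTPS but spoke HTTP to us."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if classify_hop(environ) == "flexible":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"origin reached over plaintext while the visitor was promised TLS\n"]
        return self.app(environ, start_response)


# Constructed sample WSGI environments (not captured traffic), one per situation.
SAMPLE_ENVIRONS = {
    "flexible": {"wsgi.url_scheme": "http", "HTTP_CF_VISITOR": '{"scheme":"https"}'},
    "full": {"wsgi.url_scheme": "https", "HTTP_CF_VISITOR": '{"scheme":"https"}'},
    "off": {"wsgi.url_scheme": "http", "HTTP_CF_VISITOR": '{"scheme":"http"}'},
    "direct": {"wsgi.url_scheme": "http"},
    # garbage CF-Visitor: fall back to X-Forwarded-Proto
    "flexible_xfp": {"wsgi.url_scheme": "http", "HTTP_CF_VISITOR": "not json",
                     "HTTP_X_FORWARDED_PROTO": "https, http"},
}


def run_sample(name):
    """Drive the middleware with one sample environ; return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    def inner_app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"hello\n"]

    body = b"".join(RefusePretendTLS(inner_app)(SAMPLE_ENVIRONS[name], start_response))
    return captured["status"], body


if __name__ == "__main__":
    for name in SAMPLE_ENVIRONS:
        print(name, classify_hop(SAMPLE_ENVIRONS[name]), run_sample(name)[0])
```

This detects a downgrade; it cannot create trust. Anyone who can reach the origin directly can set either header, and the “direct” case is its own problem: fronting a site with Cloudflare is pointless if the origin still answers to the whole internet. From the origin you also cannot tell “Full” from “Full (strict)”; whether the edge validated your certificate is decided, and only visible, on Cloudflare’s side.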

The criticism section on Wikipedia doesn’t even cover these points, but it does mention pink contracts and the like; indeed, spammers seem to like Cloudflare, as do other scammers.

The only good thing about Cloudflare is that it lists the largest companies foolish enough to trust them, so one can use that list to find out what to avoid. They tend to quote their number of clients (“internet properties”, as they call them) as well, in an attempt to exploit at least two common fallacies: the appeal to authority and the appeal to popularity.

The Wikipedia article mentions that they’ve got some dumb award from TechCrunch. Why don’t we hand out awards too? Cloudflare is hereby given our new “fraud of the year” award.

P.S. The public mail service we were using, vivaldi.net, has — in its infinite wisdom — effectively blocked our account as a response to the Cloudflare leak. If you’ve sent anything there in the past year or so, use our updated contacts to resend it.