1. 61
  2. 12

    This mostly seems like a reaction against Cloudflare promoting RPKI, from people/ISPs who don’t want to bother with RPKI. Since IMO RPKI is a good, valuable improvement to security, I’m a bit disinclined to give much credence to this.

    E.g. The claim that Cloudflare is supposedly stifling combining their services with other providers because you have to… pay to do so, instead of using their free plan? That doesn’t sound malicious to me. If you’ve never paid them a dime, why do you expect them to provide any free service you want? It’s not even expensive: it’s $5/month for all the features of their Business plan as long as you’re under 10MM requests/month (and fairly reasonable pricing over that too). It’s not like the ISPs who are complaining about RPKI are giving away their services for free; why should they complain about Cloudflare charging reasonable prices for their services too?

    1. 1

      […] Cloudflare promoting RPKI, from people/ISPs who don’t want to bother with RPKI.

      More like engaging in a counterproductive behaviour, i.e. public naming and shaming of those who don’t yet (fully) support RPKI.

      That being said, please look at the tag and the disclaimer/footer on the page:

      While this site is a parody, it may contain factual information. :)

      ;^)

    2. 11

      Other commenters have said much of what I was thinking reading this page.

      However, I do agree with this page about how consolidation under Cloudflare is kind of a scary prospect. Really, from a business perspective, they’ve made their offerings very attractive, and have done an excellent job marketing. But yes, all that consolidation is very alarming from a privacy perspective. Cloudflare does a good job promoting privacy around the internet, and coming into Cloudflare, but like many companies, how that data is used internally is a black box.

      The other point that I wish was levied at more than just Cloudflare — the point about the VPN market. Cloudflare has adopted tactics of the popular VPN providers that are advertising services at folks not as familiar with tech, selling them what’s almost privacy snakeoil. I’d like to see that point echoed far and wide, about all VPN providers, so that their potential customers actually understand what they’re buying.

      1. 5

        Cloudflare is trying to centralize the internet

        I agree this is not ideal. But they provide good services and actively contribute to the security of the internet in terms of open source work and pushing for stronger standards. Ideally everyone would host their own services but I don’t think centralisation on its own is a very strong argument. Disincentivizing centralisation takes more than tackling centralised services one by one.

        Instead of the user directly connecting to the intended website, the user is connected to Cloudflare’s servers instead. […] Cloudflare gets to see the billing details and possibly payment information of customers

        No worse than trusting your own hosting provider. This issue exists any place you’re not self-hosting. However Cloudflare can do a lot more damage if at any time they turn malicious.

        In addition to that, while your browser may show that the connection is encrypted using HTTPS, it does not necessarily mean that the connection between Cloudflare and the target site is encrypted as well.

        100% agree with this statement. They should enforce that a trusted certificate be installed and verified on the origin server. You can manually enable this but for sure lots of people do not.

        Cloudflare is shielding cybercriminals

        So is encryption. So does the NHS. Criminals also breathe air like the rest of us. This argument implies that Cloudflare should also be acting as a moderator for content which I do not agree with.

        they do not seem too bothered about some of their customers hosting the very services they strive to protect against, on their own platform

        The attacks themselves will not be coming from Cloudflare’s servers.

        Scaring internet users into thinking their ISPs are insecure in the middle of a global pandemic

        What? So is SSLLabs bad for listing the TLS ratings of different services? Or internet.nl? I don’t understand this viewpoint. And you’re going to back it up by appealing to coronavirus?

        1. 0

          Cloudflare is shielding cybercriminals

          So is encryption.

          Encryption is a technology and is therefore blind.

          So does the NHS.

          Yes, they do not discriminate.

          Criminals also breathe air like the rest of us.

          C’mon.

          This argument implies that Cloudflare should also be acting as a moderator for content which I do not agree with.

          It’s not just about content which I do not agree with or is morally objectionable but the kind which is illegal. On the other hand Cloudflare, with their 1.1.1.1 for Families service, was absolutely fine to filter LGBT resources and sex education websites so how aren’t they a moderator?

          So is SSLLabs bad for listing the TLS ratings of different services? Or internet.nl?

          Both provide opt-in tests - the former allows for the results not to appear on their site, while the latter has a Hall of Fame, not Hall of Shame. Also, they neither encourage nor facilitate using Twitter to spread fear and cause panic.

          1. 6

            absolutely fine to filter LGBT resources

            How did you interpret “never intended to do it, reverted the wrong list as fast as they could, and apologized profusely for the mistake” as being “absolutely fine” with it?

            1. 3

              On the other hand Cloudflare, with their 1.1.1.1 for Families service, was absolutely fine to filter LGBT resources and sex education websites so how aren’t they a moderator?

              This is what I would use to respond to your first point. Cloudflare as a content service provider, sitting on the internet acting as a proxy and middle-man, providing this technological service, should not be moderating what content is and is not permitted to exist.

              but the kind which is illegal

              Sure, but arguably it is up to the original host to take that content down, not Cloudflare. I doubt the feds are sitting there trying to DDoS illegal websites.

              Also, they neither encourage nor facilitate using Twitter to spread fear and cause panic.

              Man, people aren’t sitting there terrified in their homes because some guy on Twitter said their ISPs aren’t secure. There absolutely should exist a list tracking the adoption of secure technologies by providers that make up a significant market share. And there should be people encouraging the adoption of these technologies.

              What Cloudflare did here is not harmful by any stretch of the word and it’s a reach to claim that it is.

              1. 2

                I am no fan of Cloudflare, but I’ve found your tone on this topic absolutely obnoxious. Go back through any post you’ve had in just the last couple of days and count the amount of bolds, underlines, and “hot takes”. Even this post has no real information about the arguments on the field and isn’t even a good satire (opinion obviously). I have no idea who is upvoting this post.

                People absolutely do shame each other for things like that and those have been the only time it’s worked, see plaintext offenders. I have gone through a literal year-long disclosure process with vulnerabilities I’ve found in companies just to have them drag their feet until someone else discovered the vuln and published it publicly. Guess which one got things fixed? It’s not a one size fits all, but publishing the routing information about RPKI support is making public information that is not available to the average user. I think it’s a service, shame or not.

            2. 4

              Cloudflare is shielding cybercriminals

              It’s true Cloudflare protects victims from DDoS, but it also protects attackers. Although, if there are no DDoS attacks, whom will Cloudflare protect you from? It’s basically a money-making machine. Both attackers and legit end users use it for protection. Vice versa profitable.

              1. 4

                This troubled me, as there is no source for that. Only a statement from the website’s owner :/

                1. 4

                  It’s true though.

                  Cloudflare serves all customers willing to pay, and even has a free tier for some products. It doesn’t generally vet customers. You don’t have to prove that you’re worthy of using whatever Cloudflare product you wish to pay for, and Cloudflare protects its customers. That includes criminals. Most notably, it includes shielding criminals from people who send email saying “FOO BAR IS A CRIMINAL! I’M TELLING YOU FOO BAR IS A CRIMINAL!”

                  Amazon does the same — anyone can buy things there and the selection includes many useful tools, so Amazon sells burglary tools to criminals. But it’s not a universal standard. IIRC all of the big British banks eventually caved in to public pressure and closed the accounts of some customers the vegans didn’t like.