1. 88
  1.  

  2. 21

    What are the alternatives? Any other CDN offering free services for open source projects?

    1. 12

      What exactly do you need?

      1. 21

        ziglang.org is a static site with no JavaScript and no server-side code. The home page is 22 KB data transferred with cold cache. The biggest service that CloudFlare offers is caching large files such as:

        These are downloaded by the CI server for every master branch push and used to build & run tests. In addition to that, binaries are provided on the download page. These are considerably smaller, but as the number of users grows (and it is growing super-linearly), the cost of data transferred was increasing fast. My AWS bill was up to $20/month and doubling every month.

        Now these assets are cached by CloudFlare and my AWS bill stays at ~$15/month. Given that I live on donations, this is a big deal for me.

        1. 13

          You might consider having a Cloudflare subdomain for these larger binaries so that connections to your main website are not MITM’d. Then you could host the main website wherever you please, and keep the two concerns separable, allowing you to change hosting for the binaries as necessary.

          1. 4

            If I were in this situation I would be tempted to rent a number of cheap (~€2.99/month) instances from somewhere like Scaleway each with Mbps bandwidth caps rather than x GB per billing period and have a service on my main server that would redirect requests to mirror-1.domain or mirror-2.domain, etc depending on how much bandwidth they had available that second.

        2. 17

          Fastly does: https://www.fastly.com/open-source

          Amazon also has grant offerings for CloudFront.

          1. 9

            Avoid bloating your project’s website, and use www. Put all services on separate subdomains so you can segregate things in case one of them gets attacked. If you must use large media, load them from a separate subdomain.

            edit: Based on the reply above, maybe IPFS and BitTorrent to help offload distributing binaries?

            1. 6

              I use Dreamhost for all of oilshell.org and it costs a few dollars a month, certainly less than a $15/month AWS bill.

              I don’t host any 300 MB binaries, but I’d be surprised if Dreamhost couldn’t handle them at the level of traffic of Zig (and 10x or 100x that).

              10 or 15 years ago shared hosting might not be able to handle it, but computers and networks got a lot faster. I don’t know the details, but they have caches in front of all their machines, etc. The sys admin generally seems very competent.

              If I hosted large binaries that they couldn’t handle, I would either try Bittorrent distribution, or maybe create a subdomain so I could easily move only those binaries somewhere to another box.

              But I would bet their caches can handle the spikes upon release, etc. They have tons of customers so I think by now the industry learned to average out the traffic over all of them.


              BTW they advertise their bandwidth as unmetered / unlimited, and I don’t believe that’s a lie, as it was in the 90’s. I think they can basically handle all reasonable use cases and Zig certainly falls within that. The only thing you can’t do is start YouTube or YouPorn on top of Dreamhost, etc.

              FWIW I really like rsync’ing to a single, low latency, bare metal box and rather than using whatever “cloud tools” are currently in fashion. A single box seems to have about the same uptime as the cloud too.

              1. 8

                A single box seems to have about the same uptime as the cloud too.

                That’s… unpleasantly true. Getting reliability out of ‘the cloud’ requires getting an awful lot of things exactly right, in ways that are easy to get wrong.

                1. 2

                  yup

                2. 5

                  I’ll add I was a DreamHost customer because they fight for their users in court. The VPS’s are relatively new. The customer service is hit and miss according to reviews.

                  Prgmr.com I recommend for being honest, having great service, and hosting Lobsters.

                  One can combine such hosts with other service providers. The important stuff remains on hosts dedicated to their users more than average.

                3. 4

                  Free just means you aren’t paying for it. This means someone else is paying the cost for you. Chances are their $$$‘s spent is going to do something good for them, and not so good for you. Perhaps the trade off is worth it, perhaps it isn’t.

                  Assuming the poster is accurate, and Cloudfare is a front for US intelligence, does it matter for what you are using it for?

                  Of course, should the US Government be able to spy on people through companies like this is an entirely different question, and one that should see the light of day and not hide in some backroom somewhere.

                  1. 13

                    Free just means you aren’t paying for it. This means someone else is paying the cost for you. Chances are their $$$‘s spent is going to do something good for them, and not so good for you. Perhaps the trade off is worth it, perhaps it isn’t.

                    In Cloudflare’s case, one fairly well documented note is that free accounts are the crash test dummies:

                    https://blog.cloudflare.com/details-of-the-cloudflare-outage-on-july-2-2019/

                    The DOG PoP is a Cloudflare PoP (just like any of our cities worldwide) but it is used only by Cloudflare employees. This dogfooding PoP enables us to catch problems early before any customer traffic has touched the code. And it frequently does.

                    If the DOG test passes successfully code goes to PIG (as in “Guinea Pig”). This is a Cloudflare PoP where a small subset of customer traffic from non-paying customers passes through the new code.

                    I’d be curious if those customers are rebalanced and how often!

                    1. 30

                      Using free tier customers as limited guinea pigs is honestly a brilliant way to make them an asset without having to sell them to someone else. Whatever else cloudflare is doing with them, that one’s a really cool idea.

                  2. 3

                    Netlify is an option if your site is static, and it offers free pro accounts for open source projects (there’s also a tier that’s free for any project, open source or not, which has fewer features).

                    Disclaimer: I work there.

                    1. 1

                      Not free, but Digital Ocean Spaces (like S3) is 5$/month for up to something like 5GB, and includes free CDN.

                    2. 39

                      I work for Cloudflare, so I have a bit more insight into how it operates (I’m speaking for myself, that’s not an official response).

                      • Free customers at Cloudflare are a really cool hack. You are the product, but not in the Google/Facebook way you’d expect. The more Cloudflare caches, the more it helps ISPs save on costs of their outgoing traffic, and in return Cloudflare can negotiate better peering agreements. That’s a win-win, because Cloudflare gets cheaper bandwidth, and ISPs on other continents are very happy they don’t have to fetch everything from us-east-1.

                        The free tier is also used for testing rollouts and customer acquisition. You an read about it in Cloudflare’s S-1: https://www.sec.gov/Archives/edgar/data/1477333/000119312519222176/d735023ds1.htm

                      • There are customers who really want and pay good money for features like WAF and blocking of “bad” traffic. Sure it sounds dumb, but “just don’t have SQL injection vulnerabilities” doesn’t work for everyone. There are some customers who have thousands of sites, and are at risk of being pwned just because one of marketing teams might have set up a Wordpress microsite for a promotion 5 years ago and forgot about it. Cloudlfare has an entire team that monitors attacks happening in the wild, and keeps updating WAF in response, so you have much smaller chance of being hit by the CVE of the day.

                      • Aggressiveness of bot blocking, e-mail filtering, etc. are controlled by users. Harassment of users with CAPTCHAs doesn’t help anyone. It’s just that classification of traffic is a very hard problem.

                      • Cookies […] Since Cloudflare definitely has assets in the EU — it has to, it’s a CDN — it’s also pretty egregiously violating EU law here.

                        If it was a pretty egregious violation then wouldn’t you think that some law enforcement would have happened?

                      • The mysterious reason why U.S Govt allows Cloudflare to “violate copyright” (and so do all other governments in the world! — wow, Cloudflare is in bed with all of them!) is that users click “Agree” on Terms of Service.

                      1. 36

                        Free customers at Cloudflare are a really cool hack. You are the product, but not in the Google/Facebook way you’d expect. The more Cloudflare caches, the more it helps ISPs save on costs of their outgoing traffic, and in return Cloudflare can negotiate better peering agreements.

                        Meaning, Cloudflare gets more power and more say in who gets to have a website. 8chan is still offline, two and a half months later, as a direct result of Cloudflare’s actions. (I understand many people are happy about that, though.)

                        But, it’s just the world we live in now.

                        I think power grabs aren’t a cool hack. I’ve seen too many of them go badly to be comfortable with immense centralization.

                        1. 16

                          I think fewer genocide fan sites is always better, and I regret Cloudflare drags its feet dropping them.

                          1. 33

                            You’ll feel that way right up until they ban a site you like. And the distance between today and that day is getting smaller.

                            It’s not about 8chan. It’s about the fact that they can choose who gets to be a part of the internet. You know, that thing that we used to believe everyone should have a say in.

                            1. 14

                              To put things in perspective: even in the very recent past government censorship in the US and Europe was much much more intense than Cloudflare kicking two sites (StormFront and 8chan) off the internet for literal support of literal terrorism. We’re probably living in the most free era that has ever been known.

                              1. 9

                                We’re probably living in the most free era that has ever been known.

                                Unless you measure government and corporate surveillance. In that case we are certainly living in the most surveilled era that has ever been known.

                                1. 7

                                  We’re probably living in the most free era that has ever been known

                                  Obligatory disclaimer: if you’re fortunate enough to live in a liberal democracy.

                                  But I agree with your other statements!

                                  American “cultural imperialism” has many faces - the normalization of US norms of free speech to the world’s internet is one of them.

                                  1. 7

                                    We’re probably living in the most free era that has ever been known

                                    Obligatory disclaimer: if you’re fortunate enough to live in a liberal democracy.

                                    Yeah, obviously. I’m currently living in Indonesia and things are different here; I can’t go on Reddit for example as it’s all blocked :-/

                                    Living abroad in general is one of the things that gives you some perspective by the way, to give a different example, I used to complain about the Dutch public transport system, but after having lived in several different countries I can report that the Dutch public transport is actually really good compared to almost every other country.

                                    1. 3

                                      Americans who value freedom should build technologies that prevent their own speech from being censored by foreigners (or other Americans) who value freedom of speech less than some other political goal. It’s no imperialism worth opposing if non-Americans also make use of those technologies to secure their own speech.

                                  2. 6

                                    You know, that thing that we used to believe everyone should have a say in.

                                    I think most of who said that never believed that nazism could come back. At least I did, and now that it has come back, I’m reconsidering my position. The weaponizing of masses for digital terrorism was another thing I didn’t foresee at all, but that’s what we have now.

                                    If your point was that it’s weird that single companies have to carry the responsibility to make these decisions, that I can agree with.

                                      1. 22

                                        I think you’re stretching that comic a bit there. If you mean it as “you have free speech but I don’t have to listen to you”, I agree with you. You’re not stopping anyone else from listening to him by ignoring him.

                                        But being able to remove a platform in the blink of an eye is a very powerful tool. It should not fall in the wrong hands. As long as Cloudflare is upfront about what is acceptable and what not, and upholds those standards in a publicly verifyable way, I don’t see an issue, but the way 8chan was handled is less than ideal.

                                        Today it was 8chan that suddenly was denied service, tomorrow it could be something that I care about.

                                        1. 18

                                          I am worried about decisions of platforms that capture audience and control attention of large numbers of people (YouTube, Twitter, Facebook), because when they drop someone, they disconnect them from their audience. When they promote someone, they amplify their voice.

                                          With Cloudflare none of that happens. It doesn’t bring you an audience. You use your own domain, so when Cloudflare drops you, you can go elsewhere and reconnect with your audience. But if nobody else is willing to host 8chan, that’s the xkcd situation.

                                          In either case, when a platform makes a wrong judgement that’s very unfortunate, but IMHO it should not be an excuse for not making any judgements at all.

                                          1. 6

                                            If your service is Denial of Service prevention, and you can at your own discretion stop providing service to sites you don’t like (or even prevent certain demographics from reaching a certain site), you’re effectively saying that you protect from Denial of Service, except your own.

                                            Most of your customers are not actually in need of DoS-protection, but some are. For those, you suddenly denying them service is a huge blow. I have no sympathy for 8chan, let that be clear, but some day in the future a case might show up that is not so black and white, and do we trust Cloudflare to make the right call then? Remember they got it wrong with 8chan before - the site was not taken online as soon Cloudflare learned about it.

                                            And equally important (you’d almost forget about it with all this talk about 8chan), do we trust Cloudflare not to abuse their close-to-monopoly on web traffic?

                                            1. 4

                                              because when they drop someone, they disconnect them from their audience.

                                              If CF dropping 8chan didn’t disconnect them from their audience, what was the point in dropping them?

                                              But if nobody else is willing to host 8chan, that’s the xkcd situation.

                                              How do you feel about the Hollywood Blacklist?

                                              1. 5

                                                I think refusing to cooperate with those who you believe to be harmful/immoral/corrupting/otherwise unacceptable is a good non-violent method of suppressing such views and behaviors. It doesn’t mean I agree with motivations of all people who use this method.

                                                1. 7

                                                  Operating a hosting service doesn’t mean you can somehow be apolitical. Saying that you will host anything is itself a political statement.

                                                  Choosing to enable hate-speech is a political action. With 8chan, it appears that no one wanted that publicly associated with the site, and so it is offline. I’d say that’s a good thing. You can disagree. That’s politics.

                                                  I disapprove of the Hollywood Blacklist and similar McCarthyist nonsense. Those people should not have been harassed because those people were not violent or dangerous. This is consistent with wanting hate sites (which do appear to encourage copycat attacks, radicalise others, etc) to be shut down.

                                                  Ideally, the users would be identified and encouraged to take part in counselling and sensitivity training to try to stop them being such racists.

                                              2. 8

                                                Even if the same form of a rule (ban X from Y) can be used both for good (ban Nazis from Twitter) and for bad (ban women from public places) we aren’t obliged to throw the rule in all of its forms away. We can apply the rule in ways that reduce suffering, and refuse to apply it in ways that increase suffering.

                                                This is obvious. We don’t abandon wholesale the concept of laws and punitive justice (if you assault someone the state may confine you) even though it can be misapplied (if you commit adultery the state may execute you).

                                                1. 6

                                                  Whoa, this is not about whether censorship is good, this is about wheter it’s a good idea to do it at the discretion of a single company. At a state level the lawmaker is supposed to be separate from the justice system. Cloudflare is responsible for a large chunck of the internet; do we want to trust them now and in the future not to abuse that responsibility at some point?

                                                  1. 4

                                                    They do not have a monopoly, so they’re not censoring. The other site CF blocked is hosted again, for example.

                                                    Yes, it would be nice if this kind of thing were done democratically, and CF highlight that in their blog, but the occasional refusal of service to literal fascists is hardly the most compelling argument for democratic governance of the internet.

                                                    1. 4

                                                      Is your point that since you agree with their action this time, we don’t need oversight because next time you will also agree?

                                                      Can I ask if you protested Cloudflare when they defended hosting 8chan?

                                                      1. 3

                                                        I didn’t protest, but if I had heard about it on here or reddit I might have expressed disapproval.

                                                        My point is that it would be nice to have democratic oversight of this kind of thing, but it’s also not really that big a deal because there are competitors to use. If CF was a monopoly, this would be more of an issue and a democratic body should take action (regulate CF or break it up).

                                                        Because CF is in a competitive market, the situation is more like this one: In the UK some hotels refused service to gay people and were then sued under anti-discrimination laws because sexual orientation is a protected characteristic. If a country passes anti-discrimination laws protecting hate-speech, then the administrators of 8chan could sue in that jurisdiction.

                                                        Indeed, if CF refused to host Stonewall, then they could probably be sued in the UK on that basis. That’s the current democratic consensus and I’m mostly fine with it.

                                              3. 7

                                                No need to re-iterate, we understand what you’re saying: free speech is only for opinions you approve of. You’re just wrong, is all.

                                                1. 11

                                                  We understand what you’re saying: free speech is only for opinions you approve of. You’re just wrong, is all.

                                                  It is disingenuous in the extreme to handwave away white supremacy or Nazi ethno-nationalism as mere “opinions you don’t approve of”, or “political speech”, or whatever other weasel phrase you want to use. That the New England Patriots are a good football team is an opinion I don’t approve of. The efficacy of Austrian economic policy is political speech I don’t subscribe to. The notion that a society should be a white ethno-state is fundamentally different, different in kind, an antisocial cancer that deserves complete and contemptuous eradication.

                                                  1. 2

                                                    [ethno-state stuff]

                                                    How do you feel about non-white ethno states?

                                                2. 4

                                                  Hey, I have an idea. How about a central registry of naughty opinions? If you’re on the list, you’re not allowed to have a website or social media presence. It could be like a modern day sex offender registry: It’ll track when you say something disagreeable, and any time you pop up online it’ll automatically post a link to it for everyone to see.

                                                  I’m a bit sad that this seems like a viable idea. Also sad that people seem to want this future.

                                                  1. 8

                                                    Hey, I have an idea. How about a central registry of naughty opinions? If you’re on the list, you’re not allowed to have a website or social media presence.

                                                    It is disingenuous in the extreme to handwave away white supremacy or Nazi ethno-nationalism as mere “naughty opinions”, or whatever other weasel phrase you want to use. Disliking cilantro, or enjoying EDM, might be naughty opinions. The notion that a society should be a white ethno-state is fundamentally different, different in kind, an antisocial cancer that deserves complete and contemptuous eradication.

                                                    1. 2

                                                      China is pretty much this.

                                                      1. 0

                                                        We already have that, its called Twitter and its cancel culture.

                                                  2. [Comment removed by author]

                                                    1. 8

                                                      Genocides, although they are awful and hard to defend, often happen with very good reasons in situations where it’s often “to kill or be killed”

                                                      Off the top of my head, the Holocaust and Rwandan genocide were the results of demagogues, the Holomodor was a deliberate policy by an authoritarian state, and there’s no plausible way that Ottoman Turkey could claim that Armenians were an existential threat to their nation.

                                                      I’m welcome for counterexamples of where the use of the resources of a modern state to murder people because of their class or ethnicity was justified because those people were preparing to do the same.

                                                      1. [Comment removed by author]

                                                        1. 4

                                                          Also: There’s two sides to the Holocaust story…

                                                          Alright, I’m out. It was a nice run, lobste.rs. Shame you turned out also not to have an answer to the apparently-universal problem of tech aggregators accumulating nazis over time.

                                                          1. -2

                                                            Alright, I’m out. It was a nice run, lobste.rs. Shame you turned out also not to have an answer to the apparently-universal problem of tech aggregators accumulating nazis over time.

                                                            Seriously?

                                                            I’m quite shocked by this accusation.

                                                            If this is the level of naivety and how it has to be, I’ll show myself out.

                                                          2. 3

                                                            Any further discussion on my part with you on this topic is pointless.

                                                            1. 2

                                                              The other, less commonly know side, is that most Jews were poor and living in ghetto’s across Germany and Europe.

                                                              Do you have any historical evidence which backs up this claim? Since there was antisemitism against the jewish population well before WWII

                                                              1. -4

                                                                Do you have any historical evidence which backs up this claim? Since there was antisemitism against the jewish population well before WWII

                                                                In fact: Wikipedia has all you might want to know about this subject

                                                                By the way: I do not deny that there was antisemitism, nor do I deny that the antisemitism in Europe is what caused the entire situation in the first place.

                                                                I am merely pointing out that these issues are extremely complicated and often rooted in differences in religious beliefs and very hard competition over resources (often food).

                                                                You should take my words as a dire warning against tribalism.

                                                                You should also take my words as a plea against leaving these kinds of decisions (who does and who doesn’t get your protection) up to a private company with no democratic control whatsoever. Regardless of what has been stated in their terms.

                                                          3. 10

                                                            “Genocide is often justifiable” is not a position I thought I would encounter on lobste.rs this morning

                                                            1. -1

                                                              That is a brutal twisting of my words and absolutely not what I said at all.

                                                              1. 6

                                                                Genocides, although they are awful and hard to defend, often happen with very good reasons

                                                                The distinction between “Genocide is often justifiable” and “Genocides often happen with very good reasons” is really not apparent to me and you should really rethink 1) this position 2) posting this position in a public forum 3) jumping into entirely unrelated conversations to post this position in a public forum

                                                                1. -1

                                                                  First of all a response to 1): You should note that I have never justified genocide, re-read what I wrote and read it literally. You will find, that I haven’t stated my position at all and that the entire piece consists of merely observations.

                                                                  Secondly, in response to 2) and 3): I wasn’t the one who dragged this subject into this discussion, but I am the one who argues that these kinds of decisions should not be made by private organizations without democratic control.

                                                                  As for the distinction between the two:

                                                                  “Genocide is often justifiable” implies that a genocide has been committed on a reasonable basis.

                                                                  “Genocides often happen with very good reasons” is not as strong a statement. I have deliberately left open the option of it being unreasonable and/or unjustifiable. Often, it’s simply the consequence of a conflict, a side that wants retribution, a lack of self-control and political wheels that have been set in motion which cannot be stopped anymore.

                                                                  That is the difference between the two.

                                                                  1. 3

                                                                    Glad to see that the person willing to debate the merits of genocide has deactivated, good riddance

                                                                    1. 3

                                                                      The user deleted their own account. There’s no mention of a ban in the modlog, and from experience I know the mods will reach out in PM to a user if a ban is in the cards.

                                                                      I’m regretting engaging with the user in this matter. At the time I was genuinely interested in learning about their views on genocide - I believed it to be a misunderstanding of the term based on the user not being a native English speaker. I did not expect unprompted equivocation about the Holocaust.

                                                                      1. -2

                                                                        You argue in such despicable bad faith.

                                                                        1. 5

                                                                          Please (and for folks upthread too) refrain from ad-hominems. If you have to say something mean, at least use the messaging functionality of Lobsters instead of cluttering up threads.

                                                                          It’s really hard to even attempt to have civil discourse on political/policy points like this without also devolving into namecalling.

                                                        2. 10

                                                          Aggressiveness of bot blocking, e-mail filtering, etc. are controlled by users.

                                                          It’s the defaults that are terrible! Tons of fully static blogs have the stupid “bot protection” for GET requests which has no security purpose whatsoever. Because users do not bother to change defaults.

                                                          1. 4

                                                            That’s a fair point. I’ll ask if we can change the defaults.

                                                            I suppose it’s tricky, because when we create an account, we don’t really know if it’s going to be used for a dumb static site. And there are some origins (e.g. Wordpress on low-end hosting) that can go down if they’re crawled less than gently, so they do need protection even for GET.

                                                          2. 9

                                                            Thanks for taking the time to respond to this.

                                                            There are customers who really want and pay good money for features like WAF and blocking of “bad” traffic.

                                                            It’s not news to me that WAFs are snake oil sold to enterprises who are determined to see security as a kind of product they can buy, or a box to be ticked. It remains a fundamentally broken practice.

                                                            Aggressiveness of bot blocking, e-mail filtering, etc. are controlled by users.

                                                            As far as I’m aware Cloudflare reserves the ability to disable all meddling to paid tiers, unless this has changed. And in any case most sites leave this stuff enabled, leading to the various issues I raise in the article. The fact that some of these sites have their own AJAX calls broken does not suggest to me that site operators are fully understanding the caveats of Cloudflare’s product.

                                                            If it was a pretty egregious violation then wouldn’t you think that some law enforcement would have happened?

                                                            Honestly, no. For a law as vague and open-ended as EU privacy law, there’s always going to be more violations than enforcement actions. GDPR for example is sufficiently pervasive in its implications I doubt enforcement action will be taken against even 1% of its violations. Enforcement is prioritized against the biggest or most publicly visible harms. Though of course, I’d be interested if Cloudflare has its own legal arguments with regards to this tracking cookie.

                                                            The mysterious reason why U.S Govt allows Cloudflare to “violate copyright” (and so do all other governments in the world! — wow, Cloudflare is in bed with all of them!) is that users click “Agree” on Terms of Service.

                                                            You’re misinterpreting my argument. Yes, of course Cloudflare can and does receive permission from a website owner to redistribute their content. However, this assumes that the website owner has permission to distribute everything on their website, which isn’t necessarily the case.

                                                            The Pirate Bay is an instructive example because, although it doesn’t host anything illegal directly, its purpose is to engage in contributory copyright infringement by linking to infringing material. Under US law, it would be obliged to process 17 USC 512(c) takedown notices in exactly the same way that Google, a search engine, is obliged to process such takedown notices for mere links to infringing material in its search results.

                                                            In order to be exempt from liability for contributory copyright infringement, Cloudflare needs to fall under one of the exemptions from liability provided for under 17 USC 512, presumably 512(b). However, they cannot because they modify the content they transmit. This suggests, unless I am mistaken, that Cloudflare’s activities do not fall under any 17 USC 512 exemption. This is no problem for Cloudflare’s redistribution of content which a website operator had permission to distribute and thus gave to Cloudflare, but it poses a big problem if Cloudflare provides service to any website which itself violates copyright law… which it does, namely TPB.

                                                            1. 1

                                                              GDPR for example is sufficiently pervasive in its implications I doubt enforcement action will be taken against even 1% of its violations.

                                                              Have you tried raising your concerns with your local data protection agency?

                                                              1. 1

                                                                When filtering we try to observe MIME types, so AJAX calls shouldn’t break, unless sites incorrectly label their responses. File bugs with customer support, these get passed on to devs. We’re in the process of upgrading our HTML rewriter, so we may be able to fix many edge cases.

                                                                Cloudflare has a ton of lawyers who review everything we do. I can’t even make a blog post without presenting evidence for all claims to our legal, so I’m pretty sure the main functionality of our main product has been carefully reviewed. Illegal stuff is taken down if Cloudflare is ordered to do so. There’s an entire overworked dept for dealing with law enforcement.

                                                                IANAL, but the cookie is not tied to any PII, and its siloed to DoS protections. As a dev I don’t have access to it, so I can’t use it for other products (even though it’d be useful for things like smart H/2 push or RUM metrics).

                                                                We don’t have infrastructure to do any major tracking. Almost everything is per request and distributed and stateless. Log aggregation is per zone (customer) for billing and performance metrics.

                                                              2. 7

                                                                Harassment of users with CAPTCHAs doesn’t help anyone

                                                                Agreed. So when will it stop?

                                                                Since Cloudflare definitely has assets in the EU — it has to, it’s a CDN — it’s also pretty egregiously violating EU law here.

                                                                If it was a pretty egregious violation then wouldn’t you think that some law enforcement would have happened?

                                                                It isn’t a violation because you haven’t been fined? By that logic I’ve never driven past the speed limit, because I’ve never received a speeding ticket.

                                                                1. 3

                                                                  There’s ongoing work on improvement of bot detection accuracy, but it’s an endless cat and mouse game.

                                                                  Cloudflare has nothing against Tor, but when actual attackers use Tor, and legit users use Tor, and both do everything they can to make their traffic look the same, we have no way of telling them apart.

                                                                  IIRC Cloudflare proposed some solutions that were meant to preserve privacy while carrying a “I’m not a bot” proof, but unsurprisingly Tor users are not receptive to changing anything about their traffic, so that’s probably a stalemate.

                                                                  I’ve just checked the Tor bug tracker about it, and the thread ends with users linking to Hitler memes.

                                                                  1. 15

                                                                    This has already been adressed in the article. I quote:

                                                                    Cloudflare’s inexplicable inability to implement HTTP in a sane, transparent manner, despite this incapability being seemingly unshared by every other CDN service in existence, became even more ridiculous when Cloudflare reached out to the Tor project to request that they make changes to Tor to accommodate their own problematic practices.

                                                                    Or to say it another way: Allow GET requests from low-reputation IPs.

                                                                2. 5

                                                                  What’s your take on the argument that the NSA must have compromised Cloudflare and is using it as a convenient tap to become a Global Active Adversary? (Because the NSA is many things, but it ain’t dumb.) I know you can’t speak to specific countermeasures you may or may not have in place against such things, but… this has always seemed like a really important point to address.

                                                                  I appreciate that Cloudflare has made some credible efforts at working with Tor, especially the Privacy Pass initiative (which is the first concrete step I’ve seen towards the blinded reputation system we really need.) But… there’s still a long, long way to go. I don’t know if you’ve tried using the web through Tor, but Cloudflare is becoming increasingly problematic. :-/

                                                                  1. 5

                                                                    Cloudfare already does monitoring of raw traffic for security (esp DDOS), availability, and competitive insights into improving their own business. If backdooring Cloudfare, NSA would use systems that already intercept and/or redirect lots of traffic using patterns or firewall rules (“targeting criteria”) substituting their own. The information will be sent to them either directly in a way Cloudfare normally sends external traffic or back to collection points such a national or regional HQ’s or backbones. They’ll likely be sent to some NSA controlled system that, AT&T-style, has an extra connection that sends traffic outside the building without Cloudfare’s systems seeing that. They might even use master-master systems in HA configuration with the redirected data said to be testing those systems. Even fail them over periodically when intel wasn’t needed. Many ways to do it.

                                                                    At most, there would be 1-3 executives/managers and a few specialists that need to know what’s actually going on. The equipment and systems would look like any others for the stated purpose. Their traffic patterns could look different if one looks closely at them but crypto could obscure it. Trusted systems that don’t do anything outside their bounds might also never get traffic inspection by a human. A subversion of a Cloudfare-scale organization would take a handful of people keeping the rest in the dark. NSA might also provide the specialists, too, since they’d be cleared for it. Just with fake resumes.

                                                                    And you should already assume it happened due to Core Secrets saying NSA asked FBI to “compel” U.S. companies to “SIGINT-enable” their systems. And, since it’s TS/SCI, lie to their employees and customers about that. It’s straight-up a felony with 15 years imprisonment for them to tell you the truth if they were coerced into one of those programs. However, the other leaks were clear that NSA paid tens of millions to companies with lots of reach. Around $100 mil each to big telecoms. It’s more likely that Cloudfare, a startup with a huge bill for physical assets, took a large pile of cash to rapidly grow the business faster than those just taking VC money. Also, they made the tradeoff knowing the alternative was being fined out of existence or the executives doing time. There’s few, actual choices if one lives in a police state like America. Liking it or not, I’d understand if a for-profit, small startup took the money instead of declaring war on the U.S. government.

                                                                    1. 2

                                                                      I can’t prove a negative. We have our own hardware and people familiar with the entire hardware and software stack, so I think a non-targeted/high-volume attack would be detected quickly. There’s a healthy level of paranoia about security. There’s also an option of signing TLS sessions from a remote machine, so that we don’t even have a key to compromise: https://www.cloudflare.com/ssl/keyless-ssl/

                                                                      1. 8

                                                                        When you mention a “non-targeted, high-volume attack”, you’re referring to hypothetical processing and exfiltration of all or nearly all traffic metadata, right? (E.g. the NSA extracting all Tor traffic for analysis.) I agree that that’s unlikely, and that barring a goodly number of employees actually being in the pay of the NSA, it would be extremely difficult for it to remain undetected. I’d be more concerned about a sequence of targeted attacks on specific endusers.

                                                                        I know you can’t prove a negative. I suppose I’m asking you to justify helping create a large MITM system, knowing that it will inevitably be a huge target for state-level adversaries, rather than working to design something without this danger to society.

                                                                        (Keyless SSL is indeed cool, but it doesn’t change you being a MITM.)

                                                                        1. 4

                                                                          Cloudflare wants to be in the business of delivering data quickly, protecting sites from attacks, implementing cutting-edge protocols and performance optimizations. MITM isn’t a goal, and it would be fantastic if all these features could be delivered without liability of key management.

                                                                          Cloudflare is a big target, because it grew big offering useful MITM. I don’t know what you expect Cloudflare to do about it? Drop customers? Shut down? Let proletariat seize the means of content distribution?

                                                                          1. 3

                                                                            Let proletariat seize the means of content distribution?

                                                                            Yes. Entities as powerful as CloudFlare are not healthy for the internet.

                                                                            The power could be spread thin administratively. You could become a non-profit foundation and govern your own code and infrastructure through consensus-driven mechanisms that the public participates in, a la the IETF.

                                                                            The power could be spread thin technically. You could split up billing so that each datacenter bills customers individually and set up each of your datacenters to be an independent node that has zero trust in the others and is configured to discover and interact with any other datacenter that implements the same protocols. This would allow third parties to participate–assuming that it behaves as it should in the network. (I recommend requiring nodes to spit out their own source code on demand.) A federation of CDN providers. Indeed, marketplace of competition among CDN providers.

                                                                            Sorry for the word salad! I’m sure what I suggest makes no sense–I don’t know how CDNs work or how your company is organized. But, I repeat my answer to your question: Yes!

                                                                            Same goes for Google, Facebook, Comcast, Level3 Communications, etc. I would happily run a couple Google nodes in my basement if I could just apt-get install google-daemon and get paid for converting electricity into services. I can even offer very low latency to my neighbors!

                                                                            1. 1

                                                                              I can’t say I expect Cloudflare to be upfront about what their service really is, but I think they would have fewer customers if the customers understood what the service is and whether they really need it.

                                                                              Most of your customers don’t need the “delivering data quickly”, “performance optimizations” (it would’ve been quick anyway), “protect sites from attacks” (if there’s nothing to attack on a static page) and “cutting-edge protocols”. Through very good marketing they make technical novices think that they need the service, and that they get a good deal by getting it for free.

                                                                              Consider lobste.rs, not behind Cloudflare, more users than a lot of the sites behind Cloudflare free tier, and yet it’s not slow or regularly down due to attacks.

                                                                              1. 0

                                                                                Using cloudflare may be good for the environment, depending on how they’re set up. Networking is expensive and you do less of it if you hit a local CDN instead of us-east or whatever.

                                                                    2. 7

                                                                      I had high hopes for this article - finally! Someone can elucidate all this belly-aching I hear about CloudFlare being evil.

                                                                      But instead the author chooses to rely on hyperbole rather than making a cogent point.

                                                                      The problems start at the beginning:

                                                                      A website is an HTTP request processing service. Adoption of Cloudflare results in such services becoming unreliable, and causes denial-of-service conditions to occur for users, in an essentially random and unaccountable fashion.

                                                                      So, let me get this straight. Presenting the user with a reCaptcha is less reliable than the server going down and returning a 500 or nothing at all?

                                                                      Were the argument less hyperbolic, there might be some interesting points to be made here: “CloudFlare’s reCaptcha strategy interferes with users ability to browse CF fronted sites using Tor” is a perfectly reasonable statement (I don’t know if that’s true, I’m making a point about technical discourse here).

                                                                      We’re technologists, we should be able to have reasonable well thought through discussions or even arguments that are fueled by their technical merit.

                                                                      This article does not, as I see it, meet that bar.

                                                                      1. 3

                                                                        Cloudflare’s randomly occurring demand that users complete CAPTCHAs discriminates against users which are not humans, by design.

                                                                        Isn’t it the point of using Cloudflare (or one of the points at least)? To block bots, but allow humans to enter? Using reCaptcha in its current form is indeed a poor choice, as Google is involved, but I don’t really see how not wanting abusive scripts to use my bandwidth for which I pay for is a bad thing. If only bots that respect the bandwidth of a target host would exist on the world, this wouldn’t be an issue, but it’s not the case. If a bot will eat up all my bandwidth, then I’m loosing my host on the internet and nobody benefits from it. I think it’s a sensible trade off.

                                                                        1. 3

                                                                          You know, since you have to punch holes in CF for stuff like API endpoints, it’s still perfectly possible to waste the operator’s bandwidth anyway. CF’s nonsense breaks a whole lot of automation on the Web, and makes it nearly impossible for anyone who isn’t Google or Bing or DuckDuckGo to do any kind of spidering. YaCy users for example.

                                                                          1. 2

                                                                            You know, since you have to punch holes in CF for stuff like API endpoints

                                                                            Scrapers, especially the kind of broken automated garbage that can cause performance problems, don’t crawl your API endpoints. They’re following redirects and links in HTML; they wouldn’t know how to parse your bespoke JSON stuff. As a final check, if you’ve got some really expensive API endpoint that you don’t want untargeted scrapers to hit, you can do something like require a special Accept header.

                                                                            Anybody who’s still working such an API hard enough to harm your site is, by definition, now a targeted attack.

                                                                            1. 1

                                                                              Temporary bans work well enough for misbehaving clients. fail2ban makes it quite easy. The one thing which is tricky is DDoS. Basic knowledge about DNS helps quite a bit against that.

                                                                            2. 1

                                                                              You know, since you have to punch holes in CF for stuff like API endpoints, it’s still perfectly possible to waste the operator’s bandwidth anyway.

                                                                              Does that mean Clouflare’s CAPTCHA thing can’t be used for single-page apps, which will mainly be interacting with the server via an API? (Asking because we’ve had some issues with spambots at work recently, and some people are suggesting using Cloudflare.)

                                                                              1. 1

                                                                                No, requests from the browser should be just fine, it’s the external requests from phone apps, integrations, etc that get blocked.

                                                                                1. 1

                                                                                  Does that include XHR-requests? If the initial HTML and JavaScript load, subsequent requests must also be allowed, otherwise the single page application breaks.

                                                                                  Quote from the article:

                                                                                  I have definitely encountered websites which didn’t do so and which had broken AJAX functionality due to the subsequent AJAX-triggered requests being denied by Cloudflare, a condition the JS code was not designed to handle (nor would there be any sane way for it to handle it anyway).

                                                                                  1. 2

                                                                                    Well, not from my limited experience at least. Clouflare sets cookies on initial requests, so subsequent requests succeed.

                                                                          2. 2

                                                                            You can set the security level to “essentially off” and disable browser integrity checking and other “security” features in the control panel.

                                                                            1. 2

                                                                              I don’t buy this piece. Cloudflare might have some susceptibility to centralizing traffic, but internet infra is already centralized at several layers. The real money is extreme caching of large static assets, so don’t forget that many developers would rather sacrifice some centralization to gain features that are hard or costly to roll yourself.

                                                                              1. 11

                                                                                internet infra is already centralized at several layers

                                                                                This is not a justification in any way.