They get shit on a lot here. Why? What do they do and how is that different from other companies that offer similar services?
What I know of them: they offer DDS brute force/spam protection for websites.
I wouldn’t call it hate, just concern.
Cloudflare acts as a front door to many sites and as such your TLS session is terminated at Cloudflare, then CF makes a additional session from themselves to the target site.
This is concerning as that means CF can see all of your data.
It’s worth mentioning the advantage of why they do this. There are several reasons, but the two most common are:
-
Seeing the data means they can do a better job at detecting attacks and fending them off.
-
They can issue certificates with longer lives from their private CA which simplifies certificate management for their customers.
There is https://developers.cloudflare.com/ssl/keyless-ssl/
If you don’t own your private keys, wtf are you doing anyway? People are fucking lazy and they are paying for it.
While true, and I am not a hater of Cloudflare:
Keyless SSL is only available to Enterprise customers that maintain their own SSL certificate purchased from a valid Certificate Authority. Cloudflare does not supply any certificates for use with Keyless SSL.
I’m not part of any Enterprise organization and I’m too poor to sign up for Enterprise level service, and so I am unable to use their Keyless SSL.
Just for example. Sometimes it’s not that we don’t want to but can’t afford to, especially if we’re just Joe Schmoe running a handful of services on a server box.
Once again, I have no issues with Cloudflare myself, and personally have a decent amount of respect for them.
I’m just saying getting access to the Keyless SSL is less easy than you made it sound.
Right?? To let your website be susceptible to that kind of act by anyone means that you probably didn’t really care about security in the first place, so much as just getting the magic lock icon happy.
Magic lock icon is easy, hard is it to block attacks and being able to do very little about it.
Spoofed packets, server providers not caring what their customers do, many abuse email adresses dont even work.
Keyless SSL would be nice and i’d use it. I have my own keys, but its for Enterprise customers only.
I am not using Cloudflare as i dont like them handling like 80% of all traffic. But as website owner i can understand why someone would still choose them…
Let me tell my personal grievance with Cloudfare. One of the services that Cloudfare dispenses to websites, whether they like it or not, is bandwidth throttling, in the name of safety, of course. If an IP has been flagged by their system to have created spam, sent spam, being part of a DDOS attack and other various offenses, afterwards the Cloudfare service will throttle that IP requests to the sites that use Cloudfare. That’s on paper what it should do, and it sounds reasonable on a surface level. However, this includes wide swaths of residential dynamic IPs, which means that a lot of people get slow internet for the actions committed by a person with whom they have no relation with whatsoever.
Furthermore, Cloudfare has decided to mass impose this status to the entire regional IP block for my country. So, my entire country is deemed as a threat, and doomed to slow AF speeds almost everywhere on the internet. Unless, of course, you own a datacenter and specifically pay Cloudfare to reclassify your static IP addresses to be trusted. This means that in order to use 100% of the bandwidth I pay for to my ISP, use of a VPN is mandatory. Else Cloudfare determines that I don’t deserve anything but dial-up speeds.
Fuck Cloudfare.
That’s kinda funny that an entire country has been deemed more trouble than it’s worth.
I used to work with a fraud detection system for a payment gateway. The system will automatically flag payments from any Russian and some countries as fraud automatically. This was 4-5 years ago
This is probably not the solution you are looking for, given your opinion of the company, but I wonder if using their 1.1.1.1 app (which acts as a mini VPN to a Cloudflare endpoint and changes your public IP) would fix that for you. The upside is it’s free, the downside is that it is a Cloudflare-run VPN.
It’s partly just their sheer size. The internet continues to become a worse place as it gets more and more centralized, and Cloudflare is part of that.
They get hated on because :
-
they inspect packets. They terminate the TLS sessions at their servers and reencrypt to forward to the backend. This allows them to analyze the data to spot spam, optimize compression and such
-
they are used everywhere. If they go down, 30% of the internet goes with them.
They terminate the TLS sessions at their servers and reencrypt to forward to the backend. This allows them to analyze the data to spot spam, optimize compression and such
And any organization that utilizes a CDN/security provider, like Akamai, AWS, Fastly, etc. knows that they all do this. They need access to the unencrypted content in order for services like CDN and WAF to work properly.
First point, fair enough.
Second point isn’t really a valid reason to hate them for…
Cloudflare is cool now, but what would happen 10 years from now when they get enshittified while handling majority of global web traffics? We would be truly fucked.
What would happen? Well, people would switch. It’s not like you’re entering a contract that forces you to host using CloudFlare.
I once bought a website that was on CloudFlare, few simple config changes later it’s running directly on a webserver.
Not so easy to switch it you’re balls deep into their products such as Worker, Zero Trust Network, Magic WAN, Stream, etc.
To be honest, you can say the same about any large cloud provider. What happens if AWS, or Azure, or Google Cloud go down, or become terrible?
