Comment by kyledrake

8 years ago

Cloudflare has spent a lot of time gaslighting people into believing this, but it physically, scientifically, OSI model-y isn't true. Cloudflare hosts web sites. When Cloudflare CDN edges that content, that content exists on their servers. Just because the canonical store is on another machine doesn't mean they don't host the site. If I mirror a site from some other server, and you're loading that site from my server, I'm the one hosting that site. That's how HTTP works.

The argument that they don't know what's hosted on their network has also been demonstrated by evidence as nonsense. The reason the Pirate Bay got blackholed by Cogent last week was because Cloudflare was grouping all of the BitTorrent sites on their network onto a single IP address, and a Spanish court order related to a different site ended up BGP blackholing over two dozen torrent-related sites as collateral damage.

http://seclists.org/nanog/2016/Jul/400 https://mailman.nanog.org/pipermail/nanog/2017-February/thre...

Cloudflare is completely capable of enforcing this, yet they don't do anything about it. It benefits them financially to not do anything, because they get business from these DDoS attackers trashing other networks on the internet, making it so you can only have sites stay up if they are hosted by Cloudflare's broken, bleeding servers.

This is fundamentally an extortion racket. Frankly, it should be a crime. This is exactly the kind of problem laws exist for.

It's not the responsibility of anyone except the police to police those sites. Cloudflare aren't providing those attack sites with an attack vector, they are just serving their webpages. The post office isn't responsible for policing blackmail letters sent through the mail.

  • The theory that Cloudflare only enforces against sites they receive court orders for is yet another argument that is not backed by evidence. They actively take down phishing attacks, without warrants or court orders. Presumably because if they didn't, Google would shitlist them in PageRank. They behave responsibly and morally when it benefits them financially, and tell everyone they need court orders when it doesn't, even if that decision hurts the web.

    It is everyone's responsibility to be responsible members of the internet community. Just because they've found a temporary legal loophole does not give them a moral blank check to be complicit in the murder of the Internet's ability to function.

    • The morality of hosting the sites of jerks is not nearly as objective as you claim. I could make an argument that they behave morally by treating everyone equally, but they make an exception and perform immorally with phishing sites because Google would punish them.

      But the real answer is a lot simpler. The DDoS sites are not doing the DDoS through Cloudflare. The phishing sites are doing the phishing through Cloudflare.

      And exposing some DDoS sites to DDoS is not going to fix the root problem. People will still sell DDoS services, and people will still put insecure devices online to become part of botnets.

But it sounds like in the absence of laws, you want private companies deciding what is allowed to be on the internet.

  • If you really want there to be a nightmare situation where private companies decide what gets to be a web site, just let Cloudflare keep doing this. You'll be left with a centralized internet run by 3 US-based CDN companies that only supports HTTP.

    But yes, I absolutely do want private companies to make decisions like this. If Google didn't do this constantly, my search results would be a bunch of spam, scams and phishing attacks.

    Requiring the police to get involved every time something bad happens (like a new phishing site) would be the end of the functioning internet and of our ability to enforce laws. Internet tech companies are absolutely expected to behave responsibly on a private level, and are given a lot of legal leeway on the assumption by the government that they will.