Comment by worldofmatthew
2 years ago
Cloudflare is horrible for privacy. It is also a bit of a sovereignty issue for European countries to have all their citizens web habits to be MITM by a forging power (no matter how friendly they seam).
Edit: not even going in to the sovereignty issue of having an American private company effectively decide your internet regulations.
Cloudflare exists out of necessity for the most part. The alternatives to shield from large scale DDoS are all US American too.
Which lets be honest isn't a problem that 99% of the sites using Cloudflare need to solve. Nobody is going to waste energy and time to attack your blog with your vacation photos.
The huge wave of DDoS extortion attacks that happened 3-4 years ago was mostly enabled by "booter" services that themselves hid from law enforcement behind Cloudflare.
Here is an example: https://therecord.media/feds-seize-ddos-booter-sites-in-late...
Feel free to punch any of the sites they mention into dns.coffee and look at the historical nameservers. All Cloudflare.
Beat me to it. More often than not, every time I run into the run-of-the-mill booter or other super blatantly illegal things, at least some portion of the infrastructure is behind CloudFlare.
I don't have enough fingers and toes to count the number of abuse reports I've personally filed that seemingly go nowhere.
OVH at least takes down the booters and other proper malicious stuff. However, copyright infringement reports go ignored to the point to where I stopped bothering--not that I had any right to care when I torrented loads, but it was a little annoying that ~$10 software, with no DRM, regional discounts, and a dozen ways to pay still ended up pirated to the point to where it wasn't worth selling
(fun story: I still have email records from when a pretty beloved multi-billion dollar tech company launched their ROG-clone sub-brand and pirated our XenForo plugins to use on their site instead of ponying up $10 -- maybe one day I'll have to ask them for a laptop).
CloudFlare, on the other hand, at best, just passed on whatever I send in, and whoever their actual providers were never cared either, so nothing gets done. It can feel like rackeetering; sign-up for protection from the people attacking you ...whom we also protect and refuse to take down.
That said, I think 99% of small sites, personal blogs, etc, really don't need any of the services offered; the most useful offering for most people is literally probably DNS.
Game servers and gaming-related communities, or at the least the ones I am most attracted to, are just about the only thing I think requires DDoS mitigation regardless of size. Our little Garry's Mod TTT server with a max player limit of like ~24 people would get attacked a couple of times a week at least.
And good lord, the RuneScape community is another breed of toxic. The way I learned to program was by reverse engineering the game, and we'd work on private servers that were essentially from-scratch MMORPG servers that just emulated the RuneScape mechanics and protocol.
One aspect of the game, though, is PvP -- when you kill another player in the wilderness, unlike in a lot of other MMOs, you get most, if not all, of their items they have on them.
I could perhaps understand DDoSing another player during combat in order to steal their gear. But what made me stunned beyond belief was that when I hosted a "spawn PKing" server (e.g., PvP-only, but you don't have to work for your gear; everything is free - it's just for fun), they'd literally lure each other into TeamSpeak to grab IP addresses and DDoS each other for.... nothing :)
(and so you can imagine also just how often we'd get hit with massive attacks ourselves)
DDoS protection is standard among hosting providers now, including budget ones like OVH.
The fact that Cloudflare is allowed to continue hosting websites which are obviously illegal, some notorious, is deeply strange. As I wrote in my article on the subject, it makes no sense when you consider the way the US responds even just to copyright infringement; see how they nuked Megaupload's business without trial because they saw them as knowingly enabling piracy. However, it's a known fact that US authorities will keep illegal or disreputable services up if they see them as a source of more intelligence. I can't really see any other explanation for how Cloudflare is allowed to host some of the sites it does without pressure from the US unless it's basically funnelling all of the data to the NSA.
In this aspect, Cloudflare should be viewed similarly to an ISP. Why are ISPs allowed to host illegal sites? Well, they aren't supposed to pay much attention to what they're hosting - it's not their job. But they aren't supposed to protect what they're hosting, either. If they get a court order asking for the details of the subscriber hosting some website, they turn those details over. If they get a court order asking to turn off the service, they will. Governments are fine with this, because they can easily get the details upon request.
Cloudflare should be viewed the same way - they shield you from DDoS, not from the government. They allow everything to be hosted until proven otherwise. Cloudflare doesn't have to police what's hosted through it, because the police can do it easily enough.
There are lots of pirate websites, explicitly designed for piracy, but saying the opposite on their terms and conditions page to create a little plausible deniability. I can't tell you if Megaupload was one of those and I don't know what evidence the government had.
> Cloudflare exists out of necessity for the most part.
I agree with this, there don't seem to be that much self-hosted software that someone could (easily) setup for the use cases that Cloudflare serves.
> The alternatives to shield from large scale DDoS are all US American too.
Not only that, but the WAF functionality is also pretty useful. To be honest, the same applies to something like wanting to have CAPTCHAs on your own site - not that many options out there.
As far as I can tell as a hobbyist, if you wanted to host everything yourself:
And even then, certain things are not an option - you won't be shrugging off huge DDoS attacks and you probably won't be running your own CDN (easily), unless you have bunches of money to spend and the know-how. So of course people would rely on external orgs for whatever they can.
As a hobbyist, dealing with load consists of upgrading your $5 VPS to a $10 VPS or even a $50 dedicated server from Hetzner(!) - note that *no* other provider has dedicated servers at this price point.
WAFs are heuristics at best. If what you're running on your server is actually secure, you don't need a WAF. If it's not secure, the WAF is guaranteed to let through at least one attack.
CAPTCHAs are difficult. Try to avoid depending on them, but it's fair to use a third-party service if you need one. hCaptcha is pretty easy to integrate right now.
3 replies →
Most sites don't get DDoSed. https://immibis.com/ has been running without DDoS protection for a long time now. It's as simple as nobody caring to do so. Why would they? What's in it for them?
And if someone does knock it offline, I still don't care. I can wait until they get bored. The site isn't important to me, either.
And if I really do care, Cloudflare encourages people to sign up whilw they are actively under attack. Of course, it costs money, because you aren't paying with your access logs all the times you aren't under attack.
The EU regularly de-facto tries to decide regulations for other countries. All is fair in a globally connected world.
Yeah, but it generally goes in the direction of more privacy, environmental and labor standards. Less so from other countries.
That is how American tech monopolies like to paint what the EU does. Lol
dumb question: why do I have the option to downvote your comment, but not many other comments in this thread?
1 reply →