Comment by aeon_ai
4 months ago
We can entirely write off every US-based company as inherently evil simply because they're American.
Or, you know, we could operate with an ounce of nuance and not oversimplify the complexities of the world we live in.
Most US-based companies aren't conducting MITM attacks that capture plaintext traffic for something like 20% of all global internet traffic.
Accordingly, most US-based companies are not in a position for bulk data collection and assisting the totalitarian surveillance state.
Cloudflare, however, is, and does. They are not a trustworthy party here, no more so than Flock itself.
MITM attack is a disingenuous label applied to a completely voluntary service that the site you're visiting opts into.
Why? Because, for many, it's a technical necessity to protect sites from the dark forest of the web (i.e., assholes).
You can cast aspersions on the implications of that in conjunction with US intelligence access, but you're painting a completely fabricated picture of reality that borders on delusional.
Just because the site operator opted into having all of their users' traffic slurped up by what functionally amounts to a private-sector branch of the NSA doesn't mean that netizens opted into such an arrangement. Being behind Cloudflare doesn't stop bots, it doesn't magically block all exploits, and as history has proven, it doesn't even stop all DDoS attacks. What it does do is block off large portions of the web for people needing assistive technologies, block off large portions of the web for people who live in countries with bad rulers they didn't elect, give tyrants the ability to more or less achieve complete personalized information censorship at a moment's notice on a whim, contribute to a culture that normalizes totalitarian surveillance, protect C2 channels and other malicious infrastructure indiscriminately, discriminate against non-Gecko, non-WebKit, non-Blink browser engines (anti-competitive, pro-monopolist, reduces competition, harming all consumers), and extort small businesses who think they're getting cheap or free DDoS protection right at the moment those small businesses are suffering attacks.
And just to be clear, your formal position is that we should all have faith in the idea that the NSA, the organization tasked with collecting intelligence from more or less anything interacting with any part of the entire electromagnetic spectrum, the one that can and has silently compelled US corporations including Facebook, Microsoft, Google, and Apple to share user data with it, without a warrant, under a program whose very existence was classified, is NOT doing the exact same thing to perhaps the single highest-volume chokepoint for 20%+ of global internet traffic, all completely decrypted, a US company subject to the same laws that the PRISM companies were?
It would genuinely border on criminal negligence for the NSA to not be collecting from Cloudflare, given their capabilities and mission.
Additionally, I'd like to point out that your framing presents a false binary: the options are not "Love Cloudflare Unconditionally" or "Abandon all CDN / WAF / security tooling". There are a multitude of other options for every single function, feature, and service Cloudflare offers, including many that can be self-hosted, many that are not US corporations, many that do not infringe upon end-user privacy, many that do not discriminate against Tor and VPN users (people living in repressive countries), and many that do not discriminate against non-mainstream browsers (aka less untrustworthy browsers).
Finally, just because you don't care about many of these issues doesn't mean they aren't real issues causing real problems for real people, and it's very unkind to call someone delusional for raising these kinds of concerns. If dang is reading this, I hope they can remind you of HN's community guidelines around such conduct.