Comment by aeon_ai

4 months ago

MITM attack is a disingenuous label applied to a completely voluntary service that the site you're visiting opts into.

Why? Because, for many, it's a technical necessity to protect sites from the dark forest of the web (i.e., assholes.)

You can cast aspersions on the implications of that in conjunction with US intelligence access, but you're painting a completely fabricated picture of reality that borders on delusional.

Just because the site operator opted into having all of their users' traffic slurped up by what functionally amounts to a private sector branch of the NSA doesn't mean that netizens opted into such an arrangement. Being behind Cloudflare doesn't stop bots, it doesn't magically block all exploits, and as history has proven, doesn't even stop all DDoS attacks. What it does do is block off large portions of the web for people needing assistive technologies, block off large portions of the web for people who live in countries with bad rulers they didn't elect, give tyrants the ability to more or less achieve complete personalized information censorship at a moment's notice on a whim, contribute to a culture that normalizes totalitarian surveillance, protect C2 channels and other malicious infrastructure indiscriminately, discriminate against non-gecko, non-webkit, non-blink browser engines (anti-competitive, pro-monopolist, reduces competition, harming all consumers), and extort small businesses who think they're getting cheap or free DDoS protection right at the moment those small businesses are suffering attacks.

And just to be clear, your formal position is that we should all have faith in the idea that the NSA, the organization tasked with collecting intelligence from more or less anything interacting with any part of the entire electromagnetic spectrum, the one that can and has silently compelled US corporations including Facebook, Microsoft, Google, and Apple to share user data with them, without a warrant, with a program whose very existence was classified, is NOT doing the exact same thing to perhaps the single highest-volume chokepoint for 20%+ of global internet traffic, all completely decrypted, a US company subject to the same laws that the PRISM companies were?

It would genuinely border on criminal negligence for the NSA to not be collecting from Cloudflare, given their capabilities and mission.

Additionally, I'd like to point out that your framing presents a false binary: the options are not "Love Cloudflare Unconditionally" or "Abandon all CDN / WAF / security tooling". There are a multitude of other options for every single function, feature, and service Cloudflare offers, including many that can be self-hosted, many that are not US corporations, many that do not infringe upon end-user privacy, many that do not discriminate against tor and vpn users (people living in repressive countries), many that do not discriminate against non-mainstream browsers (aka less untrustworthy browsers).

Finally, just because you don't care about many of these issues doesn't mean they aren't real issues causing real problems for real people, and it's very unkind to call someone delusional for raising these kinds of concerns. If dang is reading this, I hope they can remind you of HN's community guidelines around such conduct.

  • I don't make many of the claims you seem to tease apart from my response. I've presented no false binary, and explicitly advocated for operating with more nuance there.

    I'll elaborate.

    ---

    I'm pointing out that, in response to a seemingly innocuous post about a site, you've drawn attention to an unrelated issue, and subsequently framed the entirety of US-based companies as morally complicit with NSA surveillance.

    I have no doubt that the NSA likely petitions Cloudflare, among others, for information. But, unlike you, I don't have any indication or context for relationships that would provide the NSA direct, unfettered access to all information processed by Cloudflare.

    Further, I believe that the ever-holy north star of capitalism would suggest that Cloudflare, a company that operates globally with significant ties to large organizations outside the US, likely has a sufficient incentive to maintain at least a degree of friction in that access.

    What I do know:

    - The company issues multiple transparency reports. They declare they have never: turned over encryption keys, installed law enforcement software on their network, provided feeds of customer content to law enforcement, modified customer content at government request, or weakened their encryption.
    - They are a public company, and have SEC filings which the CEO is on the hook for.
    - The CEO of the company stands to make a lot more money being successful at what Cloudflare does than serving NSA requests the US govt makes -- and the latter would pose great risk to the former.

    The best move if the golden goose is at risk is to make an absolute shitstorm of noise, which would put everyone on high alert. In fact, the transparency report says as much -- "If Cloudflare were asked to do any of these, we would exhaust all legal remedies, in order to protect our customers from what we believe are illegal or unconstitutional requests. -- Accurate as of October 8, 2025"

    Cloudflare, like any CDN/reverse proxy, has the technical capability to view customer traffic. There's no evidence of systematic NSA access, and plenty of evidence that would suggest resistance to it.

    Suggesting that because the company is US-based that they are somehow "evil" indicates, more than anything, an anti-US sentiment that is looking for reasons to villainize the company.

    None of that is to downplay the issues that Cloudflare does, in fact, create. But proposing that there's a massive conspiracy to "slurp up your data" requires a really, really big stretch that begins to stray into tinfoil territory.