Thoughts on its role and impact on the web’s landscape.

As many of you know, I am skeptical of the concept of relying on someone else’s computer, especially when a service grows to the point where it becomes an oligopoly, or worse, a monopoly. Cloudflare is, in my view, on track to becoming precisely that. As a result, I would argue they are a net negative for the internet and society at large.

Besides the frustration they cause to VPN and Tor users through incessant captchas, Cloudflare’s infamous “one more step” pages have dulled users’ vigilance, making them more vulnerable to even the most blatant malware attacks: a user trained to click through interstitials will click through a fake one too. Moreover, under the guise of iNnOvAtIvE cLoUd InFrAsTrUcTuRe, Cloudflare not only enables phishermen to phish and tunnelers to tunnel; ironically, the very security measures they sell can be bypassed by bad actors using Cloudflare itself, since a malicious site placed behind the proxy hides its origin address and looks, to filters and users alike, like any other Cloudflare-fronted site. It’s a similar irony that their systems, designed to shield clients from threats, sometimes struggle to defend their own infrastructure. Incidents like these highlight not only weaknesses in Cloudflare’s offerings but a broader issue: Cloudflare has become a highly attractive target for state-sponsored attacks, suffering from recurring breaches. Their sheer scale, considering that they serve a substantial portion of the internet, means that an outage or compromise could have widespread, costly consequences.

Another major concern is that in many cases Cloudflare acts as a TLS-terminating man-in-the-middle proxy between users and websites: the browser’s encrypted session ends at Cloudflare’s edge, not at the site’s origin server, so the plaintext of every request and response passes through Cloudflare. They have visibility into everything users do on these sites, from browsing habits to submitted sensitive personal information. This makes Cloudflare a prime target for any actor seeking to harvest massive amounts of data. The Cloudbleed incident of February 2017 clearly demonstrated the risks:

Tavis Ormandy posted the issue on his team’s issue tracker and said that he informed Cloudflare of the problem on February 17.
In his own proof-of-concept attack he got a Cloudflare server to return “private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

I stand with Hugo in considering Cloudflare harmful and recommend that websites avoid relying on it whenever possible.

Cloudflare’s origins in Project Honeypot, and its early ties to the US Department of Homeland Security, are troubling to say the least:

Five years later Mr Prince was doing a Master of Business Administration (MBA) at Harvard Business School, and the project was far from his mind, when he got an unexpected phone call from the US Department of Homeland Security asking him about the information he had gathered on attacks.

Mr Prince recalls: “They said ‘do you have any idea how valuable the data you have is? Is there any way you would sell us that data?’.

“I added up the cost of running it, multiplied it by ten, and said ‘how about $20,000 (£15,000)?’.

“It felt like a lot of money. That cheque showed up so fast.”

Mr Prince, who has a degree in computer science, adds: “I was telling the story to Michelle Zatlyn, one of my classmates, and she said, ‘if they’ll pay for it, other people will pay for it’.”

Source: BBC

Furthermore, Cloudflare has been criticized as an employer, reportedly fostering a hire-and-fire culture among its sales staff. Even its CEO has attracted controversy, such as suing neighbors over their dogs following objections to his plans to build an 11,300-square-foot estate, plans that required lobbying to overcome local zoning laws. Given all this, it is time to reconsider Cloudflare’s dominant market position, fronting over 20% of all websites.
Cloudflare has shown a pattern of equivocating on politically sensitive issues, perhaps to maintain its status as the world’s largest botnet operator, and they appear to defend “free speech” when it is profitable, but not when it isn’t. Cloudflare has also been accused of providing services to terrorists and drug traffickers while skirting international sanctions. Meanwhile, open-source developers have been harshly punished for less.

Despite the brilliance of many engineers at Cloudflare, they are not infallible. They, too, experience recurring downtime and preventable mistakes. Cloudflare, like any other company, puts its pants on one leg at a time. There is no reason it should be treated as the default, or sole, solution for content delivery.

So what can I do?

If running your own Varnish instances isn’t feasible and you need a global CDN, consider these alternatives to support competition and balance the scales:

- BlazingCDN
- BunnyCDN
- CDN77
- CDNetworks
- CacheFly
- DigitalOcean Spaces
- Fastly CDN
- KeyCDN
- Netlify Edge
- Vultr CDN
- … or just any other cloud provider’s CDN

Info: Some hosting services use Cloudflare without disclosing it openly or obviously, e.g. Render. Check whether the hosting service you use relies on Cloudflare’s infrastructure behind the scenes; a quick test is to see whether your site’s hostname resolves into Cloudflare’s published IP ranges, or whether its HTTP responses carry Cloudflare’s cf-ray header.

If you currently have domains registered with Cloudflare, move them elsewhere immediately. As a general rule, never allow your CDN or hosting provider to also hold your domain registrations. Should the hosting provider cut you off, you’ll want the freedom to quickly redirect your domains to another provider without disruption. For more info, visit the cloud and domains sections of the infrastructure page.

If, however, you’re running Cloudflare’s more advanced service offerings, like Cloudflare Workers, you will likely have a harder time moving away.
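The check suggested in the Info note above, written out as an added example that is not part of the original post: a small Python script that flags a hostname as Cloudflare-fronted when the addresses it resolves to fall inside Cloudflare’s published anycast ranges, or when its HTTP response carries the headers Cloudflare’s edge adds (cf-ray, cf-cache-status, server: cloudflare). The range list is a point-in-time copy of the list published at https://www.cloudflare.com/ips/ and is an assumption that must be refreshed before you rely on it; the hostnames, addresses and headers in SAMPLES are constructed, not real lookups, so the script runs offline. The resolve() helper performs a live DNS lookup if you want to point the classifier at your own domain.

```python
"""Detect whether a hostname is fronted by Cloudflare's reverse proxy.

Two independent signals are combined:
  1. the addresses the name resolves to lie inside Cloudflare's published
     anycast ranges (only true when the DNS record is in "proxied" mode);
  2. the HTTP response carries edge headers such as cf-ray or server: cloudflare.
"""
import ipaddress
import socket
from typing import Dict, Iterable, List

# Point-in-time copy of the ranges published at https://www.cloudflare.com/ips/
# (assumption: this snapshot may be stale; refresh it from that page before use).
CLOUDFLARE_RANGES = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]
CF_NETS = [ipaddress.ip_network(r) for r in CLOUDFLARE_RANGES]

# Response headers that Cloudflare's edge adds to responses it proxies.
CF_EDGE_HEADERS = ("cf-ray", "cf-cache-status")


def ip_is_cloudflare(ip: str) -> bool:
    """True if the address lies in one of the snapshot ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_NETS)


def cloudflare_header_hits(headers: Dict[str, str]) -> List[str]:
    """Return the (lower-cased) header names that mark a Cloudflare-proxied response."""
    lowered = {k.lower(): v for k, v in headers.items()}
    hits = []
    if lowered.get("server", "").strip().lower() == "cloudflare":
        hits.append("server")
    hits.extend(h for h in CF_EDGE_HEADERS if h in lowered)
    return hits


def classify(hostname: str, ips: Iterable[str], headers: Dict[str, str]) -> dict:
    """Combine both signals into a verdict for one host."""
    ips = list(ips)
    cf_ips = [ip for ip in ips if ip_is_cloudflare(ip)]
    header_hits = cloudflare_header_hits(headers)
    if cf_ips and len(cf_ips) == len(ips):
        verdict = "proxied"            # every address is a Cloudflare edge
    elif cf_ips:
        verdict = "partially-proxied"  # mixed records: some edges, some origins
    elif header_hits:
        verdict = "headers-only"       # e.g. Cloudflare sits behind another proxy
    else:
        verdict = "not-cloudflare"
    return {"host": hostname, "verdict": verdict,
            "cloudflare_ips": cf_ips, "header_hits": header_hits}


def resolve(hostname: str) -> List[str]:
    """Live DNS lookup (needs network access; not used by the offline samples)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, 443)})


# Constructed sample data standing in for real DNS answers and HTTP responses.
SAMPLES = {
    "proxied.example": (["104.16.123.96", "2606:4700::6810:7b60"],
                        {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f6789-FRA",
                         "CF-Cache-Status": "DYNAMIC", "Content-Type": "text/html"}),
    "mixed.example": (["104.24.5.6", "203.0.113.10"], {"Server": "nginx"}),
    "origin.example": (["203.0.113.10"], {"Server": "nginx", "X-Powered-By": "PHP"}),
    "chained.example": (["198.51.100.7"], {"Server": "cloudflare", "cf-ray": "abc-AMS"}),
}


def run_samples() -> Dict[str, str]:
    """Classify every constructed sample and return host -> verdict."""
    return {h: classify(h, ips, hdrs)["verdict"] for h, (ips, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for host, verdict in run_samples().items():
        print(f"{host:20} {verdict}")
```

Two caveats when reading the verdicts. A “DNS-only” (grey-cloud) record at Cloudflare resolves straight to the origin, so the address check only detects the proxied mode, which is exactly the mode in which Cloudflare terminates your users’ TLS sessions. And “headers-only” is worth investigating rather than dismissing: it is what you see when a hosting provider fronts its own edge with Cloudflare, or when another CDN is chained in front of it, both cases in which the dependency is hidden from a plain DNS lookup.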
While some frameworks support different providers, like Vercel, Fastly, AWS, Azure, or Akamai, most simple implementations will likely be heavily reliant on Cloudflare’s architecture, since Workers-specific bindings and APIs have no drop-in equivalent on other platforms. There’s unfortunately no easy path out of this, other than rewriting the specific components and infrastructure deployment configuration to support a different provider.

If you wish to identify or avoid websites that make use of Cloudflare, you can use this browser extension for Firefox and Chrome (ironically created by Cloudflare). Beware that these extensions might transfer information about your browsing behavior to Cloudflare. Configure them to be active only when manually clicked on specific websites that you want to investigate. There are third-party alternatives like this and this, as well as older/unmaintained extensions like this and this.

PS: Decentraleyes is a solid option to enhance browsing privacy; check the browser section for other helpful extensions.

All that said, you might think “Come on, Cloudflare isn’t that bad!”, and you’d be right: every now and then, they do some good. *smirk* Still, we have to recognize that Cloudflare has grown into a cornerstone of modern digital infrastructure, a role that could eventually render it too big to fail, to borrow a term from the financial world.