badp4nd4

Well, you can't use signature-based Intrusion Prevention against encrypted traffic, so in order for Cloudflare's anti-XSS/SQLi features to work they need to man-in-the-middle the traffic so they can analyze it.

"The fact that sites use it with https and cloudflare is able to do this analysis means that you aren't really encrypted from you to the website but only between you and cloudflare"

You are encrypted between yourself and the destination host you've negotiated an SSL connection with. What the destination host does with the traffic after it hits it is beyond your control. Using a man-in-the-middle proxy to allow signature-based IPS to work on SSL-encrypted connections is standard in basically every enterprise company.

I'm guessing they just do it on the back end to avoid any cert warnings or other user inconveniences.
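As an added example (not part of the thread or of any Cloudflare code), here is the kind of signature-based inspection a TLS-terminating proxy runs once it has decrypted a request: parse the HTTP framing, URL-decode the query string and form body, and match a few illustrative XSS/SQLi signatures. Everything in it is constructed for this example, including the sample requests and the signature list; a real rule set is far larger. It also shows the practitioner caveat that a single round of URL decoding is evaded by double encoding, which is why the inspector decodes until the value stops changing.

```python
"""Added example: signature-based inspection of decrypted HTTP requests.

Nothing here could match on TLS ciphertext, which is the reason the
terminating proxy has to hold the key and decrypt before it inspects.
Signatures and sample requests are constructed for this example.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Illustrative signatures only (constructed for this example).
SIGNATURES = {
    "xss_script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "xss_event_handler": re.compile(r"\bon(?:error|load|click|mouseover)\s*=", re.IGNORECASE),
    "sqli_union_select": re.compile(r"\bunion\b.+?\bselect\b", re.IGNORECASE | re.DOTALL),
    "sqli_tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.IGNORECASE),
    "sqli_comment": re.compile(r"'\s*(?:--|/\*|#)"),
}


def decode_fully(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    %253Cscript%253E is seen as <script> rather than as %3Cscript%3E."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and params.

    Query-string params are decoded once by parse_qsl; a form-encoded body
    (Content-Type: application/x-www-form-urlencoded) is merged in as well.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    return {"method": method, "path": parts.path, "headers": headers, "params": params}


def inspect(raw: bytes, deep_decode: bool = True) -> list:
    """Return (signature, field) pairs for every match; an empty list means clean.

    deep_decode=False models a naive inspector that decodes only once and is
    therefore evaded by double-encoded payloads.
    """
    req = parse_request(raw)
    fields = [("path", req["path"])] + [("param:" + k, v) for k, v in req["params"].items()]
    hits = []
    for field, value in fields:
        if deep_decode:
            value = decode_fully(value)
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append((name, field))
    return hits


# Constructed sample traffic (not captured from any real site).
BENIGN = (b"GET /search?q=cloudflare+pricing HTTP/1.1\r\n"
          b"Host: example.test\r\n\r\n")

XSS_DOUBLE_ENCODED = (b"GET /search?q=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1\r\n"
                      b"Host: example.test\r\n\r\n")

SQLI_FORM = (b"POST /login HTTP/1.1\r\n"
             b"Host: example.test\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 45\r\n\r\n"
             b"user=admin%27+OR+%271%27%3D%271%27+--+&pass=x")

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("xss", XSS_DOUBLE_ENCODED), ("sqli", SQLI_FORM)):
        print(label, "deep:", inspect(raw), "naive:", inspect(raw, deep_decode=False))
```

The same `inspect` function applied to the TLS record bytes on the wire would have nothing to parse and nothing to match, which is the whole of the argument above: a proxy can only run rules like these after it has terminated the SSL session itself.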

djsumdog

There are lots of competitors. Amazon has CloudFront, other commenters mentioned Akamai... if you wanted to roll your own, you could use Varnish and HAProxy/nginx, but it would have nowhere near the reach of one of the big CDNs.

Also, all these services I've mentioned are different and need to be integrated into your web application in slightly different ways. There aren't a lot of solutions because it's a very, very difficult problem. You're talking about a lot of servers running globally. There's a reason these particular companies have risen to the top. Akamai even works with local ISPs to change the DNS responses to point you to content servers that are closer to you geographically (so your responses will actually be slower if you use Google's 8.8.8.8 DNS).

This gets into the bigger problem of just not having distributed, non-centralized web applications. A lot of the open social networking initiatives haven't worked out. There are projects like ZeroNet and Miro that try to solve this problem as well, but they don't have as high an adoption rate.

Is Cloudflare spying on you? Of course... I'm pretty sure they use that data for advertising or marketing in some way. That's how they make money... one of the many ways they make money.

revofire

It is true that Cloudflare analyzes ALL traffic, I mean how else can they stop the attacks effectively? Can they be trusted with your information? Probably not, who can be? I'm sure there are good people working there but anyone who is anyone knows that bad people are everywhere and they will buy out a company or rise to the top to do as they wish with what they wish (our information).

definitelynotabot

I like your skepticism. From the little bit of searching that I just did on Cloudflare, they're backed by some VC (make of that what you will). They do have other plans besides the free one, and they suggest that their $200/month business plan is the most popular, and the enterprise level is a "call for quote" type deal. They probably have some larger customers that help offset the cost of providing the free tier.

They seem to work by having the website owner redirect their DNS record from the owner's server to Cloudflare's system, and there'd be some way to point Cloudflare to the website owner's server. From there I'd imagine they'd cache the pages and serve them up. The free tier offers SSL, and the page suggests you don't have to install a cert on your server... which would mean you're correct in that they have the keys and are decrypting the SSL traffic on their end.

I might have a domain and an old webserver. Maybe I'll sign up for the free service and check out how it works.