Cloudflare is a well known company that provides a range of services to protect and optimize websites. These services include a content delivery network (CDN), DDoS protection and a web application firewall (WAF).

One of the most highly regarded services offered by Cloudflare is their DDoS protection, which is not only effective but also free of charge. Much of Cloudflare’s success can be attributed to this free DDoS protection, a service that can cost hundreds or even thousands at other providers.

The catch

Is there anything better than having free security for your website? Sadly, there is a catch. Cloudflare, which provides the security services, requires that all traffic be decrypted on its servers. Although SSL encryption is in place between the visitor and Cloudflare’s server, it doesn’t extend to the actual origin server. Cloudflare acts as a middleman with complete access to all data transmitted between the user and the server, which is also known as a man-in-the-middle situation.

You might not consider this unusual, as there are typically various intermediaries involved in connecting you to the final server. These may include your Internet Service Provider (ISP), a transit provider, Internet exchanges, and potentially the hosting provider. It’s not uncommon for a connection to pass through five or six different entities, possibly spanning just as many countries.

However, these connections are usually encrypted (thanks to SSL/HTTPS). While the parties along the path can discern the amount of traffic going to and from different locations, they are generally unable to see precisely what is going on. In fact, apart from your ISP, none of them can even attribute the traffic to a particular individual.

Cloudflare differs from this norm, as encryption terminates at their servers. As a result, not only can they identify the traffic source and destination, but they can also see precisely what is taking place. To illustrate this, consider sending a direct message (DM) on Mastodon. Your ISP and other intermediaries will only know that you are using Mastodon, and nothing else. In contrast, Cloudflare can determine your Mastodon username, who you are messaging, and the content of your message, as well as the precise moment you press each button.

Just imagine someone sitting behind you, watching every step you take.

The scale

Cloudflare’s immense size presents another issue. Recent statistics indicate that Cloudflare has a market share of 80% of the entire CDN/DDoS protection market, equating to 20% of the total internet [1]. Those familiar with the internet are aware that such enormous numbers constitute a legitimate threat to the internet as a whole.

Should there be a security breach at Cloudflare, the ramifications would extend beyond Cloudflare and impact the likes of Netflix, Stripe, Discord, Cisco, IBM, the BBC, and numerous other services. Furthermore, as previously mentioned, Cloudflare has access to a significant amount of sensitive data.

In the worst-case scenario, a security vulnerability in Cloudflare could result in a weakness in the entire internet.

The same problem applies to any outages. In the worst-case scenario, if Cloudflare were to experience an outage, 20% of the internet could be taken offline, with the actual disruption likely to be even greater, potentially reaching 50%. Although some may not be directly affected by a Cloudflare outage, many services depend on other services that use Cloudflare, increasing the likelihood of disruption.

Governments

It is common knowledge that various government organizations extensively monitor the internet. For instance, in Germany there was a well-known lawsuit by DE-CIX (the biggest internet exchange in Europe) against the BND (Germany’s intelligence service) regarding network surveillance at DE-CIX [2].
I don’t even want to start to talk about all the stuff that happens at US agencies.

However, this brings us back to the core issue. When internet exchanges or other nodes of the internet are monitored, metadata is the primary data collected. This metadata mainly consists of information about where the traffic comes from, whom it goes to, when, and how much data is transferred. Because most internet traffic is encrypted, a significant amount of data is not accessible by merely listening at those connections.
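The metadata-only view described in this paragraph and in the Mastodon example above, shown as an added example that is not part of the original post: the script constructs a TLS ClientHello carrying an SNI extension, parses the server name back out of it the way an on-path observer would, and lists the sizes of the encrypted application_data records that follow. The record layout follows the TLS wire format; the hostname mastodon.example, the record sizes and the filler ciphertext are constructed sample data, and the function names are my own.

```python
"""Added example (not from the original post): what a passive observer on the
path (ISP, Internet exchange, transit provider) can recover from a TLS session.
It parses the server name out of a TLS ClientHello's SNI extension and tallies
the sizes of the encrypted application_data records; the plaintext inside those
records is never available to it. All bytes below are constructed for the demo."""
import struct
from typing import List, Optional

HANDSHAKE, APPLICATION_DATA = 0x16, 0x17   # TLS ContentType values
SERVER_NAME_EXT = 0x0000                    # extension type for server_name (SNI)


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello with an SNI extension
    (constructed sample input; random, cipher suites etc. are placeholders)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name(0)
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", SERVER_NAME_EXT, len(name_list)) + name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                 # legacy client_version TLS 1.2
        + bytes(32)                 # client random (zeros for the demo)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\x13\x01"       # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"               # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # client_hello(1), 3-byte length
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def build_app_data_record(ciphertext_len: int) -> bytes:
    """Construct an application_data record of the given ciphertext length.
    The payload is opaque filler standing in for AEAD ciphertext (constructed)."""
    filler = bytes((i * 37 + 11) % 256 for i in range(ciphertext_len))
    return bytes([APPLICATION_DATA, 0x03, 0x03]) + struct.pack("!H", ciphertext_len) + filler


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host name from the SNI extension of a ClientHello record, or None."""
    try:
        if record[0] != HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                   # not a ClientHello
            return None
        p = 4 + 2 + 32                                      # type+len, version, random
        p += 1 + hs[p]                                      # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]        # cipher_suites
        p += 1 + hs[p]                                      # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]   # end of extensions block
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            data, p = hs[p + 4:p + 4 + ext_len], p + 4 + ext_len
            if ext_type != SERVER_NAME_EXT:
                continue
            q = 2                                           # skip ServerNameList length
            while q + 3 <= len(data):
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                if name_type == 0:
                    return name.decode("ascii", errors="replace")
                q += 3 + name_len
    except (IndexError, struct.error):
        pass
    return None


def observer_view(records: List[bytes]) -> dict:
    """Everything a passive observer learns: the destination name from the
    handshake plus the size of each encrypted record. No application data."""
    view = {"server_name": None, "encrypted_record_sizes": []}
    for rec in records:
        if rec[0] == HANDSHAKE and view["server_name"] is None:
            view["server_name"] = extract_sni(rec)
        elif rec[0] == APPLICATION_DATA:
            view["encrypted_record_sizes"].append(len(rec) - 5)
    return view


def sample_session(server_name: str) -> List[bytes]:
    """Constructed session: one ClientHello followed by two encrypted records,
    standing in for a login and a direct message on the named server."""
    return [build_client_hello(server_name), build_app_data_record(64), build_app_data_record(96)]


if __name__ == "__main__":
    print(observer_view(sample_session("mastodon.example")))
```

Running it yields the observer’s whole take: the server name plus two record lengths; the content of the records is opaque to it. A TLS-terminating proxy, by contrast, holds the session keys and reads the decrypted request itself, which is exactly the difference this post is drawing.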

However, we now have a US company that is governed by US laws and has access to vast amounts of UNENCRYPTED data.

No need to say more; the rest is left to your imagination.

Conclusion

Please avoid using Cloudflare wherever you can. There are alternatives out there; some of them have similar issues, but it is already progress if we can reduce the market dominance of Cloudflare.

And always keep in mind: if you are not paying for it, you’re not the customer; you’re the product being sold.