by iquerno 1307 days ago
I never really understood Cloudflare's intent, because from the marketing material it seems that you get DDoS "protection", free TLS certs, everything in a monthly package, affordable, bla bla bla.

But from some basic calculations I get that R2, Workers and egress bandwidth beyond a few terabytes costs just as much as Oracle cloud / Alibaba.

But what I dislike the most is how little control you have over what's going on there. Like: If you haven't set up TLS on your webserver, why do they allow unencrypted traffic to flow between the server <-> Cloudflare and encrypt it to the end users and pretend that is secure?

Why can't they forward all my server's headers? Why <XYZ> ?????????

Read some horror stories on Hacker News and you'll quickly find out what their "unmetered bandwidth" really means. You get very little if any transparency about the pricing, which I would expect from tiny cloud companies, but this is supposed to be a major one!

I think the ability to put TLS in front of a non-TLS'd website comes from a few properties:

1. It's probably better than nothing.
2. It's a legacy thing.

A company like Cloudflare has to make a choice - how frequently do we break users who've set up their site in a way that is no longer in line with security best practices? It looks like the decision they've made is to break infrequently. Certainly the site I set up in 2014 when their free TLS was new still runs, and I haven't made changes.

I believe that you can set up strict TLS between Cloudflare and the end host if you choose, but it's up to you. I think in that instance, your 'little control you get' is actually more control, no?

And, if you look back even a few years, TLS was both uncommon and expensive. Cloudflare was a pioneer by offering free TLS certificates in I think 2014 (only 8 years ago!). Let's Encrypt started in 2015 and was niche for quite some time. I think even now you can find Linux distros preferring to ship their data over HTTP with GPG keys recommended for the security. Of course in 2022 even simple sites should be TLS'd, but Cloudflare's existed for a while.

And, TLS to the client but plaintext from CDN to site is still better than cleartext the whole way, because it (generally) stops the ISP from snooping on its customers.

    I think even now you can find Linux distros preferring to ship their data over HTTP with GPG-keys recommended for the security.
This isn't really to solve the same problem though. The GPG key thing is so you can use mirrors for hosting that are distributed but still trust the package came from the real source. TLS termination of where the packages are retrieved is separate.

Yes, the GPG piece provides that functionality nicely. However, it's exceedingly common for the mirrors to not be provided over TLS for cost reasons. Netflix switched to serving video over TLS for no other reason than to promote the usage of TLS (after a lot of custom engineering (PKI on CPU, crypto on NIC iirc?) to reduce the overheads of doing this).
A few TB/mo is quite enough for a lot of smaller companies, and DDoS protection is something that a smaller company can see as a pretty valuable thing. A CDN with thick worldwide presence does not hurt either. So using Cloudflare is a no-brainer for a smaller business, especially with the prices they offer. Not using Cloudflare means either buying separate DDoS protection (likely offered by your cloud provider), or risking an extortion attack.

Some competition exists, but it's both more expensive and less reliable and convenient.

The two actual whys you have posted are settings you can change in the Cloudflare config.

> But what I dislike the most is how little control you have over what's going on there. Like: If you haven't set up TLS on your webserver, why do they allow unencrypted traffic to flow between the server <-> Cloudflare and encrypt it to the end users and pretend that is secure?

I don't get the issue here. The traffic between client and Cloudflare is secure. SSL is terminated at Cloudflare. You can choose to have end-to-end security if you want.

If you set up your own frontend that terminates SSL, but choose not to secure the traffic to your backend, the end client will still see the connection as secure.

Can't you use "Strict Origin" cert on Cloudflare? Here is a pic of my settings: https://i.imgur.com/aHQ1U1L.png

Sorry if I am missing something here. Cloudflare gives flexibility to their customers. That seems right.
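
The "strict" origin setting only helps if the origin really does answer a TLS handshake with a certificate that validates for the site name. Below is an added example (not code from the thread or from Cloudflare) that handshakes with an origin directly, bypassing the CDN, and classifies what it finds: plaintext-only (what "Flexible" mode is hiding), TLS with an unverifiable certificate, or TLS that verifies. It assumes you know the origin host and port; `example.com`, the `serve_plaintext_once` stand-in origin and its canned HTTP 400 reply are constructed for the demonstration.

```python
"""Probe an origin server directly to see what Cloudflare's edge would see.

Added example for the thread above, not Cloudflare's own tooling. Assumes you
know the origin's real address (e.g. from DNS records before proxying).
"""
import socket
import ssl
import sys
import threading


def check_origin(host, port=443, server_name=None, cafile=None, timeout=5.0):
    """Handshake with the origin and report what it actually offers.

    tls=False: the origin only speaks plaintext. Cloudflare's "Flexible" mode
        still shows the browser a padlock, but the CDN->origin hop is cleartext.
    tls=True, verified=False: the origin has TLS, but the certificate does not
        validate for server_name (a "Full" setup, not "Full (strict)").
    tls=True, verified=True: the origin hop can be verified end to end.
    """
    server_name = server_name or host
    ctx = ssl.create_default_context(cafile=cafile)
    result = {"tls": False, "verified": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as conn:
                cert = conn.getpeercert()
                result.update(tls=True, verified=True,
                              protocol=conn.version(),
                              subject=cert.get("subject"),
                              not_after=cert.get("notAfter"))
    except ssl.SSLCertVerificationError as exc:
        # The peer got far enough to present a certificate, so it speaks TLS;
        # only the trust chain / hostname check failed.
        result.update(tls=True, error=f"certificate not valid: {exc.verify_message}")
    except ssl.SSLError as exc:
        # Typical for a plaintext origin: it answers the ClientHello with an
        # HTTP error page and OpenSSL reports WRONG_VERSION_NUMBER.
        result["error"] = f"no TLS handshake: {exc.reason or exc}"
    except OSError as exc:
        # Refused, reset, or an origin that ignores the ClientHello until timeout.
        result["error"] = f"connection failed: {exc}"
    return result


def serve_plaintext_once(reply=b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"):
    """Constructed stand-in for an origin with no TLS at all: accept one
    connection, read whatever arrives (the ClientHello) and answer with a
    plaintext HTTP reply. Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)
                conn.sendall(reply)
        finally:
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # Demo against the constructed plaintext origin (hypothetical site name).
        port = serve_plaintext_once()
        print(check_origin("127.0.0.1", port, server_name="example.com"))
    else:
        # usage: python probe.py ORIGIN_HOST [SITE_NAME] [CA_FILE]
        host = sys.argv[1]
        name = sys.argv[2] if len(sys.argv) > 2 else host
        cafile = sys.argv[3] if len(sys.argv) > 3 else None
        print(check_origin(host, 443, server_name=name, cafile=cafile))
```

One caveat when reading the result: a certificate issued by Cloudflare's own Origin CA is trusted by Cloudflare's edge but not by public roots, so from this probe it shows up as `tls=True, verified=False` unless you pass that CA as `cafile`. An origin that silently drops the handshake is reported as "connection failed" after the timeout rather than as plaintext.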

Cloudflare enterprise is pretty transparent if you've gone through the sales process. They tell you exactly what the limits are. For the average person, on the free plan, they are not obligated to provide details of where the limits are. That's no different than the Backblaze unlimited storage plan.

I agree that it is difficult to know exactly what you are paying for but they are very affordable.

> If you haven't set up TLS on your webserver, why do they allow unencrypted traffic to flow between the server <-> Cloudflare and encrypt it to the end users and pretend that is secure?

I Really Can't Think of Any Reason