Cloudflare is destroying the open internet (goauthentik.io)
67 points by BeryJu 1232 days ago
18 comments

> Monopolistic Control of the CDN Market: Another issue is the monopolistic control that Cloudflare has over the CDN market. As one of the largest CDN providers...

This is a silly piece, but the claim that Cloudflare is so big that they can push sites around doesn't make sense. Not everyone has released 2022 revenue yet, but in 2021 Akamai took in $3.5B to Cloudflare's $0.66B, Fastly's $0.35B, and Edgecast's $0.29B. Then consider that while we don't have separate revenue numbers for Amazon Cloudfront, Google Cloud CDN, or Azure CDN they're all serious contenders. If Cloudflare offers you bad terms you have many other companies that want your business.

Size is not measured by revenue alone. Cloudflare has a 75.6% market share among reverse proxies and 17.6% of all websites use it. [0]

[0] https://w3techs.com/technologies/overview/proxy

This is weighted by site, and counts cnn.com and jefftk.com equally. My understanding is Cloudflare is dramatically disproportionately popular among small sites, I think because of how generous their free plan is? If they were 76% of traffic I'd be worried, but I think a majority of the sites using CF probably are signed up because "why not?", which doesn't actually give CF that much power.

It does count them equally and I agree its popularity is mostly because of the free tier. From the same website, there is a graph and Cloudflare is lower for high-traffic websites than Cloudfront, Akamai and Fastly. [0] But regardless, that gives Cloudflare power over a lot of sites.

[0] https://w3techs.com/diagram/market_technology/cn-cloudflare

They used to write the same stories about Akamai, Microsoft, Google, etc. when they first got big. It's just Cloudflare's turn in the box.

To me, this reeks just a little bit about a symptom, rather than the cause. Which is, why do people use CloudFlare?

People don't pay for things with no benefit. The internet doesn't have a built-in CDN system. The internet's not very good at blocking bot traffic or DDoS attacks. The internet's not very good at remembering things when servers go down. And so on. There are, of course, many attempts to fix these shortcomings (IPFS?), but if it wasn't Cloudflare, it would be Akamai. If it wasn't Akamai, it'd be some other company, because you can't convince people anymore to just forgo Cloudflare's benefits for ideological purity.

Instead of ranting at Cloudflare, we should be looking into how to replace Cloudflare with open standards and systems. Which is much harder than just ranting in a blog post against the symptoms of a damaged internet.

Silly question, but: Why are people flagging this? It's not off topic for this site. It raises some interesting (if clearly debatable) points.

I totally get disagreeing with it.

But pushing to delist it? Why?

It's a series of bad takes strung together into this flimsy idea that a [relatively tiny] service provider has the power to push anything on anyone. That is not to say that a post like this might not be possible, but this series of stub points is so poorly developed, and so full of unsourced nonsense, even defending its presence on HN feels like trying to take the chap shouting at pigeons at the park seriously.

It's not debatable, it's risible.

You could level the same arguments against half the hot take blog posts that end up on the HN front page. I fail to see why this particular post raises so much ire that it warrants flagging, save that it's going after a sacred cow.

It's not going after a sacred cow. The idea that Cloudflare is evil for centralizing the internet is commonly seen in HN comments.

This writer does a terrible job of advancing their argument. None of the points are developed or supported. There's no evidence provided, just a litany of bald assertions. It also seems to fundamentally misunderstand details of how CDNs work in its rush to attack Cloudflare for being a CDN.

Likely because it calls out (maybe wrongly) monopoly power.

CDNs are inherently "monopolistic", under the definition this author uses. The cost to entry into the market means that there's never going to be a wide variety of providers. That said, there's no shortage of other large CDNs, so the accusation seems odd when Fastly and Akamai go unmentioned.

Posts like this make me really wish this site had a downvote button.

There is, it's called flag, but you can't use it till you reach a certain threshold of karma.

It does for comments... ;)

Why would you downvote a 100% true statement like Cloudflare is destroying the Open Internet?

The only part I disagree with in the article is their assertion that Government is needed to stop Cloudflare.

You may not understand what "true" means!

This was never the open internet. You can't send a direct packet to another person without intermediaries and cloud systems. You can barely host a website from your personal computer, most cannot. This internet is as they say sold out.

I mean the internet decided to scale out. I don't think relying on intermediaries counts as "selling out".

We are the ones that are sold out, by regulatory capture, monopolies, wireless spectra, etc. Section 230 does nothing for people, it created the platforms that censor, and gave the government a hook into the industry.

Look, even EFF supports section 230 [0]; btw, EFF is a total sell out operating as a feel good, ideological protector. All they do is swindle the "engineering culture" into pushing these things onto the world.

0. https://www.eff.org/issues/cda230

Cloudflare has pushed against public sentiment and mildly against the government to restrict censorship. They would want nothing more than to be just the "delivery infrastructure" part of the internet.

All the points about transparency, monopolies, and privacy concerns and implicit trust in general level are true, of course. They should be addressed. If you want to resist attacks and deliver content efficiently you need a CDN, and the bigger the network is, the more efficient it is (the network effect is strongest in networks, no surprise there).

Take it to the extreme. If cf has a site hosting child exploitation content, that absolutely has to go - at the very least cf could potentially be liable for it. Taking it as a given that this is acceptable to block, then a line must be drawn somewhere at what does and does not get thrown off their network. So far cases of cf taking action have been very few and far between (in the grand scheme of things).

> Cloudflare has pushed against public sentiment [..] to restrict censorship.

Except when they booted sites off their network because Twitter users were upset..

I personally don't trust any of my businesses to run on it after this, and have been advising business partners and people I advise to steer clear of it. I know it's not much, but it's been mid to high 6 figures in revenue I've had shifted elsewhere. Having a business possibly be crippled won't pass any sort of risk management, and clearly shows they don't rank highly on any sort of organizational maturity scale.

Maybe you should instead advise your business partners not to host content that threatens the lives of specific individuals based solely on their identity group? Including coordinated doxxing, harassment, swatting, and threats of violence?

It's nice that you have the option to take such a professional attitude that can advise companies in the abstract based on free speech absolutism, but the details really matter.

I know too many Americans genuinely believe that free speech absolutism is the only way to prevent a descent into 1984 authoritarianism, but Canada and Europe seem to have found a way to restrict nazis and threats of violence against races and LGBTQ people and end the "slippery slope" there.

Many Americans would disagree that they "ended the "slippery slope" there" or have anything close to free expression. Look at the Trucker protests during Covid, arresting people for harmless jokes on Twitter, or because a dog raised its paw...

Come on now. Neither Canada nor Europe has free speech. While they may not be at 1984 authoritarianism yet, they are well, well down that path.

> Trucker protests during Covid,

Watch a video of the protest in Ottawa and come back to me and tell what you would have done if this was happening inside your city.

> arresting people for harmless jokes on Twitter

I'll give you that one - https://www.theverge.com/2022/2/7/22912054/uk-grossly-offens...

The law is a mess. But ironically it's not because of a degradation of free speech, but rather because of legacy laws that haven't been caught up with the times.

> because a dog raised its paw

While I personally wouldn't have made a stink out of that one either, let's not pretend that's all it was.

The man trained his dog to raise a paw in response to the command "Do you want to gas the Jews?" and then put it online.

I realize it may be difficult for Americans to understand why the rest of the world takes such a zero-tolerance policy with fascism considering they are only 6 years removed from having elected a fascist president, but there are good reasons why the rest of the world takes a zero tolerance policy with Nazi speech.

If learning that Cloudflare took action against literal, self-identified Nazis—who praise Hitler, deny the Holocaust, and drove a car into a crowd and killed a woman—made you worried that Cloudflare might take action against you, you're really telling on yourself.

I don't condone that stuff at all. The big risk comes from 5 or 6 digit member enterprises where you can't properly vet your partners, employees, or contractors. What if a situation like Yandex happens and you find out your code has obscene comments on the backend? What if you have a sponsor that wasn't properly vetted? What if you wind up in a catastrophic PR situation, say BP oil spill? Or, what if someone goes onto a public comment form and posts that obscene stuff and you don't realize it?

Enterprises are massive machines that move EXTREMELY slow. And the risk of not being able to catch something in time is there, and since Cloudflare has now done it once, that means they could be pressured into it in the future. And would the media or Twitter be defending a poor Oil and Gas company if their source code had obscene things in it from a malicious developer, or would they push for Cloudflare to remove them?

Even if the odds of this are so low. I would be doing a disservice to my clients and enterprises if I didn't advise them of this possible risk that could cripple a company. Anything that can be easily stopped by using another vendor, so essentially free, when compared to a risk of something that could result in a company losing hundreds of millions or billions of dollars is an easy choice to make.

Corporations are risk averse, and this plays into both sides. Activists abuse this to pull advertisers of people they don't like. But they also have to understand that services which can cause risk are avoided like the plague.

Upset over serious, credible, actionable, threats of violence against other people hosted on those sites.

Was it... I think you may want to research those events more

This type of response has no value and should not be posted, here.

If you wanted to _provide_ links to said information and be helpful or provide a factual counter-argument, that would be wonderful. It not only benefits the person you're replying to, but also the rest of the HN community.

Otherwise, this type of response simply raises red flags of evasion and lack of knowledge.

I did in another comment in this thread. Also this topic is already on the line so putting in too much content and information would run afoul of the political leanings and bias of a large part of the rest of the HN community resulting in mass flagging of my postings...

I did, in another thread about Cloudflare and my comment got flagged so take that as you will.

And I think you don't have the slightest idea what the commenter you're pretending to reply to, is actually talking about.

Pretty sure I am fully informed...

This is so overwrought. We're not talking about Embrace, Extend, Extinguish here, where Microsoft wanted to exploit their OS monopoly to bend the Internet to its will. Cloudflare's products are popular because they solve real problems; Cloudflare is not responsible for the popularity of outsourcing SSL termination, the difficulty of implementing SSL properly is, and if Cloudflare ceased operating tomorrow there would still be vendors and customers for SSL termination aplenty.

The main point of criticism towards Cloudflare is that they both sell services for DDoS protection and services for anonymization and hiding IPs used by DoS attackers at the same time. As such, they have no incentive to improve the situation for users. Nor to work towards IETF or other control plane standards for DoS protection/mitigation. It has been like that on the web for far too long, also with certain other players.

> and services for anonymization and hiding IPs used by DoS attackers at the same time

What service are you implying specifically?

Cloudflare makes existence on the open internet possible for many companies.

Nothing I know about CDNs has anything to do with the open internet.

> In an era where the internet is becoming increasingly important, it's crucial that governments ensure that companies like Cloudflare are not able to use their power to limit access to information or censor speech

Cloudflare should be seen as an ISP. An ISP is neutral and doesn't care about what content flows through its network. My only gripe is Cloudflare has to /store/ content on its servers, so it's not really an ISP in the traditional sense.

I strongly disagree with the analogy between CDNs and ISPs. ISPs operate on the user-side, they have no business filtering what the user sees. CDNs operate on the server-side, they have the power and responsibility to decide who they want to do business with, and to not provide services to harmful customers—I'm sure we agree ISPs shouldn't provide services to harmful customers either (spam, malware, phishing, etc).

> My only gripe is Cloudflare has to /store/ content on its servers, so it's not really an ISP in the traditional sense.

Traditionally (at least in my experience), back in the pre-HTTPS-everywhere days, ISPs often had Squid proxies, sometimes optional (had to be manually configured) and sometimes "transparent" (the ISP's router forcefully forwarded all connections matching TCP destination port 80 to the Squid proxy). IMHO, that's a close enough analogue to Cloudflare's main business.

Question privacy concerns with CloudFlare stating "giving up security for convenience", and then have comments for your blog post on Disqus.

The security check should detect properly the web engine based on the user agent HTTP header and provide only JavaScript stuff for gecko/blink/webkit (the only 3), and a noscript/basic (x)html system for all the others (netsurf/links2/edbrowse/lynx/dillo/any lean and light web engine past/present/future).

The real problem with cloudflare is the fact that it is the single centralized TLS terminator. Not for a second will I believe that there is no eavesdropping - the temptation is just too high.

IMO, the real threat to open internet is our current established certificate management system, but that's a totally different topic.

Non-JS Version [1]

[1] - https://archive.ph/uRz2v

Ironically uses crimeflare, which forces the use of JS and endless captchas, especially for devices that are hard to fingerprint

Cloudflare is _far_ from a monopoly. Akamai and Microsoft still hold huge leads in a lot of spaces.

Antitrust rules do not only address singular literal monopolies. Oligopolies can also have malign influence. Many of the forced breakups of the 20th century were companies very far from being total monopolies.

Definitely Cloudflare is very harmful for the internet. It blocks crawlers and imposes captchas on every website.

The concerns listed in the article all seem relevant to companies hosting things. I'm so-so on Cloudflare decrypting traffic for example, which they easily can do.

Your arguments are somewhat crudely stated, but the impacts on users are what concern me. The Internet Is For Users. And this policy of blocking & obstructing users along the way is 100% my worst concern about CloudFlare. It's gross to the max.

I really like their serverless workers & storage offerings, a lot. They do so much right & have great easy use tech at many levels. But the captchas also sometimes feel like a spreading dark spot on the internet, where society goes dark. It's the worst.

It's hilarious as some time ago they vomited this blogpost

https://blog.cloudflare.com/introducing-cryptographic-attest...

> "Humanity wastes about 500 years per day on CAPTCHAs. It’s time to end this madness"

Yeah no shit Cloudflare, YOU'RE THE REASON FOR IT.

And the solution is "use hardware keys and track everyone"

> Yeah no shit Cloudflare, YOU'RE THE REASON FOR IT.

Cloudflare is not the reason for it - ridiculous amounts of bot traffic is. Bot traffic that is either malicious, resource consuming, or actively trying to bring your website down. CAPTCHAs are just the best tool we have to block them, and I don't believe it is completely fair to have website operators just put up with it for the sake of the users - it's a team effort. Let's solve the internet's actual problems so that we don't need things like Cloudflare to patch symptoms instead of causes.

That's a similar argument to "we don't need police, everyone should just behave". It's always a worthwhile cause to teach our kids to be better humans, kind and forgiving...but the reality is people are...not great. We're always going to need cops. Someone will always ddos, we're going to need Cloudflare/anti-ddos.

You assume people haven't tried. Obviously this is all anyone has come up with so far.