The glossary entry on warrant canaries is dated December 2020, but there is a more recent canary list in their 2022 transparency report (https://www.cloudflare.com/en-au/transparency/) with the same 6 items in it.
Bizarre they appear to have skipped the H2 2022 transparency report unless I’m missing something
Given H1 2023 has only just wrapped up I optimistically presumed it would be in production now, but I’ve got no idea what the lead time on these reports historically has been
Maybe I’m just getting old and distracted, but I feel like CloudFlare went from “whoa some HN pros are doing great CDN work with some serious chops and an underdog work ethic” to “is it possible to never connect to them” like, really fast.
I love cloudflare, but honestly I assumed they WERE the CIA/FBI not just compromised by them. It would be the perfect front company for the government.
If adamgamble's speculation were the case, I'd go to jail for things I'd have illegally signed in our SEC disclosures attesting to the sources of our revenue and any government contracts. Suffice it to say, I like not being in jail. It's really, really hard for public companies to be part of some grand conspiracy for so many different reasons. So… once we went public I kind of thought this silly speculation would end. But guess not.
Beyond that, if you think about it, it's a way better business to run Cloudflare and serve the world than serve some US intelligence entity. That's just per se true. So if that's the case why would we ever do anything that would remotely compromise the trust necessary to, you know, be Cloudflare?
Lastly, here's a funny story. Early in our history one of our investors suggested that we talk to In-Q-Tel. Here's how naive Michelle and I were: we had no idea it was the CIA's venture capital arm. So we showed up in their office on Sand Hill Road. It was weirdly austere compared with other VCs we'd visited. And lots of security cameras. The partner at some point came out and greeted us. As he was walking us back he looked back right before we crossed the threshold back to the inner offices, "You're both American citizens, right?"
"No," Michelle said. "I'm Canadian."
"Oh," the VC said. "Then you can't come back here."
"I'm not going back there without her," I said.
"Ok, well, I guess we'll have to do the meeting in the reception area," decided the In-Q-Tel VC.
We had a very cordial meeting and then left. As we were driving away Michelle said, "Those guys were weird." And that was the end of that. Never talked to In-Q-Tel again.
But maybe it's the Canadian equivalent of the CIA/FBI/NSA we're beholden to??! ;-)
> So… once we went public I kind of thought this silly speculation would end. But guess not.
In fairness, there are quite a number of public companies that turned out to be operating partially as fronts for spying agencies (AT&T is the shining example here). So simply being a public company could not be expected to serve as some kind of proof of independence.
Immunity from prosecution seems like a marvellous way to destroy rule of law. Crazy that that and royal^H^H^H^H^H presidential pardons exist. Recipe for corruption of the state and then the justice system.
As the purpose of Presidential pardons is to provide the opportunity to right significant miscarriages of justice in a system that is almost impossible to get perfect, and that is the way they were typically used, it does not seem crazy that they exist.
What IS crazy is that they exist with very little consideration of a corrupt POTUS, judiciary, and/or congress. Seems the writings of the founders did worry about that significantly in later years, but evidently not in time to enshrine many guardrails in the US Constitution, not even a clear prohibition against self-pardon. Seems such a thing was considered so obviously wrong and corrupt that it didn't need to be mentioned. So here we are two and a half centuries later with people arguing that it should be possible.
I think that it does seem crazy that they exist. To give a single politician the power to simply override our justice system is dangerous and crazy. If that's really necessary in order to avoid miscarriages of justice, then we need to fix the real problem, not introduce a new one.
Why is the pardon ability a problem? Because it's the judgement not just of one person, but of a person who is a political animal. There is no way that power will be used in a way that is impartial, and there is no single person who is so wise that they should be entrusted with such decisions. That it's a politician making the decisions all but guarantees that the decisions will be made out of political interest, not some interest in actual justice.
All the pardon power does is to increase the potential for corruption.
> It's really, really hard for public companies to be part of some grand conspiracy for so many different reasons.
As difficult as it was to keep PRISM and the many other overt and covert arrangements (public, private but leaked, and private but not yet leaked) between backbones, carriers, CDNs, hosting providers, ISPs, etc., and the agencies leveraging them, out of each firm's public filings?
Because evidence is it's not difficult at all, considering the whole of the 30 years since the Internet went commercial.
Hi, kind of hijacking this conversation but as Cloudflare is unfortunately routing the majority of websites I visit I have to ask this:
Can you guarantee my Firefox browser will keep on working on 'the open internet' now Chrome moves towards "Web Environment Integrity" and Safari towards "Private Access Tokens" and Cloudflare is supporting and implementing such technologies on scale?
I intend to not participate in these DRM APIs with my Firefox browser and would like to keep browsing the internet.
"will you be supporting WEI and PAT in your captcha/ddos protection services" is a VERY different question to "can you guarantee my Firefox browser will continue to work on the open web"
That usually happens when I'm faking my user agent to use the most popular (windows + Chrome). Once I go back to the default (Linux + Firefox) then CloudFlare seems to allow it.
Your response really shows a disconnect with the user and what was said
Not many users who encounter your service while trying to connect to a website will know _anything_ about your company, let alone know it's public or read disclosures.
Cloudflare has a public perception and sentiment problem and dismissing it as you have will lead to an inevitably negative outcome.
Not an attack but certainly a person in the middle.
IAAL and advise on data protection and privacy.
Anecdotally I can tell you that the MitM aspect of Cloudflare and other similar providers is not well understood.
My impression is that a lot of people use these services without really understanding the implications.
For example, when you look at some of the risks that privacy laws are trying to protect against, especially access to data by foreign actors (including government agencies) without due process, use of these types of services changes the game.
Sometimes the benefits might outweigh the risks, but the decision to use these types of services should not be taken trivially.
That said, I routinely use Cloudflare for my personal projects.
And AWS has control of all of your servers and everything stored on them. If it's part of your systems architecture and how it's intended to work it isn't being attacked.
>They literally decrypt all the traffic to your website, do some stuff, then re-encrypt and send it on to your server.
That doesn't mean they are an attack. That is just how a CDN works.
You're being needlessly pedantic. It might not be an attack in the usual sense, but it's a MITM "access point" and agencies like CIA/NSA/FBI would definitely have that kind of access. This access transforms Cloudflare's role into a de facto MITM "attack" on their customers and end users who didn't intend to share unencrypted data with 3-letter agencies.
It's worse. You can't just start Mitm'ing regular encrypted internet traffic without compromised infrastructure. With Cloudflare everything is already in place.
Sorry for the delay. I was writing our Q2 earnings script rather than checking HN. And John (CTO) is in Lisbon where he's probably just waking up. Also: he's on vacation this week.
Warrant canaries are largely believed to be unworkable. I.e., federal lawyers are going to say "cute, but no, you cannot disclose that we warranted you in this or any other way."
Compelled speech of any kind has been repeatedly ruled unconstitutional. Also many companies have triggered their canaries, including Apple, Silent Circle, and Reddit. If Apple's legal department considers it valid I'm inclined to agree with them absent positive evidence of the contrary.
Many of those seem to be "you cannot do this legally codified activity unless you also fulfill the requirements enumerated therein". Can't sell food in retail setting without labeling it as required in the law that regulates food sales, and so on. That seems separate from compelling a creation of a false statement unrelated to business activity.
Why is the commentary of a far-right reactionary, who is not a legal expert, commenting on a Canadian law, that has nothing to do with warrants, with a citation pointing out that legal experts disagree with him, at all relevant to this conversation?
This forum requires a basic assumption of good faith for posters, especially when it comes to such a trivial mistake like having the wrong anchor section on a link to a short article. It was probably an artifact of their browser trying to be “helpful” when they were copying the link to the full article. Your aggression is unwarranted.
Perhaps, but until there's a test case we're all just guessing. So far the Supreme Court has been fairly strict in following the compelled speech doctrine.
They can say "don't do anything". They can't say "don't avoid doing something." That's the point of the age of the warrant canary notification--they stopped updating it. This is in effect a dead canary, they're saying they are subject to an order they can't disclose.
Is there a point to a company as large as Cloudflare even having a warrant canary? Half the internet goes through their servers. Of course the US government had or has hooks in them for something or other.
I'll state right here: all these are still true. We'll get the canary updated. Checking with legal and trust & safety why it hasn't been for so long. Likely just slipped someone's mind. Will make sure that doesn't happen again.
I wonder how pedantic you could legally get with that.
Cloudflare has never been compelled to give up information to an agency called AAA.
Cloudflare has never been compelled to give up information to an agency called AAB.
...etc.
As we sort of saw with the Twitter Files (and other incidents with foreign governments, eg the Indian government), they can get extremely pedantic about describing the kind of cooperation they have with government agencies.
(Not to point to a conspiracy to silence political opposition, just to highlight that, at least to me, the extent of their cooperation was really surprising relative to how little they talked about it)
I think we'd consider them "law enforcement agencies." But, for the sake of complete clarity, I'm happy to say that we haven't done any of these for the CIA or NSA or any non-US equivalent.
Buuuut, since 703 allows law enforcement agencies to harvest data captured by intelligence agencies any statement that doesn't specifically exclude those intelligence agencies is essentially meaningless.
Because these agencies are horrifically corrupt beyond any usefulness. These agencies could go after any number of human and drug traffickers and make these problems nearly vanish almost overnight because they collect practically all of our communications. But they don't do that. They are used as targeted political cudgels when it's handy and when there is much money to be made.
Agree #5 is the riskiest right now with the Quad9 decision in Germany and some of the cases we're facing in Italy, Austria, and elsewhere. The copyright industry has decided that DNS is their new target; never mind that anyone can set up their own local DNS resolver. Good news: those are extremely public cases. And, if we lose, we'll make a lot of news about how dangerous they are. If you're in Europe, it'd be really helpful for more people to be telling the courts and legislatures: DNS is not the right place to try and censor the Internet.
Bear in mind that there are multiple ways for Cloudflare to give law enforcement or intelligence agencies customer information that do not breach one of these six statements.
It doesn’t mean that they are not helpful. Just that - as warrant canaries go - they are not complete.
What is the language around the non-disclosure order? There seems to be speculation that a warrant canary would be construed the same as a disclosure, but are you required to not inform the concerned party, or required to not disclose law enforcement contacting you at all?
From a practical perspective I don't imagine that cloudflare removing a canary could give any one organization a signal - I don't know what the bar for a 'disclosure' is but informally I would not consider it a targeted specific warning.
EDIT: the other component I am curious about is duration, there is still utility in the canary even if it comes late, future users will know that there was a compromise and that further ones are likely, right?
It's weird to me people think warrants are still used.
No warrant is needed by any government agent to read your email that is over six months old and the major providers just give them a backdoor so as not to waste any time/money with requests.
Who is going to stop them from doing that with anything else? The supreme court? Good luck with that belief system. You think the NSA ever stopped just because they were discovered? Or did they just switch to "try to stop us".
Their "canaries" don't make any reference to warrants, and two of them explicitly rule out providing a backdoor for governments ("Cloudflare has never installed any law enforcement software or equipment anywhere on our network" and "Cloudflare has never provided any law enforcement organization a feed of our customers' content transiting our network").
I'm not an expert, but my course of action is to stop using cloudflare. I never used them for whatever that other thing they do is, but I switched my upstream DNS to quad9 (9.9.9.9).
So what's stopping these people that claim to be so righteous by using canaries from lying to you? Anyhow the ISPs and internet backbones are all tapped as many whistle-blowers have already revealed.
Nothing stops anyone from lying to you. In this case it would be considered fraud if the lie was discovered or leaked. Which is one of the rationales on why courts cannot compel a company to lie and post false warrant canaries, because it would incriminate them.
Fraud against paying customers, if they can demonstrate they wouldn't have paid if the company didn't lie. Also competitors if they can demonstrate they lost business due to the lie.
The SEC could throw me in jail. And, sure, you could believe that the FBI or whoever could tell the SEC what to do. We have European and Asian investors too, so their financial regulators could also sue me personally for lying. Perhaps the FBI/CIA/NSA control them too? Gets tricky to believe: the bigger the conspiracy the faster it falls apart. It's really, really hard to be part of some grand conspiracy as a public company.
The concern isn't a grand conspiracy, it's that you've been coerced to comply with the kind of surveillance overreach that US intelligence and enforcement agencies have repeatedly engaged in.
Cloudflare isn't the bad guy in this scenario, it's the hostage.
The biggest MITMer should complain about another service being an MITM? How much has Google now routed to go through themselves or be checked by them prior to serving your destination?
Bear in mind Google doesn't have a warrant canary because it is served literally hundreds or thousands of warrants per year, to the tune it's just called a transparency report to count them.
By MITMing traffic between you and the host. Maybe Firefox should display a warning when it detects intermediaries that could have decrypted the traffic between the host and you?
The owner of the domain has to choose to integrate a CDN. They implicitly trust the vendor who runs the CDN just like they implicitly trust the cloud provider that asserts their VPC between their server that terminates TLS and any API servers behind that which don’t use encryption for data in transit.
3rd party could mean a DBA, IT consultant, AWS support tech, CDN support tech, MSSP employee, cloud platform, etc. those all come with different levels of risk, different contract terms, etc.
I’m trying to say that just saying the TLS connection is terminated by a vendor, who then creates another to the origin server doesn’t tell you anything valuable from a security / risk standpoint. The CDN-fronted connection that shows the warning may be highly secure while a self-managed reverse proxy that terminates the TLS connection to another server owned+managed by the same person/org might be completely insecure. The warning is not a useful signal.
I guess you like those cookie warnings that pollute the Internet these days? Because this would be cookie warnings all over again. Any site that's reasonably popular uses a CDN to increase scalability, improve performance, and add reliability. Half the Internet would need a new pop-up warning that a CDN is in use. The last thing we need is yet another pop-up when a page loads....
It doesn't need to be a pop up. Just behave like an HTTP site ("not secure" warning) when you could be MITM'd between yourself and the entity you think you are communicating with.
If it turned out "End to end" encrypted chat went through a third party that even transiently had access to the plaintext version of the chat (like how Cloudflare works) you'd be apoplectic.
It's impossible to know if a third party had access to the plain text. Hell even Cloudflare can be set up with actual end to end encryption where they can never see the contexts of the traffic. Most users don't want that as they want CDN features that require unencoding the data.
Do you want a similar warning on every site that the server might be compromised? Because I don't think that risk is smaller than the CloudFlare MITM risk.
I want a similar warning on any provider that is known to routinely MITM and send data unencrypted across the Internet. As far as I know that would only be sites hosted by Cloudflare and sites using certificates issued by the government of Kazakhstan. There's a difference between screwing up (and I wouldn't be against holding companies liable for that) and wilfully setting up a https:// URL that sends your requests unencrypted over the public Internet.