Given Snowden, I have to assume Cloudfare is under the thumb of at least the NSA.
For example, all the usual arguments against backdoors are going to be used by intelligence agencies to justify "providing assistance", which isn't even merely a euphemistic excuse given how incredibly valuable it would be for normal organised crime to spy on some of the encrypted data… but also is at least a bit of a euphemism, as I have to assume the controversies about terrorist groups using Cloudfare are only pemitted to happen because someone in US intelligence knows how to squeeze secrets from those groups.
In theory, messing with SSL is one of Cloudfare's features, not a secret; in practice I suspect most end users treat all this as magic — I've directly witnessed magical thinking with the padlock icon in browsers.
That's different. I have a lot of problems with CF, but when you sign up for a service which requires to see the traffic and you configure it explicitly to see your traffic... what's the complaint here?
Onavo users signed up, consented to their traffic data to be used for market research and were actually compensated for it. What's the complaint here ?
Did they? I mean, did they understand the privacy violation possible in this case? Or was the technical point they wouldn't understand somewhere in the middle of an agreement nobody reads anyway?
The difference in awareness is massive between those two use cases.
> Users cannot consent to Cloudflare seeing their traffic
Users consent to the website seeing their traffic and the website consents to Cloudflare doing the SSL termination. This isn't too much different from the website consenting to analytics scripts monitoring webpage activity (i.e. Hotjar). If they did something shady, then users & the website would both be rightfully mad at them. But Cloudflare hasn't, so far at least.
Meanwhile, Facebook is known to do literally everything shady that is possible to do with a user's data, as well as plenty of things that weren't even a thing before they invented entirely new methods of tracking and selling data, so it's rightfully insane to trust them with anything, especially website traffic that they have no rights to.
Why would you idea stop at CF? Did they consent to hetzner / digital ocean / AWS / whatever hosting company seeing the traffic? The idea that the content producer decides how the content is served on the internet is the default.
They don't see the traffic unless they analyze the memory of your running server, because the SSL termination happens inside the server. Encrypted traffic passes through their network, which they don't have the keys for. Cloudflare, on the other paw, literally offers to do the SSL termination for you, as in they hold the private keys and perform the decryption on their servers that they control. Then they pass the decrypted traffic through their network in order to do things like "optimize" your images, or inject JavaScript into your pages. Website owners consent to this, but I guess the question here is whether users should need to consent to this website's traffic being handled in decrypted form by Cloudflare before that is actually done.
They can see the traffic if you're using one of their load balancers. And even if not, snooping on VMs is pretty trivial. For example this project https://github.com/KVM-VMI/kvm-vmi makes it easy to look at memory / processes on a VM.
> They can see the traffic if you're using one of their load balancers.
Only if you let them manage the SSL connection. Load balancers can easily relay individual TCP connections that are encrypted - load balancing doesn't require decryption.
> And even if not, snooping on VMs is pretty trivial.
They'd have to go out of their way to do this, and this would probably be the end of them if it were ever found out. So it's safe to assume any provider who wants to continue existing will not be doing this.
They explained pretty clearly why they think that's the case. You're both right though. It's likely not the case that cloud flare is the only company conducting and cooperating with government agencies to do these types of things. In my opinion it would be very silly to assume that.
I honestly can't think of one without googling. Cloudflare is kind of everywhere. Just like Google... can't really get rid of them even if you want to.
I'm sorry but that means your nerd card will expire at the end of the month. I see you've had it for quite a while, but being unable to name any CDN companies besides Cloudflare means your nerd card will lapse. If you'd like to apply for a newer issue one, an LLM agent will be along shortly to help you.
Now obviously my comment is not about "just a CDN provider" right?
The SSL stuff that Cloudflare offers to protect your websites/APIs etc so you don't have to, their DNS products. The fact that iCloud Private Relay uses Cloudflare under the hood (and so all browsing there happens through their gateways etc).
I mean, if it's just the case that you've drank that much of the Cloudflare Kool aid that Akamai, AWS, and GCP don't have competing options in your mind, then that's a different problem entirety. Good for Cloudflare's wallet, and kudos to their marketing team though.
For example, all the usual arguments against backdoors are going to be used by intelligence agencies to justify "providing assistance", which isn't even merely a euphemistic excuse given how incredibly valuable it would be for normal organised crime to spy on some of the encrypted data… but also is at least a bit of a euphemism, as I have to assume the controversies about terrorist groups using Cloudfare are only pemitted to happen because someone in US intelligence knows how to squeeze secrets from those groups.
In theory, messing with SSL is one of Cloudfare's features, not a secret; in practice I suspect most end users treat all this as magic — I've directly witnessed magical thinking with the padlock icon in browsers.