by peanut-walrus 31 days ago
Articles like these seem to hold a weird belief that Cloudflare does not react to security reports or legal orders? From my experience, they react appropriately and relatively quickly compared to the rest of the industry.

Could Cloudflare be more proactive or add more friction to their signups? Yes, probably, but the reasons they have outlined for not playing internet police make sense to me.

I don't think it should be a requirement to provide your credit card, phone number and a copy of your ID in order to host content on the internet...


The internet worked for so long because people responsible for each little island did what was for the most part in the best interests of the rest of the islands. If you didn't, other islands would shut off their links to you. Law enforcement was a last resort because 1. the courts don't move at the speed of the internet and 2. nobody wanted the internet getting top down governmental regulation because it was trans-national.

Cloudflare spent a bunch of venture capital to give away expensive things for free and buy market share. If you convince all the grocery stores to move to your island, you can operate a den of criminal activity with no fear of everyone else shunning you.

Talk to anyone who fights botnets, malware, or online scams. Once you hit the Cloudflare dead end you just have to give up. Law enforcement isn't going to take up a case where only 7,000 people's computers are infected, and Cloudflare isn't going to investigate and take action themselves.

I do fight botnets, malware and scams. Criminals flock to any service where they can spread their stuff and appear legitimate. Google, Facebook, Vercel, Netlify, Amazon, Oracle, Microsoft, OVH, etc. In my experience, Cloudflare is not any more or less of a dead end than any of the other providers, there are some others in that list who deserve being called out a lot more.
Yes, Cloudflare has always been really shitty and automated at responding to abuse reports, and because they are the front-end connection, it is impossible to pursue the report against the 'real' host unless Cloudflare is willing to provide you with information about where that host is: which they won't typically do, even if you are a fellow infrastructure provider. It's been several years, so maybe they have gotten better, but I would be surprised.
I don’t think it should be a requirement to talk to Cloudflare at all to host content on the internet. I certainly don’t.
Oh absolutely agreed. Cloudflare becoming a giant internet chokepoint is certainly a real problem. It would be a much better world where DDoS protection would not be a needed service or where it was provided as a public service, rather than by private companies. However, that's not the world we live in.
How did you get that from the comment? It’s the other way around - if you report criminal or illegal sites hosted by Cloudflare they will take it down.

I’ve hosted content online for decades and never once talked to Cloudflare.

Will they? Have you gone through that process with them? In my experience (admittedly somewhat stale) it was fairly hard to get through to them, much less to get the information required to actually report bad actors to their real hosting provider that Cloudflare is fronting.
I once came across a website hosting extremely inappropriate content while surfing the web. I discovered that this website was using Cloudflare for DDoS protection and other purposes. I had a bit of a look online and found out how to submit a complaint to Cloudflare. On that form, I was asked for my email address and no other personal details, if I remember correctly. On the very same day, I received an email confirming that my complaint had been accepted and was under review - presumably an automated response. It was already quite late, so I went to sleep.

And just a few hours later, I received a letter informing me that the information about the website in question had been forwarded to the relevant authorities, as well as to the website’s hosting provider. To be honest, I didn’t read that second email until the next day (I was sleeping), and it seems the website's hosting provider acted quickly (or the site owners decided to cover their tracks), because when I went to that website to check how it is going, it was no longer active, no longer existed at all. It just was gone. That was about six months ago.

So... I won’t speak for others’ experiences, but in this particular case, they reacted quickly and quite effectively. Perhaps other people have had different experiences.

I haven’t but it seems you have gone through it successfully with some friction (which is probably good?)
Cloudflare & AWS wouldn't even INVESTIGATE an abuse report I sent because there weren't any "infringing URLs" or "specific resources".

I provided enough evidence for them to at least be able to kickstart an internal investigation or even CONTACT the abusive customer, which they did not do.

If it were a stresser, all they would see is a login panel. It's not like these sites are publicly advertising what they're doing...

That's not a "weird belief". Cloudflare positions itself as "infrastructure". That means they think they are not responsible for the content that they carry.

In a normal scenario, if you want to protect your systems from other "bad" systems on the internet, you can block them on the IP layer.

But Cloudflare operates at the IP layer proxying data between you and good and bad (and everything in between) systems.

In a normal situation you could block and report a site that is run by the mob, by either blocking them at the IP level or by contacting the abuse@ of the organization that is hosting the content.

Cloudflare is making it so that you can't do either. And if you send an abuse report to Cloudflare, you cannot be sure that they will not just forward your contact information directly to the entity that you are complaining about. They have changed their stance over the years to appear more responsible, but the fact remains:

If I want to send an abuse@ report to a system that is hidden behind Cloudflare I cannot be sure that they won't just forward it without me knowing who they are forwarding it to.

This is a good thing. You shouldn’t be able to get a Discord full of “activists” with personality disorders to spam someone’s host with false abuse reports and threaten them until the host boots them out of sheer annoyance.