Because they’re literally MITM-as-a-service. I wish I was exaggerating.
Seriously. If a website uses Cloudflare, Cloudflare can see everything you do on that website. Stuff you say. What pages you go to and what you’re looking at. Any passwords you type in. Everything.
(And your browser doesn’t warn you about that because Cloudflare has a legit cert for the site; as far as your browser is concerned they ARE the site.)
The thing is, every CDN provider does the exact same thing, and the modern internet wouldn’t work without them. Cloudflare gets a bad rap largely because they offer free and low cost services that are very attractive to individuals, hobbiests, etc.
Companies like Akamai, Fastly, AWS, etc. offer virtually identical services but you may never have heard of them because they mostly only offer services to corporate customers. But their CDNs operate the same way - by decoding the traffic so they can analyze it for purposes of caching it to speed up delivery.
Edit: Love how my comments are being downvoted. What I’ve said here is 100% accurate and true. I used to work at Akamai, and still work with it on a daily basis at my current employer so I have a lot of knowledge of the platform. If you think what I’m saying isn’t accurate then just say so.
Yeah it’s… DEFINITELY a thing you should know, and definitely a thing they don’t want you to know, because they want you to not even know they’re there!
At least with normal trackers that embed JS on the page, like Google, which can also snoop on basically everything you do by the way, if you block the tracker you’re relatively safe (until they change the tracker, until you get an updated filter list… it’s a constant back and forth).
You can’t block Cloudflare MITMing you. (“man-in-the-middle”, they pretend to be the server and pass on everything you say to the server and the server’s response to you, while probably writing down everything for their own purposes. this is a large part of what HTTPS was explicitly intended to protect against…)
Every single CDN provider works this way, and the internet as we know it wouldn’t work without them. If you don’t like that Cloudflare works this way then you should be upset at Amazon, Akamai, Google, Fastly, and many others as well.
Edit: For all of you downvoting me, if I am wrong then please enlighten me as to how CDNs operate without being able to decrypt your browsers traffic.
Bullshit. I work on a daily basis with Akamai, providing CDN, WAF, image optimization, and other services across roughly a dozen domains. Those services are all fully in-line with the domains in question. No need for a third party domain. We’ve also evaluated Cloudflare to see if the cost savings would justify migrating from Akamai.
Because they’re literally MITM-as-a-service. I wish I was exaggerating.
Seriously. If a website uses Cloudflare, Cloudflare can see everything you do on that website. Stuff you say. What pages you go to and what you’re looking at. Any passwords you type in. Everything.
(And your browser doesn’t warn you about that because Cloudflare has a legit cert for the site; as far as your browser is concerned they ARE the site.)
– Frost
This very much. They are probably the largest private worldwide vigilance operation ever to exist.
Unfortunately they provide services that are very valuable to some organisations, so they get away with it.
Wow, thanks. I didn’t know. Get my upvote! Honestly, this is the best reply on this post.
The thing is, every CDN provider does the exact same thing, and the modern internet wouldn’t work without them. Cloudflare gets a bad rap largely because they offer free and low cost services that are very attractive to individuals, hobbiests, etc.
Companies like Akamai, Fastly, AWS, etc. offer virtually identical services but you may never have heard of them because they mostly only offer services to corporate customers. But their CDNs operate the same way - by decoding the traffic so they can analyze it for purposes of caching it to speed up delivery.
Edit: Love how my comments are being downvoted. What I’ve said here is 100% accurate and true. I used to work at Akamai, and still work with it on a daily basis at my current employer so I have a lot of knowledge of the platform. If you think what I’m saying isn’t accurate then just say so.
Um, no they don’t, at least not the way “CDN” is typically meant. They typically provide a third party domain the website includes stuff from.
Cloudflare also does that, but it’s not the issue here. The issue here is all the MITMing.
Unless Akamai and suchlike silently MITMs your visitors by pretending to be the original site too? in which case yes, fuck Akamai as well.
The modern internet WOULD, in fact, work without them, it just might be a little slower, and you know what? That’d be okay. We’d live.
– Frost
Yeah it’s… DEFINITELY a thing you should know, and definitely a thing they don’t want you to know, because they want you to not even know they’re there!
At least with normal trackers that embed JS on the page, like Google, which can also snoop on basically everything you do by the way, if you block the tracker you’re relatively safe (until they change the tracker, until you get an updated filter list… it’s a constant back and forth).
You can’t block Cloudflare MITMing you. (“man-in-the-middle”, they pretend to be the server and pass on everything you say to the server and the server’s response to you, while probably writing down everything for their own purposes. this is a large part of what HTTPS was explicitly intended to protect against…)
Every single CDN provider works this way, and the internet as we know it wouldn’t work without them. If you don’t like that Cloudflare works this way then you should be upset at Amazon, Akamai, Google, Fastly, and many others as well.
Edit: For all of you downvoting me, if I am wrong then please enlighten me as to how CDNs operate without being able to decrypt your browsers traffic.
Um, no they don’t. They typically provide a third party domain the website includes stuff from.
Cloudflare also does that, but it’s not the issue here.
– Frost
Bullshit. I work on a daily basis with Akamai, providing CDN, WAF, image optimization, and other services across roughly a dozen domains. Those services are all fully in-line with the domains in question. No need for a third party domain. We’ve also evaluated Cloudflare to see if the cost savings would justify migrating from Akamai.
I guess Akamai is a creep too then.
– Frost