Still remember me?
Man, I've been off the grid for a long time.
In case you're new: Hi, my name is sn0w.
I bully bloated software for a living, and sometimes I even write texts like this one.
I pretty much vanished from the internet during 2018 due to various job-related reasons, but I'm glad to be back. Expect more content soon-ish. I really enjoy writing, and I hope that some of the content here is useful for a few of you out there. Feel free to leave feedback or content suggestions using my contact page.
With that said, let's start today's post!
Today I'd like to use my 5 minutes of internet attention to talk a little bit about Cloudflare, and why I think you should avoid them as much as possible. I wrote a lot about this in chats during the last months, so I thought I might as well turn it into a blog post.
This post is not about Cloudflare's business practices or their behavior towards Tor and VPN users. Those are important problems too, but here I want to talk about some of the privacy implications that I feel not everyone is aware of.
Normally your user initiates an HTTPS connection to your server, and nobody eavesdropping on any hop in between should be able to read the requested content.
With Cloudflare in front of your site you are voluntarily adding a man in the middle.
And that's a problem.
These are the SSL modes available on Cloudflare:
Off: plain HTTP on both hops, visitor to Cloudflare and Cloudflare to your server.
Flexible: HTTPS between the visitor and Cloudflare, plain HTTP between Cloudflare and your server.
Full: HTTPS on both hops, but Cloudflare does not validate your server's certificate, so a self-signed one is accepted and anyone on the path between Cloudflare and your server could present their own.
Full (Strict): HTTPS on both hops, and your server's certificate has to be valid.
Now obviously "Off" isn't something anyone would knowingly use.
But let's take a look at the other modes and why each of them is potentially dangerous in its own way.
When you open a website over HTTPS you expect it to be secure. You carefully watch your browser's address bar until that nice green padlock appears and feel an instant sense of security.
But are you actually getting the "Secure Connection" your browser is promising?
With CDNs like Cloudflare you can't know for sure.
In Flexible mode the connection between Cloudflare and your actual server is plain HTTP. Now I hear you ask, "why is that important, the connection is just internal". And yes, that would be true if your site were hosted inside Cloudflare's own datacenters.
In reality there is an undefined number of intermediate hops. Data leaves Cloudflare's network, goes through their upstream providers and across the internet, reaches your hosting provider's network and finally arrives at your server.
This means that there are 1..n hops between Cloudflare and the server you're interacting with where your data travels in plain text: URLs, cookies, session tokens, whatever you typed into a form. And the whole time your browser shows a padlock, because the only hop it can see is the one to Cloudflare.
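If you run a server behind Cloudflare you can at least tell from your own side which mode is really in effect: Cloudflare adds a CF-Visitor header (a small JSON object with the scheme the visitor used) and X-Forwarded-Proto to every request it proxies, and your server knows whether the connection that reached it was TLS or plain TCP. The following is an added example of mine, not code from the original post or from Cloudflare. It models a request the way a WSGI/ASGI app sees it and flags the Flexible case, where the visitor saw HTTPS but the last hop was plain HTTP. The sample requests are constructed; the header names are the ones Cloudflare documents.

```python
"""Classify, from the origin's point of view, which Cloudflare SSL mode a request travelled under.

Added example for this post, not Cloudflare code.  A request is modelled the way a
WSGI/ASGI app sees it: the scheme the origin's own socket negotiated ("http" or
"https") plus the request headers.  Cloudflare sets CF-Visitor (JSON with the
scheme the visitor used) and X-Forwarded-Proto on proxied requests.
"""
import json


def visitor_scheme(headers):
    """Scheme the visitor used towards the Cloudflare edge, or None if unreadable."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "cf-visitor" in lower:
        try:
            return json.loads(lower["cf-visitor"]).get("scheme")
        except (ValueError, AttributeError):   # not JSON, or JSON that is not an object
            return None
    return lower.get("x-forwarded-proto")


def classify(origin_scheme, headers):
    """
    origin_scheme: "http" or "https", what the origin's own listener negotiated.
    Returns:
      "direct"         no proxy headers at all; the visitor reached the origin itself
      "off"            plain HTTP on both hops (mode Off, or Flexible with an http:// visitor)
      "flexible-leak"  visitor saw HTTPS, but the edge->origin hop was plain HTTP
      "full"           HTTPS on both hops; the origin cannot tell Full from Full (Strict),
                       because only the edge knows whether it validated the certificate
      "unknown"        proxy headers present but inconsistent or unparsable
    """
    keys = {k.lower() for k in headers}
    proxied = "x-forwarded-proto" in keys or any(k.startswith("cf-") for k in keys)
    if not proxied:
        return "direct"
    seen_by_visitor = visitor_scheme(headers)
    if seen_by_visitor == "https" and origin_scheme == "http":
        return "flexible-leak"
    if seen_by_visitor == "http" and origin_scheme == "http":
        return "off"
    if seen_by_visitor == "https" and origin_scheme == "https":
        return "full"
    return "unknown"


def should_refuse(origin_scheme, headers):
    """Policy hook: refuse to serve the Flexible case so the operator is forced to fix the mode.

    A 4xx here shows up in the origin log and the Cloudflare dashboard, whereas
    silently serving the page keeps the padlock green and the leak invisible.
    """
    return classify(origin_scheme, headers) == "flexible-leak"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("https", {"Host": "example.org"}),
    ("http",  {"CF-Visitor": '{"scheme":"https"}', "X-Forwarded-Proto": "https",
               "CF-Connecting-IP": "198.51.100.7"}),
    ("https", {"CF-Visitor": '{"scheme":"https"}', "X-Forwarded-Proto": "https"}),
    ("http",  {"CF-Visitor": '{"scheme":"http"}', "X-Forwarded-Proto": "http"}),
    ("http",  {"CF-Visitor": "not json"}),
]

if __name__ == "__main__":
    for scheme, hdrs in SAMPLES:
        verdict = classify(scheme, hdrs)
        print(f"origin={scheme:5s} -> {verdict:14s} refuse={should_refuse(scheme, hdrs)}")
```

Two things worth noticing: a "direct" verdict means your origin is reachable without Cloudflare at all, which is its own problem, and a "full" verdict cannot distinguish Full from Full (Strict), because whether the edge validated your certificate is never visible to you.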
Ok, so if Flexible and Off suck, then Full (Strict) should be awesome, right?
No, I'm afraid not.
You see, Cloudflare advertises this mode as "End-to-End Encrypted", and since the infographic shows padlocks on both connection arrows, most admins think "yeah, that's privacy".
Let's recall how an automated CDN works. It has to intercept every request, determine whether that request is cacheable, and decide whether to serve it from an edge cache or forward it to your server.
That doesn't work with true end-to-end HTTPS.
HTTPS encrypts the entire underlying HTTP exchange.
URL, query parameters, headers, cookies, request bodies, you name it.
The only things an intermediary gets to see are what's needed to deliver the packets: the IP addresses and, through the SNI field of the TLS handshake, the hostname.
What Cloudflare does to "fix" this is called TLS (or "SSL") termination, and a shocking number of people I talked to didn't know this. It means that the "Secure Connection" your browser is promising ends at Cloudflare. The edge server holds a certificate and private key for your domain, decrypts the HTTPS request and makes its caching and routing decisions on the plain HTTP data. After that, the Full and Full (Strict) modes open a second TLS connection to your actual server (Strict being the one that actually checks your server's certificate) and re-encrypt your data for that hop.
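To make "everything except the domain" concrete, here is an added example (my code, not from the original post or from Cloudflare) that builds a minimal TLS 1.2 ClientHello and then parses the Server Name Indication out of it, exactly the way a pass-through hop on the path would. That hostname, plus the IP addresses, is all a non-terminating intermediary ever gets; everything after the handshake is ciphertext to it. A terminating edge is different in kind, not degree: it owns a certificate and key for your domain, so once the handshake is done it holds the whole HTTP request in the clear. The ClientHello here is constructed, and its cipher suite bytes are placeholders.

```python
"""Build a minimal TLS 1.2 ClientHello and extract its SNI, as a pass-through hop would.

Added example for this post, not Cloudflare code.  A forwarder that does NOT
terminate TLS can read exactly this much: the record header and the ClientHello,
including the server_name extension.  Everything after the handshake is ciphertext
to it.  A terminating edge (Cloudflare in any mode but Off) instead owns the
certificate and key for the hostname, so it sees the whole HTTP request.
"""
import os
import struct

SNI_EXTENSION = 0x0000   # server_name extension type, RFC 6066
HOST_NAME = 0            # NameType host_name


def build_client_hello(hostname=None):
    """Constructed ClientHello; cipher suites and random are placeholders.

    With hostname=None the extensions block is omitted entirely (an SNI-less hello).
    """
    ciphers = struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"       # two suites, values arbitrary here
    body = b"\x03\x03" + os.urandom(32) + b"\x00"              # version, random, empty session id
    body += ciphers + b"\x01\x00"                               # compression_methods: null only
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a TLS ClientHello record, or None if absent or malformed.

    Length fields come from the peer and are not trusted: anything that runs off the
    end of the buffer is reported as None instead of crashing the reader.
    """
    try:
        if record[0] != 0x16:                                   # not a handshake record
            return None
        rec_len, = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                       # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                            # skip version and random
        pos += 1 + body[pos]                                    # session id
        cs_len, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                                       # cipher suites
        pos += 1 + body[pos]                                    # compression methods
        if pos + 2 > len(body):
            return None                                         # no extensions at all
        ext_total, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != SNI_EXTENSION:
                continue
            list_len, = struct.unpack("!H", data[:2])
            q, q_end = 2, 2 + list_len
            while q + 3 <= q_end:
                ntype = data[q]
                nlen, = struct.unpack("!H", data[q + 1:q + 3])
                q += 3
                if q + nlen > len(data):
                    return None                                 # name runs past the extension
                if ntype == HOST_NAME:
                    return data[q:q + nlen].decode("ascii")
                q += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    hello = build_client_hello("example.org")
    print("pass-through hop sees SNI:", extract_sni(hello))             # example.org
    print("SNI-less hello:", extract_sni(build_client_hello()))         # None
    print("plain HTTP on the wire:", extract_sni(b"GET / HTTP/1.1\r\n"))  # None
```

Run it against a real capture (the first record of any TLS connection) and you will get the same one string back. Nothing in this parser knows about keys, and it cannot: the hostname is the last plaintext a non-terminating hop ever sees, which is precisely why a caching CDN has to terminate instead.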
Let that sink in.
Cloudflare, an American "cloud" company, has plain-text access to any and all requests on literally millions of websites, and that number grows every day.
Of course they claim that they don't do anything with that data, but as with every closed service there is no way for you to verify that. In theory they have access to everything. Everything you ever did on Discord, Patreon, 4Chan, Curse, you name it. It all went through their hands, fully decrypted and just begging to be aggregated and analyzed.
TL;DR: With Cloudflare, insecure pages can get a green HTTPS icon, and even if everything is "secure", a US-based company has access to everything you do on major sites in plain text.
If you're a server operator, please think thrice about adding a whole-page CDN. It's extremely likely that you don't need it, and that hosting your static media assets on a "manual CDN" (one that only ever serves images and scripts and never sees your HTML, cookies or API traffic) is more than enough.
If you're a user, protect yourself from Cloudflare.
Put their subnets (https://www.cloudflare.com/ips/) in a deny/reject policy of your firewall, and if you really have to reach them (e.g. because your friends won't stop using Discord), use something like Tor Browser to temporarily bypass your self-imposed block.
Use decentraleyes to unbreak pages that get their JS libraries from
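The firewall part of that advice, as an added example (my code, not from the original post): Cloudflare publishes its ranges as one CIDR per line at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. The script below parses lists in that format, answers "is this address in there?" so you can check what a site resolves to before you visit it, and renders an nftables ruleset that rejects outbound traffic to the whole set. The embedded ranges are documentation prefixes standing in for the real lists so the example runs offline; the fetch helper pulls the current lists when you actually deploy it.

```python
"""Turn a published list of CIDR ranges into an IP lookup and an nftables reject ruleset.

Added example for this post, not Cloudflare code.  The input format (one CIDR per
line, '#' comments allowed) matches https://www.cloudflare.com/ips-v4 and
https://www.cloudflare.com/ips-v6.  The ranges embedded below are documentation
prefixes (RFC 5737 / RFC 3849) standing in for the real lists so this runs offline.
"""
import ipaddress
import urllib.request

IPS_V4_URL = "https://www.cloudflare.com/ips-v4"
IPS_V6_URL = "https://www.cloudflare.com/ips-v6"

# Constructed stand-in lists, NOT Cloudflare's actual ranges.
SAMPLE_V4 = "203.0.113.0/24\n198.51.100.0/25\n# trailing comment\n"
SAMPLE_V6 = "2001:db8::/32\n"


def parse_ranges(text):
    """Parse CIDR lines, skipping blanks and comments; raises ValueError on junk."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def is_listed(ip, nets):
    """True if `ip` falls inside any of `nets` (same address family only)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets if net.version == addr.version)


def nft_ruleset(nets, table="inet filter", set_name="cloudflare"):
    """Render an nftables ruleset rejecting outbound traffic to every range in `nets`."""
    out = [f"table {table} {{"]
    rules = []
    for version, proto in ((4, "ip"), (6, "ip6")):
        elems = sorted(str(n) for n in nets if n.version == version)
        if not elems:
            continue                      # do not emit an empty set or a rule referencing it
        name = f"{set_name}_v{version}"
        out += [f"  set {name} {{",
                f"    type ipv{version}_addr",
                "    flags interval",
                "    elements = { " + ", ".join(elems) + " }",
                "  }"]
        rules.append(f"    {proto} daddr @{name} reject")
    out += ["  chain output {",
            "    type filter hook output priority 0; policy accept;",
            *rules,
            "  }", "}"]
    return "\n".join(out) + "\n"


def fetch_ranges(urls=(IPS_V4_URL, IPS_V6_URL), timeout=10):
    """Download and parse the live lists; needs network, so the demo below does not call it."""
    nets = []
    for url in urls:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            nets += parse_ranges(resp.read().decode("ascii"))
    return nets


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_V4 + SAMPLE_V6)
    for ip in ("203.0.113.9", "203.0.114.9", "2001:db8::1"):
        print(ip, "listed" if is_listed(ip, nets) else "not listed")
    print(nft_ruleset(nets))   # write to cloudflare.nft and load with: nft -f cloudflare.nft
```

Re-run the fetch and reload the ruleset every so often; the published lists change, and a stale set silently lets new ranges through.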
Thanks for coming to my TED talk.
PS: This post focused on Cloudflare but, of course, also applies to other providers that offer similar services like Fastly or AWS WAF/CloudFront. I didn't mention them simply because avoiding Cloudflare is the "most bang for the buck" way of improving your privacy. If you want 100% protection you'll have to do some additional research on your own.