Why I dislike CloudFlare

Until a few months ago I had been using Tor mostly for sensitive communications and circumventing censorship but because I am conscious, maybe even to a fault, about surveillance I decided to start using Tor for my main internet browsers. From time to time I open up another browser that is meant specifically for non-Tor use but this is not too often.

From usability point of view I think Tor is great. It works fantastically, the startup time is fast and the connections are bearable. On an occasion, every few days, I get a Tor circuit which is a tad slow but because Tor makes getting a new identity so easy this isn't really a problem. There is another thing however that has proven to be a bit problematic, that thing is CloudFlare.

CloudFlare actively stops Tor users from accessing content that uses their CDN, content delivery network. The worst part about this is that often times the website owner doesn't even know that it is happening. I even met a couple of professional web developers on IRC who had no idea that they were blocking Tor connections.

Use of CloudFlare is often excused with hiding your IP from DDoSsers. This could just as well be done with Tor using a hidden service and at the same time you would be fighting for the freedom of net, freedom from surveillance and censorship.

Speaking of surveillance and censorship. By using using CloudFlare you are actively contributing to these very negative goals. CloudFlare collects vast amounts of metadata on their users and being based on the US they are most likely forced to give up this data to the NSA. Currently I only know about CloudFlare stopping Tor connections but it would be trivial for them to expand the set of censored IP blocks, addresses, pages, users, you name it. Their Tor blockade also has the negative effect of encouraging the act of connecting to the world wide web directly, which of course makes the user very prone to surveillance.

CloudFlare also gives users and website owners false sense of security. It is not possible to use encrypted communications from a web browser to the web server if you want to use CloudFlare as it needs to be able to see and cache all of the content. Thus CloudFlare does a man-in-the-middle, all of the communications are decrypted and then reencrypted. Because CloudFlare's certificate is valid user still sees the icon that his browser uses for working TLS sessions. Because what CloudFlare does is just a man-in-the-middle they can see everything that the user sends to the server, which often includes very sensitive data such as passwords but also private messages. They can and most likely do store all of the data, they might even be forced to do so. CloudFlare also has the ability to modify the data in transit and use that to infect users or serve them false information.

I have been trying to contact website owners about their use of CloudFlare but unfortunately it is very rare that they respond. For a security and privacy conscious individual CloudFlare is a nightmare but for an intelligence agency it must be a wet dream. I like to call it MaaS, man-in-the-middle as a service.

I've had this as a draft for a few weeks now, decided to release because I saw an article on softpedia about the Tor project and CloudFlare.