I've had a fairly high opinion of CF, apart from their Tor handling and bad defaults (Trump's website requires a captcha to view static content.) Yeah I'm uncomfortable with them having so much power, but they seemed like a decent company.
But their response here is embarrassingly bad. They're blaming Google? And totally downplaying the issue. I really didn't expect this from them. Zero self-awareness, or they believe they can just pretend it's not real and it'll go away.
I'll just use their own logic they use against us when we ask them to take down the DDoS attack-for-hire sites they host while they are attacking our servers:
Why does Cloudflare think Google needs to do anything here? It's not illegal. Google shouldn't do anything unless they receive a court order to do so! Why does everyone expect Google to do enforcement here? Google has the right to post this information, it's not illegal to do so, therefore they shouldn't do anything at all about this. Don't you care about freedom of speech? If Google removes this, it creates a slippery slope that will lead to the entire internet being censored.
Google removes info from its index and caches all the time. It's not unreasonable for CloudFlare to expect them to remove this issue. It's just a matter of scale and difficulty.
I'm not sure if you're playing along or if you entirely missed his point. Of course it's a bad argument, just like when it is used by Cloudflare to protect the DDoS site they are hosting while they often remove other stuff. That's the hypocrisy he is pointing out.
But it's not hypocritical in the least. CloudFlare is not in the business of removing customers based on site content. Google is. It's entirely reasonable for CloudFlare to expect Google to clean the caches without having to consent to being internet cops.
Child pornography sites are easy to isolate and remove. There's a database of md5 hashes for images that are considered illegal; if you're a CDN you are likely already calculating the md5 hash of all images passing through your system as part of your caching process.
If you find any site has a large number of illegal md5 hashed images going through it, then just remove the site.
Piracy sites can be isolated by checking for keyword clusters or seeing if they're directly serving torrents, or banned hashed content.
We do something similar at work to sanitise image data; by policy no one actually looks at the content, but if you match against previously banned content for DMCA reasons, we drop your data.
DDoS sites though? How can you tell some site individually is part of a network to DDoS another?
These sites aren't performing DDoS, they're advertising DDoS services/tools. This makes them prime candidates for targeting by other DDoS services, hence the importance of being behind CloudFlare. If you can use keyword clusters to find piracy, DDoS advertisements aren't too far away.
Or they could just remove them when someone points them out to them, which is even harder to explain when you're already working to suppress child pornography and piracy sites using your services.
MD5 hash detection is easily avoided by changing the files by one bit. But if they're using PhotoDNA that's actually quite plausible, and they have my full support (err, I mean, censorship! Slippery slope! Where's the court order?)
Keyword clusters would work just fine for flagging DDoS attack-for-hire content:
They say they are 'legal' and perform 'stress tests', and 'distributed performance analysis' or 'real world testing'.
Granted I'd never use something as shady sounding as ddos.xyz, but there are plenty of legit companies that do the exact same things.
You'd need a bunch of manual review, and even then it'd become a "we think they're shady" instead of a "they're objectively sharing known illegal content" like it is with illegal pornography or copyright content.
Cloudflare understandably doesn't want to get into the business of being a company that manually reviews the internet (in how many languages?), and boots people who don't meet its tests.
Neither is Google in the business of removing the content; they have to remove it if they get the legal request, or they remove it based on some internal rules.
Agree that it's a shame that it doesn't really feel like they're owning up to how bad it was.
But I wonder if it will just mostly go away. Luckily for cloudflare this is a pretty random sampling of people around the country and world. Unless someone has put together a big data set from the caches and decides to leak it or inform the victims, it seems like most people whose accounts do get taken over from this will have no way to trace it back to this bug.
It's not surprising though & it's probably going to keep happening going fwd, and not just at CF. There are only ~10 megacap companies that can afford to hire & retain dedicated hardcore, top-shelf netsec teams to fastidiously audit every production SW module for problems like this one, and proactively rewrite things that look sketchy even if no specific bug has been encountered yet. At most other firms, security teams are still largely reactionary.
I've had trouble finding a competitor that offers the same service with DDoS mitigation, WAF, and CDN for a flat fee. Every other service charges per request and/or by bandwidth. Do you know of any comparable alternatives?
By tiered flat fee, does that mean that if my little website was DDoSed, they'd stop serving traffic once the amount of data I've paid for is used up? I'd be fine with that. Being billed for more than the data I wished to pay for would mean doom.
Is there an option to not revert DNS but instead to just temporarily remove the DNS records or something in case one doesn't want the IP addresses of the origin servers revealed?
Not that I can see in the documents, but I imagine you could handle that yourself by not serving traffic if the request body doesn't have the appropriate proxy headers.
I have my origin servers firewalled to allow only traffic from CloudFlare servers and would do the same in case I switched to OVH, but even so it would cause a lot of trouble if the origin server IP addresses were revealed since this would let the attackers target the network I'm on directly.
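The proxy-header check and the source-address restriction discussed in the two replies above, combined in one origin-side gate, as an added example that is not part of the original thread. A header by itself can be set by anyone who reaches the origin directly, so the peer address is checked first. The ranges are constructed documentation addresses standing in for the CDN's published edge ranges, and `evaluate_request` is a hypothetical helper.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation space).
# Assumption: in production these are loaded from the CDN's published edge ranges.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:100::/48")
]

# Header Cloudflare adds to proxied requests to carry the visitor's address.
CLIENT_IP_HEADER = "CF-Connecting-IP"


def peer_is_trusted_proxy(peer_ip: str) -> bool:
    """True only if the TCP peer address lies inside a trusted edge range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(
        addr.version == net.version and addr in net for net in TRUSTED_PROXY_RANGES
    )


def evaluate_request(peer_ip: str, headers: dict) -> tuple:
    """Return (decision, client_ip) for one inbound request at the origin.

    decision is "serve", "reject" (came via the proxy but malformed) or
    "drop" (did not come via the proxy at all).
    """
    # Check the peer first: a request that bypassed the proxy can carry
    # any header value the sender likes, so the header is ignored here.
    if not peer_is_trusted_proxy(peer_ip):
        return ("drop", None)

    # HTTP header names are case-insensitive.
    hdrs = {k.lower(): v for k, v in headers.items()}
    claimed = hdrs.get(CLIENT_IP_HEADER.lower())
    if claimed is None:
        return ("reject", None)
    try:
        client_ip = str(ipaddress.ip_address(claimed.strip()))
    except ValueError:
        return ("reject", None)
    return ("serve", client_ip)
```

The same allowlist belongs in the network firewall as well, so that packets from other sources never reach the web server process.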
Regardless of this bug or their business practices, this is why Cloudflare has gotten so big. They have a much better pricing model compared to other CDNs.
CloudFlare typically shows a CAPTCHA when a site is accessed by an IP with a bad reputation. This is mainly to block access to spammers and evil crawlers, but the IP addresses used by Tor exit nodes often have bad reputations, as they are used for all manner of things.
For people who do most of their browsing via Tor, it can get annoying to be repeatedly presented with a CAPTCHA.
For jet.com and Trump's site, this would happen on residential connections in Guatemala. Jet.com fixed it after I told them. Most likely they just leave CF's bad defaults.