
I love cloudflare, but honestly I assumed they WERE the CIA/FBI not just compromised by them. It would be the perfect front company for the government.


These threads amuse me.

If adamgamble's speculation were the case, I'd go to jail for things I'd have illegally signed in our SEC disclosures attesting to the sources of our revenue and any government contracts. Suffice it to say, I like not being in jail. It's really, really hard for public companies to be part of some grand conspiracy for so many different reasons. So… once we went public I kind of thought this silly speculation would end. But guess not.

Beyond that, if you think about it, it's a way better business to run Cloudflare and serve the world than serve some US intelligence entity. That's just per se true. So if that's the case why would we ever do anything that would remotely compromise the trust necessary to, you know, be Cloudflare?

Lastly, here's a funny story. Early in our history one of our investors suggested that we talk to In-Q-Tel. Here's how naive Michelle and I were: we had no idea it was the CIA's venture capital arm. So we showed up in their office on Sand Hill Road. It was weirdly austere compared with other VCs we'd visited. And lots of security cameras. The partner at some point came out and greeted us. As he was walking us back he looked back right before we crossed the threshold back to the inner offices, "You're both American citizens, right?"

"No," Michelle said. "I'm Canadian."

"Oh," the VC said. "Then you can't come back here."

"I'm not going back there without her," I said.

"Ok, well, I guess we'll have to do the meeting in the reception area," decided the In-Q-Tel VC.

We had a very cordial meeting and then left. As we were driving away Michelle said, "Those guys were weird." And that was the end of that. Never talked to In-Q-Tel again.

But maybe it's the Canadian equivalent of the CIA/FBI/NSA we're beholden to??! ;-)


> So… once we went public I kind of thought this silly speculation would end. But guess not.

In fairness, there are quite a number of public companies that turned out to be operating partially as fronts for spying agencies (AT&T is the shining example here). So simply being a public company could not be expected to serve as some kind of proof of independence.


> I'd go to jail for things I'd have illegally signed in our SEC disclosures attesting to the sources of our revenue and any government contracts

CIA/FBI/NSA agreements include immunity from prosecution in the US at least. Your problem would be in foreign jurisdictions only.


Immunity from prosecution seems like a marvellous way to destroy rule of law. Crazy that that and royal^H^H^H^H^H presidential pardons exist. Recipe for corruption of the state and then the justice system.


As the purpose of Presidential pardons is to provide the opportunity to right significant miscarriages of justice in a system that is almost impossible to get perfect, and that is the way they were typically used, it does not seem crazy that they exist.

What IS crazy is that they exist with very little consideration of a corrupt POTUS, judiciary, and/or congress. Seems the writings of the founders did worry about that significantly in later years, but evidently not in time to enshrine many guardrails in the US Constitution, not even a clear prohibition against self-pardon. Seems such a thing was considered so obviously wrong and corrupt that it didn't need to be mentioned. So here we are two and a half centuries later with people arguing that it should be possible.


> it does not seem crazy that they exist.

I think that it does seem crazy that they exist. To give a single politician the power to simply override our justice system is dangerous and crazy. If that's really necessary in order to avoid miscarriages of justice, then we need to fix the real problem, not introduce a new one.

Why is the pardon ability a problem? Because it's the judgement not just of one person, but of a person who is a political animal. There is no way that power will be used in a way that is impartial, and there is no single person who is so wise that they should be entrusted with such decisions. That it's a politician making the decisions all but guarantees that the decisions will be made out of political interest, not some interest in actual justice.

All the pardon power does is to increase the potential for corruption.


> It's really, really hard for public companies to be part of some grand conspiracy for so many different reasons.

As difficult as it was to keep PRISM and the many other overt and covert arrangements (public, private but leaked, and private but not yet leaked) between backbones, carriers, CDNs, hosting providers, ISPs, etc., and the agencies leveraging them, out of each firm's public filings?

Because evidence is it's not difficult at all, considering the whole of the 30 years since the Internet went commercial.


Hi, kind of hijacking this conversation but as Cloudflare is unfortunately routing the majority of websites I visit I have to ask this:

Can you guarantee my Firefox browser will keep on working on 'the open internet' now Chrome moves towards "Web Environment Integrity" and Safari towards "Private Access Tokens" and Cloudflare is supporting and implementing such technologies on scale?

I intend to not participate in these DRM APIs with my Firefox browser and would like to keep browsing the internet.


How could Cloudflare guarantee websites don't implement WEI in their codebase? That makes no sense.


"If you’re a Cloudflare customer: You don’t have to do anything! Cloudflare will automatically ask for and utilize Private Access Tokens"

https://blog.cloudflare.com/eliminating-captchas-on-iphones-...


"will you be supporting WEI and PAT in your captcha/ddos protection services" is a VERY different question to "can you guarantee my Firefox browser will continue to work on the open web"


Heh, he posted the GP comment and went to bed. Good luck getting a response.


I haven't been able to visit a site with Cloudflare's bot protection for over a year because it goes into an infinite loop on Firefox.


That usually happens when I'm faking my user agent to use the most popular (windows + Chrome). Once I go back to the default (Linux + Firefox) then CloudFlare seems to allow it.


What a truly ridiculous question to ask the CEO of Cloudflare.


Your response really shows a disconnect with the user and what was said.

Not many users who encounter your service while trying to connect to a website will know _anything_ about your company, let alone know it's public or read disclosures.

Cloudflare has a public perception and sentiment problem and dismissing it as you have will lead to an inevitably negative outcome.


Ha thanks for the reply, was mostly just joking didn't expect a reply from Matthew directly :). I appreciate that you're active on HN though!


Why wouldn’t they fund the world's largest MITM attack?


Cloudflare is not a MitM attack. By that same logic AWS would be an even bigger MitM attack.


What am I missing? They literally decrypt all the traffic to your website, do some stuff, then re-encrypt and send it on to your server.


Not an attack but certainly a person in the middle.

IAAL and advise on data protection and privacy.

Anecdotally I can tell you that the MitM aspect of Cloudflare and other similar providers is not well understood.

My impression is that a lot of people use these services without really understanding the implications.

For example, when you look at some of the risks that privacy laws are trying to protect against, especially access to data by foreign actors (including government agencies) without due process, use of these types of services changes the game.

Sometimes the benefits might outweigh the risks, but the decision to use these types of services should not be taken trivially.

That said, I routinely use Cloudflare for my personal projects.


And AWS has control of all of your servers and everything stored on them. If it's part of your systems architecture and how it's intended to work it isn't being attacked.

> They literally decrypt all the traffic to your website, do some stuff, then re-encrypt and send it on to your server.

That doesn't mean they are an attack. That is just how a CDN works.


Does CloudFlare proxy your website without your permission?


You're being needlessly pedantic. It might not be an attack in the usual sense, but it's a MITM "access point" and agencies like CIA/NSA/FBI would definitely have that kind of access. This access transforms Cloudflare's role into a de facto MITM "attack" on their customers and end users who didn't intend to share unencrypted data with 3-letter agencies.


I don’t think I’m being pedantic. In practice, the parent comment’s description is not that of an MITM attack, but how a proxy works. Proxies are everywhere, useful, and voluntary.

I just don’t understand how a voluntary use of a proxy can be called an MITM attack.

I’m not saying I like the fact that CF is part of so much of the Internet, or that CF isn’t on some level a security risk. But that has nothing to do with being an MITM attack.


It doesn't, but it does proxy my connections to several websites without me having a chance to say no - in fact, without even telling me.


It’s always the website’s choice what infrastructure is used to serve the website, including whether a proxy is used. You don’t have a chance to say no if the website owner wants a proxy in front of their site. The web owner has a say in how they want their server to be connected.

In the same way, you can use a proxy to access sites, and the server cannot bypass that, either.


I know. I understand the tech and the business decisions behind all of this. I understand the value of a CDN.

It's still a MitM. It's a centralised entity that sees a huge share of the global Internet's traffic, unencrypted. I doubt most people are aware of that.

Someone in another comment mentioned AWS is one as well, and they're right. AWS, GCP and Azure all have TLS-terminating gateways of some kind.

Take Cloudflare, AWS, GCP and Azure, all USA companies bound by the CLOUD act, and nearly all Internet traffic is immediately accessible by US authorities, unencrypted.

Makes the whole "think of the children" rhetoric being spun to pass anti-E2EE laws tame in comparison.


That's a lie. Cloudflare decrypts HTTPS connections


By that same logic, it would not be surprising to discover AWS working with the feds either.


You're right. That definitely wouldn't be surprising!


This might be anticipated, it won't be a surprise.


> By that same logic AWS would be an even bigger MitM attack.

Amazon HQ2, Arlington Virginia: https://en.wikipedia.org/wiki/Amazon_HQ2


It's worse. You can't just start Mitm'ing regular encrypted internet traffic without compromised infrastructure. With Cloudflare everything is already in place.


You can avoid that with some programming/setup and money: https://developers.cloudflare.com/ssl/keyless-ssl/



