Created by Opal Hart - source , released by the author into the public domain under the Creative Commons Zero licence, modified “a bit”.

Hi,

May I ask what influenced your decision to place your website behind Cloudflare? «Information about how I discovered your site»

While Cloudflare is easy and free to use and set up (I made an account a while back to test it out) it is not without issue. Along with the fact it seems to discriminate against legitimate Tor and other VPN/proxy users, despite claims that Cloudflare is doing its best not to impede upon Tor traffic, there are other problems with its current implementation and its design. It is a central entity, which means any attacks on Cloudflare affect many or all of its users, regardless of website; as long as it’s behind Cloudflare it is affected, and it could cause anywhere from downtime [1] to security vulnerabilities and personal information leaks [2].

In addition, people using your website must not only agree to your and your hosting provider’s terms of service, but also Cloudflare’s terms, and Google’s terms as well if they get served a reCAPTCHA from the “One more step” page. ReCAPTCHA is difficult to solve on a good day and impossible to solve behind an IP address with a “bad reputation” such as with Tor’s exit nodes. The solution to reCAPTCHA (and Google designed it this way) is to keep one’s browser logged into Google across all sites, which requires a trade-off on privacy that Tor and other VPN users do not want to risk – if they did, then they would likely not be behind a proxy anyway.

You might be wondering why Tor is important: not only is it good for privacy-conscious people, but it helps people access websites otherwise censored by ISPs and governments. My choice to use Tor is thankfully just that, a choice, but it is one I make because I believe in the power of privacy and in strengthening the anonymity set of the network. With my normal browsing traffic mixed into the network, it becomes more difficult for adversaries to track the browsing habits of people who “shouldn’t” have unbridled access to the Internet. While it’s true that Tor is also used by criminals and spammers, it is a vocal minority, and websites such as your own are more likely to attract undesired traffic coming from people with access to thousands of open proxies and botnet computers. I personally have much experience dealing with Tor traffic because I help administrate Tor-only as well as Tor-friendly websites, and with proper caching and security, I am able to keep my websites maintainable and moderatable.

There is also the fact that Cloudflare is, simply put, a man-in-the-middle service. It’s their business; it’s the only technically possible way they can achieve layer-7 DDoS mitigation. Thankfully, layer-7 mitigation can be done from your own server; like I said, caching web pages for logged-out users does wonders and you most likely do not have to worry about any other server configuration other than keeping all your software up to date. Lower layer mitigation is offered by many providers and tunnel services; just do a search for DDoS-mitigated providers if this is a concern of yours.

Again, the MITM trait of Cloudflare matters because user data has another terms-of-service to transport through, another security weak point to transport through, and potentially the eyes of several three-letter agencies to worry about, should any of them decide to reach out to Cloudflare in request of any information or metadata. Also, it means Cloudflare can terminate anyone and do anything they want with customer and end-user information, which they had demonstrated in the past [3]. Thankfully the CEO of Cloudflare learned from his mistake and promises his business will not make any similar rash choices again, but next time it may not be up to him but by another disgruntled employee. This final concern might not affect you, but it is a concern nonetheless, and it demonstrates the power Cloudflare has over its business due to its MITM nature of a majority of the Internet. I have a strong desire to see decentralisation on the Internet, given it is a naturally-decentralised network that spans across nations and websites. If all websites with their own interests and policies tunnel through Cloudflare, are they our websites anymore? I have similar concerns with other large hosts such as Google, Amazon AWS, and Github, but I believe that simply addressing my concerns to sites behind Cloudflare is a large enough goal to focus on. These other companies I have a watchful eye for, and I personally do not host my content with any of them because again, I believe I must avoid placing all my eggs in one basket.

I only wish for Cloudflare users to be aware of the product they are using, it is ultimately your choice as a website administrator to use Cloudflare, but be aware of its impact on all of your users, and if you wish to at least be indiscriminate toward Tor users, you should look into lowering your site’s protection settings and only have the reCAPTCHA page served when your site is actively under attack. Again, there are a lot of legitimate users who simply wish to read the content published online.

[1] https://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet/
[2] https://en.wikipedia.org/wiki/Cloudbleed
[3] https://blog.cloudflare.com/why-we-terminated-daily-stormer/

Thanks,