From 8ea432791d0745576e9293e6a6fc61276ace8aea97fca61c96e5d5c0148c00cf Mon Sep 17 00:00:00 2001 From: Nicholas Johnson Date: Tue, 10 Oct 2023 00:00:00 +0000 Subject: New entry: re-cloudflare-considered-harmful --- content/entry/re-cloudflare-considered-harmful.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 content/entry/re-cloudflare-considered-harmful.md diff --git a/content/entry/re-cloudflare-considered-harmful.md b/content/entry/re-cloudflare-considered-harmful.md new file mode 100644 index 0000000..166a021 --- /dev/null +++ b/content/entry/re-cloudflare-considered-harmful.md 
@@ -0,0 +1,21 @@ +--- +title: "Re: Cloudflare Considered Harmful" +date: 2023-10-10T00:00:00 +tags: ['computing'] +draft: false +--- +Time for another Hugo Landau blog post. This particular one, "[Cloudflare considered harmful](https://www.devever.net/~hl/cloudflare)", was written in 2019, but it's even more relevant given that Cloudflare has since expanded. + +First I just want to say that I fully agree with Hugo's post. + +I will never MitM my websites with Cloudflare. For one, there's no need for it. That I'm aware of, my site has never been DoSed and it gets on my nerves seeing websites use Cloudflare that don't need it. I often stumble across a website in Tor Browser that I can't access because of Cloudflare and think to myself "Is this website important enough to need Cloudflare? I doubt anyone has ever cared to DoS it." And second, as Hugo Landau points out, there are other ways to mitigate DoS that don't involve MitMing one's site and making it stochastically fail. + +Another important point Hugo makes is that Cloudflare is potentially a global active adversary, calling it "essentially the world's premier global MitM agency" which causes massive centralization and represents a huge step backwards in the progress we've made in TLS support since 2013. Given the nature of Cloudflare's business, I agree with Hugo that it's highly likely that it's cooperating with the NSA. Even if by some miracle it's not wittingly or willingly cooperating with the NSA, the nature of Cloudflare's business makes it a high-value target for US intelligence. In other words, if the G men want the data badly enough, and they do, then they'll find a way. 
+ +Finally, I agree with Hugo that the idea of web application firewalls (WAFs) is fundamentally flawed: + +> "The “web application firewall” concept is fundamentally flawed in all instances, because it falsely presupposes that a blind intermediate proxy can reliably assess the semantic meaning of data transmitted, which is in actual fact impossible. Since this kind of “service” is part of the Cloudflare value proposition and an attempt to add a profit-making value-add, Cloudflare has essentially built their entire business on doing something which is a bad idea and which cannot be reliably implemented." + +I wouldn't deny that WAFs can increase security. They are defense-in-depth. But they come at the cost of increasing coupling and complexity and, in Cloudflare's case, blocking valid requests and mangling harmless HTML. Like Hugo says, it's not the place of intermediate proxies to assess the semantic meaning of transmitted data. + +So that's about all I have to add. In summary, don't use Cloudflare. If you find yourself tempted to use a WAF, maybe look for another solution.
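Review bot: the WAF paragraph of the new post contradicts itself: the line "Finally, I agree with Hugo that the idea of web application firewalls (WAFs) is fundamentally flawed" is followed two paragraphs later by "I wouldn't deny that WAFs can increase security. They are defense-in-depth." Either qualify the first sentence (e.g. that the concept is flawed as a reliable security boundary, not that it adds zero value) or drop the concession, so the summary line "If you find yourself tempted to use a WAF, maybe look for another solution" follows from the argument rather than sitting beside a partial retraction of it. Two smaller points in the same hunk: the blockquote is wrapped in both `>` and literal double quotes ("> "The “web application firewall” concept…"), which renders as a doubly quoted block in Hugo; the `>` alone is the convention, so the surrounding `"…"` should go. And the front matter `date: 2023-10-10T00:00:00` carries no zone offset while the commit itself is stamped `+0000`; Hugo interprets an offset-less time according to the site config, so writing `2023-10-10T00:00:00Z` makes the published date match the commit regardless of that setting.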