Cloudflare has been infamous among sysadmins and threat hunters for over a decade [1,2] now for having an almost-nonexistent moderation program. Their services have been routinely abused by malicious actors for years [3,4,5,6,7] They've arguably been the single largest commercial provider for criminals globally over that time period, including non-tech criminals like drug traffickers and actual terrorists [8,9], to say nothing of aiding and abetting war criminals [10].
In fact, Cloudflare is actually the second largest DNS provider in the world by number of domains served. [11]
They are in a position to log and analyze all of the traffic they decrypt, including all of the plaintext POST data, all of the cookies, all of the origin IPs, L7 payload sizes, and traffic timestamps for over 35 million websites.
Their extensive history of indiscriminately offering "free" services to evildoers likely ties back to their true purpose, which Matthew Prince has admitted to [12], which is to sell all of those passwords, all of that PII, all of your privacy, not only to the US government, but also to other bidders.
It is no exaggeration to say that anyone opposed to spam, phishing, malware, cybercrime, terrorism, war crimes, government surveillance dragnets, and infringements upon one's own digital privacy should have nothing but utter contempt for the soulless monsters responsible for this corporate atrocity.
If you are as passionate about the subject as I am after reading some of these citations, I'd encourage you to boycott any websites using CF that you don't need to visit, and make plenty of phone calls to California senators, representatives, and the governor demanding that the state of California revoke Cloudflare's corporate charter and right to conduct business in the state.
> They are in a position to log and analyze all of the traffic they decrypt, including all of the plaintext POST data, all of the cookies, all of the origin IPs, L7 payload sizes, and traffic timestamps for over 35 million websites.
And equally so is whoever they trust to provide the hardware to host their website on. Most of the time, it's someone else.
(edit: Your last source is laughable. Some real conspiracy theory shit)
And what do you reckon the chance is that Azure and AWS and GCP are extracting ephemeral TLS session keys for every inbound HTTPS traffic stream bound for their customers, and decrypting every single stream?
The chance that cloudflare is getting access to all incoming traffic in plaintext is 100%.
Didn't mention anything about chances. If these companies wanted they could decrypt all traffic and it's easier than how you said (just swap out a web server binary or something). Although i must admit cloudflare has a worse track record
His last source is a word for word excerpt from a BBC article about Cloudflare, with the information coming directly from their reporter talking to the founder of Cloudflare. As far as I can tell the only thing the site he linked to added was they underlined some phrases.
When you say it is conspiracy theory shit (CTS) do you mean that what the text says is CTS, or do you mean that whatever inference the site that copied the text from the BBC is trying to get you to infer from their underlining is CTS?
The latter. For example, what is "tracked them” (going off memory here) even supposed to imply? Log the spammer email address and send it off whereever (which most mail services do), says the context. Just looks like a poor attempt to make cf look bad, unlike the others which cite real incidents
Your sources are ass man. Yah newsflash, CF is a hosting site and people make phishing pages. This shit is true with literally any cloud provider today that’s relevant on the internet.
The difference is, legitimate non-criminal providers don't flagrantly ignore abuse reports, but thanks for leading with a petty criticism of my citations rather than refuting the core of my argument, which you can't do.
In fact, Cloudflare is actually the second largest DNS provider in the world by number of domains served. [11]
They are in a position to log and analyze all of the traffic they decrypt, including all of the plaintext POST data, all of the cookies, all of the origin IPs, L7 payload sizes, and traffic timestamps for over 35 million websites.
Their extensive history of indiscriminately offering "free" services to evildoers likely ties back to their true purpose, which Matthew Prince has admitted to [12], which is to sell all of those passwords, all of that PII, all of your privacy, not only to the US government, but also to other bidders.
It is no exaggeration to say that anyone opposed to spam, phishing, malware, cybercrime, terrorism, war crimes, government surveillance dragnets, and infringements upon one's own digital privacy should have nothing but utter contempt for the soulless monsters responsible for this corporate atrocity.
If you are as passionate about the subject as I am after reading some of these citations, I'd encourage you to boycott any websites using CF that you don't need to visit, and make plenty of phone calls to California senators, representatives, and the governor demanding that the state of California revoke Cloudflare's corporate charter and right to conduct business in the state.
[1] https://www.malwarebytes.com/blog/news/2014/12/free-ssl-cert...
[2] https://forum.spamcop.net/topic/14194-cloudflare-bulletproof...
[3] https://thehackernews.com/2023/08/cybercriminals-abusing-clo...
[4] https://www.threatdown.com/blog/cloudflare-tunnel-increasing...
[5] https://any.run/cybersecurity-blog/clouflare-phishing-campai...
[6] https://venturebeat.com/security/rogue-ad-network-site-likel...
[7] https://portswigger.net/daily-swig/cybercriminals-use-revers...
[8] https://www.trendmicro.com/vinfo/us/security/news/cybercrime...
[9] https://cyberscoop.com/cloudflare-ipo-terrorism-narcotics/
[10] https://www.timesofisrael.com/us-firm-helps-hamas-netanyahu-...
[11] https://bgp.he.net/report/tophosts
[12] https://0xacab.org/blockedbyriseup/deCloudflare/-/raw/master...