Stay away from CloudFlare
Published on 2017-12-20.
CloudFlare has become one of the fastest growing DNS and CDN hosters on the Internet delivering some of the best DNS speeds worldwide, but if you value customers or visitors to your website you maybe need reconsider using CloudFlare.
CloudFlare delivers great DNS speeds worldwide and they have a really well designed control panel for managing DNS hosting, combine that with a premium free service and you get a powerful and very attracting DNS hosting solution for bloggers, webshop owners, and anyone else who owns a website. However, what most people overlook is that CloudFlare, in the name of security, every day blocks millions of valid users from visiting the websites that CloudFlare has registered in their hosting service.
In the control panel for DNS setup you have an option called "Firewall", and within that option there is a setting called "Security level".
By default it is set to "Medium", which means that a lot of people will be blocked from your website by a very annoying and time consuming CAPTCHA. And the problem with this option is that it cannot be disabled in the free service. You actually has to pay for the Enterprise edition, which is more that 200 dollars a month per domain, in order to disable the feature. Even if you set the setting to the lowest available value in the free service, which is Essentially off, many of your visitors will still be blocked.
In case you haven't seen it, this is how it looks:
The CAPTCHA may look harmless enough, but often it gets repeated several times displaying different puzzles to solve. Many times a fadeout effect has been inserted when you click on a picture and the picture takes about 3-4 seconds before it vanishes only to be replaced by yet another picture. The process is extremely annoying and many people will simply leave your website.
The demand for privacy on the Internet is growing rapidly and every day more and more people are signing up for VPN services around the world. These services are often blocked by default by CloudFlare and this is a serious problem.
Here's an example on YouTube on how annoying it can be if you're using a VPN service and an anti-tracking plug-in for Firefox:
The CAPTCHA solution that CloudFlare throws in the face of people has absolutely nothing to do with security and it will never block anyone with an evil intent from achieving whatever they want on your website. Professional hackers has huge botnets to work from, botnets consisting of thousands of compromised computer world wide with very different IP addresses. There is no way CloudFlare can protect your website with their stupid CAPTCHA, the only thing they can do is to block and harrash people who value privacy from visiting your website. You need to understand this well if you value your visitors.
Nobody wants to fill out an annoying CAPTCHA just to visit your website, no matter what you have to offer. And just as rapidly growing as CloudFlare is, just as rapidly do people boycott websites that are using the CloudFlare DNS hosting solution.
CloudFlare as MITM (man-in-the-middle)
Another very serious problem with CloudFlare is that they act as a MITM (man-in-the-middle) with their CDN (content delivery network) service in which they, amongst other things, cache your website content and display that to your visitors. If you're running a normal website, like a blog, many times people will never actually visit your website, they'll just get the content from CloudFlare. However, this is not the serious problem, the serious problem is that they provide SSL connections for all who use their service in a way that they become a man-in-the-middle. Your connection is only really encrypted up until the CloudFlare servers, after that the connection can simply be clear text. The connection is encrypted between the browser and CloudFlare, and between CloudFlare and the website if the website has a SSL certificate, but the communication in-between remains completely visible to CloudFlare.
You can check this by going to any website that uses a CloudFlare's SSL connection. Check the certificate for the website. You'll notice that it's a CloudFlare certificate and not a certificate for the website you're actually visiting.
How does this pose a problem?
Imagine B as your browser and S as the webserver. In a normal communication flow it would look like this:
B <---> S
When you visit a website with a SSL connection, your browser (B) checks the encryption certificate and if it validates, an encrypted connection is established between your browser (B) and the webserver (S). Now imagine that we setup another computer in between your browser and the webserver.
B <---> C <---> S
In this setup both the computer in the middle (C) and the webserver has a SSL certificate. When your browser requests an encrypted connection to the website, it gets the certificate from the computer in the middle, in this case CloudFlare, then an encrypted communication is established between these two. Then the computer in the middle does the same with the webserver, and an encrypted connection is established between the computer in the middle and the webserver. However, the computer in the middle now sees everthing.
Let's say you click on something on the website. The "click" gets encrypted in the SSL communication and send to the computer, then the computer in the middle decrypts the communication and sees the address of the "click", it then encrypts the communication again and sends it to the webserver, which again decrypts the communication in order to deliver the content of your "click".
So do you really want CloudFlare to snatch the communication between your website and your visitors or customers? CloudFlare will be able to see everything even when you have a SSL certificate running on your webserver.
You need to understand that users, the visitors to your website, are being mislead by the padlock icon that falsely state that the connection to your website is secure. Users believe, when they see the padlock icon, that the have a secure end-to-end tunnel to your website, while they unwittingly have a tunnel to CloudFlare, who sees all the trafic before it reaches your website.
This is NOT OK.
It means that sensitive data is being disclosed to CloudFlare without the consent or knowledge of your visitors.
This list has been put together by "joepie91" on Hacker News
If you're looking for DDoS mitigation, use basically any of the providers that offer it on a network level - it's really not necessary to have access to HTTP traffic to mitigate attacks. Also, don't run Apache - it's notoriously vulnerable to various low-bandwidth attacks.
A non-exhaustive list of "real" mitigation providers (note that I am not making any particular recommendations):
- Akamai (formerly Prolexic)
- Level3 (formerly Black Lotus)
- Psychz Networks
- OVH (not as a separate service, but their entire network is covered)
You'll want to avoid anything HTTP-specific (as it will be prone to the same privacy issues as CloudFlare), and opt for layer 3/4 mitigation only. Another option, if you're running at a larger scale, is to purchase mitigation appliances and just set up your own mitigation infrastructure. This will not be cheap and require some serious connectivity, but beyond a certain point it'll be more cost-effective. If you're looking for a WAF, run one on your own backend server(s) and/or loadbalancer(s). There's no benefit to doing this remotely, really. Even something relatively simple like ModSecurity will cover a wide array of problems.
If you're looking to save bandwidth: don't bother. Traffic costs virtually nothing nowadays, and saving a few dollars by having another provider cache your assets hardly outweighs having the privacy (and potentially security) of all your users compromised. If you find traffic to be expensive, you should probably look for a different provider - some providers (like AWS) notoriously overcharge for it.
If you're looking for better performance: CloudFlare doesn't really provide that to begin with. There's an extra hop for non-static assets, and depending on the location of your server and users, it can actually slow things down. If your performance is really critical to the millisecond - and chances are, it isn't - look into hosting providers that offer anycast.
If you're looking for DNS hosting: plenty of options. Many providers offer it for free if you host with them, Hurricane Electric offers it for free regardless of where you are hosted, and if you need an SLA, there's Rage4 and Route 53. Pretty much every DNS hosting provider uses anycast.
If you're looking for magic SSL/TLS: Use Caddy https://caddyserver.com/, which is a HTTPd that will automatically set up and renew certificates for you through Let's Encrypt, as well as greatly simplifying TLS configuration. It's essentially zero-effort.
Trying to outsource this to a third party (like CloudFlare's "Universal SSL/TLS" does) defeats the point - it means that the third party can see all of your traffic, all the while providing a false sense of security to your users. They see the padlock, but their traffic is not secured end-to-end.
In short: the only correct place to terminate TLS is on your own servers!
This Firefox plug-in detects CloudFlare and lets you know: Detect CloudFlare plug-in