CloudFlare is a world-wide web-proxy that works by hijacking DNS requests, making a request the origin server, altering content and then sending the result back to the client. CloudFlare bolsters a "free" plan, where you only have to sign-up in order to set your domain's nameservers to CloudFlare's nameservers.

CloudFlare is designed as a lock-in service where the moment you opt in and depend on CloudFlare, it becomes difficult to opt-out. In fact, one of the more apathetic "features" of CloudFlare is the inability to turn off its security features unless you pay money. Even with the setting "Essentially Off", you can wave goodbye to a bunch of customers that may consider that you are just not that important in order to waste minutes solving CloudFlare CAPTCHAs.

Unde the guise of providing "security", CloudFlare outright breaks the security and confidentiality of your customers as well as barring your customers from service entirely. This section will discuss the malpraxis of CloudFlare and summarize a few reasons why you should do what you can in order to disable and never use CloudFlare again.

When clients connect through CloudFlare to your website, the connecting IP address is checked by CloudFlare against some sort of blacklist. In case the client's IP is on the blacklist, CloudFlare prompts for captchas.

Unfortunately, as it stands, most of the IPv4 address pool has been exhausted - except for AFRNIC that is expected to be exhausted in a few years. That means that it is very unlikely that, wherever you travel to in this world, you would get a fresh and non-tainted IP address.

It one of our endeavours, we have witnessed angry customers unable to access a gaming platform that was designed to run over HTTP(s). After long debugging sessions, we found out that the game client attempted to connect to the server, but the customer being from a blacklisted address in China, and was rejected due to CloudFlare finding the IP address on a blacklist. Since the game client was not browser-based, CloudFlare most likely prompted for a Captcha, at which point the game client did not receive the output it expected and thew an error.

Since cca. 2015, CloudFlare has been offering an option to activate HTTPs for your website for free by using the option Flexible SSL. What "flexible" SSL does is essentially a Man-In-The-Middle attack: it intercepts clients connecting through HTTPs, decrypts the traffic, forwards the plaintext traffic to the origin server and when it receives the data back, it re-encrypts it and sends it to the client.

This feature is solidly half-useless because half of the entire roundtrip the traffic is sent unencrypted from CloudFlare to the origin server. Furthermore, the point of SSL is to privatize and encrypt the communication between a client and a server - by decrypting the traffic, any credentials sent over HTTPs to CloudFlare will be decrypted and CloudFlare would be able to recover them.

By videogramedunkey (all of the presented clips are indeed real).

Obnoxious CAPTCHA prompts have been broken consistently over the years using OCR - nevertheless, the security circus of doom still considers them a viable option for preventing automated requests to websites as well as, allegedly, distinguishing between humans and robots.

Unfortunately, the CAPTCHA prompts used by CloudFlare are broken - frequently unsolvable (as we have posted pictures numerous times on our website), other times not leading anywhere after they have been solved and countless times we have witnessed never-ending CAPTCHA prompts where solving one CAPTCHA leads to another CAPTCHA and so on, forever - all the while with the, most likely, deliberately ironic title "Just One More Step"…

Traveling to a different part of the world and not being able to log-in to your own website does not mean you are "secure", it is just about as ridiculous and stupid as locking yourself out of your own home would be.

CloudFlare is adamant about persecuting darkweb users - fact which has been documented thoroughly by the activists. Although it is indeed a "meme" that the darkwebs are associated with illicit behaviour and dubious taste, cases where people that need to access websites such as Amnesty International get the brunt of the beating stick.

By delegating your security to a service such as Cloudflare, you inherit a black-box filled with value judgements that may not suit everyone and in all circumstances. Companies like Cloudflare or Digital Ocean become a hype through advertisement and freemium models up to the point where they become deluded enough and self-annoint themselves as beacons of morality.

More and more cases arise where Cludflare (and others) mass-block sites based on their own judgement:

• Daily Stormer: Cloudflare drops neo-Nazi site.

Blanket-bans are very prevalent and censorship or, conversely, propaganda is easy to deploy when there is a dependency constructed between the consumer and the provider.

Yet more unfortunate, is the fact that just delgating trust to some company that seems or appears to be competent does not imply directly that the company is competent:

• Service used by 5.5 million websites may have leaked passwords and authentication tokens.

and Cloudflare does not seem to be competent company judging from their flawed approach to security or computer science in general.

Alternatives consist in following common sense and creating your own blacklist and adding what you see as harmful instead of trusting cargo-load security.

Cloudflare overtly advertises for MITM as a feature. MITM is carried out by Cloudflare by decrypting all traffic between a client and the target website. The advertised purpose is to provide SSL to websites that do not have a certificate set up or providing "flexible SSL" - the latter s done by providing the client with a certificate, and then using a separate certificate to route the traffic to the destination website. Unfortunately, this is MITM by design and Cloudflare itself does have the plaintext data from the transmission.

When inquired on this topic, Cloudflare officially just uses liability dumping and claims that setting up a website is "up to the customer" (the operator of the website "protected" by Cloudflare). Unfortunately, this is no more than a confidence trick, since, even if the operator of a website would be aware of the problem, the problem would still be opaque to the person browsing the website. It is fair to assume, based on the principles of HTTPs (and SSL/TLS) that a browser will divulge its traffic patterns to a designation website (since SSL/TLS provides point to point encryption), however, the user of the browser is not made aware that Cloudflare as a third party has the capability of intercepting the traffic as well (or others snooping on Cloudflare itself, for instance, without Cloudflare's knowledge).

For both anonymizing users and clearnet browsers, the following addon will simply use a domain matcher and redirect all requests to Cloudflare "protected" websites to archive.is:

• Block CloudFlare MITM Attack.

If you run a personal blog and you do not want to configure your Apache properly to equate the "free" plan, then perhaps CloudFlare can be an option - yet brace yourself for angry followers.

In case you have a business to run - anything, in practice, that spans more than a few chums on a forum, then you better stop using CloudFlare and come up with alternative solutions since it is better to lose a little performance (or search for alternatives) than outright loosing customers.