CloudFlare

CloudFlare is a world-wide web-proxy that works by hijacking DNS requests, making a request the origin server, altering content and then sending the result back to the client. CloudFlare bolsters a "free" plan, where you only have to sign-up in order to set your domain's nameservers to CloudFlare's nameservers.

CloudFlare is designed as a lock-in service where the moment you opt in and depend on CloudFlare, it becomes difficult to opt-out. In fact, one of the more apathetic "features" of CloudFlare is the inability to turn off its security features unless you pay money. Even with the setting "Essentially Off", you can wave goodbye to a bunch of customers that may consider that you are just not that important in order to waste minutes solving CloudFlare CAPTCHAs.

The Security Circus of Doom

Unde the guise of providing "security", CloudFlare outright breaks the security and confidentiality of your customers as well as barring your customers from service entirely. This section will discuss the malpraxis of CloudFlare and summarize a few reasons why you should do what you can in order to disable and never use CloudFlare again.

Shadowbans due to Outsourcing Blacklists

When clients connect through CloudFlare to your website, the connecting IP address is checked by CloudFlare against some sort of blacklist. In case the client's IP is on the blacklist, CloudFlare prompts for captchas.

Unfortunately, as it stands, most of the IPv4 address pool has been exhausted - except for AFRNIC that is expected to be exhausted in a few years. That means that it is very unlikely that, wherever you travel to in this world, you would get a fresh and non-tainted IP address.

It one of our endeavours, we have witnessed angry customers unable to access a gaming platform that was designed to run over HTTP(s). After long debugging sessions, we found out that the game client attempted to connect to the server, but the customer being from a blacklisted address in China, and was rejected due to CloudFlare finding the IP address on a blacklist. Since the game client was not browser-based, CloudFlare most likely prompted for a Captcha, at which point the game client did not receive the output it expected and thew an error.

CloudFlare started as Project Honeypot and became over the years a glorified blacklist with preferential treatment to various geographical areas such that it is completely plausible that different levels of blocking are in effect when accessing websites that are proxied by CloudFlare.

Flexible SSL

Since cca. 2015, CloudFlare has been offering an option to activate HTTPs for your website for free by using the option Flexible SSL. What "flexible" SSL does is essentially a Man-In-The-Middle attack: it intercepts clients connecting through HTTPs, decrypts the traffic, forwards the plaintext traffic to the origin server and when it receives the data back, it re-encrypts it and sends it to the client.

This feature is solidly half-useless because half of the entire roundtrip the traffic is sent unencrypted from CloudFlare to the origin server. Furthermore, the point of SSL is to privatize and encrypt the communication between a client and a server - by decrypting the traffic, any credentials sent over HTTPs to CloudFlare will be decrypted and CloudFlare would be able to recover them.

CAPTCHAs

By videogramedunkey (all of the presented clips are indeed real).

Obnoxious CAPTCHA prompts have been broken consistently over the years using OCR - nevertheless, the security circus of doom still considers them a viable option for preventing automated requests to websites as well as, allegedly, distinguishing between humans and robots.

Unfortunately, the CAPTCHA prompts used by CloudFlare are broken - frequently unsolvable (as we have posted pictures numerous times on our website), other times not leading anywhere after they have been solved and countless times we have witnessed never-ending CAPTCHA prompts where solving one CAPTCHA leads to another CAPTCHA and so on, forever - all the while with the, most likely, deliberately ironic title "Just One More Step"…

Traveling to a different part of the world and not being able to log-in to your own website does not mean you are "secure", it is just about as ridiculous and stupid as locking yourself out of your own home would be.

Darkweb (tor and i2p)

CloudFlare is adamant about persecuting darkweb users - fact which has been documented thoroughly by the activists. Although it is indeed a "meme" that the darkwebs are associated with illicit behaviour and dubious taste, cases where people that need to access websites such as Amnesty International get the brunt of the beating stick.

Cargo Security and Security Through Censorship

By delegating your security to a service such as Cloudflare, you inherit a black-box filled with value judgements that may not suit everyone and in all circumstances. Companies like Cloudflare or Digital Ocean become a hype through advertisement and freemium models up to the point where they become deluded enough and self-annoint themselves as beacons of morality.

More and more cases arise where Cludflare (and others) mass-block sites based on their own judgement:

Blanket-bans are very prevalent and censorship or, conversely, propaganda is easy to deploy when there is a dependency constructed between the consumer and the provider.

Yet more unfortunate, is the fact that just delgating trust to some company that seems or appears to be competent does not imply directly that the company is competent:

and Cloudflare does not seem to be competent company judging from their flawed approach to security or computer science in general.

Alternatives consist in following common sense and creating your own blacklist and adding what you see as harmful instead of trusting cargo-load security.

The Overt MITM Problem

Cloudflare overtly advertises for MITM as a feature. MITM is carried out by Cloudflare by decrypting all traffic between a client and the target website. The advertised purpose is to provide SSL to websites that do not have a certificate set up or providing "flexible SSL" - the latter s done by providing the client with a certificate, and then using a separate certificate to route the traffic to the destination website. Unfortunately, this is MITM by design and Cloudflare itself does have the plaintext data from the transmission.

When inquired on this topic, Cloudflare officially just uses liability dumping and claims that setting up a website is "up to the customer" (the operator of the website "protected" by Cloudflare). Unfortunately, this is no more than a confidence trick, since, even if the operator of a website would be aware of the problem, the problem would still be opaque to the person browsing the website. It is fair to assume, based on the principles of HTTPs (and SSL/TLS) that a browser will divulge its traffic patterns to a designation website (since SSL/TLS provides point to point encryption), however, the user of the browser is not made aware that Cloudflare as a third party has the capability of intercepting the traffic as well (or others snooping on Cloudflare itself, for instance, without Cloudflare's knowledge).

security_services_cloudflare_mitm.jpg

You vill get ze IPv6 and ze vill be 'appy!

Given the network configuration:

Cloudflare populates the CF-CONNECTING-IP header that it passes back to the webserver behind Cloudflare with the IPv6 address of the connecting client whilst completely disregarding whether the backend webserver supports IPv6 or not. In principle, the webserver logs will end up with access lines from IPv6, an event that would require a paranormal investigation due to the mysterious way how a client managed to connect via an IPv6 address to a server that (even explicitly) does not support IPv6! Even at the time of writing IPv6 is completely irrelevant and seems to be fad that will more than likely be outgrown by other emerging technologies such that running a network with two addressing stacks will lead to security issues.

On a security note however, clients circumvent the security of web server by accessing websites via IPv6 and thereby using CloudFlare as a staging attack, in order to bypass bans, throttling and other mitigations that are to be found on the backend server. At the time of writing, it is impossible to switch off IPv6 without paying; in fact, the only option to bring it close to something sensible is to use "pseudo IPv4" that does not pass "tunnel IPv4 addresses" or similar, but rather passes the IPv6 address in some funged format (in other words, worthless).

Has a website banned you or throttled you? No problem, use Cloudflare to bypass the block by surprising them with your "real IP" in IPv6 format that will surprise their servers because it is not possible to connect with IPv6 to a server that has IPv6 disabled! As a real-case scenario, Semrush is back, and now it's on IPv6!

Of course that the model depicted in the image poses a problem where something must be done to resolve the issue. Some solutions would include:

  • using the classic 6to4 IP tunneling (Tunnelbroker from Hurricane Electric),
  • outright rejecting the request with Cloudflare (sorry, why can't I connect via an IPX connection to your website?!),

but definitely "surprising" backend users with IPv6 when their whole network might be just IPv4 is just offering a "surprise backdoor" into your customer's network. Furthermore, having to just put up with it without being able to turn it off yet under the guise of a hostage with a financial gun pointed at you where you would have to spend money to "buy a solution to a problem that did not exist before using Cloudflare" (ie: try connecting with IPv6 to an IPv4 network and notice how it does not work) is just glaringly bad and noncesecurity.

Mitigations

For both anonymizing users and clearnet browsers, the following addon will simply use a domain matcher and redirect all requests to Cloudflare "protected" websites to archive.is:

Conclusions

If you run a personal blog and you do not want to configure your Apache properly to equate the "free" plan, then perhaps CloudFlare can be an option - yet brace yourself for angry followers.

In case you have a business to run - anything, in practice, that spans more than a few chums on a forum, then you better stop using CloudFlare and come up with alternative solutions since it is better to lose a little performance (or search for alternatives) than outright loosing customers.


security/services/cloudflare.txt · Last modified: 2024/06/12 20:10 by office

Access website using Tor Access website using i2p Wizardry and Steamworks PGP Key


For the contact, copyright, license, warranty and privacy terms for the usage of this website please see the contact, license, privacy, copyright.