They get shit on a lot here. Why? What do they do and how is that different from other companies that offer similar services?
What I know of them: they offer DDS brute force/spam protection for websites.
They get shit on a lot here. Why? What do they do and how is that different from other companies that offer similar services?
What I know of them: they offer DDS brute force/spam protection for websites.
I wouldn’t call it hate, just concern.
Cloudflare acts as a front door to many sites and as such your TLS session is terminated at Cloudflare, then CF makes a additional session from themselves to the target site.
This is concerning as that means CF can see all of your data.
It’s worth mentioning the advantage of why they do this. There are several reasons, but the two most common are:
Seeing the data means they can do a better job at detecting attacks and fending them off.
They can issue certificates with longer lives from their private CA which simplifies certificate management for their customers.
considering they are a US company they are bound by US warrantless wiretapping laws.
Plus other capabilities like injecting banners, caching, etc
you say, “caching,” CF says, “ca-ching!”
There is https://developers.cloudflare.com/ssl/keyless-ssl/
If you don’t own your private keys, wtf are you doing anyway? People are fucking lazy and they are paying for it.
While true, and I am not a hater of Cloudflare:
I’m not part of any Enterprise organization and I’m too poor to sign up for Enterprise level service, and so I am unable to use their Keyless SSL.
Just for example. Sometimes it’s not that we don’t want to but can’t afford to, especially if we’re just Joe Schmoe running a handful of services on a server box.
Once again, I have no issues with Cloudflare myself, and personally have a decent amount of respect for them.
I’m just saying getting access to the Keyless SSL is less easy than you made it sound.
I get that. If you’re not paying for a service, there’s still a price. There are no companies out there doing you any favors, only those that make you believe they do.
Clouflare is okay. Don’t trust anything apparently free ever
If you’re not paying money for a service, you’re paying another way
How much the Enterprise plan on cloudflare cost? $300/mo?
Right?? To let your website be susceptible to that kind of act by anyone means that you probably didn’t really care about security in the first place, so much as just getting the magic lock icon happy.
Magic lock icon is easy, hard is it to block attacks and being able to do very little about it.
Spoofed packets, server providers not caring what their customers do, many abuse email adresses dont even work.
Keyless SSL would be nice and i’d use it. I have my own keys, but its for Enterprise customers only.
I am not using Cloudflare as i dont like them handling like 80% of all traffic. But as website owner i can understand why someone would still choose them…