The only important/interesting quote from the article:
> That particular customer had set up their configuration in such a way that the connection from Cloudflare back to the customers origin was not passed over an encrypted link. Clouldflare has the ability to pass that over an encrypted link. We don’t have any idea why this particular customer chose to do that, but that’s the customers decision.
And it's Cloudflare's decision to expose the endpoint as HTTPS, suggesting to visitors that it's a secure endpoint when Cloudflare knows that it is not.
Not really. He did agree to their traffic being intercepted as a plausible reason as to how this can be explained.
> MediaNama: So the only way they can understand what to block via this route is by sniffing every packet?
> Matthew Prince, Cloudflare: That is what I’m concerned about, but we don’t have a satisfactory answer at this point. But you are correct, that is what I infer.
The background to this is that when a security researcher discovered that CloudFlares upstream connections are being tampered with, Airtel issued a denial. Matthew Prince's answers here contradict Airtel's statement.
This title is misleading and borderline incorrect. He accepts that unencrypted traffic to specific IPs can be intercepted in accordance with a government order. He does not accept that all unencrypted traffic can be sniffed, or that any encrypted traffic can be decrypted.
> MediaNama: As far as I understand, they wouldn’t know the IP address of the host server?
> Matthew Prince, Cloudflare: They should not. That is true.
> MediaNama: So the only way they can understand what to block via this route is by sniffing every packet?
> Matthew Prince, Cloudflare: That is what I’m concerned about, but we don’t have a satisfactory answer at this point. But you are correct, that is what I infer.
For those who missed the background to this, CloudFlare’s Indian ISP was modifying the response from the upstream server to their proxy servers; Unable to detect this, CloudFlare serves the fake response to users under an authentic SSL certificate for that domain.
An interesting aside: CloudFlare is likely inadvertently exporting Indian censorship to neighboring countries like Sri Lanka, Nepal and Bangladesh.
Can someone explain this to an encryption dummy? The 'customer' the CEO is talking about, who chose to not encrypt traffic from cloudfare back to the origin is the PirateBay? So airtel could be sniffing all the unencrypted packets going from cloudfare to other cloudfare customers if the content is stored in cloudfare's india data centers?
MediaNama: So the only way they can understand what to block via this route is by sniffing every packet?
Matthew Prince, Cloudflare: That is what I’m concerned about, but we don’t have a satisfactory answer at this point. But you are correct, that is what I infer.
The headline provided is hardly a fair description of the content of the article. Matthew Prince, CEO of Cloudflare, just states the technical facts of how a https->http proxy works in the context of present day surveillance.
One might argue that Cloudflare’s UI should be a bit more forthcoming and warn customers against blindly turning on what they call "Flexible SSL", which is the issue here. I’m of the opinion that this behavior creates a false sense of security for end users.
A few days ago, I made this humble argument as a reply to John Graham-Cumming, @jgrahamc, an industry rockstar who works at Cloudflare.
https://news.ycombinator.com/item?id=12094057
Flexible SSL is Cloudflare’s term for enabling SSL from the proxy servers to the client, when no encryption is present in the connection back to the origin server. This can protect against things like ISP level snooping, or code insertion and curious local network admins. But it undermines the perceived benefits of https, without the end user knowing.
I personally choose to never activate Cloudflare's SSL without origin SSL, for the reason I stated above: regular people trust that "green lock" in their browser.
But then, there are those who argue that any SSL use through something like Cloudflare muddies the water, as a service like this, acts as a Man in the Middle out of necessity. Furthermore, CDN providers like Cloudflare are by their very nature entrusted with a lot of data which they could mine for nefarious purposes, or leak to local authorities. Another black box to trust, sadly.
This matters for a lot more people than one might assume. One of the central points of CDNs is of course that they try to find the closest/fastest Point of Precence/data center. And now, unfortunatelty, my residential ISP here in Helsinki, Finland (TeliaSonera) routes me to Cloudflare’s new Moscow PoP/data center most of the time.
Previously, my Cloudflare traffic got routed to their Stockholm PoP, as is still the case with other local ISPs I use at work, on mobile etc. For TeliaSonera, Moscow just happens to be the best route at the moment.
This, in turn, causes me to feel slightly more creeped out about potential Russian mass surveillance targeting than I did previously about the Swedes, Germans and other Western actors. Just my personal preference. Also, one would have to ask how Cloudflare will handle Russia’s new, totally batshit anti-crypto legislation ( https://www.theguardian.com/world/2016/jun/26/russia-passes-... )
In this case, I’m in luck, because CEO Matthew Prince recently said that Helsinki, Finland will get its own PoP "very soon" (https://blog.cloudflare.com/brussels/ ).
But all of this if of course something to keep in mind for internet users, that their traffic might take unexpected routes, through areas with totally batshit laws. You can check which Cloudflare PoP you are served by currently through the url below. "Colo" marks the data center, named after the closest airport. https://www.cloudflare.com/cdn-cgi/trace
With all this said, I’m still loyal user and customer of Cloudflare’s. Despite the inherent problems, and the ongoing issues Tor user face.
I would go as far as to say that Cloudflare is something of a dream machine for someone like me who supports a bunch of websites, varying from small to quite heavy on traffic, while still having other work to attend to.
Combining Cloudflare and basic disk based caching found in CMSs, you really can do things like viral web content very cost efficiently. And you get a little help against automated CMS vulnerabilities without paying for their full DDoS protection.
yoo1I|9 years ago
> Cloudflare is a proxy. [...] We don’t have any idea why this particular customer chose to do that, but that’s the customers decision.
Or in other words:
> "We are just a proxy, we are not responsible for anything".
-- https://news.ycombinator.com/item?id=12092188
... it's getting a bit old hearing CloudFlare have the same response every time someone raises an issue with them.
apeace|9 years ago
The only important/interesting quote from the article:
> That particular customer had set up their configuration in such a way that the connection from Cloudflare back to the customers origin was not passed over an encrypted link. Clouldflare has the ability to pass that over an encrypted link. We don’t have any idea why this particular customer chose to do that, but that’s the customers decision.
gkop|9 years ago
pvk84|9 years ago
> MediaNama: So the only way they can understand what to block via this route is by sniffing every packet?
> Matthew Prince, Cloudflare: That is what I’m concerned about, but we don’t have a satisfactory answer at this point. But you are correct, that is what I infer.
aravindet|9 years ago
The background to this is that when a security researcher discovered that CloudFlares upstream connections are being tampered with, Airtel issued a denial. Matthew Prince's answers here contradict Airtel's statement.
jballer|9 years ago
harshilmathur|9 years ago
> Matthew Prince, Cloudflare: They should not. That is true.
> MediaNama: So the only way they can understand what to block via this route is by sniffing every packet?
> Matthew Prince, Cloudflare: That is what I’m concerned about, but we don’t have a satisfactory answer at this point. But you are correct, that is what I infer.
aravindet|9 years ago
An interesting aside: CloudFlare is likely inadvertently exporting Indian censorship to neighboring countries like Sri Lanka, Nepal and Bangladesh.
rm2889|9 years ago
unknown|9 years ago
[deleted]
harshilmathur|9 years ago
MediaNama: So the only way they can understand what to block via this route is by sniffing every packet?
Matthew Prince, Cloudflare: That is what I’m concerned about, but we don’t have a satisfactory answer at this point. But you are correct, that is what I infer.
apecat|9 years ago
One might argue that Cloudflare’s UI should be a bit more forthcoming and warn customers against blindly turning on what they call "Flexible SSL", which is the issue here. I’m of the opinion that this behavior creates a false sense of security for end users.
A few days ago, I made this humble argument as a reply to John Graham-Cumming, @jgrahamc, an industry rockstar who works at Cloudflare. https://news.ycombinator.com/item?id=12094057
Flexible SSL is Cloudflare’s term for enabling SSL from the proxy servers to the client, when no encryption is present in the connection back to the origin server. This can protect against things like ISP level snooping, or code insertion and curious local network admins. But it undermines the perceived benefits of https, without the end user knowing.
I personally choose to never activate Cloudflare's SSL without origin SSL, for the reason I stated above: regular people trust that "green lock" in their browser.
But then, there are those who argue that any SSL use through something like Cloudflare muddies the water, as a service like this, acts as a Man in the Middle out of necessity. Furthermore, CDN providers like Cloudflare are by their very nature entrusted with a lot of data which they could mine for nefarious purposes, or leak to local authorities. Another black box to trust, sadly.
This matters for a lot more people than one might assume. One of the central points of CDNs is of course that they try to find the closest/fastest Point of Precence/data center. And now, unfortunatelty, my residential ISP here in Helsinki, Finland (TeliaSonera) routes me to Cloudflare’s new Moscow PoP/data center most of the time.
Previously, my Cloudflare traffic got routed to their Stockholm PoP, as is still the case with other local ISPs I use at work, on mobile etc. For TeliaSonera, Moscow just happens to be the best route at the moment.
This, in turn, causes me to feel slightly more creeped out about potential Russian mass surveillance targeting than I did previously about the Swedes, Germans and other Western actors. Just my personal preference. Also, one would have to ask how Cloudflare will handle Russia’s new, totally batshit anti-crypto legislation ( https://www.theguardian.com/world/2016/jun/26/russia-passes-... )
In this case, I’m in luck, because CEO Matthew Prince recently said that Helsinki, Finland will get its own PoP "very soon" (https://blog.cloudflare.com/brussels/ ).
But all of this if of course something to keep in mind for internet users, that their traffic might take unexpected routes, through areas with totally batshit laws. You can check which Cloudflare PoP you are served by currently through the url below. "Colo" marks the data center, named after the closest airport. https://www.cloudflare.com/cdn-cgi/trace
With all this said, I’m still loyal user and customer of Cloudflare’s. Despite the inherent problems, and the ongoing issues Tor user face.
I would go as far as to say that Cloudflare is something of a dream machine for someone like me who supports a bunch of websites, varying from small to quite heavy on traffic, while still having other work to attend to.
Combining Cloudflare and basic disk based caching found in CMSs, you really can do things like viral web content very cost efficiently. And you get a little help against automated CMS vulnerabilities without paying for their full DDoS protection.
unknown|9 years ago
[deleted]
unknown|9 years ago
[deleted]