Say no to Cloudflare - Robin Wils's website
Last modified: Sat, Dec 7, 2019
- What is Cloudflare?
- Privacy problems
- Think about your visitors
- How can you fight against Cloudflare?
- Even more reasons
- Knowing this, also changed me
- I changed again, after a few extra months
What is Cloudflare?
(Image) Say no to Flarecloud logo By Robin Wils - CC0 licensed.
Cloudflare is a content delivery network (CDN), which means that it has servers in many different locations. Websites which use Cloudflare should therefore be better reachable, so faster, from different countries.
Cloudflare is not just a content delivery network. It is also a reverse proxy (a middleman between the user and a website) and a DDoS mitigation service (a service which tries to resist a DDoS attack or make its impact less painful).
Cloudflare is even more than that. Many websites are part of the Cloudflare content delivery network.
In simple words: Cloudflare claims to try to make sites faster and more secure. It is a service which a lot of websites use.
Sounds pretty nice, right?
Do you want to keep people who need and deserve the right to privacy from using your website?
Great! Use Cloudflare!
Cloudflare sites usually block Tor. Cloudflare would not provide you anonymity even if it didn't block Tor. If Cloudflare really cared about security, it should at least let people use Tor. Tor is made for security.
They technically don't block Tor access, but the reCAPTCHAs don't function correctly, which can make it hard to visit a Cloudflare site through Tor.
You might be able to change the security settings for your site, but not all sites do this. There are more important problems, which deserve more focus.
Source: The Trouble with Cloudflare - Tor Blog
A reverse proxy acts as a man-in-the-middle, which means that it might spy on everything which your users do. Cloudflare is a reverse proxy.
Not all sites with Cloudflare use CAPTCHAs, but many do. CAPTCHAs are the things which try to check if you are “human”.
It sends your personal data to Google, since it uses the CAPTCHA from Google, which does more than just checking if you are a robot. Some people even claim that it tries to find out which human you are.
The funny thing is that there are computer programs (robots), which can solve the “prove you are human” CAPTCHAs.
Buster is a browser extension which can solve reCAPTCHAs. The CAPTCHA is solved by clicking on the extension button at the bottom of the reCAPTCHA widget.
Project Honey Pot
Project Honey Pot is a project which collects a lot of user data and much of that data is from innocent users who deserve privacy. Cloudflare was created by people who worked on that project.
Cloudflare has leaked private user data before, so it has something in common with “Project Honey Pot”.
Companies which don't show the source code probably don't show it for a reason. Spying might be one of them. Showing the source code is usually a great way to find bugs and to improve your code.
I will probably say more about this in another article.
Firefox and Cloudflare
Mozilla (Firefox) has partnered with Cloudflare and will resolve domain names from the application itself via a Cloudflare DNS server. Cloudflare will then be able to read everyone's DNS requests.
You can disable it in “about:config”: the string value of “network.trr.uri” should be empty. Some other settings can also contain Cloudflare URLs, so it is recommended to search for “cloudflare”. GNU IceCat and older Firefox versions are not affected yet. Tor Browser is also Firefox based, but you don't have to use Tor Browser to use Tor.
(Screenshot) The Firefox about:config Cloudflare DNS settings By Robin Wils - CC0 licensed.
Keep in mind that the configured DNS resolver of your computer might be Cloudflare DNS. You can find guides on the internet about setting the DNS nameservers.
I recommend the Quad9 DNS resolver. Some of their DNS nameservers use DNSSEC, which means that your DNS queries aren't in plain text. This means that it provides you extra privacy. Quad9 is a nonprofit organisation. It looks trustworthy enough.
Keep in mind that DNS is just a pretty insecure protocol by default.
Most GNU and/or Linux systems have an /etc/resolv.conf file, but programs like wicd and NetworkManager overwrite these settings. Those programs usually have a settings menu to set the DNS nameservers.
Think about your visitors
Do you like it when websites ruin a bit of your experience?
In other words: would you love to visit a website which forces you to solve an annoying, time-wasting puzzle, usually after waiting five seconds, which also costs you valuable time?
Awesome! Use Cloudflare!
Your users matter
Every visitor helps. Think about their experience. They make your website successful. They like to see your content. They probably would like it when the website opens quickly without too much junk.
Who is your userbase… and what do they like?
Focus on them. Some of them probably care about their privacy. You will have fewer visitors if you don't support them. That influences the success of your website.
I highly doubt that they will like:
- To solve a CAPTCHA;
- To wait for five seconds for no good reason.
What potential users who care about privacy probably won't like:
- That your site isn't easily reachable through Tor;
- That your site is hosted by some company which many people don't trust. (I know that this site still uses the Google servers. I still need to fix that, but I currently don't spend any money on this website.)
Just to be clear
People who care about privacy aren't criminals, or at least not always. In fact, everyone needs privacy in one way or another. Everyone has the right to privacy.
People who really think that they don't need privacy should be ok with sending me their address, private conversations, access to their webcam, passwords and more. Don't actually do this.
An important example is whistleblowers. They have in many cases shared useful information. Many of them can lose their job if they aren't anonymous enough.
Legal “.onion” sites exist. Some examples of this are:
- Facebook (closed source social media)
- DuckDuckGo (Search engine, the core of this search engine is closed source)
- Protonmail (webmail, the mobile app is closed source)
More information about Tor
How can you fight against Cloudflare?
That is a really good question.
It isn't simple to avoid websites which are served by things like Cloudflare without any extra tools. Cloudflare is a big privacy problem. I do however have tips for the people who care about privacy.
There are browser extensions which fight against this problem. I recommend the Cloud Firewall add-on.
The Cloud Firewall add-on can block connections to pages and web resources hosted in major cloud services if the user wishes to do so. It supports blocking Google, Amazon, Facebook, Apple, Microsoft and Cloudflare. Cloud Firewall has a whitelisting option, so that blocking can be disabled on specific websites.
A bash script which I wrote
I wrote a simple bash script which can be used to block or unblock the Cloudflare IPs by using iptables. This script was made for GNU and Linux operating systems. I wrote this before I knew about the Cloud Firewall add-on.
I started writing an add-on which can be used to block Cloudflare. I discontinued the project when I heard about the Cloud Firewall add-on.
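As an added illustration of the two checks this article asks for (is my resolver Cloudflare's, and is a site I visit fronted by Cloudflare, as the iptables script and the Cloud Firewall add-on decide by IP range), here is a small Python example. It is not Robin Wils's script nor the add-on's code; the CDN ranges in it are constructed placeholders, and the published list is assumed to live at https://www.cloudflare.com/ips-v4.

```python
import ipaddress
import re

# Added example, not Robin Wils's script or the Cloud Firewall add-on's code.
# The CDN ranges below are a CONSTRUCTED sample (RFC 5737 documentation nets);
# the current published list is assumed to be at https://www.cloudflare.com/ips-v4.
CLOUDFLARE_CDN_RANGES = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",   # constructed placeholder
    "198.51.100.0/24",  # constructed placeholder
)]
# Cloudflare's public resolver addresses (the "1.1.1.1" service).
CLOUDFLARE_RESOLVERS = {"1.1.1.1", "1.0.0.1"}

def is_cloudflare_ip(ip: str) -> bool:
    """True if the address falls inside one of the CDN/reverse-proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_CDN_RANGES)

def is_cloudflare_fronted(headers: dict) -> bool:
    """Detect a Cloudflare reverse proxy from HTTP response headers.
    Cloudflare adds a CF-RAY header and sets Server: cloudflare; header
    names are compared case-insensitively, as HTTP requires."""
    lower = {k.lower(): v for k, v in headers.items()}
    return "cf-ray" in lower or lower.get("server", "").strip().lower() == "cloudflare"

def cloudflare_nameservers(resolv_conf: str) -> list:
    """Return the nameserver entries in an /etc/resolv.conf body that point
    at Cloudflare's resolver. Comments and blank lines are ignored."""
    found = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"nameserver\s+(\S+)", line)
        if m and m.group(1) in CLOUDFLARE_RESOLVERS:
            found.append(m.group(1))
    return found

# Constructed sample inputs so the script runs offline.
SAMPLE_HEADERS = {"Server": "cloudflare", "CF-RAY": "0000000000000000-AMS",
                  "Content-Type": "text/html"}
SAMPLE_RESOLV = "# Generated by NetworkManager\nnameserver 1.1.1.1\nnameserver 9.9.9.9\n"

if __name__ == "__main__":
    print("fronted by Cloudflare:", is_cloudflare_fronted(SAMPLE_HEADERS))
    print("Cloudflare resolvers in resolv.conf:", cloudflare_nameservers(SAMPLE_RESOLV))
    print("203.0.113.7 in CDN ranges:", is_cloudflare_ip("203.0.113.7"))
```

Feed `cloudflare_nameservers` the contents of your own /etc/resolv.conf to see whether the resolver the article warns about is configured on your machine.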
Tell others about the danger of Cloudflare
You can ask websites to not use Cloudflare. Please do so in a respectful way. Mentioning why Cloudflare is not the best option might help. I recommend that you suggest them an alternative. (Feel free to send me some alternatives; I want to list some of them on this website.)
You could write an article or share other people's articles. Make more people aware of this problem.
Feel free to use the images on my site which are CC0 licensed. CC0 means that it is public domain, which means that you can use it for any purpose. There are no restrictions.
Even more reasons
The CrimeFlarE repository
The following git repository contains more reasons and links to articles of other people. I highly recommend checking it out.
It is an amazing source of information. The structure of the repository might make it a bit hard to look through it. Many who read this probably wouldn't have problems with finding what they are looking for.
Cloudflare article.txt from the crimeflare/cloudflare-tor repository.
Knowing this, also changed me
Matrix.org apparently also uses Cloudflare, so I decided to remove my matrix account after writing this article. I don't see it as something which offers you privacy if it decides to use Cloudflare.
I won't recommend Matrix because of this problem, even if it might be solvable by self-hosting, since you probably will recommend it to friends. Those friends might decide to use the official Matrix server. Those friends could be using Cloudflare without knowing the dangers of it.
Avoiding all Cloudflare sites is probably not easy, but I will do what I can. Content on the Fediverse can be served by Cloudflare, but only the content of other instances which themselves use Cloudflare is served through it.
I use the Cloud Firewall add-on and won't whitelist the instance which I use, which means that I can't see the pictures and some other media when I am using Mastodon or Pleroma.
I changed again, after a few extra months
Is privacy worth it?
I think that productivity matters more than privacy. There are tools which provide productivity while also being better for security and privacy. Take a look at KeePassXC for example.
I would go for the more secure alternative if it doesn't hurt my productivity too much. I do this because I still want to support privacy for the people who need it.
- Privacy focused software - contains reasons to care about privacy
- How important is online privacy? - contains thoughts about online privacy, is the extra effort worth it?