Say no to Cloudflare - Robin Wils's website

Last modified: Sat, Dec 7, 2019

What is Cloudflare?

A cloud which is filled with flares. The cloud has the same shape as the Cloudflare logo. There is a big red cross through the logo.

Say no to Flarecloud logo By Robin Wils - CC0 licensed.

Cloudflare is a content delivery network, which means that it has servers in different locations. Websites which use Cloudflare should be easier to reach, and therefore faster, in different countries.

Cloudflare is not just a content delivery network. Cloudflare is also a reverse proxy (= a middleman between the user and a website) and a DDoS mitigation service (= a service which tries to resist a DDoS attack or make its impact less painful).

Cloudflare is even more than that. Many websites are a part of the Cloudflare content delivery network.

In simple terms: Cloudflare claims to try to make sites faster and more secure. It is a service which a lot of websites use.

Sounds pretty nice, right?

Privacy problems

Do you want to disallow people who need and deserve the right to privacy from using your website?

Great! Use Cloudflare!

Tor

Cloudflare sites usually block Tor. Cloudflare would not provide you anonymity even if it didn't block Tor. If Cloudflare really cares about security, then they should at least let people use Tor. Tor is made for security.

They technically don't block Tor access, but the reCAPTCHAs don't function correctly, which can make it hard to visit a Cloudflare site through Tor.

You might be able to change the security settings for your site, but not all sites do this. There are more important problems, which deserve more focus.

Source: The Trouble with Cloudflare - Tor Blog

Reverse proxy

A reverse proxy acts as a man-in-the-middle, which means that it might spy on everything which your users do. Cloudflare is a reverse proxy.

A man-in-the-middle service is something which is between the site and the user. This means that they can easily add JavaScript which spies on you.

Google CAPTCHAs

Not all sites with Cloudflare use CAPTCHAs, but many do. CAPTCHAs are the things which try to check if you are “human”.

The CAPTCHA sends your personal data to Google, since it is the CAPTCHA from Google, which does more than just check whether you are a robot. Some people even claim that it tries to find out which human you are.

Remember that Google is an advertisement company. Most of their money comes from selling your data. In fact, the privacy policy which you accept by using almost any Google product allows them to do this.

The funny thing is that there are computer programs (robots), which can solve the “prove you are human” CAPTCHAs.

Google Privacy Policy

Buster

Buster is a browser extension which can solve reCAPTCHAs. CAPTCHAs can be solved by clicking on the extension button at the bottom of the reCAPTCHA widget.

License: GPLv3

Project Honey Pot

Project Honey Pot is a project which collects a lot of user data and much of that data is from innocent users who deserve privacy. Cloudflare was created by people who worked on that project.

Cloudflare has leaked private user data before, so it has something in common with “Project Honey Pot”.

Companies which don't show the source code probably don't show it for a reason. Spying might be one such reason. Showing the source code is usually a great way to find bugs and to improve your code.

I will probably say more about this in another article.

Firefox and Cloudflare

Mozilla (Firefox) has partnered up with Cloudflare and will resolve the domain names from the application itself via a DNS server from Cloudflare. Cloudflare will then be able to read everyone's DNS requests.

You can disable it in “about:config”. The string value of “network.trr.uri” should be empty. Some other settings can also contain Cloudflare URLs. It is recommended to search for “cloudflare”. GNU IceCat and older Firefox versions are not affected yet. Tor Browser is also Firefox-based, but you don't have to use Tor Browser to use Tor.

The about:config page which shows the Cloudflare DNS address in the network.trr.uri string.

(Screenshot) The Firefox about:config Cloudflare DNS settings By Robin Wils - CC0 licensed.

Keep in mind that the configured DNS resolver of your computer might be Cloudflare DNS. You can find guides on the internet about setting the DNS nameservers.

I recommend the Quad9 DNS resolver. Some of their DNS nameservers use DNSSEC, which means that your DNS queries aren't in plain text. This means that it provides you extra privacy. Quad9 is a nonprofit organisation. It looks trustworthy enough.

Keep in mind that DNS is just a pretty insecure protocol by default.

Most GNU and/or Linux systems have a /etc/resolv.conf file, but programs like wicd and NetworkManager change these settings. Those programs usually have a settings menu to set the DNS nameservers.
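
The two checks from this section (the about:config search for “cloudflare” and the look at the system resolver) can be scripted. This is an added example, not code from the article: the sample files are constructed, and the four resolver addresses are those of Cloudflare's public 1.1.1.1 service.

```bash
#!/bin/sh
# Added example, not code from the article. Sample files are constructed.

# Addresses of Cloudflare's public resolver (the 1.1.1.1 service).
CF_RESOLVERS='1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001'

# Print the name of every pref in a Firefox prefs.js/user.js file whose
# line mentions "cloudflare" (the about:config search the article suggests).
# These files only record prefs changed from their defaults, so an empty
# result does not prove that the built-in defaults are Cloudflare-free.
cloudflare_prefs() {
    grep -i 'cloudflare' "$1" | sed -n 's/^user_pref("\([^"]*\)".*/\1/p'
}

# Print each nameserver in a resolv.conf-style file that is one of the
# Cloudflare resolver addresses.
cloudflare_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1" | while read -r ns; do
        case " $CF_RESOLVERS " in
            *" $ns "*) echo "$ns" ;;
        esac
    done
}

# Constructed sample files so the example runs offline.
demo=$(mktemp -d)
cat > "$demo/prefs.js" <<'EOF'
user_pref("browser.startup.page", 3);
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
EOF
cat > "$demo/resolv.conf" <<'EOF'
# constructed sample
nameserver 9.9.9.9
nameserver 1.1.1.1
EOF

echo "Prefs mentioning Cloudflare:"
cloudflare_prefs "$demo/prefs.js"
echo "Cloudflare nameservers:"
cloudflare_nameservers "$demo/resolv.conf"
```

On a real system, point the functions at the prefs.js or user.js of your Firefox profile and at /etc/resolv.conf.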

Think about your visitors

Do you like it when websites ruin a bit of your experience?

In other words: Would you love to visit a website which forces you to solve an annoying, time-wasting puzzle, usually after waiting five seconds, which also costs you valuable time?

Awesome! Use Cloudflare!

Your users matter

Every visitor helps. Think about their experience. They make your website successful. They like to see your content. They probably would like it when the website opens quickly without too much junk.

Who is your userbase… and what do they like?

Focus on them. Some of them probably care about their privacy. You will have fewer visitors if you don't support them. That influences the success of your website.

I highly doubt that they will like:

What possible users who care about privacy probably won't like:

Just to be clear

People who care about privacy aren't criminals, or at least not always. In fact, everyone needs privacy in one way or another. Everyone has the right to privacy.

People who really think that they don't need privacy should be ok with sending me their address, private conversations, access to their webcam, passwords and more. Don't actually do this.

Whistleblowers are an important example. They have in many cases shared useful information. Many of them can lose their job if they aren't anonymous enough.

Legal “.onion” sites exist. Some examples of this are:

More information about Tor

How can you fight against Cloudflare?

That is a really good question.

It isn't simple to avoid websites which are served by things like Cloudflare without any extra tools. Cloudflare is a big privacy problem. However, I have tips for the people who care about privacy.

Extensions

There are browser extensions which fight against this problem. I recommend the Cloud Firewall add-on.

Cloud Firewall

The Cloud Firewall add-on can block connections to pages and web resources hosted in major cloud services if the user wishes to do so. It supports blocking Google, Amazon, Facebook, Apple, Microsoft and Cloudflare. Cloud Firewall has a whitelisting option, so that it can disable blocking on specific websites.

License: GPLv3

A bash script which I wrote

I wrote a simple bash script which can be used to block or unblock the Cloudflare IPs by using iptables. This script was made for GNU and Linux operating systems. I wrote this before I knew about the Cloud Firewall add-on.

I started writing an add-on which can be used to block Cloudflare. I discontinued the project when I heard about the Cloud Firewall add-on.
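
One way a block/unblock script like the one described above can be structured, as an added example that is not the author's script: it only prints the iptables commands so they can be reviewed before being run as root. The chain name `CF_BLOCK` and the sample ranges are constructed placeholders.

```bash
#!/bin/sh
# Added example, not the author's script. It only prints the iptables
# commands; review them, then pipe the output to a root shell to apply.

CHAIN=CF_BLOCK   # hypothetical chain name, so unblocking is one flush

# Constructed placeholder ranges (RFC 5737 documentation networks).
# Real ranges would come from the list which Cloudflare publishes.
sample_ranges() {
    cat <<'EOF'
# one IPv4 CIDR range per line
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24 -j ACCEPT
EOF
}

# Read ranges on stdin and print the commands that reject outbound
# traffic to them. Every line is validated first, because the list is
# external input that ends up in commands run as root.
block_rules() {
    echo "iptables -N $CHAIN"
    echo "iptables -I OUTPUT -j $CHAIN"
    while read -r cidr; do
        case "$cidr" in ''|'#'*) continue ;; esac
        if printf '%s\n' "$cidr" |
            grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
        then
            echo "iptables -A $CHAIN -d $cidr -j REJECT"
        else
            echo "skipped malformed line: $cidr" >&2
        fi
    done
}

# Print the commands that undo block_rules.
unblock_rules() {
    echo "iptables -D OUTPUT -j $CHAIN"
    echo "iptables -F $CHAIN"
    echo "iptables -X $CHAIN"
}

sample_ranges | block_rules
unblock_rules
```

The third sample line is deliberately malformed and is skipped with a warning instead of being turned into a rule.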

Tell others about the danger of Cloudflare

You can ask websites to not use Cloudflare. Please do so in a respectful way. Mentioning why Cloudflare is not the best option might help. I recommend that you recommend them an alternative. (Feel free to send me some alternatives, I want to list some of them on this website)

You could write an article or share other people's articles. Make more people aware of this problem.

Feel free to use the images on my site which are CC0 licensed. CC0 means that it is public domain licensed, which means that you can use it for any purpose. There are no restrictions.

Even more reasons

The CrimeFlarE repository

The following git repository contains more reasons and links to articles of other people. I highly recommend checking it out.

It is an amazing source of information. The structure of the repository might make it a bit hard to look through it. Many who read this probably wouldn't have problems with finding what they are looking for.

Cloudflare article.txt from the crimeflare/cloudflare-tor repository.

Knowing this also changed me

Removing Matrix

Matrix.org apparently also uses Cloudflare, so I decided to remove my Matrix account after writing this article. I don't see it as something which offers you privacy if it decides to use Cloudflare.

I won't recommend Matrix because of this problem, even if it might be solvable by self-hosting, since you will probably recommend it to friends. Those friends might decide to use the official Matrix server. Those friends could be using Cloudflare without knowing the dangers of it.

Fediverse problems

Avoiding all Cloudflare sites is probably not easy, but I will do what I can. The content on the Fediverse can be served by Cloudflare, but it only serves the content of other instances which use Cloudflare through Cloudflare.

I use the Cloud Firewall add-on and won't whitelist the instance which I use, which means that I can't see the pictures and some other media when I am using Mastodon or Pleroma.

I changed again, after a few extra months

Is privacy worth it?

I think that productivity matters more than privacy. There are tools which provide productivity while also being better for security and privacy. Take a look at KeePassXC for example.

I would go for the more secure alternative if it doesn't hurt my productivity too much. I do this because I still want to support privacy for the people who need it.
