Re: Cloudflare Considered Harmful
Time for another Hugo Landau blog post. This particular one, “Cloudflare considered harmful”, was written in 2019, but it’s even more relevant given that Cloudflare has since expanded.
First I just want to say that I fully agree with Hugo’s post.
I will never MitM my websites with Cloudflare. For one, there’s no need for it. That I’m aware of, my site has never been DoSed and it gets on my nerves seeing websites use Cloudflare that don’t need it. I often stumble across a website in Tor Browser that I can’t access because of Cloudflare and think to myself “Is this website important enough to need Cloudflare? I doubt anyone has ever cared to DoS it.” And second, as Hugo Landau points out, there are other ways to mitigate DoS that don’t involve MitMing one’s site and making it stochastically fail.
Another important point Hugo makes is that Cloudflare is potentially a global active adversary, calling it “essentially the world’s premier global MitM agency” which causes massive centralization and represents a huge step backwards in the progress we’ve made in TLS support since 2013. Given the nature of Cloudflare’s business, I agree with Hugo that it’s highly likely that it’s cooperating with the NSA. Even if by some miracle it’s not wittingly or willingly cooperating with the NSA, the nature of Cloudflare’s business makes it a high-value target for US intelligence. In other words, if the G men want the data badly enough, and they do, then they’ll find a way.
Finally, I agree with Hugo that the idea of web application firewalls (WAFs) is fundamentally flawed:
“The “web application firewall” concept is fundamentally flawed in all instances, because it falsely presupposes that a blind intermediate proxy can reliably assess the semantic meaning of data transmitted, which is in actual fact impossible. Since this kind of “service” is part of the Cloudflare value proposition and an attempt to add a profit-making value-add, Cloudflare has essentially built their entire business on doing something which is a bad idea and which cannot be reliably implemented.”
I wouldn’t deny that WAFs can increase security. They are defense-in-depth. But they come at the cost of increasing coupling and complexity and, in Cloudflare’s case, blocking valid requests and mangling harmless HTML. Like Hugo says, it’s not the place of intermediate proxies to assess the semantic meaning of transmitted data.
So that’s about all I have to add. In summary, don’t use Cloudflare. If you find yourself tempted to use a WAF, maybe look for another solution.