Archives

All posts for the month April, 2015

CloudFlare is horrible for many reasons. It might make everything super easy. You get DDoS protection, seamless SSL integration, very simple DNS management, ability to hide your server’s IP. But with all of that convenience you lose control of your data and your sites are now open to MITM attacks by Big Brother. Data going through their servers is encrypted/decrypted on their servers, they retain the private key (unless you pay $5,000/mo for their enterprise plan).

Their snake-oil security

cloudflare_ssl

What worries me the most is that more and more sites across the web are starting to use CloudFlare especially with their free-tier SSL certificates. This creates a false sense of security as people think their information is encrypted and no one can read it, but in reality it’s going through CloudFlare’s network who is most likely working with 3 letter agencies directly or indirectly in their SIGINT programs to store exabytes of traffic data from sites that could contain valuable information to them.

As we’ve seen in the Snowden docs intelligence agencies horde zero day exploits and use them on their targets. I speculate that CloudFlare could be used to deliver those exploits en masse or to deliver them to a target who visits a site that uses CloudFlare. CloudFlare’s entire model could definitely make it easier for intelligence agencies to deliver their nasty exploits. The NSA has already broken into some of the biggest companies in the world, it would only make sense for them to have done this to CloudFlare as well.

Of course this is all speculation, but who are we kidding we haven’t even seen half of the Snowden docs. The NSA is capable of so much more than we’ve seen and I’ll tell you “told ya so” if my speculations become known facts. 🙂