website source; use git clone git:// to clone this repository.

cloudflare-email-template.txt (6004B)

      1 <<This template is specifically for my own use, but it should be easily
      2 adaptable for yours as well if you wish to take up the cause of
      3 informing Cloudflare users about exactly what product they are using in
      4 front of their websites. I encourage anyone interested to join; I
      5 encourage feedback for improvements on this template as well, so feel
      6 free to contact me <> if you have any
      7 suggestions or simply if you are making use of this yourself. As with
      8 most of my site's content, I release this template into the public
      9 domain under the Creative Commons Zero licence.>>
     12 Hi,
     14 May I ask what influenced your decision to place your website behind
     15 Cloudflare? <<Information about how I discovered your site>>
     17 While Cloudflare is easy and free to use and set up (I made an account
     18 a while back to test it out) it is not without issue. Along with the
     19 fact it seems to discriminate against legitimate Tor and other
     20 VPN/proxy users, despite claims that Cloudflare is doing its best not
     21 to impede upon Tor traffic, there are other problems with its current
     22 implementation and its design. It is a central entity, which means any
     23 attacks on Cloudflare affect many or all of its users, regardless of
     24 website; as long as it's behind Cloudflare it is affected, and it could
     25 cause anywhere from downtime [1] to security vulnerabilities and
     26 personal information leaks [2].
     28 In addition, people using your website must not only agree to your
     29 and your hosting provider's terms of service, but also Cloudflare's
     30 terms, and Google's terms as well if they get served a reCAPTCHA from
     31 the "One more step" page. ReCAPTCHA is difficult to solve on a good day
     32 and impossible to solve behind an IP address with a "bad reputation"
     33 such as with Tor's exit nodes. The solution to reCAPTCHA (and Google
     34 designed it this way) is to keep one's browser logged into Google
     35 across all sites, which requires a trade-off on privacy that Tor and
     36 other VPN users do not want to risk -- if they did, then they would
     37 likely not be behind a proxy anyway.
     39 You might be wondering why Tor is important: not only is it good for
     40 privacy-conscious people, but it helps people access websites otherwise
     41 censored by ISPs and governments. My choice to use Tor is thankfully
     42 just that, a choice, but it is one I make because I believe in the
     43 power of privacy and in strengthening the anonymity set of the network.
     44 With my normal browsing traffic mixed into the network, it becomes more
     45 difficult for adversaries to track the browsing habits of people who
     46 "shouldn't" have unbridled access to the Internet. While it's true that
     47 Tor is also used by criminals and spammers, it is a vocal minority, and
     48 websites such as your own are more likely to attract undesired traffic
     49 coming from people with access to thousands of open proxies and botnet
     50 computers. I personally have much experience dealing with Tor traffic
     51 because I help administrate Tor-only as well as Tor-friendly websites,
     52 and with proper caching and security, I am able to keep my websites
     53 maintainable and moderatable.
     55 There is also the fact that Cloudflare is, simply put, a
     56 man-in-the-middle service. It's their business; it's the only
     57 technically possible way they can achieve layer-7 DDoS mitigation.
     58 Thankfully, layer-7 mitigation can be done from your own server; like I
     59 said, caching web pages for logged-out users does wonders and you most
     60 likely do not have to worry about any other server configuration other
     61 than keeping all your software up to date.  Lower layer mitigation is
     62 offered by many providers and tunnel services; just do a search for
     63 DDoS-mitigated providers if this is a concern of yours.
     65 Again, the MITM trait of Cloudflare matters because user data has
     66 another terms-of-service to transport through, another security weak
     67 point to transport through, and potentially the eyes of several
     68 three-letter agencies to worry about, should any of them decide to
     69 reach out to Cloudflare in request of any information or metadata.
     70 Also, it means Cloudflare can terminate anyone and do anything they
     71 want with customer and end-user information, which they had
     72 demonstrated in the past [3]. Thankfully the CEO of Cloudflare learned
     73 from his mistake and promises his business will not make any similar
     74 rash choices again, but next time it may not be up to him but by
     75 another disgruntled employee. This final concern might not affect you,
     76 but it is a concern nonetheless, and it demonstrates the power
     77 Cloudflare has over its business due to its MITM nature of a majority
     78 of the Internet. I have a strong desire to see decentralisation on the
     79 Internet, given it is a naturally-decentralised network that spans
     80 across nations and websites. If all websites with their own interests
     81 and policies tunnel through Cloudflare, are they our websites anymore? I
     82 have similar concerns with other large hosts such as Google, Amazon AWS,
     83 and Github, but I believe that simply addressing my concerns to sites
     84 behind Cloudflare is a large enough goal to focus on. These other
     85 companies I have a watchful eye for, and I personally do not host my
     86 content with any of them because again, I believe I must avoid placing
     87 all my eggs in one basket.
     89 I have used a public template [4] as a base for this message, as I only
     90 wish for Cloudflare users to be aware of the product they are using. It
     91 is ultimately your choice as a website administrator to use Cloudflare,
     92 but be aware of its impact on all of your users, and if you wish to at
     93 least be indiscriminate toward Tor users, you should look into lowering
     94 your site's protection settings and only have the reCAPTCHA page served
     95 when your site is actively under attack. Again, there are a lot of
     96 legitimate users who simply wish to read the content published online.
     98 [1]<>
     99 [2]<>
    100 [3]<>
    101 [4]<>
    103 Thanks,