Say no to Cloudflare — Robin Wils's website
Last modified: Sun, Jan 10, 2021
(Image) Say no to Flarecloud logo. By Robin Wils - CC0 licensed.
- What is Cloudflare?
- Think about your visitors
- Privacy problems
- How can you fight against Cloudflare?
- Even more reasons
- Is privacy worth it?
What is Cloudflare?
Long complex description
Cloudflare is a content delivery network, which means that it has different servers in different locations. Websites which use Cloudflare should be easier to reach, and so faster, in different countries.
Cloudflare is not just a content delivery network. Cloudflare is also a reverse proxy (= a middleman between the user and a website) and a DDoS mitigation service (= a service which tries to resist a DDoS attack or make its impact less painful).
Cloudflare is even more than that. Many websites are a part of the Cloudflare content delivery network.
Cloudflare claims to try to make sites faster and more secure. It is a service which a lot of websites use.
Sounds pretty nice, right?
Think about your visitors
Do you like it when websites ruin a bit of your experience?
In other words: would you love to visit a website which forces you to solve an annoying, time-wasting puzzle, usually after waiting five seconds, which also costs you valuable time?
Awesome! Use Cloudflare!
Your users matter
Every visitor helps. Think about their experience. They make your website successful. They like to see your content. They probably would like it when the website opens quickly without too much junk.
Your users are basically everything.
Who is your user base… and what do they like?
Focus on them. Some of them probably care about their privacy. You will have fewer visitors if you don’t support them. That influences the success of your website.
I highly doubt that they will like:
- To solve a CAPTCHA;
- A website which sometimes goes down for long periods, because of Cloudflare;
- To wait for five seconds for no good reason.
What potential users who care about privacy probably won’t like:
- That your site isn’t easily reachable through Tor;
- That your site is hosted by some company which many people don’t trust. (I know that this site still uses the Google servers, I still need to fix that, but I currently don’t spend any money on this website.)
Just to be clear
People who care about privacy aren’t criminals, or at least not always. In fact, everyone needs privacy in one way or another. Everyone has the right to privacy.
People who really think that they don’t need privacy should be ok with sending me their address, private conversations, access to their webcam, passwords and more. Don’t actually do this.
Whistleblowers are an important example. They have in many cases shared useful information. Many of them can lose their job if they aren’t anonymous enough.
Legal “.onion” sites exist. Some examples of this are:
- Facebook (social media)
- DuckDuckGo (search engine)
- ProtonMail (webmail)
More information about Tor
Do you want to stop people who need and deserve the right to privacy from using your website?
Great! Use Cloudflare!
A reverse proxy acts as a man-in-the-middle, which means that it might spy on everything which your users do. Cloudflare is a reverse proxy.
It keeps a globally-unique ID
Cloudflare creates a cookie which gives your browser a globally-unique ID. This even happens when the website is using SSL and shows a little padlock in your browser.
This pretty much kills privacy. A globally-unique ID can easily be used to track you.
Not all sites with Cloudflare use CAPTCHAs, but many do. CAPTCHAs are the things which try to check if you are “human”.
Cloudflare suddenly uses hCAPTCHA, which is not accessible at all. It is hard to find accessible CAPTCHAs in general. This Captcha is hard to solve in my opinion.
Also it is on a blockchain, so it makes Cloudflare money.
The funny thing about CAPTCHAs is that there are computer programs (robots), which can solve the “prove you are human” CAPTCHAs.
Buster is a browser extension which can solve reCAPTCHAs. CAPTCHAs can be solved by clicking on the extension button at the bottom of the reCAPTCHA widget.
My current CAPTCHA recommendation is Friendly Captcha.
It seems like the best CAPTCHA at the moment, but you don’t always need a CAPTCHA in the first place. You can find the Friendly Captcha website below.
Project Honey Pot
Project Honey Pot is a project which collects a lot of user data and much of that data is from innocent users who deserve privacy. Cloudflare was created by people who worked on that project.
Cloudflare has leaked private user data before, so it has something in common with “Project Honey Pot”.
Firefox and Cloudflare
Mozilla (Firefox) has partnered up with Cloudflare and will resolve the domain names from the application itself via a DNS server from Cloudflare. Cloudflare will then be able to read everyone’s DNS requests.
You can disable it in “about:config”. The string value of “network.trr.uri” should be empty.
Some other settings can also contain Cloudflare URLs. It is recommended to search for “cloudflare”.
(Screenshot) The Firefox about:config Cloudflare DNS settings By Robin Wils - CC0 licensed.
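The same search for “cloudflare” can be run against a profile's `prefs.js` file outside the browser. This is an added example, not code from this site: the sample preferences are constructed, and it assumes that `prefs.js` only lists preferences which were changed from their defaults, so a missing `network.trr.uri` is reported as "absent" rather than "empty".

```python
import re

# One line of prefs.js / user.js looks like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$')

# Constructed sample profile contents, not taken from a real profile.
SAMPLE_PREFS = r'''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
user_pref("network.trr.custom_uri", "https://mozilla.cloudflare-dns.com/dns-query");
'''

def parse_prefs(text):
    """Return {name: value} for every user_pref() line; other lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            # String literal: drop the quotes and undo backslash escapes.
            prefs[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return prefs

def audit_prefs(text):
    """Return (prefs whose string value mentions cloudflare, state of network.trr.uri)."""
    prefs = parse_prefs(text)
    hits = [(n, v) for n, v in sorted(prefs.items())
            if isinstance(v, str) and "cloudflare" in v.lower()]
    if "network.trr.uri" not in prefs:
        state = "absent"   # not overridden in this file; the browser default applies
    elif prefs["network.trr.uri"] == "":
        state = "empty"    # the setting the text above recommends
    else:
        state = "set"
    return hits, state

if __name__ == "__main__":
    hits, state = audit_prefs(SAMPLE_PREFS)
    print("network.trr.uri:", state)
    for name, value in hits:
        print(f"{name} = {value}")
```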
Keep in mind that the configured DNS resolver of your computer might be Cloudflare DNS. You can find guides on the internet about setting the DNS nameservers.
I recommend the Quad9 DNS resolver. Some of their DNS nameservers use DNSSEC, which means that your DNS queries aren’t in plain text. This means that it provides you extra privacy. Quad9 is a nonprofit organization. It looks trustworthy enough.
Keep in mind that DNS is just a pretty insecure protocol by default.
Most GNU/Linux systems have a /etc/resolv.conf file, but programs like wicd and NetworkManager change these settings. Those programs usually have a settings menu to set the DNS nameservers.
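To check whether the system resolver is Cloudflare DNS, the `nameserver` lines of `/etc/resolv.conf` can be compared against Cloudflare's public resolver addresses. This is an added example, not code from this site, and the file contents in it are constructed. A loopback nameserver is reported separately, because a local program then holds the real upstream setting and the file alone cannot answer the question.

```python
import ipaddress

# Cloudflare's public resolver addresses (the 1.1.1.1 service), IPv4 and IPv6.
CLOUDFLARE_RESOLVERS = {ipaddress.ip_address(a) for a in (
    "1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001")}

# Constructed sample file contents, not copied from a real machine.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 1.1.1.1
nameserver 2606:4700:4700:0:0:0:0:1001
nameserver 127.0.0.1
nameserver 9.9.9.9
"""

def classify_nameservers(text):
    """Return [(address, verdict)] for each nameserver line, in file order."""
    results = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue  # comments, search/options lines, blanks
        try:
            # Drop an IPv6 zone id such as %eth0 before parsing.
            addr = ipaddress.ip_address(fields[1].split("%", 1)[0])
        except ValueError:
            results.append((fields[1], "invalid"))
            continue
        if addr in CLOUDFLARE_RESOLVERS:
            verdict = "cloudflare"
        elif addr.is_loopback:
            # A local stub or forwarder answers here; its upstream is
            # configured elsewhere, so this file alone cannot tell.
            verdict = "local-stub"
        else:
            verdict = "other"
        results.append((str(addr), verdict))
    return results

if __name__ == "__main__":
    for address, verdict in classify_nameservers(SAMPLE_RESOLV_CONF):
        print(f"{address:24} {verdict}")
```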
How can you fight against Cloudflare?
That is an excellent question.
It isn’t simple to avoid websites which are served by things like Cloudflare without any extra tools. Cloudflare is a big privacy problem. However, I have tips for the people who care about privacy.
Tell others about the danger of Cloudflare
You can ask websites to not use Cloudflare. Please do so respectfully. Mentioning why Cloudflare is not the best option might help. Stay kind.
I recommend that you suggest an alternative to them. You can find Cloudflare alternatives here.
You could write an article or share other people’s articles. Make more people aware of this problem.
Feel free to use the images on my site which are CC0 licensed. CC0 means that it is public domain licensed, which means that you can use it for any purpose. There are no restrictions.
There are browser extensions which can block Cloudflare. I recommend the Cloud Firewall add-on if you want to do that.
This is an extreme way of fighting against Cloudflare. I suggest that you spread the word instead. Mention the problem online.
Try to reach people. Dare to use stuff which you are against, so that you can reach more people. Connections with people are important.
The Cloud Firewall add-on can block connections to pages and web resources hosted in major cloud services if the user wishes to do so.
It supports blocking Google, Amazon, Facebook, Apple, Microsoft and Cloudflare. Cloud Firewall has a whitelisting option, so that it can disable blocking on specific websites.
Even more reasons
The Stop Cloudflare repository
The following git repository contains more reasons and links to articles of other people. I highly recommend checking it out.
It is a good source of information. The structure of the repository might make it a bit hard to look through.
Stop Cloudflare repository
Forking the repository
I am thinking of forking the repository, because they have made some decisions which I find pretty dumb.
I am a maintainer, but I will probably leave the project, and I haven’t been very active anyways. Their mission isn’t bad though.
Translating the README
This was a good idea, but not when the translations aren’t accurate at all. It just went through Google Translate.
The maintainers aren’t too open-minded
The maintainers are in general privacy geeks, who are not too open with spreading the sources on closed source stuff, so the word doesn’t get spread that well.
I don’t think that many of them get how the world works. They aren’t influencing many people.
The maintainers have removed stuff before. There often isn’t much communication between them. Some removed stuff was actually good for the user experience.
The user experience
The README is pretty hard to read, especially for people who aren’t computer nerds.
It is kinda a mess and looks childish. It contains much complaining, but not that many solutions. Keep it short and get to the point.
Is privacy worth it?
I think that productivity matters more than privacy. There are tools which provide productivity while also being better for security and privacy. Take a look at KeePassXC for example.
I would go for the more secure alternative if it doesn’t hurt my productivity too much. I do this because I still want to support privacy for the people who need it.
Don’t get me wrong, privacy is important, but not enough people fight for it. Make sure that you are a bit more secure than average users, but don’t overdo it.
Just know that privacy almost does not exist, but it is worth fighting for. Some people really need it.
- How important is online privacy? - contains thoughts about online privacy, is the extra effort worth it?