30 July 2016
Russia Doesn't Like CloudFlare
Daniel Brandt writes:
Russia doesn't like CloudFlare
Nearly 30 percent of the IP addresses that are banned by the official Internet
regulatory agency in Russia are domains protected by CloudFlare:
http://www.crimeflare.com/russia.html
Why CloudFlare's reckless and crazy version of free speech on the Internet,
protected by their half-baked SSL, will ultimately fail as a business model
(from two new paragraphs added to www.crimeflare.com/cfssl.html):
CloudFlare's 86 "data centers" around the world are typically a rack or two
of equipment that CloudFlare ships to a real data center, along with installation
instructions. We asked CloudFlare to confirm that sniffing is possible at
these so-called "data centers," but they didn't respond. By now we're wondering
if there's a plaintext Ethernet port at the back of their equipment rack
that makes interception easy and convenient. If so, it would make no difference
whether the origin server has its own certificate.
CloudFlare may claim that there is no way plaintext can be accessed from
their equipment racks, despite the fact that some sort of decrypt and re-encrypt
must occur there due to the nature of their role as a CDN. After all, CloudFlare
has engineers who come up with clever techniques to enhance SSL. But imagine
that you are a government regulator in a country where a big ISP hosts a
CloudFlare "data center." Your job is to consider the Internet in terms of
public safety and current laws, and you go to that ISP with a list of
CloudFlare-user domains you want blocked. The ISP replies that everything
is encrypted, and CloudFlare traffic cannot be intercepted. In other words,
nothing can be done about the ISIS sites, carders, booters, gamblers, escorts,
phishers, malware, and copyright infringers that CloudFlare protects. How
would you respond? It's fairly obvious -- you ask this ISP to block the
CloudFlare IP addresses used by the offending domains (this is already happening
in Russia). If those IPs change, then block CloudFlare's entire IP space,
and continue to monitor the situation. If CloudFlare's traffic still gets
through, you ask the ISP to pull the plug on CloudFlare's racks. This is
why CloudFlare will add a plaintext port to their own hardware someday, if
they haven't already.
END