

30 July 2016

Russia Doesn't Like CloudFlare


Daniel Brandt writes:

Russia doesn't like CloudFlare

Nearly 30 percent of the IP addresses that are banned by the official Internet regulatory agency in Russia are domains protected by CloudFlare:

http://www.crimeflare.com/russia.html

Why CloudFlare's reckless and crazy version of free speech on the Internet, protected by their half-baked SSL, will ultimately fail as a business model (from two new paragraphs added to www.crimeflare.com/cfssl.html):

CloudFlare's 86 "data centers" around the world are typically a rack or two of equipment that CloudFlare ships to a real data center, along with installation instructions. We asked CloudFlare to confirm that sniffing is possible at these so-called "data centers," but they didn't respond. By now we're wondering if there's a plaintext Ethernet port at the back of their equipment rack that makes interception easy and convenient. If so, it would make no difference whether the origin server has its own certificate.

CloudFlare may claim that there is no way plaintext can be accessed from their equipment racks, despite the fact that some sort of decrypt and re-encrypt must occur there due to the nature of their role as a CDN. After all, CloudFlare has engineers who come up with clever techniques to enhance SSL. But imagine that you are a government regulator in a country where a big ISP hosts a CloudFlare "data center." Your job is to consider the Internet in terms of public safety and current laws, and you go to that ISP with a list of CloudFlare-user domains you want blocked. The ISP replies that everything is encrypted, and CloudFlare traffic cannot be intercepted. In other words, nothing can be done about the ISIS sites, carders, booters, gamblers, escorts, phishers, malware, and copyright infringers that CloudFlare protects. How would you respond? It's fairly obvious -- you ask this ISP to block the CloudFlare IP addresses used by the offending domains (this is already happening in Russia). If those IPs change, then block CloudFlare's entire IP space, and continue to monitor the situation. If CloudFlare's traffic still gets through, you ask the ISP to pull the plug on CloudFlare's racks. This is why CloudFlare will add a plaintext port to their own hardware someday, if they haven't already.

END
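An added illustration of the measurement behind the "nearly 30 percent" figure and of the per-IP blocking described above (example code, not Brandt's, crimeflare's or CloudFlare's): it classifies a regulator's blocklist against a CDN's edge ranges and counts how many listed domains share a single edge address, which is the collateral a block on that address hits. The ranges and blocklist entries are constructed samples using documentation prefixes; a real run substitutes the CDN's published list and the regulator's actual registry.

```python
import ipaddress
from collections import Counter

# Constructed sample: stand-ins for a CDN's published edge ranges. These are
# documentation prefixes, not CloudFlare's real list.
CDN_RANGES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:c0de::/48")]

# Constructed sample blocklist: (blocked address or prefix, domain it was listed for).
SAMPLE_BLOCKLIST = [
    ("203.0.113.10", "example-a.test"),
    ("203.0.113.10", "example-b.test"),   # same edge address as example-a
    ("203.0.113.77", "example-c.test"),
    ("198.51.100.5", "example-d.test"),   # origin-hosted, not behind the CDN
    ("192.0.2.0/28", "example-e.test"),   # a whole prefix listed at once
    ("2001:db8:c0de::1", "example-f.test"),
    ("not-an-ip", "example-g.test"),      # malformed registry entry
]


def on_cdn(addr: str) -> bool:
    """True if the address or prefix lies entirely inside one CDN edge range."""
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False  # malformed entries are reported as non-CDN, never raised
    return any(net.version == r.version and net.subnet_of(r) for r in CDN_RANGES)


def collateral_report(blocklist):
    """Share of listed addresses that are CDN edges, and edges shared by several domains."""
    cdn_entries = [(a, d) for a, d in blocklist if on_cdn(a)]
    unique_addrs = {a for a, _ in blocklist}
    cdn_addrs = {a for a, _ in cdn_entries}
    domains_per_edge = Counter(a for a, _ in cdn_entries)
    return {
        "total_entries": len(blocklist),
        "cdn_entries": len(cdn_entries),
        "cdn_share_of_addresses": len(cdn_addrs) / len(unique_addrs),
        # every domain behind one of these edges is cut off by a block on that IP
        "shared_cdn_addresses": {a: n for a, n in domains_per_edge.items() if n > 1},
    }


if __name__ == "__main__":
    print(collateral_report(SAMPLE_BLOCKLIST))
```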