The Wikipedia article says Cloudflare has been used to host hate speech, websites with illegal content and forums connected to all sorts of illegal activities. And I see them being used by a lot of decent webservices but shady ones as well.

So my question, can Cloudflare be used for something alike “bulletproof hosting”? Does anyone know if they collaborate with law enforcement or care once someone sends a mail to the abuse contact? Or if there’s a way to find information about a Cloudflare protected server for the public?

Hypothetical question, I’m just curious and I thought maybe someone here has first-hand experience with getting their account terminated or reporting content or doing piracy via them or whatever…

  • Auli@lemmy.caEnglish
    4·
    5 hours ago

    No they do not, and yes they are an American company they have to follow the rules. They also MITM, I wonder how many of the self hosters who use their tunnels realize this. Hosting a password manager behind them would be funny since they can scrape all your passwords.

    • hendrik@palaver.p3x.deOPEnglish
      2·
      4 hours ago

      Yes, I rarely see this being discussed. Cloudflare terminates the encryption, hopefully re-encrypts it on the way upstream, but they have access to all the content in the forwarded traffic. Not sure about the password managers, though. I believe most of them encrypt stuff on the device itself before sending it over the network, and there are no cleartext passwords transferred or stored on the servers.

  • nuggie_ss@lemmings.worldEnglish
    42·
    14 hours ago

    If you’re doing anything risky, then you can’t rely on a service like cloudflare.

    They are 100% in bed with all of the 3 letter agencies.

    If, for whatever reason, someone with power deems your website unpleasant, it will be taken down unceremoniously and any information that links it to you will be used to find and punish you.

    • FreedomAdvocateEnglish
      1·
      5 hours ago

      Just a clarification - theyre not “in bed” with anyone, they just comply with legal orders.

  • darvocet@infosec.pubEnglish
    391·
    1 day ago

    I have experience working in large data centers that provide hosting. What I can tell you is that various government agencies do and will randomly come by the data center with warrants and court orders for things. I’ve literally had NASA show up (wtf?) and have to pull a server offline while they mirror the hard disk. All very hush hush make excuses to the customer when they open a ticket. Another thing that happens is that the FBI has placed their servers within internal spaces of the network. When they get a court order they can open a ticket with our abuse department and whatever switch port the feds are interested in can be mirrored and sent to their packet capture servers.

      • darvocet@infosec.pubEnglish
        1·
        5 hours ago

        Yea that’s the point it didn’t make sense. The literal “national aeronautics and space adminiatraton” sent tech and security people to a physical data center to copy a hard drive.

    • darvocet@infosec.pubEnglish
      13·
      1 day ago

      I’ll add to this that I’m old - these days in a cloud environment they don’t even have to come to the data center to image the hard drive.

      • madasi@lemmy.dbzer0.comEnglish
        7·
        1 day ago

        Exactly. Most cloud virtualization providers you just take a snapshot of the virtual disk and provide that when requested and the customer never has a clue that is happened. I’d get contacted by our legal department, told that my boss was only to be told that I was working for them for now and no other details, and then directed on what they needed a copy of and how to send it to them.

      • hendrik@palaver.p3x.deOPEnglish
        3·
        22 hours ago

        Thanks for your insight. Reading these stories always makes me feel data should stay on own premises with extra security measures. And yes, on my VPS, imaging the storage is one click and I believe it’s done online without any interruption of service. Not that I do a lot of illegal stuff on the internet. But with the current situation in the US and the general overboarding surveillance, I think i’d like to keep their government and agencies out of my emails and personal stuff… (And maybe even what I do publicly and within legal limits.)

        Though I didn’t ask about privacy here, but anonymity. And I guess selfhosting stuff at home isn’t an option either. Everyone can tell my ISP and location to like 30km with that. And link the IP to other activities.

          • hendrik@palaver.p3x.deOPEnglish
            1·
            5 hours ago

            Sure, email is bad and we don’t have any worthy successor. I can only deal with the most problematic aspects. Keep my inbox stored somewhere where people can’t just easily go through all my stored mails and I guess it’s transport encrypted more often than it’s not… But yeah, it’s only a little bit and “secure” shouldn’t be in one sentence with email, I guess 😟

  • Typewar@infosec.pubEnglish
    4·
    17 hours ago

    Cloudflare takes a neutral response in general but are not resistant to law enforcement demands.

    What you can do is to create a cloudflare account on Tor, buy a privacy-focused VPN that supports port forwarding, connect your server to the VPN and point the DNS record to the VPN ip address. And then create a port rewrite rule in cloudflare settings (because port forwarding supported VPNs rarely support lower than 1024 ports). Atleast in this case, law enforcement notices won’t be forwarded to your ISP… still not bulletproof, but good enough for most stuff if you have concerns.

  • _cryptagion [he/him]@anarchist.nexusEnglish
    18·
    1 day ago

    Does anyone know if they collaborate with law enforcement

    yes, they do. they aren’t there to provide bulletpoof hosting, they are there to make your site resistant to DDoS attacks. as an added bonus, if you are selfhosting they also provide you with a bit of anonymity, in the sense that someone can’t just figure out your general location from your ISP.

    that doesn’t mean people can’t figure out who you are from the content you host. and if you are hosting content that is illegal, even if it’s illegal in another country, then you are likely to be exposed when their courts subpoena cloudflare. cloudflare isn’t going to fight too hard to protect your identity against a government, and honestly I don’t blame them for that because they never said that was their mission or purpose. they are DDoS protection, with a few other features that might be useful to you.

    • FreedomAdvocateEnglish
      1·
      5 hours ago

      Calling cloudflare “DDOs protection, with a few other features that might be useful to you” is so insanely downplaying what cloudflare provides.

  • Irdial@lemmy.sdf.orgEnglish
    14·
    1 day ago

    According to W3Techs, Cloudflare is used for 80.9% of all known reverse proxy endpoints which account for 19.8% of the entire Internet. It’s safe to say it’s used to host both legal and illegal content with that broad of a scope.

    They are an American company and must cooperate with law enforcement when abuse is reported. If you’re planning on hosting pirated content, that most definitely violates their terms of service and will get you in trouble.