The Hacker‘s ChoiceSep 26, 2023
CF is amassing a lot of power. With 30% of all Internet Traffic going through CF and them decrypting all HTTPS traffic at the Edge...and able to change any or all of it transparently. This extract from CF's blog reads like a Government/Thread Actor's dream come true....
Show threadSeirdySep 27, 2023

@thc The image in the parent post is a screenshot of the first paragraph of the “Parsing and modifying HTML on the fly” section of this Cloudflare blog post.

I don’t like seeing people take my side for reasons I disagree with, so:

On-the-fly HTML rewrites are standard features for any website hosting provider, esp. classic PHP-enabled web hosts. The “HTTPS-compromising intermediary” argument” doesn’t hold water if you treat a CDN as a hosting provider.

There are much better reasons to oppose CloudFlare: their “hate credits”, scope creep, and undermining of browser diversity (by sending uncommon TLS fingerprints through CAPTCHA hell) are better reasons, especially given their market share.

Incident report on memory leak caused by Cloudflare parser bug

Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare.

The Cloudflare Blog
Show threadMortSinyxSep 27, 2023
Agreed, @Seirdy, although as @thc mentioned, 30% of the interwebs traffic (BTW , commonly cited figure last year was 20%) being visible gives clownflare a lot of power to abuse. The line between a backup key for a friend and a master key that can unlock every door in the neighborhood is not so fine IMHO.
Show threadSeirdy
@cnx @thc Agreed, their market share makes their anti-browser-diversity TLS fingerprinting-based CAPTCHA hell extremely problematic.
Sep 27, 2023 at 4:52amWeb