I'm looking for recent examples of Cloudflare not responding to verified complaints of abuse by customers using its service, particularly its pass-through service. Additionally, how does Cloudflare's abuse policy compare with those of competitors such as Fastly? Please text me on Signal at DanArs.82 or DM me here.
@dangoodin Does this have to do with Encrypted Client Hello since non-decrypting middle boxes won't know the real destination?
Link preview: "Too big to care? - Our disappointment with Cloudflare's anti-abuse posture" (The Spamhaus Project blog): "We're deeply concerned about the abuse management and prevention policies of Cloudflare; read the full article to understand what we're seeing, the critical issues, and our recommendations for change."

@dangoodin Now imagine that those millions of websites all look exactly the same on the wire, so any network-level controls are useless unless they're decrypting. If Cloudflare isn't taking down malicious sites it's front-ending, it's a huge threat vector for companies.

It's awesome for personal privacy tho!

@dangoodin Dan, any reports going to abuse@cloudflare are ignored

More so if they are sent via the spamcop service

@dangoodin Please keep us informed what you find.

@dangoodin I can provide the Cloudflare narrative: They state that they aren't the justice system, and as a provider of critical internet infrastructure becoming one would be a bad idea:

- https://blog.cloudflare.com/why-we-terminated-daily-stormer
- https://gizmodo.com/cloudflare-ceo-on-terminating-service-to-neo-nazi-site-1797915295

I, personally, agree with this perspective, though notably Cloudflare has deviated from these principles on occasion, e.g. in the case of KiwiFarms.

https://torrentfreak.com/daily-stormer-termination-haunts-cloudflare-in-online-piracy-case-170929/

Link preview: "Why We Terminated Daily Stormer" (The Cloudflare Blog): "Earlier today, Cloudflare terminated the account of the Daily Stormer. We've stopped proxying their traffic and stopped answering DNS requests for their sites. We've taken measures to ensure that they cannot sign up for Cloudflare's services ever again."
@eb @dangoodin sounds like they shouldn't have been allowed to become critical Internet infrastructure.

@swift @dangoodin what is this statement in direct response to? their stated policy of not making ethical calls, or their occasional divergence from said policy?

@eb @dangoodin the former, primarily. If it isn't appropriate for them to take that responsibility, then they shouldn't be in that position.

@swift @dangoodin I think my argument hinges upon the assertion that Cloudflare is a critical infrastructure provider. If they, in this position, begin making judgement calls, this is a slippery slope, as there is no objectivity in ethics. For instance, a homophobe might request Cloudflare stops protecting a LGBTQ site because think of the children. It's just not their role to make these choices.

1/?

@swift @dangoodin This argument also hinges on the fact that the anti-DDoS infrastructure is free. I think the “we can’t make decisions about who we take money from” argument is weak.

To make an analogy, the former is building a wall for protection around a city but excluding populations you as ruler find unfavorable.

The latter is a fencing company that builds fences around homes that pay them to do so.

@dangoodin I can't say much about passthrough. We see it but the report mechanism itself is flawed as they can share the reporters' info with the CF customer. More often, we see Cloudflare Turnstile heavily abused by various threat actors. It makes phish analysis at scale hard (keeps some automated analysis machinery out); Cloudflare has not been helpful at all and won't meaningfully partner with security orgs to make this easier.

@dangoodin hey there, [email protected] is the right place to email to get the details on Fastly's specific policies and procedures

@austinspires

I'm interested in knowing what the experience is of people who make abuse requests to Fastly et al. I know how to get Fastly's stated policies.