Regardless of whether you agree or disagree with their "arguments", I'm pretty sure dismissive name calling has no place in an adult discussion. That was my point.
Thank you, it looks like you have your moral compass pointed to the right direction :-)
While I applaud the things above I'm concerned about Cloudflare's (growing) size. If it handles so many websites' traffic it's an interesting target for the NSA, hackers and other malicious actors. I assume that most of your users use the free SSL certs, meaning Cloudflare possesses their private keys.
The more Cloudflare grows, the faster and the more encrypted "the internet" becomes. But the more Cloudflare grows, the bigger the single point to attack gets (I'm even assuming Cloudflare is and always will be a good actor).
What's your stance on this? Could you comment on this?
I/we worry about hackers and malicious actors all the time. One of the reasons we're greatly expanding our infosec department and hired Joe Sullivan [1] is to help keep us safe. We're doing a lot of work with memory-safe languages (hello, Rust!) to help stop Cloudbleed from repeating itself. [2] We're doing stuff around physical location of private keys [3]. And so on and so on.
We're open about government requests [4] and we've been pretty robust with stuff like NSLs; we went to court to be able to release NSLs [5] and were able to release two. [6]
Call me a tinfoil hatter but I've always assumed that the likes of Cloudflare, knowingly or not, are a key part of the Internet surveillance state.
It would be relatively easy for the likes of the NSA to infiltrate DDoS protection companies, then DDoS dark target sites until they choose cheap DDoS mitigation and bring their users' traffic into the clear.
> "One of the reasons we're greatly expanding our infosec department and hired Joe Sullivan [1] is to help keep us safe."
I am assuming this is the same Joe Sullivan, the former CSO at Uber who was fired for failing to disclose the 2016 data breach to regulatory officials or to notify the 600K drivers and 57 million customers that were affected? [1][2][3]
And keeping it secret for more than a year? I am not sure that association instills confidence.
Then he should have blown the whistle, no? I mean, his title was CSO. Wasn't there a moral imperative there to notify millions of users who were affected? I don't think it's a stretch to say that by participating in a cover-up you are complicit, even if the original decision wasn't yours.
I don't believe we ever wrote it up, it was just an internal algorithm change made in 2016. I can see the internal pull request but don't think we blogged about it.
Seems like an oversight not to promote this change. The way Cloudflare completely crippled the user experience of using Tor, plus the subsequent condescending and poorly handled PR responses I saw on HN and elsewhere, was the reason I completely stopped using Cloudflare and stopped recommending it to people.
> And who was it that changed their algorithm for handling TorBrowser traffic so that there's no need to show those CAPTCHAs? Oh. Cloudflare.
If you're checking for a custom user agent, you're doing it wrong. Not all people using Tor to try and browse the web limit their browser choice like that.
I still have the terrible experience of having to train Google's ANNs every 5 minutes when using regular Firefox and Chromium over a Tor SOCKS proxy and I blame CloudFlare for single-handedly destroying web browsing over Tor.
And who was it that changed their algorithm for handling TorBrowser traffic so that there's no need to show those CAPTCHAs? Oh. Cloudflare.
And who was it that gave our customers control over how Tor traffic is handled? Oh. Cloudflare. [2]
[1] https://blog.cloudflare.com/cloudflare-supports-privacy-pass...
[2] https://support.cloudflare.com/hc/en-us/articles/203306930-D...