
And who was it that worked with researchers on Privacy Pass to provide anonymous access for web users? Oh. Cloudflare. [1]

And who was it that changed their algorithm for handling TorBrowser traffic so that there's no need to show those CAPTCHAs? Oh. Cloudflare.

And who was it that gave our customers control over how Tor traffic is handled? Oh. Cloudflare. [2]

[1] https://blog.cloudflare.com/cloudflare-supports-privacy-pass...

[2] https://support.cloudflare.com/hc/en-us/articles/203306930-D...




(For those of you who missed it: parent poster @jgrahamc is CTO of Cloudflare.)

Don’t get too snarky, John. Thanks for working with the Tor community, but haters gonna hate.


I think changing "And who was it that" in every sentence to "We" and removing "? Oh. Cloudflare." automatically would remove the snarkiness.


I think "We did" would be better, especially when you play the appropriate The Simpsons song in the background...


Yes indeed, that comment was more about tone than content.


I for one would like to see more snarky CTOs on HN


So someone expressing an opinion contrary to your own makes them a "hater"? Wow.


No, but his arguments do.


Regardless of whether you agree or disagree with their "arguments", I'm pretty sure dismissive name calling has no place in an adult discussion. That was my point.


Welcome to modern internet "discourse"...


Thank you, it looks like you have your moral compass pointed to the right direction :-)

While I applaud the things above I'm concerned about Cloudflare's (growing) size. If it handles so many websites' traffic it's an interesting target for NSA, hackers and other malicious actors. I assume that most of your users use the free SSL certs, meaning Cloudflare possesses their private keys.

The more Cloudflare grows, the faster and the more encrypted "the internet" becomes. But the more Cloudflare grows, the bigger the single point to attack gets (I'm even assuming Cloudflare is and always will be a good actor).

What's your stance on this? Could you comment on this?


I/we worry about hackers and malicious actors all the time. One of the reasons we're greatly expanding our infosec department and hired Joe Sullivan [1] is to help keep us safe. We're doing a lot of work with memory-safe languages (hello, Rust!) to help stop Cloudbleed from repeating itself. [2] We're doing stuff around physical location of private keys [3]. And so on and so on.

We're open about government requests [4] and we've been pretty robust with stuff like NSLs; we went to court to be able to release NSLs [5] and were able to release two. [6]

[1] https://blog.cloudflare.com/why-im-joining-cloudflare/

[2] https://blog.cloudflare.com/writing-complex-macros-in-rust-r...

[3] https://blog.cloudflare.com/geo-key-manager-how-it-works/

[4] https://www.cloudflare.com/transparency/

[5] https://blog.cloudflare.com/ninth-circuit-rules-on-nsl-gag-o...

[6] https://blog.cloudflare.com/cloudflares-transparency-report-...


Call me a tinfoil hatter but I've always assumed that the likes of Cloudflare, knowingly or not, are a key part of the Internet surveillance state.

It would be relatively easy for the likes of the NSA to infiltrate DDoS protection companies, then DDoS dark target sites until they choose cheap DDoS mitigation and bring their users' traffic into the clear.


>" One of the reasons we're greatly expanding our infosec department and hired Joe Sullivan [1] is to help keep us safe."

I am assuming this is the same Joe Sullivan, the former CSO at Uber who was fired for failing to disclose the 2016 data breach to regulatory officials or notifying the 600K drivers and 57 million customers that were affected? [1][2][3] And keeping it secret for more than a year? I am not sure that association instills confidence.

[1] https://www.darkreading.com/informationweek-home/ubers-respo...?

[2] https://www.engadget.com/2017/12/01/uber-but-for-toxic-techb...

[3] https://www.technologyreview.com/s/609539/uber-paid-off-hack...


From what I understood, it wasn’t his choice to keep it secret was it? I mean they lobotomized his team and everything it felt like.


Then he should have blown the whistle, no? I mean his title was CSO. Wasn't there a moral imperative there to notify millions of users who were affected? I don't think it's a stretch to say by participating in a cover up you are complicit even if the original decision wasn't yours.


> And who was it that changed their algorithm for handling TorBrowser traffic so that there's no need to show those CAPTCHAs? Oh. Cloudflare.

Thanks, that'd be great news! I couldn't find any information about that, any chance you could pull out a link like for your other points?


I don't believe we ever wrote it up, it was just an internal algorithm change made in 2016. I can see the internal pull request but don't think we blogged about it.


Seems like an oversight to not promote this change. The way Cloudflare completely crippled the user experience of using Tor, plus the subsequent condescending and poorly handled PR responses I saw on HN and elsewhere, was the reason why I completely stopped using Cloudflare and stopped recommending it to people.


Thanks for that, don't forget to change it to conform with the upcoming Tor Browser for Android and ESR60-based alpha releases.


Thank you!


Have to give props for that, using Tor for daily browsing was annoying and horrible a few years back, it got a lot better


Good. And if it ever degrades again because we've broken something and not realized, my email address is jgc (you guess the domain).


Hey, that's pretty cool, glad you sorted the second one out. Never heard about the first one and the third, well, double edged sword.


> And who was it that changed their algorithm for handling TorBrowser traffic so that there's no need to show those CAPTCHAs? Oh. Cloudflare.

If you're checking for a custom user agent, you're doing it wrong. Not all people using Tor to try and browse the web limit their browser choice like that.

I still have the terrible experience of having to train Google's ANNs every 5 minutes when using regular Firefox and Chromium over a Tor SOCKS proxy and I blame CloudFlare for single-handedly destroying web browsing over Tor.



