> When OpenDNS was first ordered to block pirate sites in France, the company made a simple but drastic decision to leave the country entirely, effectively affecting all French users. Last week, it repeated this response in Belgium following a similar court order.
Who would have thought that Cisco would be on the side of the good guys for once?!
As for Cloudflare, what they do is scary. The screenshot clearly shows a valid HTTPS certificate, so either they don't do DNS blocking but instead implement the block on their loadbalancer side or they mis-issue HTTPS certificates. The former is only possible when the target site is also served by Cloudflare (which leaves the question what Cloudflare does for domains that are targeted by a court order but not using Cloudflare loadbalancing), the latter would be a serious breach of how HTTPS certificates should be issued.
And in the end I believe that courts need to be educated on how the Internet works. Companies should not be allowed to target DNS, they should be forced to target the actual entities doing the infringement - and if the target isn't in the scope of Western jurisdictions (that have various legal-assistance treaties), it's either tough luck (e.g. if the pirates are in Russia, China or other hostile nations) or they should get their respective government involved to use diplomatic means.
> And in the end I believe that courts need to be educated on how the Internet works
This is not an education issue. Rights holders want to use every tool in the box to add friction and barriers to piracy, courts offer pushback only when that would result in a marked loss in utility for ordinary users. They do not care about the sanctity of DNS or whatever engineer-brained ideals are being violated.
The sanctity of TLS certificates is the backbone of internet banking and basic privacy for everyday users. It's surprising that you or the courts would see this as a problem that only affects engineers, when it weakens the guarantees that everyday people and businesses rely on to conduct their business safely.
The trust we have in the CAs who are embedded in our root stores is very important - yes.
Thankfully, in this case the issue at hand is entirely unrelated to TLS, rogue CAs etc. Or even DNS record manipulation (for now)...
Cloudflare put a 'You're blocked' page, on the web server that Cloudflare are already running for their customer. The customer being the website that Cloudflare is being ordered to block (for users in certain countries).
Cloudflare's actions seem to me to be similar to sending out letters saying "this client has been banned from using our services" using that client's own letterhead. Are they not misrepresenting the communication as though it's from the client, when really it's from Cloudflare? Sure, it's benign, but it's an unnecessary muddying of the waters.
> The screenshot clearly shows a valid HTTPS certificate, so either they don't do DNS blocking but instead implement the block on their loadbalancer side or they mis-issue HTTPS certificates. The former is only possible when the target site is also served by Cloudflare (which leaves the question what Cloudflare does for domains that are targeted by a court order but not using Cloudflare loadbalancing), the latter would be a serious breach of how HTTPS certificates should be issued.
Cloudflare's statement in that screenshot:
> Given the extraterritorial effect as well as the different global approaches to DNS-based blocking, Cloudflare has pursued legal remedies before complying with requests to block access to domains or content through the 1.1.1.1 Public DNS Resolver or identified alternate mechanisms to comply with relevant court orders. To date, Cloudflare has not blocked content through the 1.1.1.1 Public DNS Resolver.
I interpret this part of what Cloudflare said to mean that so far every domain they've been asked to block has either been appealed successfully or was using Cloudflare's CDN, DDoS mitigation & WAF services, therefore they could just selectively block the visitors with HTTP 451. If they were asked to block a domain that wasn't using Cloudflare, I'm sure that would be the first instance of them having to modify the DNS response - but they would have to, or stop doing business in that jurisdiction like what OpenDNS did.
Cloudflare is quite notorious about not policing the content being fronted by their service, and are quite popular with less than legal (but still clearnet) sites.
In the example cases, they already had TLS certificates issued and were using them for the legitimate traffic of that domain as it was fronted by Cloudflare.
Not really sure what you find scary about that. If you set Cloudflare as your DNS provider, they own the DNS response they give you. If they get court ordered to redirect you to a site saying this is illegal, is your preference for this to be over plaintext?
Cloudflare is a public CA. Your browser or OS trusts it implicitly. If you don’t trust Cloudflare, remove it from that list I guess.
> If you set cloudflare as your dns provider, they own the dns response they give you. If they get court ordered to redirect you to a site saying this is illegal. Is your preference for this to be over plaintext?
Very important distinction here, the people being 'impacted' by this court order are end-users who decide to use Cloudflare's recursive DNS resolver (1.1.1.1 / 1.0.0.1 etc).
There's also the topic of what authoritative nameserver a domain uses. And also if a domain uses Cloudflare's WAF/CDN services to front their website.
A website can use Cloudflare's WAF/CDN without using their authoritative nameserver, and vice versa.
In this case, every domain that's been ordered to be blocked was already using Cloudflare's WAF/CDN service. So Cloudflare did the block at that level, rather than changing how Cloudflare's recursive DNS resolver responds to DNS queries.
No additional TLS certificates were issued - they already had valid certs because they're fronting the domain.
> A website can use Cloudflare's WAF/CDN without using their authoritative nameserver, and vice versa.
Is this true for the free accounts? My understanding was that only enterprise and possibly pro accounts permitted this. I thought that people using free accounts had to point their entire zone entirely to CF to be managed only by CF. I could be wrong.
I believe you're thinking of the domain registration side. If you want to use Cloudflare as your domain registrar, you must use their authoritative nameservers - unless you're on the enterprise plans.
I don't use them for either, they've got too much market share for my comfort.
No, I am not referring to domain registration. I am fairly certain that if I want to use their free accounts I would have to point the root servers at them to manage my zones even though they are registered through a dozen other registrars. In other words I cannot manage my own DNS if I use their free accounts. It's not a big deal since I also do not use them. I make my own tiny CDNs when I need one. It's all hobby sites for me these days, retired from tech and no longer manage big zones.
So in other words, instead of being able to have the root servers provide the IP addresses of my bare metal servers running NSD NS records, I would have to tell the root servers via the registrars I use to give the NS names/IPs of Cloudflare's DNS servers. The domains are still on the dozen registrars I use but CF have to be authoritative for them for the free accounts, or at least that is the way it was when I first played with CF after they stopped being honeypots that I contributed to. I would say custom DNS but nowadays that means 50 different things to 50 different DNS admins on HN. It's just apex NS records in the root anycast clusters.
You're right, I was mistaken. Using a CNAME or A record as the only method to direct traffic at a label towards Cloudflare's reverse proxy is not available on the Free or Pro tier.
For me it’s Cloudflare circumventing its transparency reporting. That’s lying. If they’re willing to lie about something like this, I wonder what else they found a technical workaround for.
Note that the CAs that Cloudflare uses have not mis-issued any certificates in this case; the certificate was legitimately issued for Cloudflare to front the site in question with their CDN/WAF services. It just happens that the court order will make Cloudflare front them with an HTTP 451 instead, for visitors from the relevant countries.
There is no bypassing of certificate transparency, as there was no additional TLS certificate issued, it was already in use.
If Cloudflare was demanded to block a different site that did not use Cloudflare's WAF service, they would have to do something else at the recursive DNS resolver level. So far that hasn't happened, because Cloudflare is incredibly popular, especially so for less-than-legal sites.
> There is no bypassing of certificate transparency
Transparency as in their reporting, not the technical details of certificate issuance.
FTA: “Interestingly, Cloudflare maintains in its transparency report that it is not blocking content through its public DNS resolver. Instead, it points out that it uses ‘alternate mechanisms’.”
> That's accurate, the DNS responses for these domains previously did, and still do, point to Cloudflare's WAF/CDN. They haven't said anything like '...never blocked access to customer content...'.
It’s accurate in that bullshit isn’t technically a lie. If they’re willing to do this, they’re potentially willing to use their CDN to MITM DNS requests. Because after all, they’d be leaving the DNS request unmolested while doing the dirty work on their CDN.
Cloudflare are not a public CA (see bottom), they use public CAs just like the rest of us. I'm sure they have special enterprise arrangements with each of them.
Those public CAs have to verify domain ownership via the methods outlined in the CA/Browser Forum's baseline requirements. None of which Cloudflare would be able to follow (on behalf of these domains in question) if they did not use either of Cloudflare's authoritative nameservers or WAF/CDN.
Now, if Cloudflare were a public CA, they would still have to behave correctly and follow the baseline requirements otherwise they would be distrusted by clients.
Note that Cloudflare have a certificate authority called 'Origin CA' https://blog.cloudflare.com/cloudflare-ca-encryption-origin/, it is not publicly trusted though. It doesn't need to be, it's for website operators to install on their own web server, before it gets fronted by Cloudflare - rather than just running a self-signed cert or serving plaintext.
Cloudflare have only ever been able to do their job (on the reverse proxy CDN/WAF side), by doing full TLS interception. They see the session in plaintext.
The customer grants Cloudflare a TLS certificate for their site either by uploading a cert manually, or letting Cloudflare issue a cert via the ACME protocol. They use that to present the site to the world. Cloudflare connects back to the origin site, and the origin either uses HTTP (bad! but possible), HTTPS with a self-signed cert, HTTPS with another publicly trusted cert, or a cert that Cloudflare issues with their own (not publicly trusted) CA called Origin CA.
As the visitor, there's no big sign saying 'Cloudflare can read this content as well as the origin website'. They're trusted to not be malicious, sure, but there's a massive risk with using any sort of service like this that you don't control.
> As the visitor, there's no big sign saying 'Cloudflare can read this content as well as the origin website'. They're trusted to not be malicious, sure, but there's a massive risk with using any sort of service like this that you don't control.
In that case there is no way that company is not hooked into the intelligence services. I am certain they do go through the ceremony of legality for many actions but it is unreasonable to think no intelligence service has attempted to critically penetrate it. Add the mix of ideology du jour of the SV "VC intelligentsia" and software youth brigades.
You are entirely correct to point out that it is our "trust" that is taken for granted. And granted to CloudFlare by SV, YCombinator, and of course HackerNews itself that dumps on any voices raising concerns over these obvious "massive risks" so that the unauthorized delegation of trust is done behind our backs by capital and other interested parties. DDoS prevention is kind of like kiddie porn prevention, a perfect pretext for opening the door to equally serious violations, of our trust and rights.