Thib's Fellowship Blog


Archive for the ‘Uncategorized’ Category

CloudFlare in the middle

Sunday, June 22nd, 2014

What would happen if a lot of websites were all giving out their data (including login data) to a single entity?
What if those websites included www.cyanogenmod.org, en.bitcoin.it, blockchain.info, mywot.org, thedaywefightback.org, stopwatching.us, www.resetthenet.org, puu.sh, pastebin.com, www.blendernation.com, news.ycombinator.com, or 4chan.org?
Well, I don’t know what would happen, but a single entity does have access to all that data, has access to it live, and can even alter it on the fly, which they actually do as part of the service they provide.
No, SSL/TLS won’t save you, as this entity is the “secure” endpoint.
This entity is CloudFlare, an increasingly popular Content Delivery Network whose main selling point is protection against DDoS attacks, and for this purpose, they act as the perfect Man in the Middle.

Now, I’m not saying they’re a bad company. Their service is probably top notch, and they might even not peek at the data they have in their hands, as they promise!

But they have the technical ability to save each and every request on the aforementioned websites (and a lot more), and you would have no way to tell.
They could link your e-mail from thedaywefightback.org with the posts you’ve made on 4chan, for instance, or stealing your credentials on any of the websites they provide their service for.
They could also alter the data, censoring stuff on 4chan, misplacing information on mywot.com, giving you a malicious download link from cyanogenmod.org. The possibilities are endless.

Again, I am not claiming they are doing any of this stuff, but they could, and it would be extremely hard to detect.
Furthermore, they are a US-based company, and may be subject to FISA requests and gag orders.

Therefore, I have decided to block all of CloudFlare’s hosts from my personal computer.
That’s a bit extreme, but it was the easiest way I found to avoid those issues altogether.
To find out CloudFlare’s IP addresses ranges, you can get them directly from them (here for IPv6) or query a whois database such as whois.radb.net (“whois -h whois.radb.net !gAS13335” for IPv4, “whois -h whois.radb.net !6AS13335” for IPv6).

PS: When I first started to write about this, imgur.com and www.humblebundle.com, amongst others, were behind CloudFlare too. They now have transitioned away to different services, that may or may not have the same issues.