This might seem strange at first - why would you need a program to access a web resource?
But there are many things that work on the web like this, including RSS, podcasts, and anti-virus definitions[57][58], which are completely broken by a CAPTCHA appearing mid-stream[11].
This software stack includes human language: the CAPTCHAs are in English, putting non-English speakers around the world at a disadvantage[13]. Attempts to fix this are constrained by the fact that they also leak language information to Cloudflare[21].
More importantly, though, it starts to form a ratchet for web browser technology: the CAPTCHAs are upgraded all the time, and if you use an older web browser you risk being left behind even if it works now.
"When you fetch a page from a website that is served from CloudFlare, Javascript has been injected on-the-fly into that page by CloudFlare. And they also plant a cookie that brands your browser with a globally-unique ID. This happens even if the website is using SSL and shows a cute little padlock in your browser" [10]
"The short version, a rhetorical question: Would you trust a key escrow regime, in which an “authorized” entity was entrusted with the potential to decrypt all communications at will? If not, why would you trust a de facto mass decryption chokepoint at which many communications are actually decrypted?"[34]
"CAPTCHA remains the most problematic item indicated by respondents"
Cloudflare is one of the largest, if not the largest, sources of non-consensual CAPTCHAs, making them quite possibly the biggest impediment to accessibility efforts worldwide.
- Cloudflare makes Tor frustrating, making efforts to become anonymous more
difficult and making it more likely that people will use non-Tor connections
for some or all of their web browsing traffic. The problem is getting worse[13] with time.
- It's not just Tor[19], but Tor users are the biggest group of people who have noticed it and are organizing against it so far.
- In particular, the model of Project Honeypot depends on one IPv4 address meaning one person. As IPv4 addresses become scarce, more and more ISPs (and whole countries[22]) are forced to use higher and higher levels of NAT. The result is that the treatment Tor users get from Cloudflare starts to apply not just to Tor, but to all web users. "Tor is just being slightly ahead of what the IPv4 Internet is going to look like pretty soon."
And the next time a large group wakes up, it might be millions of websites being down (including critical ones) across a whole continent, which has happened already[49].
"It was made clear in the Snowden leaks that GCHQ, the NSA etc would like people to stop using Tor, so I am sure they are very happy to see CF make general web browsing difficult and frustrating for ordinary users."[12]
- Worse, Cloudflare makes using Tor *dangerous*, because enabling JavaScript and images to deal with their system makes it likely that some people will enable JavaScript and images on other websites, which would threaten them even if Cloudflare wasn't.[9]
- Cloudflare can target individual users with JavaScript malware: since you usually wind up enabling their JavaScript to use websites, you fall into their trap. Since they track users, give users per-user specific code, and work directly with the US government/DHS, there's no reason why they can't tailor attacks to users for them.
- Even if they aren't doing it yet, they are at any point one US government administration, one vulture capital funding purchase[26], or one internally rogue element away from executing JavaScript code on hundreds of millions of people's computers, a "highly attractive" target[7], with no oversight. The CAPTCHA code itself blocks attempts to detect such things.
- The way that Cloudflare is constructed means that even by accident, billions of people can be analyzed by their government[51], and can have their access cut at the government's whim.
unless you have the right kind of US government approved credential, contingent
perhaps on running software that only they approve of.
It is becoming a single point of failure for the internet[39].
Right now there are alternative sources for, for example, the US Constitution[17]. But it's not unthinkable that Cloudflare is getting big enough to threaten that.
"A.1 sometimes there are necessary websites for some degree of necessary. Government websites, public service, etc. How long until those are behind the "Great Cloudwall"?
B: Not long. Our service is competitive and convenient. If public service websites choose to use our service for awesome DDoS protection, it's their choice."[36]
cementing their power is to attack DNS. Their 1.1.1.1 DNS server, like Google's 8.8.8.8, is marketed to people so that even for websites that don't use Cloudflare, Cloudflare will still be able to see you're going to them, giving them further data to track you with.
"a service that positions itself as some kind of a grassroot-y anti-spam registry, but in reality seems to be a pro-corporate law enforcement tool with the specific aim of entrapping and prosecuting spammers/phishing scammers in a way that’s friendly to the marketing industry"
Cloudflare has a history of shutting down open DNS and open NTP servers.
"It would be great if they allowed GET requests - for example - such requests should not and generally do not modify server side content. They do not do this - this breaks the web in so many ways, it is incredible. Using wget with Tor on a website hosted by CF is... a disaster. Using Tor Browser with it - much the same. These requests should be idempotent according to spec, I believe."
Cloudflare has a history of closing tickets that are critical of it without
actually resolving the issue[29][30][32].
"Cloudflare is based in a country with secret courts, secret police and secret prisons that are above the law -- and this secret government has characterized Cloudflare's data as extremely valuable"[28]
"The CEO says 'Cloudflare's strength lies in the DATA it collects -- not in its CODE.'"[28]
"The U.S. federal government is a Cloudflare customer"[28]
"Cloudflare has never stated that a government agency did not install wiretapping equipment or software on the same premises as a Cloudflare server"[28]
"Cloudflare has never indicated that the architecture of its content distribution network is resistant to warrantless mass surveillance"[28]
"Cloudflare has given the Chinese government unprecedented censorship capability"[28]
"Cloudflare has no intention to shut down as Lavabit did in order to protect the user from unlawful surveillance"[28]
"Some Cloudflare customers are paying over 1 million dollars per year for an undisclosed service"[28]
*But Cloudflare is really necessary, the web is a nasty place*
- The more of the web is held within Cloudflare, the more pressure will be on
websites not behind Cloudflare.
- As of 2016, by Cloudflare's own data, Tor was not as bad as normal internet connections.
- "“But we need Cloudflare to protect from DDoS.” Hey, that’s a nice site you have there. It would be a shame, such a shame, if anything happened to it. Why don’t you let us decrypt all your TLS sessions[59], so we can protect you?"[14]
"DNS[50] is around, servers are insecure, proper end-to-end crypto isn't the norm hence MITM goes unnoticed, anonymity is an edge case, routing lacks built-in resiliency to disruption, we're always going to have actors building a business model around cobbling together superficial, overapproximating mitigations."[20]
"At least for browsing with Firefox, because Mozilla has partnered up with Cloudflare, and will resolve the domain names from the application itself via a DNS server from Cloudflare based in the United States. Cloudflare will then be able to read everyone's DNS requests."
Learn more about Cloudflare, and make sure the people around you know about Cloudflare. Use Tor by default to be more exposed to the blocks. Go to the anti-Cloudflare collaboration repository[41] and make sure websites you use don't use them, and if they do, contact the people who run the website and request that they no longer use Cloudflare. Get involved!
[49] slashgeek. CloudFlare is ruining the internet (for me) https://www.slashgeek.net/2016/05/17/cloudflare-is-ruining-the-internet-for-me/
[50] Hamid Sarfraz. How likely is it that CloudFlare is an NSA operation? https://www.quora.com/How-likely-is-it-that-CloudFlare-is-an-NSA-operation/answer/Hamid-Sarfraz
[51] Karthik Balakrishnan. Airtel is sniffing and censoring CloudFlare’s traffic in India and CloudFlare doesn’t even know it. https://medium.com/@karthikb351/airtel-is-sniffing-and-censoring-cloudflares-traffic-in-india-and-they-don-t-even-know-it-90935f7f6d98