
We're running a web service in Europe, secured with TLS and we're using private keys generated on our private hardware.

We would like to use CloudFlare for DDoS protection and caching reverse proxy.

However, putting my tinfoil hat on, I'm wondering whether there is any technical way to avoid being potentially MitM'd by the NSA or any other entity that FISA likes to support. Let's assume that I can trust CloudFlare not to leak any secrets for extra money only. If I have understood correctly, CloudFlare is able to generate certificates for any domain they want (they are a CA), and the NSA or FISA should be able to get a backdoor into the reverse proxies run by CloudFlare because CloudFlare's headquarters are in the USA. If I point our DNS entries to CloudFlare, that is a free pass to read and modify any traffic on our site.

The problem with FISA is that its decisions are not public. If CloudFlare was forced to work against my will by any public court orders, I could just switch to another CDN. However, when CloudFlare is forced to do something by secret FISA court order, nobody is any wiser and I cannot switch.

(I guess the same applies to Akamai and any other reverse proxy CDN administered by any company with headquarters located in the USA.)


First of all, just because you use CloudFlare does not mean that the traffic will pass through the US. CloudFlare currently has 102 edges, and requests will be sent to the nearest one. This is what is called "anycast". So if someone in Europe requests your page the request will go from them to an edge somewhere in Europe, and from there to your origin. In other words, using CloudFlare will not force the majority of your traffic through the US.

Concerning the use of TLS, CloudFlare offers three different models:

  • Flexible SSL: Traffic is only encrypted between the end user and CloudFlare, and not between CloudFlare and your origin. Obviously, this is not safe against government actors...
  • Full SSL: Traffic is encrypted all the way, but you have to give CloudFlare your private key so they can decrypt traffic. So your private key is only a court order away from the NSA.
  • Keyless SSL: You do not have to give them your private key, but they still "decrypt, inspect and re-encrypt traffic". Read about how it works here. You don't need to have your tin foil hat on to suspect that the US government could pressure a US company into providing data from servers located outside the US.

So, in conclusion, what you need to worry about is not the traffic passing through the US, but that CloudFlare will share your decrypted traffic with the US government. There is no way for a CDN to get around this - to do their job as a reverse caching proxy, they need to decrypt the traffic. Either you trust your CDN, or you don't use one.

Anders
  • Yeah, I trust that CloudFlare is not going to pass all the traffic through the US because latency would be too bad. However, as long as they have headquarters in the US, FISA court orders can have an effect, and as long as FISA works the way it does, the customers of CloudFlare cannot be informed about the fact. – Mikko Rantalainen Feb 20 '17 at 12:36
  • What FISA does and doesn't do is a legal question that I will not try to answer here, but I think the important point is this: CloudFlare will *always* be able to decrypt your traffic, and therefore they will *always* be able to share it with others. If you don't trust CloudFlare not to do that, for legal reasons or otherwise, you cannot consider CloudFlare safe. – Anders Feb 20 '17 at 12:45
  • Given that "trust" includes whatever FISA or any other government body enforces, I agree. I personally believe that CloudFlare does not share the traffic without court order but after that they will do whatever the court is ordering. The problem with FISA is that the court order is not public. – Mikko Rantalainen Feb 20 '17 at 13:22
  • @MikkoRantalainen Then you will have to live without a CDN. If you find one that doesn't need to be able to decrypt traffic you could still benefit from the DDoS protection, but obviously you would get no cache benefits. – Anders Feb 20 '17 at 13:27
  • I think a CDN located in a country with less insane jurisdiction than FISA would work pretty fine, too. All the big ones (e.g. CloudFlare and Akamai) have headquarters in the US, though. – Mikko Rantalainen Feb 20 '17 at 13:32
  • Headquarters location is pretty much not relevant here. A secret court could potentially order Cloudflare (or any other CDN provider) to snoop on traffic passing through their regional servers without informing CloudFlare's headquarters. CloudFlare works by inherently MITM-ing the traffic between your server and the users; if you can't trust them, then you shouldn't be using them. – Lie Ryan Feb 22 '21 at 23:09
  • @LieRyan: if the users and the servers are located in Europe, the CloudFlare traffic never passes via any server under US jurisdiction. However, when CloudFlare's headquarters are in the US, a FISA court order can force them to copy data that CloudFlare can access from Europe to the US, too. I *think* that if they had headquarters in Europe, a FISA court order couldn't force them to transfer data from Europe to the US even if CloudFlare had some business in the US, too. – Mikko Rantalainen Feb 23 '21 at 09:41
  • What about unproxied traffic? Is it completely out of the reach of Cloudflare if I have a subdomain with proxy off? (e.g. emails through mail.mydomain.com) – Lucas Bustamante Mar 07 '21 at 23:15
  • @LucasBustamante Good question. I don't know. Try asking it as a new question and you might get a good answer. – Anders Mar 08 '21 at 07:49
  • @Anders I think your answer could be slightly adapted to be more accurate. With Full SSL, you don't have to give your private key to Cloudflare; instead, Cloudflare receives the request from the visitor through HTTPS, processes it internally, and forwards it to your server using SSL, verifying it through a CA if strict. But either way, Cloudflare has access to the decrypted packages, since it is the one at the other end of the request. – Lucas Bustamante Sep 17 '21 at 12:33