2

So I recently started using the free Cloudflare plan for my website to provide any sort of protection. And I noticed that, given they do the whole "We'll accelerate your website by caching parts of your pages!" they need to MITM the connections to your server, even if you were using HTTPS.

I understand why they do this; I mean obviously they need access to the actual web content so they can determine what to cache. But it still got me a little bit concerned. This is how a connection to my website works now:

User---Cloudflare HTTPS--->Cloudflare---My HTTPS--->My Server

Based on this, even though you're using SSL, Cloudflare does have access to the unencrypted content. This includes any type of login data sent to/from my server which, under normal circumstances, would've been end-to-end encrypted from the user to my server. Now that Cloudflare has access to that data, do people worry about the "malicious Cloudflare employee who steals the login information"? Or do we just trust Cloudflare because it's "just too big to fail"?

  • This previous question on StackExchange might provide an answer: https://security.stackexchange.com/questions/167172/is-cloudflares-ssl-half-baked-since-they-become-the-man-in-the-middle-mitm?rq=1 I do not know if the information there is biased for or against CloudFlare, or if it is neutral and factual. – RealDrGordonFreeman Apr 05 '19 at 14:12
  • The short answer is yes, they could. It's a matter of the threat model that you are trying to defend against. Are you more concerned about denial of service attacks, or confidentiality/integrity. What is the level of sophistication of the threat actors you are trying to protect against? – Dan Landberg Apr 05 '19 at 16:43
  • Cloudflare will also give up data to US law enforcement if that matters to you. – Steve Apr 05 '19 at 22:55
  • Strictly speaking, your database could also be sniffing your data and sending it off who-knows-where, as could your webapp (the interpreter might run something without your knowledge, or the compiler could insert code). In general, yeah, we trust Cloudflare, because their _entire business_ would immediately be ruined if they compromised their clients' security. – Nic Jul 09 '19 at 16:46
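The diagram in the question is two separate TLS sessions glued together by a reverse proxy that holds the keys to both. The following is an added example, not code from the question or from Cloudflare: it builds exactly that topology on loopback with Go's standard library. The origin and the edge each get a throwaway self-signed certificate (the names `origin.example` and `edge.cdn.example` are made up for the demo), the "browser" trusts only the edge certificate, the edge terminates TLS, records the request body in the clear, and re-encrypts it to the origin over a second TLS session it set up with its own trust store. The login credentials (`alice` / `hunter2`) are constructed sample input.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"sync"
	"time"
)

// selfSigned returns a throwaway self-signed leaf for 127.0.0.1 with the given CN.
// Demo only: it exists so the two hops present visibly different certificates.
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// startTLS serves h over HTTPS on a loopback port using cert.
func startTLS(h http.Handler, cert tls.Certificate) *httptest.Server {
	s := httptest.NewUnstartedServer(h)
	s.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	s.StartTLS()
	return s
}

// trustOnly returns a client whose trust store holds exactly one certificate:
// the browser trusts the edge, and the edge trusts the origin. Neither hop
// reaches past its own peer.
func trustOnly(s *httptest.Server) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(s.Certificate())
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
}

// Edge is the TLS-terminating CDN hop. Seen collects what it could read in
// the clear between decrypting the user's session and re-encrypting to origin.
type Edge struct {
	mu   sync.Mutex
	Seen []string
}

func (e *Edge) handler(origin *httptest.Server) http.Handler {
	target, _ := url.Parse(origin.URL)
	rp := httputil.NewSingleHostReverseProxy(target)
	rp.Transport = trustOnly(origin).Transport // second TLS session: edge -> origin
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body) // plaintext of the user's HTTPS request
		e.mu.Lock()
		e.Seen = append(e.Seen, fmt.Sprintf("%s %s body=%q", r.Method, r.URL.Path, body))
		e.mu.Unlock()
		r.Body = io.NopCloser(bytes.NewReader(body)) // hand the unmodified body onward
		rp.ServeHTTP(w, r)
	})
}

// originHandler is the site behind the CDN; it only ever sees the edge as its peer.
func originHandler(w http.ResponseWriter, r *http.Request) {
	if r.FormValue("password") == "hunter2" { // constructed demo credential
		fmt.Fprintf(w, "welcome %s", r.FormValue("user"))
		return
	}
	http.Error(w, "denied", http.StatusUnauthorized)
}

// Login drives one request through user -> edge -> origin and returns the reply the
// user got, the CN of the certificate the user actually validated, and the edge's log.
func Login(user, password string) (reply, userSawCN string, edgeSaw []string) {
	origin := startTLS(http.HandlerFunc(originHandler), selfSigned("origin.example"))
	defer origin.Close()
	edge := &Edge{}
	edgeSrv := startTLS(edge.handler(origin), selfSigned("edge.cdn.example"))
	defer edgeSrv.Close()

	form := url.Values{"user": {user}, "password": {password}}
	resp, err := trustOnly(edgeSrv).PostForm(edgeSrv.URL+"/login", form)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	b, _ := io.ReadAll(resp.Body)
	return string(b), resp.TLS.PeerCertificates[0].Subject.CommonName, edge.Seen
}

func main() {
	reply, cn, seen := Login("alice", "hunter2")
	fmt.Printf("user saw cert CN=%s, reply=%q\n", cn, reply)
	fmt.Printf("edge saw in the clear: %v\n", seen)
}
```

The point to take from running it: the user's TLS handshake validated `edge.cdn.example`, never `origin.example`, and the edge's log contains `password=hunter2` even though both hops were HTTPS. Nothing in TLS distinguishes this from a direct connection as far as the browser is concerned; what stops the edge from keeping or altering that body is policy, review and audit at the operator, which is the trust question the thread is about.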

2 Answers

5

Now that Cloudflare has access to that data, do people worry about the "malicious Cloudflare employee who steals the login information"? Or do we just trust Cloudflare because it's "just too big to fail"?

Yes, this essentially boils down to whom you trust. If you enter data into some website, you trust the owners of the website to handle this data in a secure way and to make sure that no unauthorized access is possible (but yes, there are lots of examples where sites fail to meet these expectations).

Similarly, the owners of the website need to trust their service providers, since many such sites are located in external data centers, might run on shared hosting or might be hosted in the cloud. This means that others outside the company could theoretically get at the sensitive data.

And the same is true for CDNs like Cloudflare or Akamai. It is not that they are too big to fail, but that they simply have too much reputation to lose. While they are big, they are not a monopoly. If it becomes public that they don't meet the trust expectations, then other services will be happy to point that out and fill the gap for switching customers. And compared to other services, the switching costs from one CDN to another are not that big.

forest
Steffen Ullrich
  • "It is not that they are too big to fail but they have simply too much reputation to lose" Thank you for this perspective. It makes a lot of sense why they'd strive to uphold their reputation – TheFuzzyFish Apr 06 '19 at 21:41
3

You could ask the same question about AWS. In theory, a malicious operator working for Amazon could steal all your encryption keys and other sensitive data straight out of memory from your virtual machines.

You could put your own physical hardware in a colo facility, but then you're still trusting the facility employees with the physical security of your machine. They could easily go open up your box, yank the RAM chips, and read everything that was in them (yes, this is possible even after they lose power). Or maybe they could just install a PCI card that exfiltrates the memory live.

You could run the server in a facility you operate yourself... but you're still relying on the hardware to be secure. Intel or Supermicro or any of the manufacturers of your hardware could in theory have inserted a back door.

In the real world, to get things done, at some point you need to trust people. If you want to use a cloud service provider, you probably need to trust them. You do, of course, get to choose who you want to trust, and as a result, these providers work very hard to implement good security practices that make them trustworthy.

I happen to be a Cloudflare employee -- I'm the tech lead for the Cloudflare Workers product. I personally have neither permission nor the technical ability to log into any production machine, much less look at live data passing through it. I could perhaps add some code to my project which steals data, but I'd have to get it past code review and approved for release. But sure, several Cloudflare employees working together could maybe do something bad -- just as several AWS, Equinix, or Intel employees working together could do something bad. If they were caught, they'd probably go to jail, but it's still theoretically possible.

It's up to you to decide who you trust with your service, and up to us to earn that trust through our security track record.

Kenton Varda
  • You can generally secure a server in a colo facility to a certain extent, e.g. with encrypted memory (either via kernel hacks like vCage or with Intel TME), and you can use remote attestation when inputting an encryption key. A proper IOMMU will also prevent evil busmastering over PCI, and you can destroy the JTAG traces. I believe there was also a recent DEF CON talk on rigging a server for physical colo security giving it a sort of chassis intrusion detection system on steroids (light and vibration sensing, etc.). – forest Apr 06 '19 at 07:44
  • I'm sorry if my question seemed pointed or cynical, I certainly meant no offense. I know that you and others at Cloudflare put a lot of effort into making your service as secure as possible, and you've got a wonderful reputation. I trust and will continue to use Cloudflare because of the hard work you've put into making it as reliable as possible. Thank you for the insight into your workflow process – TheFuzzyFish Apr 06 '19 at 21:39
  • @TheFuzzyFish I wasn't offended at all! Sorry if it came off that way. This is a totally fair question. There are people who don't trust us (and people who don't trust AWS, etc.). It's not an unreasonable position to take -- but it does make it awfully hard to run a modern web service... – Kenton Varda Apr 07 '19 at 17:44