
If I understand correctly, they can see all the requests that are coming in to your server. So all POST requests (user credentials, comments users post, and many more) can be seen by Cloudflare (responses are protected if your site just allows HTTPS). How is having one entity see all of that not a security hazard, not just for your company but for the whole internet in general? Or is it not, and I'm misunderstanding something?

schroeder
Tomas
  • Google result for "can cloudflare see user passwords?" : https://community.cloudflare.com/t/what-data-does-cloudflare-actually-see/28660 – schroeder May 06 '20 at 08:16
  • Chrome can see all passwords ever entered on any site anywhere. Does that create a potential hazard? Sure. As the link above points out, the issue is *trust*. – schroeder May 06 '20 at 09:11
  • @schroeder I was thinking more about how extremely powerful it could be for the US (or any, for that matter) government to have access to that kind of information. – Tomas May 06 '20 at 09:12
  • Uh, authorised parties have or can get access to all kinds of data throughout the Internet infrastructure. If they want access to a person's account on a site, they would just go to the site with a court order. – schroeder May 06 '20 at 09:14
  • If you are asking about Cloudflare in particular, then this is a duplicate question (type "cloudflare" in the search bar). But if you are asking about the risks related to the excessive centralization and monopolization of a service, then you should change your question and at least also add Google and Microsoft to the equation. – reed May 06 '20 at 10:05
  • @schroeder If I am not from the US and neither is my server, the US government will have difficulties doing that. And if they do, I will at least know it and be able to tell my users that. With Cloudflare I have no clue. – Tomas May 06 '20 at 10:18

2 Answers


Your understanding is a little confused, but to address the central question first: Sure, but so is running your server on hardware owned by Amazon or Microsoft or Google, much less ever running apt install or pulling something from NPM or whatever. Just using an operating system you didn't write (or at least audit) yourself, on hardware you didn't personally create, introduces some risk... heck, I bet you even trust Let's Encrypt to have actually verified that the site you sent your password to was owned by StackExchange, rather than just issuing a cert for StackExchange to anybody who wanted one!

People trust Cloudflare for a few reasons:

  • The people behind Cloudflare have a reputation. It's a lot harder to get started in a field like that, but once you are known to be trustworthy, it's your company's most valuable asset.
  • It would be devastating to them, as individuals and as a business, if they were ever caught abusing that trust. The amount of money it would take to be worth more than the business as a whole or even any individual stakeholder's share is a lot.
  • They make a lot of legally-enforceable guarantees about how they use the access they have to your connections. Again, any breach of that would have to be tremendously valuable to make up for everything they'd lose.

At the end of the day, you have to choose who you trust. Using Cloudflare is definitely exposing yourself to some risks, but they also provide benefits (including security ones).


Not really the topic of the post, but you've got some things wrong about the risks.

  • If you don't use Cloudflare's proxies for any site with sensitive content (and just use them for DNS configuration and as a caching layer for your static content, with the option of quickly enabling DDoS protection if needed), Cloudflare can't see any of your requests or responses.
  • If you enable their proxy for a site, they can see requests and responses involving that site, regardless of whether TLS (HTTPS) is used between the user and the proxy, the proxy and your server, or both. Their proxies have to decrypt the user's request to provide the services you want (like caching responses or dealing with some kinds of attacks), and that means they also need to encrypt the response and could read or edit it before doing so (the user's TLS session is negotiated with Cloudflare, not with your server).
  • Putting Cloudflare in charge of your DNS in general, and particularly pointing your DNS entries at their servers and providing them with a valid TLS server cert for your domain names (which is how the proxy works), means Cloudflare is "same-origin" as your actual domain as far as the browser is concerned, and that means Cloudflare could make arbitrary requests against your server and see the responses (even if they somehow weren't visible to the proxy anyhow) just by injecting a script that makes XHR/fetch calls.

Also, Cloudflare has competition. Many cloud providers offer at least some of what Cloudflare does (though often only for back-end servers hosted on their cloud), and there exist other companies that provide cloud-hosted reverse proxies for security, reliability, metrics, and/or performance benefits.

CBHacking
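The second bullet above (the visitor's TLS session is negotiated with the proxy, so the proxy can read and edit traffic even when the proxy-to-origin hop is also TLS) is easy to see with two in-process HTTPS servers. The following Go program is an added example, not code from the answer or from Cloudflare: an HTTPS origin sits behind an HTTPS reverse proxy that holds the certificate the client trusts (the same shape as a proxied site), a client posts a constructed username/password form, and the proxy logs the plaintext request body, logs the plaintext response, and rewrites the response before re-encrypting it for the client. The form field names and credentials are made up for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"sync"
)

// Capture is what the proxy operator keeps from one request despite TLS on both legs.
type Capture struct {
	RequestBody  string
	ResponseBody string
}

// ProxyDemo: an HTTPS origin behind an HTTPS reverse proxy that holds the
// certificate the client trusts, which is the shape of a proxied site.
type ProxyDemo struct {
	Origin *httptest.Server
	Proxy  *httptest.Server
	mu     sync.Mutex
	seen   []Capture
}

func NewProxyDemo() *ProxyDemo {
	d := &ProxyDemo{}
	// Origin (your server) speaks TLS too, so this is the "Full" shape, not
	// Flexible. It only ever sees what the proxy chooses to forward.
	d.Origin = httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		fmt.Fprintf(w, "origin got %d bytes for %s", len(body), r.URL.Path)
	}))

	originURL, _ := url.Parse(d.Origin.URL)
	rp := httputil.NewSingleHostReverseProxy(originURL)
	rp.Transport = d.Origin.Client().Transport // verifies the origin's (test) cert

	// Proxy (the Cloudflare role): the client's TLS session terminates here.
	d.Proxy = httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The request is plaintext at this point, POSTed credentials included.
		reqBody, _ := io.ReadAll(r.Body)
		r.Body = io.NopCloser(bytes.NewReader(reqBody))

		rec := httptest.NewRecorder()
		rp.ServeHTTP(rec, r)

		// The response is plaintext here too, before it is re-encrypted for
		// the client, so it can be logged or edited on the way through.
		respBody := rec.Body.String()
		d.mu.Lock()
		d.seen = append(d.seen, Capture{RequestBody: string(reqBody), ResponseBody: respBody})
		d.mu.Unlock()

		for k, v := range rec.Header() {
			w.Header()[k] = v
		}
		w.Header().Del("Content-Length") // the edited body has a new length
		w.WriteHeader(rec.Code)
		io.WriteString(w, respBody+" [rewritten at the proxy]")
	}))
	return d
}

// Seen returns a copy of everything the proxy has logged.
func (d *ProxyDemo) Seen() []Capture {
	d.mu.Lock()
	defer d.mu.Unlock()
	return append([]Capture(nil), d.seen...)
}

// Login posts a credential form through the proxy the way a browser would:
// it trusts the certificate the proxy presents and never talks to the origin.
func (d *ProxyDemo) Login(user, pass string) (string, error) {
	form := url.Values{"username": {user}, "password": {pass}}
	resp, err := d.Proxy.Client().PostForm(d.Proxy.URL+"/login", form)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

func (d *ProxyDemo) Close() { d.Proxy.Close(); d.Origin.Close() }

func main() {
	d := NewProxyDemo()
	defer d.Close()
	body, err := d.Login("alice", "hunter2") // constructed sample credentials
	if err != nil {
		panic(err)
	}
	fmt.Printf("client received: %q\nproxy logged: %+v\n", body, d.Seen())
}
```

Nothing in the client's view distinguishes this from talking to the origin directly: the certificate checks pass, the padlock is shown, and the proxy still has the password in the clear and the last word on the response body. That is the property the answer means by "the user's TLS session is negotiated with Cloudflare, not with your server"; encrypting the second hop protects against networks between the proxy and the origin, not against the proxy.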

In my opinion, the way that most people use Cloudflare is a security risk, but not necessarily for the reasons that you may think. Yes, Cloudflare, by design, is a man-in-the-middle service. As mentioned, this is necessary for them to provide the service that they offer. In my opinion, whether or not it is a security risk for that reason depends on your threat model and what you are doing. For example, I personally would not ever transmit private cryptocurrency keys through a service like Cloudflare. However, I personally do use Cloudflare for all sorts of things like protecting business and personal websites.

My problem with Cloudflare is that they have a feature called "Flexible SSL" which gives users the illusion that their data is securely being transmitted with TLS. This service encrypts traffic from the user's computer to Cloudflare's servers, but then data from Cloudflare to the actual destination server is not encrypted at all. I think this is ridiculous and God only knows how many websites on the internet are set up this way. It would be one thing if there were some way for a user to know about this, like a little orange thing in a padlock icon somewhere... but as far as I know there is not. I suppose that this setup is "more" secure than no SSL anywhere, though...

Chev_603
  • "... but then data from cloudflare to the actual destination server is not encrypted at all" That doesn't sound correct. It's my understanding that you just use another cert for that. – pcalkins Jun 17 '22 at 18:19
  • Out of the box, if you put a website behind Cloudflare and your site is using HTTP and does not offer SSL, then the connection from Cloudflare back to the origin server will be over plain old HTTP. "Setting your encryption mode to Flexible makes your site partially secure. Cloudflare allows HTTPS connections between your visitor and Cloudflare, but all connections between Cloudflare and your origin are made through HTTP. As a result, an SSL certificate is not required on your origin." https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/ – Chev_603 Jun 17 '22 at 21:50
  • It'd be pretty silly not to use a cert, but I suppose there might be some sites that don't... They seem to offer "origin certs" for free, so anyone out there without SSL on their Cloudflare site, get one!: https://blog.cloudflare.com/cloudflare-ca-encryption-origin/ – pcalkins Jun 17 '22 at 22:45
  • I mean, IMO flexible SSL should not exist. – Chev_603 Jun 17 '22 at 22:47
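The origin-side half of closing the gap described in this answer and its comments, as an added example that is not from the answer or from Cloudflare's documentation: the first nginx server block is the setup Flexible mode exists for (the origin only speaks HTTP, so the proxy-to-origin leg is plaintext no matter what the visitor sees); the second serves TLS on the origin with a certificate from the free Cloudflare origin CA linked in the comments, which is what the Full (strict) mode needs in order to verify the origin. The hostname and file paths are placeholders.

```nginx
# Weak: what "Flexible" relies on. The origin only listens on port 80, so the
# proxy -> origin leg is plain HTTP even though the visitor sees a padlock.
server {
    listen 80;
    server_name example.com;          # placeholder hostname
    root /var/www/example;            # placeholder document root
}

# Corrected: the origin serves TLS with an origin certificate, and plain HTTP
# is only a redirect. With this in place the Cloudflare SSL mode can be set to
# Full (strict), so both legs are encrypted and the origin cert is verified.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/cloudflare/origin.pem;      # placeholder path
    ssl_certificate_key /etc/ssl/cloudflare/origin-key.pem;  # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;
    root /var/www/example;
}
```

Two caveats a practitioner should keep in mind. Certificates from Cloudflare's origin CA are trusted by Cloudflare's edge, not by browsers, so they are only useful behind the proxy; if the origin is ever reached directly, use a publicly trusted certificate instead. And change the dashboard mode at the same time as the origin: an origin that redirects HTTP to HTTPS while the edge is still set to Flexible produces a redirect loop, because the edge keeps fetching over HTTP and keeps being told to go to HTTPS. Nothing here fixes the point made in the other answer: even in Full (strict) the proxy still terminates the visitor's TLS session and sees everything in the clear.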