Cloudflare is one of the Content Delivery Networks on the Internet. It is responsible for serving at least 10% of websites, while also providing VPN and DNS resolver services.
Unfortunately, there are many issues with Cloudflare's services, which could have an impact on the stability and safety of the internet as a whole. There have been some major internet disruptions as a result.
Cloudflare is an American public company focusing on website acceleration and Distributed Denial of Service (DDoS) attack protection services. Among other things, they also operate a public DNS recursor, "1.1.1.1", and a VPN service of a similar name, "1.1.1.1 WARP".
The internet was built upon foundations of decentralization. In a traditional scenario, the many services that make up the internet are provided by completely different entities.
You might wonder how exactly this is harmful. There are two main concerns: robustness and privacy.
Cloudflare's outages are impacting more and more services. Trusting a single company to do everything right and to have 100% stability and availability is never a good idea.
They actively discourage combining the use of their services with services of other companies as well.
For example, if you register a domain with Cloudflare, you cannot use your own nameservers unless you pay for a Business or an Enterprise plan.
Having vast amounts of data at their disposal, Cloudflare can aggregate information from all of their various services to accurately pinpoint individual users as well.
A picture from Cloudflare's very own blog article helpfully illustrates the concept.
Instead of the user directly connecting to the intended website, the user is connected to Cloudflare's servers instead. The connection then gets decrypted, processed, analyzed and then finally sent to the intended destination. Hopefully encrypted.
While this is generally necessary to leverage features like static file caching, it also means Cloudflare gets to see the billing details and possibly the payment information of customers shopping on a Cloudflare-protected e-shop.
In addition to that, while your browser may show that the connection is encrypted using HTTPS, that only describes the hop between your browser and Cloudflare; it does not necessarily mean that the connection between Cloudflare and the target site is encrypted as well.
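The point above can be seen directly from the certificate a client receives: when a site sits behind a TLS-terminating proxy, the certificate the browser validates is the one presented by the proxy's edge, and nothing in that handshake tells the client anything about the edge-to-origin hop. The script below is an added illustration, not code from the article or from Cloudflare; it reduces the dictionary returned by Python's `ssl.SSLSocket.getpeercert()` to the fields that identify who terminated the session, and ships with a constructed sample certificate so the parsing can be exercised offline. The hostname `example.test` and the issuer names in the sample are made up.

```python
"""Inspect the TLS certificate a client actually sees for a hostname.

Added illustration (not code from the original article). The leaf
certificate presented to the browser identifies the party terminating
TLS, which behind a CDN is the edge, not necessarily the origin. It says
nothing about whether the edge talks to the origin over an encrypted
connection; that hop is invisible to the client.
"""
import socket
import ssl


def leaf_cert_summary(cert: dict) -> dict:
    """Reduce the dict returned by ssl.SSLSocket.getpeercert() to the
    fields that tell you who terminated the TLS session."""
    # getpeercert() encodes names as tuples of RDNs, each RDN a tuple of
    # (attribute, value) pairs; flatten them into plain dicts.
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    dns_names = [name for kind, name in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_org": issuer.get("organizationName"),
        "issuer_cn": issuer.get("commonName"),
        "dns_names": dns_names,
        "not_after": cert.get("notAfter"),
    }


def fetch_leaf_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a TLS connection with SNI and return the validated leaf
    certificate. Needs network access, so it is not exercised offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in the exact shape getpeercert() returns, so the
# parsing logic can be run without a network connection. All values are
# made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": (
        (("countryName", "XX"),),
        (("organizationName", "Example Edge CA (constructed)"),),
        (("commonName", "Example Edge Issuing CA"),),
    ),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_leaf_cert(host) if host else SAMPLE_CERT
    for key, value in leaf_cert_summary(cert).items():
        print(f"{key:>11}: {value}")
    print("note: this describes the client<->edge hop only; "
          "the edge<->origin hop cannot be observed from the client side.")
```

Run it with a hostname argument to inspect a live site, or with no argument to see the constructed sample. If the issuer organisation and SAN list belong to a CDN rather than to the site operator, the padlock in the browser is vouching for the CDN edge; whether the remaining hop to the origin is encrypted has to be confirmed on the server side, not from the browser.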
Cloudflare's marketing for their VPN application includes slogans like "You’re one tap away from a safer Internet". Unfortunately, that is not how the internet works.
By using a VPN application like WARP, all you are doing is shifting who is able to read your traffic to someone else. While your Internet Service Provider is not able to track your activity (all they would see is a stream of traffic to Cloudflare), Cloudflare now sees the entirety of your decrypted traffic. This information can be combined with other data Cloudflare has (logs from CDN and DNS queries) to more accurately track individual users.
Cloudflare is the home of DDoS-for-hire (website/server stresser) services. While being a DDoS attack protection firm themselves, they do not seem too bothered about some of their customers hosting, on Cloudflare's own platform, the very services they strive to protect against.
Cloudflare's most recent marketing campaign includes the creation of this page, which is meant to "test the security of your ISP" and then publicly name and shame it on Twitter.
Deploying RPKI is not as easy as flipping a switch, as some sites would like to imply. It requires very careful planning, which can take months or years when equipment needs to be replaced or upgraded. While RPKI is something that needs to be deployed, the world is trying to fight a global pandemic, and network operators will not make any breaking changes to their networks during it; Cloudflare knows this.
The only thing this sort of page does is scare people into thinking that their internet providers are somehow insecure. This leads to an increase in unnecessary support workload, which is not something anybody likes.