Cloudflare recently hijacked the domain of one of their customers (RaidForums), then cloned the RaidForums login page, and ran a phishing campaign at the behest of the FBI for two weeks.
I understand that you have to comply with law enforcement, but actively attacking the users of one of your customer's websites is super rude.
It is a problem when you centralize the Internet like this though.
The more of the Internet you've got running through your service, the more appealing a target you are for not only domestic government pressure, but attempts from foreign state actors to compromise the service (through not only hacking, but espionage and blackmail as well).
I'm no fan of centralization but if you think that it makes any difference to the FBI, you're mistaken. The tiniest providers are obligated to do the exact same thing. This has nothing to do with domestic pressure.
When the FBI asked Apple to build tools to attack customers, Apple said no. Cloudflare could have just dropped RaidForums as a customer, but they went the extra mile and built tools to facilitate an attack of RF users.
I did a bit of reading on this, and it looks like the main admin was arrested weeks before the phishing campaign went up.
It seems therefore entirely plausable that the admin handed they keys to the castle to the FBI anyway, or at least gave Cloudflare the okay to go ahead.
I can't find a shred of evidence that Cloudflare were involved directly in making the phishing page or even complying with the FBI.
Also I feel like Raid Forums is a bit mis-characterized in the article. It was largely a forum for people who collect OSINT about breached websites, not really a market place, and in the years that I spent there, I never saw people selling actually carding details, like they claim in the article. I used it regularly for my day job.
We used it at a job I had and it made sense for business continuity reasons. But it is centralizing the internet and they are the gatekeepers. Not a good thing
"Your ISP looks at which websites your browsing, oh the horror! Instead trust us, as an internet behemoth bigger than any ISP in the world with that data!"
Your ISP can collect your traffic history AND trivially connect that history to your identity, and sell/provide data to brokers, TLAs, police etc.
Cloudflare can collect your traffic history, but can only connect that history to your originating IP + timestamp. Their official client may be able to collect more info though. But, warp is just wireguard, so you do not need to run their official client there are shell/python scripts floating around to get the keys / endpoint IPs setup for Warp to use with std. in-kernel wireguard.
Further, all the telcos in the US are known to have colluded in illegal NSA spying on Americans. Cloudflare has not been caught at this yet. So, you can look at it as a choice of exposing your browsing history to an entity that may be not be lying and actually is not snooping vs. telcos that are known to have lied and definitely have and are likely still snooping.
> Your ISP can collect your traffic history AND trivially connect that history to your identity, and sell/provide data to brokers, TLAs, police etc.
That's exaggerating quite a bit. Maybe in 2005 they had that sort of insight, but with HTTPS everywhere things are different. Your ISP can only see which IPs you're connecting to, possibly which hosts you're looking up depending on your setup but DNS-over-TLS and the like will put a wet blanket on that.
Cloudflare (even without warp) has a much clearer picture of your browsing habits. Not only do they see which webpages you are requesting since they're situated as a MITM between you and a significant chunk of the servers online, they do quite a lot of browser fingerprinting and tracking for bot mitigation that could, theoretically, be used to identify humans as well.
SNI is majority clear-text today, so your ISP can collect the sites you are visiting and not just their IPs even with TLS. Hopefully that changes soon.
Your point about cloudflare having even more access to your browsing details than the list of sites you have visited that your ISP can collect is a good point. It is kinda crazy how so many companies are OK with a 3rd party terminating TLS for them. And, back on the first point, most sites that do support ESNI today are behind Cloudflare (makes your point even stronger).
But, still, Cloudflare would have to be snooping on content to correlate identity (at Cloudflare scale, that means they would have to already be targeting you), while your ISP already has it.
For me personally (stuck with Verizon which is known to snoop and sell data), I prefer "trusting" Cloudflare until they are shown to be a bad actor like Verizon too.
Yes, but it's not implemented yet on any website. And there is no software support except beta versions of Chrome/Edge and you have to manually toggle flags in dev options.
My ISP has openly stated that they're selling my data for marketing purposes. If CF claims to not be doing that today, then they could at least be temporarily superior.
Even though there's no visible abuse right now, you know, Google's motto also used to be "don't be evil".