> Cloudflare has become a highly attractive target for state-sponsored attacks, suffering from recurring breaches. Their sheer scale, considering that they are serving a substantial portion of the internet, means that an outage or compromise could have widespread, costly consequences.
I'm unsure how much of these can actually be called "attacks" rather than "complying with local laws" that lets them operate in a lot of countries. Including hostile ones.
They really don't segment customer data sufficiently to mittigate this either. CloudFlare even officially says that they don't actually enforce even Regional Services and you have to do that yourself as a customer. Rest of customers get even fewer guarantees than that.
> Regional Services operates on your hostname's IPs. We recommend using DNSSEC and/or DNS over HTTPS to ensure that DNS responses are secure and correct.
This of course is funny considering how CloudFlare has used the same DNSSEC key signing key for ⪆10 years. It also doesn't mention BGP hijacks or similar MITM attacks, because there's also not much anyone besides CloudFlare can do against that.
“complying with local laws” isn’t always a good thing. Here’s some behaviours that you need to report in some countries in order to comply with local laws:
* someone is a homosexual
* someone had sex out of wedlock
* someone is a communist
* someone is right-wing
* someone is a Muslim
* someone is _not_ a Muslim
* someone spoke ill of the current ruler
* someone hosted a messaging service, and didn’t ask users for a copy of their id
Author did a surprisingly good job hanging on to all the receipts to support his claim "cloudflare bad." But his alternatives are all CDN providers - which is not even the side of the business that makes cloudflare unique and makes them money. The piece, thorough as it may be, does not offer alternatives to products that cover the exciting parts of their business and I was looking forward to seeing what those were - for example tailscale or Pangolin (Open source alternative to Cloudflare Tunnels) or equivalents for serverless/edge compute. This makes it feel as if the author does not _really_ understand cloudflare's role/position and that this article is just a collection of links that report of the company's (valid) imperfections. For example, their workers platform, DDoS protection, and software-defined network functions (WAN, firewall, Zero-trust, etc) have made my life as a developer in my last few roles very productive and successful. And migrating away from those services was just as easy as signing up.
It might sound like I am defending cloudflare, but I am not. I share the author's concern about them becoming a monopoly that MITM's a lot of the Internet. But the author provides no evidence of to this claim. My experience has been the opposite: cloudflare interoperated with legacy systems and other cloud providers without locking us in or using anti-competitive tactics. Their presence often improved integration even when other vendors didn’t reciprocate. When people flock to a service because it’s genuinely useful rather than "can't leave Hotel California", that’s not a monopoly — it’s market preference.
That said, there is a real risk if innovation stalls or leadership becomes greedy. Companies that stop innovating sometimes resort to aggressive or extractive practices to stay relevant. It seems to be the trend once companies get too big to die - innovation stalls and their flywheel slows and they become desperate (or greedy) to stay relevant. I would monitor for those signs before I sound any alarm.
The Internet runs at the will of the government(s). Every government (national, regional, local) has regulations that must be obeyed. Depending upon where you live, some of those regulations may be kept secret from those most affected. An entity like Cloudflare is a juicy target that can be used cooperatively, or abused uncooperatively by those enforcing the regulations.
So Cloudflare has solved one problem (DDoS), while creating several new ones, which most people feel is a fair trade, but it's not a prefect world and there is no perfect solution.
Exactly this - CDN is the one thing I don’t use Cloudflare for.
As a web developer, I love how effortless it is to spin up a static site for free using their Pages or Workers features. Sure, I could rent a small server or even host projects on a home setup, but often I just want something simple, fast, and hassle-free - and Cloudflare delivers that at zero cost.
Has this convenience led me to spend money with them? Absolutely. These days I even rely on Cloudflare for DNS management, simply because their interface and overall experience are far better than what I was using before I found them.
That said, I’m not here to defend the company uncritically. I recognize the valid concerns and criticisms that exist. But no platform is without flaws, and in some situations I simply can’t — or don’t want to — prioritize the idealistic view. Sometimes I just want to experiment and build, and Cloudflare makes that easy.
I am using Cloudflare as a back-end and only using workers (can disable all their security, performance, caching, and whatever stuff they offer; which is really just a worker). The product (workers) is differentiated and I don't think there is any company/service out there that is offering an equivalent.
I do not think that's the author complaint, though. I frequently get these cloudflare captachas and it is why I disabled their firewall (it's pure garbage) for my own sites. Cloudflare does not have any monopoly over the services you mentioned (workers, tunnels, images, etc.) but they do have a kind-of-monopoly over DNS/CDN.
I think it's not just about proving a claim. The same argument that in a democracy, you should build checks and balances to avoid sleepwalking into a dictatorship, is valid for companies, especially internet companies. Look at Google, Apple, Microsoft, Facebook and friends. Cloudflare plays nice because it wants to frictionlessly slide into a position where it can extract rent. Today, they are powerful but are not there yet. They're easy to migrate out of because their offerings, amazing as they are, are not irreplaceable so people cannot yet be made hostages. Mostly what happens is your customers feel like CF is holding you for ransom without you knowing it.
When they start charging per packet and making you money, you will become as dependent on them as Apple developers are on Apple, and you'll find out how nice they are.
I have the same fear of tailscale. They are so amazing I just want to move every piece of my infra to them, business and personal, my family's devices, everything. But over time I've gained this instinctive distrust for low friction from startups, especially when the effect (intended or not) is you forgetting how to manage your own tech.
> ... build checks and balances to avoid sleepwalking into a dictatorship.
This resonates well with me. I don't personally know the checks and balances that need to exist so that Cloudflare, or any big influential company, refrains from becoming evil. I find CF relying on open protocols for interoperability with vendors a very positive sign. I don't ever see them (or any company) backtracking of supporting some open standard once they already have support for it. I'm not aware of them having "custom" solutions that also don't have a spec for them. For example, they are absolutely best suited for the pay-per-[ai]crawl business model and if they wanted they could have easily taken advantage of their position. Instead they are relying on open standards and contributing to them. Paint me naive but this gives me a good deal of confidence of the short and medium term.
But I confess that I don't follow the company/market closely enough to know if that is enough or more is needed. More check and balances always seems good but I have no creativity in this regard. Perhaps that was one of my criticisms with the author's post - to collect all the bad press and identify the shortcomings but to stop short of digesting all those findings into a meaningful resolution.
It's pretty disappointing that the author (writing in 2025) says "perhaps to maintain its status as the world’s largest botnet operator," and links to a Spamhaus report from Q1 of 2020.[0]
If you check the most recent version of the report from Spamhaus (Jan to June 2025)[1], Cloudflare is nowhere to be seen, and Digital Ocean, who they recommend as a Cloudflare alternative is listed as third largest botnet host in the world.
Looking back through the historical reports this isn't a new phenomenon, in Q4 of 2022 Digital Ocean was ranked #2 and Cloudflare was down at #17.
If it wasn't on HN, being upvoted by some, I wouldn't have clicked on the link judging from the domain name. Turns out it is unicode issues. I wonder if HN will ever fix it.
I once had to migrate a good number of web properties off of Cloudflare for a client. They were an agency that had used it as a go-to for many years and many clients, until the CEO of the company stated publicly that they would no longer use cloudflare as a political thing (there had been a news story that Cloudflare was providing ddos protection for some Nazi websites and refused to take them down, or something similar enough).
My takeaway was basically that people use Cloudflare a lot because it is a strong service with a ton to offer at a very low price point. It's a bit like gmail - just very convenient and offers a lot for free or very cheap. Switching at that scale made a significant increase in their monthly bill.
I do applaud people who go out of their way to create alternatives to major services like cloudflare, gmail, chrome, etc. As an individual it can be hard to do though, or at least not always the path of least resistance.
Very good post. Cloudflare is continuously adding services to their cloud offerings (the latest being Email delivery) in a familiar pattern of "let's make it impossible to switch".
What we really need is more IPV6 deployment so normal people can have plenty of routable addresses and we can go back to hosting more things on the edges like we used to, on computers we physically control.
There are plenty of applications where the bandwidth of PON fiber commonly deployed to homes is more than sufficient, and the extra latency is irrelevant.
Sure, it may be susceptible to DDoS attack, but if tens of millions of people were running personal and business systems from home it's debatable this would be less resistant than having a few centralized companies own us all.
Tangential nitpick: I wish HN would display the punycode IDN in the submission URL as the intended マリウス.com
I mean, I understand the opportunity for abuse, but if it displays fine as UTF8 in comments in the previous sentence it might make sense to display it correctly over there in the submission.
I actually looked at all the alternatives listed by the author. Here is the problem: none of them are competitive with Cloudflare. With Cloudflare you don't even need to provide a credit card, just setup with your website and it is "free" for lifetime.
They might pressure you to switch to paid plans if you start getting PBs of traffic, but until that point they will deliver your content for free. It is a huge advantage. Specially when you consider the egress pricing of major cloud providers.
That's like saying your cloud providers are stealing and looking at all your code. Technically you might be right but it is still somewhat disingenuous.
Not to mention all the alternatives are doing MITM anyway. So why single out Cloudflare?
Cloudflare isn’t perfect but people do have other options, and yet they come back to Cloudflare. Without Cloudflare it is more likely the internet would be a shittier less secure place. I think there are worse companies to worry about out there.
Load of bull.
Every article linked in this is either wrong or mischaracterized.
Cloudflare does not facilitate phising - it just made proxying and tunneling easier.
The breaches and bypasses mentioned are anything but - they are linking to a successful mitigation of an attack as if the attacker got away with something of value.
This entire article reeks of trying to fit the evidence to an agenda.
Considering they couldn't find actual evidence of problems and had to resort to mischaracterization this is actually a great reason to use Cloudflare.
I dislike how Cloudflare wants to do everything the Cloudflare way. A lot of their services are legit good and insanely cheap though, and containers have the potential to be a game changer that takes them from occasionally useful to the backbone of your cloud.
Any infrastructure can be abused, but that doesn't negate its legitimate uses.In fact, it is precisely because of the popularity of free services such as CloudFlare that the threshold for network security has been significantly lowered.
27 comments
[ 1.5 ms ] story [ 53.4 ms ] threadI'm unsure how much of these can actually be called "attacks" rather than "complying with local laws" that lets them operate in a lot of countries. Including hostile ones.
They really don't segment customer data sufficiently to mittigate this either. CloudFlare even officially says that they don't actually enforce even Regional Services and you have to do that yourself as a customer. Rest of customers get even fewer guarantees than that.
Have fun, three-letter agencies.
https://developers.cloudflare.com/data-localization/limitati...
> Regional Services operates on your hostname's IPs. We recommend using DNSSEC and/or DNS over HTTPS to ensure that DNS responses are secure and correct.
This of course is funny considering how CloudFlare has used the same DNSSEC key signing key for ⪆10 years. It also doesn't mention BGP hijacks or similar MITM attacks, because there's also not much anyone besides CloudFlare can do against that.
* someone is a homosexual * someone had sex out of wedlock * someone is a communist * someone is right-wing * someone is a Muslim * someone is _not_ a Muslim * someone spoke ill of the current ruler * someone hosted a messaging service, and didn’t ask users for a copy of their id
It might sound like I am defending cloudflare, but I am not. I share the author's concern about them becoming a monopoly that MITM's a lot of the Internet. But the author provides no evidence of to this claim. My experience has been the opposite: cloudflare interoperated with legacy systems and other cloud providers without locking us in or using anti-competitive tactics. Their presence often improved integration even when other vendors didn’t reciprocate. When people flock to a service because it’s genuinely useful rather than "can't leave Hotel California", that’s not a monopoly — it’s market preference.
That said, there is a real risk if innovation stalls or leadership becomes greedy. Companies that stop innovating sometimes resort to aggressive or extractive practices to stay relevant. It seems to be the trend once companies get too big to die - innovation stalls and their flywheel slows and they become desperate (or greedy) to stay relevant. I would monitor for those signs before I sound any alarm.
So Cloudflare has solved one problem (DDoS), while creating several new ones, which most people feel is a fair trade, but it's not a prefect world and there is no perfect solution.
As a web developer, I love how effortless it is to spin up a static site for free using their Pages or Workers features. Sure, I could rent a small server or even host projects on a home setup, but often I just want something simple, fast, and hassle-free - and Cloudflare delivers that at zero cost.
Has this convenience led me to spend money with them? Absolutely. These days I even rely on Cloudflare for DNS management, simply because their interface and overall experience are far better than what I was using before I found them.
That said, I’m not here to defend the company uncritically. I recognize the valid concerns and criticisms that exist. But no platform is without flaws, and in some situations I simply can’t — or don’t want to — prioritize the idealistic view. Sometimes I just want to experiment and build, and Cloudflare makes that easy.
I do not think that's the author complaint, though. I frequently get these cloudflare captachas and it is why I disabled their firewall (it's pure garbage) for my own sites. Cloudflare does not have any monopoly over the services you mentioned (workers, tunnels, images, etc.) but they do have a kind-of-monopoly over DNS/CDN.
When they start charging per packet and making you money, you will become as dependent on them as Apple developers are on Apple, and you'll find out how nice they are.
I have the same fear of tailscale. They are so amazing I just want to move every piece of my infra to them, business and personal, my family's devices, everything. But over time I've gained this instinctive distrust for low friction from startups, especially when the effect (intended or not) is you forgetting how to manage your own tech.
> ... build checks and balances to avoid sleepwalking into a dictatorship.
This resonates well with me. I don't personally know the checks and balances that need to exist so that Cloudflare, or any big influential company, refrains from becoming evil. I find CF relying on open protocols for interoperability with vendors a very positive sign. I don't ever see them (or any company) backtracking of supporting some open standard once they already have support for it. I'm not aware of them having "custom" solutions that also don't have a spec for them. For example, they are absolutely best suited for the pay-per-[ai]crawl business model and if they wanted they could have easily taken advantage of their position. Instead they are relying on open standards and contributing to them. Paint me naive but this gives me a good deal of confidence of the short and medium term.
But I confess that I don't follow the company/market closely enough to know if that is enough or more is needed. More check and balances always seems good but I have no creativity in this regard. Perhaps that was one of my criticisms with the author's post - to collect all the bad press and identify the shortcomings but to stop short of digesting all those findings into a meaningful resolution.
If you check the most recent version of the report from Spamhaus (Jan to June 2025)[1], Cloudflare is nowhere to be seen, and Digital Ocean, who they recommend as a Cloudflare alternative is listed as third largest botnet host in the world.
Looking back through the historical reports this isn't a new phenomenon, in Q4 of 2022 Digital Ocean was ranked #2 and Cloudflare was down at #17.
[0]https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-thre...
[1]https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-thre...
My takeaway was basically that people use Cloudflare a lot because it is a strong service with a ton to offer at a very low price point. It's a bit like gmail - just very convenient and offers a lot for free or very cheap. Switching at that scale made a significant increase in their monthly bill.
I do applaud people who go out of their way to create alternatives to major services like cloudflare, gmail, chrome, etc. As an individual it can be hard to do though, or at least not always the path of least resistance.
If the all the ISPs can get the their networking knowledge up-to-date I can remove it.
I have set the protection level to the lowest setting to not trigger unnecessary capatchs.
There are plenty of applications where the bandwidth of PON fiber commonly deployed to homes is more than sufficient, and the extra latency is irrelevant.
Sure, it may be susceptible to DDoS attack, but if tens of millions of people were running personal and business systems from home it's debatable this would be less resistant than having a few centralized companies own us all.
I mean, I understand the opportunity for abuse, but if it displays fine as UTF8 in comments in the previous sentence it might make sense to display it correctly over there in the submission.
They might pressure you to switch to paid plans if you start getting PBs of traffic, but until that point they will deliver your content for free. It is a huge advantage. Specially when you consider the egress pricing of major cloud providers.
Not to mention all the alternatives are doing MITM anyway. So why single out Cloudflare?
Will their power only grow? Yup.
Cloudflare does not facilitate phising - it just made proxying and tunneling easier.
The breaches and bypasses mentioned are anything but - they are linking to a successful mitigation of an attack as if the attacker got away with something of value.
This entire article reeks of trying to fit the evidence to an agenda.
Considering they couldn't find actual evidence of problems and had to resort to mischaracterization this is actually a great reason to use Cloudflare.