This is awesome to hear, and for all of the criticism Cloudflare has gotten in the past, they have spoken loudly against censorship, not just for people they like, but those they dislike as well. I'd much rather point my DNS at them than Google, an ad company where tracking is the whole business model.
On the other hand they've also censored some of their users without being legally obliged to do so on a couple occasions. They don't have a clean track record. I'd rather point my DNS settings at my own server than anyone else's.
I would much rather have a company with a long but nearly clean track record, than a short and spotless one.
The difference is that when a company with a spotless record decides it's time to change their ways, it can be a pretty radical change (look at Reddit). But with cloudflare I know we're a long way from that.
It's kind of absurd how everyone expects spotless companies. I'd like to live in that world as well but the reality of this one is that such companies do not exist. Cloudflare gets criticism on both too much censorship and not enough. I don't envy them...
My last point was that DNS is supposed to be decentralized. With a properly decentralized system, censorship becomes very difficult. We shouldn't rely on someone like Cloudflare or Google to provide us with DNS services.
It's a decentralized service, but at the end of the day, your PC's going to check one address. If it's not Cloudflare/Google/Quad9/etc., you're just going to be checking against your ISP. It's pretty beneficial, especially in certain countries, to have alternatives to the ISP's DNS.
So what's your thinking here? Cloudflare shouldn't offer to be one of the many pillars of that properly decentralized system?
I don't believe we are going to suddenly flock to cloudflare to provide all DNS ever. Between ISPs hardcoding or force-defaulting their own (awful) DNS servers, and the amount of geeks and IT techs who have memorized 8.8.8.8, we're safe for a long time. And if I'm wrong on that, that wouldn't speak highly of the "decentralized" nature of DNS, would it?
To sue someone for doing something illegal, you first need some evidence that they're doing it. Google heavily employs confidentiality for that reason. Case in point: Antitrust investigations across the globe were launched into the Android MADA... but that didn't happen until years later, when the confidential agreements were revealed in the Oracle v. Google case.
As long as nobody knew what was happening, it went unpoliced. One of the ongoing HR-related lawsuits explicitly claims Google prohibits employees from revealing illegal conduct that the company engages in.
How much tracking can you do on a v4 DNS? There can be thousands of people behind the same IPv4 at a given time, or it could change in a matter of minutes. A state could probably exploit that (as in there is a political opponent living at this address) but if the aim is just to track an individual's browsing habits I would think it is impractical.
My home IPv4 address from a major cable internet company hasn't changed in over a year and I don't have a static IP.
Even when they do change, knowing ping times plus IP address owner plus superficial usage patterns would easily be enough to narrow down to a single household. Many households will have a unique DNS footprint based on the exact makeup of internet connected devices in the household that are constantly phoning home.
People do often forget this about DHCP addresses: Most DHCP servers will renew your same IP for as long as practical, and this often spans years. At work, my NIC held its same lease for about two years, I was a little sad recently when I discovered it had finally changed.
How I monitor my house also lets me know when my public address changes, and it's extremely rare.
I have an IPv6 address that has never changed. My IPv4 address changes fairly often. The DHCP servers most definitely log the end-point MAC which can be tied directly by the ISP to my modem and router behind it. It's fairly easy to trace this stuff, if somewhat impractical.
Well, they do seem to plan to offer IPv6 DNS. And you'll probably want to be using that anyway, although they don't seem to recommend using that, as they mention it only briefly.
The privacy statements on this service are vague. Google makes specific and strong guarantees about what it does with DNS service logs. Google does not keep DNS logs with client IPs longer than 48 hours.
I also note that Cloudflare doesn't make a performance comparison with Google DNS.
But it is. They don't say what they do log. For example if I zero out the highest octet of your IP address and I log the ASN, I have effectively identified you without "logging your IP address".
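The two leaks raised above (a household's "phone-home" DNS footprint linking it across IP changes, and an ASN logged next to a partially zeroed address still pinning down one client) can be demonstrated on a small resolver log. The script below is an added illustration, not Cloudflare's or Google's code and not a claim about what either resolver logs; every log line is constructed, the prefixes come from RFC 5737 and the ASNs from the RFC 5398 documentation range. It zeroes the low octet (the usual "anonymization" variant; dropping any other octet leaks the same way), measures the resulting anonymity sets, and then re-links a household that changed address by the Jaccard similarity of the names its devices resolve:

```python
"""Re-identifying clients from 'pseudonymized' DNS resolver logs.

Added illustration (not Cloudflare's or Google's code, and not a claim about
what either resolver actually logs). Two effects from the thread are shown:

  1. Dropping one octet of the client IP but keeping the ASN leaves an
     anonymity set that is frequently a single client.
  2. The set of names a household's devices resolve while phoning home is a
     fingerprint that re-links the household after its IP changes.

Every log line is constructed; prefixes are from RFC 5737 and ASNs from the
RFC 5398 documentation range.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed resolver log entries: (client_ip, origin_asn, queried_name).
DAY1 = [
    ("203.0.113.10", 64496, "tv.vendor-a.example"),
    ("203.0.113.10", 64496, "printer.vendor-b.example"),
    ("203.0.113.10", 64496, "doorbell.vendor-c.example"),
    ("203.0.113.10", 64496, "news.example"),
    ("203.0.113.20", 64496, "thermostat.vendor-d.example"),
    ("203.0.113.20", 64496, "news.example"),
    ("192.0.2.40", 64498, "camera.vendor-f.example"),   # only client seen from this ISP
    ("198.51.100.5", 64500, "tv.vendor-a.example"),
    ("198.51.100.6", 64500, "tv.vendor-a.example"),
    ("198.51.100.7", 64500, "console.vendor-e.example"),
]
# Next day: the first household's lease moved to 203.0.113.77 on the same ISP.
DAY2 = [
    ("203.0.113.77", 64496, "tv.vendor-a.example"),
    ("203.0.113.77", 64496, "printer.vendor-b.example"),
    ("203.0.113.77", 64496, "doorbell.vendor-c.example"),
    ("203.0.113.77", 64496, "weather.example"),
    ("203.0.113.20", 64496, "thermostat.vendor-d.example"),
    ("198.51.100.9", 64500, "console.vendor-e.example"),
]


def pseudonymize(ip, asn):
    """The flawed scheme: zero the low octet of the address, keep the ASN."""
    packed = bytearray(ip_address(ip).packed)
    packed[-1] = 0
    return f"{ip_address(bytes(packed))}/AS{asn}"


def anonymity_sets(log):
    """Pseudonym -> set of real client IPs that collapse onto it.

    Size 1 means the 'anonymized' record still names exactly one client.
    """
    sets = defaultdict(set)
    for ip, asn, _ in log:
        sets[pseudonymize(ip, asn)].add(ip)
    return dict(sets)


def fingerprints(log):
    """Client IP -> set of names it resolved (its phone-home footprint)."""
    fp = defaultdict(set)
    for ip, _, qname in log:
        fp[ip].add(qname)
    return dict(fp)


def jaccard(a, b):
    """Set similarity in [0, 1]; 1.0 means identical footprints."""
    return len(a & b) / len(a | b) if a or b else 0.0


def link_sessions(old_log, new_log, threshold=0.5):
    """new_ip -> old_ip whose footprint is most similar, searched only within
    the same pseudonym bucket (ASN + truncated prefix already narrows it)."""
    old_fp, new_fp = fingerprints(old_log), fingerprints(new_log)
    bucket = {ip: pseudonymize(ip, asn) for ip, asn, _ in old_log + new_log}
    links = {}
    for new_ip, names in new_fp.items():
        candidates = [ip for ip in old_fp if bucket[ip] == bucket[new_ip]]
        best = max(candidates, key=lambda ip: jaccard(names, old_fp[ip]), default=None)
        if best is not None and jaccard(names, old_fp[best]) >= threshold:
            links[new_ip] = best
    return links


if __name__ == "__main__":
    for pseudo, ips in anonymity_sets(DAY1).items():
        print(f"{pseudo:<24} anonymity set size {len(ips)}: {sorted(ips)}")
    for new_ip, old_ip in link_sessions(DAY1, DAY2).items():
        print(f"{new_ip} on day 2 is probably {old_ip} from day 1")
```

On the constructed log the single customer of AS64498 survives pseudonymization unchanged, and the household that moved from 203.0.113.10 to 203.0.113.77 is re-linked because three of its four resolved names (TV, printer, doorbell) recur. A real resolver log has far more names per household and far more time, so the footprint only gets more distinctive; the threshold and the bucket restriction are illustrative choices, not tuned values.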
Had the Daily Stormer folks kept their mouths shut, they probably would've been fine.
And then Cloudflare continues on to describe why they don't think companies should censor content, whereas Google has numerous blogs and entire technologies revolving around how to censor content even more than they do now.
There's a difference between saying "[highly controversial statement]. We know company X will not censor us." and "[highly controversial statement]. We know company X will not censor us because the people at company X are really on our side!"
They really should have booted them for that reasoning rather than by feeling. They even have it in their Terms of Service (and when I looked, did have it at the time of terminating the site)
> Section 18 - Because Cloudflare has no control over such sites and resources, you acknowledge and agree that Cloudflare is not responsible for the availability of such external sites or resources, and does not endorse and is not responsible or liable for any content, advertising, products, or other materials on or available from such sites or resources.
It's a clear ToS breach, a bit of thought would have avoided the whole thing. You got lawyers on hand? Talk to lawyers!
There's a difference between supporting someone's free speech in general and whether you want to continue with them in a business relationship because they are abusing you specifically.
I may support my friend's right to free speech in general, but if they are at my house and start bad-mouthing me and my family, I'll ask them to leave. They can still say what they want (if not libel/slander), but they don't need to do it in my house. They can go say it elsewhere.
> If this is true [Daily Stormer made the claim that CloudFlare were secretly supporters], then I agree with the takedown [...] But in this interview, the CEO says something totally different
To me that's almost the exception that proves the rule.
If someone tells me they have a 100% SLA I write them off as a liar, but tell me you have a 99.995% SLA and have only ever had this one exception and here's why, that builds much more trust with me.
Your reasoning is like saying "the canary only disappeared once, and knowing that it can indeed disappear bolsters my confidence in it now that it has returned."
No, it's a matter of reality matching expectations. If you expect that the SLA has very likely been violated at some point, hearing that it has not means you should believe you have just been very likely lied to given your existing knowledge, unless you are considering that statement as a source of truth itself.
If you expect that the SLA has very likely been violated at some point, hearing that it has at some point means that the statement confirms to what you already believe to be true given your existing knowledge. That doesn't mean the statement is true, but since it's not obviously conflicting with what you already believe to be true, it at least allows you to believe it is not immediately false.
Instead of thinking about it increasing the likelihood of being entirely true, think about it as decreasing the likelihood it's entirely false. Depending on your point of view that may not be much, but it's something.
>No, it's a matter of reality matching expectations.
What an agent tells me is what they choose to tell me. You're describing some sort of luck-based updating via that third party's choice.
I don't live in a tinseltown universe full of model trains and animatronic NPCs. None of us do. All reasoning about real-world agents is subject to incomplete information and uncertainty.
That much is trivial. More, it's mutually understood to be the case.
Also mutually understood: basic world knowledge stemming from the same. These are principles simple enough to be patronizing in written description, yet persistently ignored or misused at implementation-level. Like:
1. Actors are variably susceptible to errors in reasoning under uncertainty
2. Actors are variably skilled at exploiting 1 to modulate 3rd party behavior
3. Actors are variably motivated to make use of 1-2
It follows from the above that allowing an actor to subtly shift your expectations as if you ever held a platonic model of their behavior is simply a cognitive error. There's no way around it.
Take the "99.995% SLA" example.
In the absence of that figure, would you have assumed a God-Mode level of performance? Clearly not. You can cross all the factors like whether you care about the figure, whether it's above or below average, whether disclosure is standard in this context, … to just enumerate all the cases and see clearly that there's no time when this information is surprising.
I mean, just look at a top Google hit for SLA⁽¹⁾. You really think a CIO reader is in any way surprised to hear that some metric they negotiated into a contract indeed holds? Or that it doesn't?
Continuing: A figure like 99.995% is well within reasonable bounds for any number of business processes, so it's not necessarily false precision here. What it almost definitely is, however, is precision in pursuit of persuasion.
There are plenty of industries for which exacting figures at the high end of some performance criterion — manufacturing quality, service availability, measurement accuracy, etc — are essential to informed consumer behavior. Those industries almost universally have norms or regulations setting out certain expectations about what will be found on a specsheet, how units will be tested, how this information will be reported. If not, the spiel is just spiel.
Facts and figures as token gestures of fallibility, however, are confidence tricks.
I already know you're fallible. You cannot sway this comprehension by reframing around some very likely sort of figure: charm pricing⁽²⁾ and related uses of odd figures are marketing weaselry targeting plebs. To point these things in the direction of clientele is to tell them how much you think of their ability to resist bullshit-fatigue.
My feels about whether I'd wanna have a beer with <The Guy>, modulated by his current demeanor toward me or whatever audience he imagines me to be a member of, do not determine his fitness for any high-stakes job.
The same is true here.
Cloudflare is in the MITM business. Absolutely trusted at no point in time, independent of whatever cost/benefit has gone into the decision to use a MITM. This isn't even defeated by being too big a client to lose: if you were big enough to be a lifeline for cloudflare, you'd have no need for cloudflare.
They also went out of their way to automatically treat them as more questionable by default. Unless the website operator explicitly whitelists Tor, Tor users are given a worse experience.
This probably isn't really correct. Their blog says that 94% of the traffic they were getting over Tor was malicious, and since they probably automatically put IPs where a lot of malicious traffic comes from on the CAPTCHA list, my guess is all the Tor nodes got flagged automagically.
What they went out of their way to do, was explicitly make it less painful for legitimate users to use Tor, despite the amount of malicious content they get from Tor. I'd argue for most companies, if 94% of the traffic from somewhere is malicious, the answer is "block it and be done with it", but clearly, Cloudflare actually values Tor and what it stands for enough to come up with a workaround.
"They also went out of their way to automatically treat them as more questionable by default."
nope, you're spreading un-sourced/unconfirmed FUD. Provide a source, or this is just FUD. Tor IPs are treated like any other IP by default, not "more questionable by default".
Perhaps they've changed it since last time I looked a few years ago. You're right, I can't find the tor-specific anything anymore. I ditched Cloudflare years ago and haven't checked back in a while. I rather distinctly remember a default setting that explicitly talked about how it treated Tor users. I don't see that setting anymore.
Not sure your point. Who exactly do you anticipate is opting?
The website owner's settings defaults to secure, and they can intentionally take action to make the website less secure if they'd like to. That is their decision, of course we do not default to a less secure posture.
What I meant. This default setting is the reason why Cloudflare is not off the hook here. This is the default, so website owners who don't care or know about it won't change it. Like all default settings where you have to actively change it.
CF invests a lot of work into Privacy Pass, which is a crypto token system to allow Tor browsers to verify they're human without giving up anonymity: https://privacypass.github.io/
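The mechanism that lets a token prove "a human solved a challenge earlier" without letting the server link issuance to redemption is an oblivious PRF evaluated on a blinded point. The script below is an added example, not Cloudflare's Privacy Pass implementation: Privacy Pass v1 is a VOPRF over P-256 with a batched DLEQ proof (so clients can check that the server uses one key for everyone) and its own wire format, whereas this toy keeps only the OPRF exchange, omits the DLEQ proof (so here a server could tag clients with per-client keys unnoticed), and writes the P-256 arithmetic out in plain, non-constant-time Python. The `Issuer`/`Client` classes, the `toy-pp` domain separator and the HMAC-based redemption tag are this example's own choices:

```python
"""Core of the Privacy Pass idea: an OPRF evaluated on a blinded point.

Added example, not Cloudflare's Privacy Pass code. It keeps only the OPRF
exchange (no DLEQ proof, no real wire format); curve constants are NIST
P-256 and the arithmetic is plain affine Python, not side-channel safe.
"""
import hashlib
import hmac
import secrets

# NIST P-256: y^2 = x^3 - 3x + B over GF(P); group order N, cofactor 1.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = -3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    acc, addend = None, point
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def hash_to_curve(msg):
    """Try-and-increment. P = 3 mod 4, so v^((P+1)/4) is a square root of v
    whenever v is a quadratic residue; otherwise bump the counter and retry."""
    for counter in range(256):
        x = int.from_bytes(hashlib.sha256(msg + bytes([counter])).digest(), "big") % P
        rhs = (pow(x, 3, P) + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
    raise ValueError("no curve point found")


def mac_key(point):
    """Redemption key derived from the OPRF output k*H(token)."""
    x, y = point
    return hashlib.sha256(b"toy-pp" + x.to_bytes(32, "big") + y.to_bytes(32, "big")).digest()


class Issuer:
    """Server: holds the OPRF key k, signs blinded points, redeems tokens."""

    def __init__(self):
        self.k = secrets.randbelow(N - 1) + 1
        self.spent = set()                        # double-spend list

    def sign(self, blinded):
        return ec_mul(self.k, blinded)            # sees r*H(t); learns nothing about t

    def redeem(self, token, tag, request):
        if token in self.spent:
            return False
        key = mac_key(ec_mul(self.k, hash_to_curve(token)))
        expected = hmac.new(key, request, "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            return False                          # forged, or tag bound to another request
        self.spent.add(token)
        return True


class Client:
    """Client: blinds H(t) with a fresh r, unblinds the response, spends later."""

    def __init__(self):
        self.tokens = []                          # (t, k*H(t))

    def issue(self, issuer, count=1):
        for _ in range(count):
            t = secrets.token_bytes(32)
            r = secrets.randbelow(N - 1) + 1
            signed = issuer.sign(ec_mul(r, hash_to_curve(t)))
            self.tokens.append((t, ec_mul(pow(r, -1, N), signed)))   # r^-1 * k*r*H(t) = k*H(t)

    def spend(self, request):
        t, point = self.tokens.pop()
        return t, hmac.new(mac_key(point), request, "sha256").digest()
```

Usage: `client.issue(issuer, count=30)` after one CAPTCHA, then `token, tag = client.spend(request_bytes)` per gated request and `issuer.redeem(token, tag, request_bytes)` on the server. Because the issuer only ever saw `r*H(t)` for a uniformly random `r`, the redeemed `(t, k*H(t))` is unlinkable to the issuance session; the spent-set gives single use, and binding the tag to the request stops a token captured in transit from being replayed against a different URL.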