Cloudflare's MITM attack
October 12, 2014
What’s a MITM attack?
There’s a good explanation here but the short version is MITM stands for man-in-the-middle attack.
Why do I say Cloudflare is MITM attacking us?
Because that’s what Cloudflare is doing.
As I mentioned in the last post, Cloudflare provides
- a CDN (content delivery network)
- content (such as JS and CSS) compression
- apps such as Google Analytics and A Better Browser
- offline cache in case of the unlikely event that Github Pages is offline
- free SSL
To do all these things, instead of the straightforward
User’s browser ↔ ↔ Github Pages’s server
Cloudflare does this (called Full SSL)
User’s browser ↔ ↔ Cloudflare’s server ↔ ↔ Github Pages’s server
Why trust Cloudflare?
- more trust is placed in Cloudflare than is needed for the benefits it brings,
- there is no saying whether Cloudflare will behave the same way in the future,
- even if we trust Cloudflare, there may be security breaches, legal measures or other issues that effectively allow a third party to MITM us via Cloudflare,
- and other arguments
These arguments are all very true. By putting Cloudflare in this position, I give it a lot of power to change what is served to visitors. Furthermore, it is not possible right now to lock down how Cloudflare changes the site. I can verify that Cloudflare is altering the site exactly as I tell it to by constantly checking the source code, but that’s tedious and time-consuming.
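One way to automate the check described above, as an added example (not code from this site or from Cloudflare): it compares the page held at the origin with the page the edge served and reports any script, link, form target or event handler that was added or removed, except additions the owner enabled. The sample pages, the `analytics.example` and `other.example` hosts and the allowlist are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

class ActiveContent(HTMLParser):
    """Collect everything in a page that loads a resource, links out or runs code."""
    def __init__(self):
        super().__init__()
        self.items, self._inline = set(), None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and not a.get("src"):
            self._inline = []                      # start buffering an inline script
        for key in ("src", "href", "action"):
            if a.get(key):
                self.items.add((tag, a[key]))
        for name in a:
            if name.startswith("on"):              # onclick, onload, ...
                self.items.add(("handler", f"{tag}.{name}={a[name]}"))
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            # Strip all whitespace so whitespace-only minification is not flagged.
            body = "".join("".join(self._inline).split())
            self.items.add(("inline-script", hashlib.sha256(body.encode()).hexdigest()))
            self._inline = None

def active_content(html):
    parser = ActiveContent()
    parser.feed(html)
    parser.close()
    return parser.items

def unexpected_changes(origin_html, served_html, allowed=()):
    """Return (added, removed) active content, ignoring additions in `allowed`."""
    origin, served = active_content(origin_html), active_content(served_html)
    return sorted(served - origin - set(allowed)), sorted(origin - served)

# Constructed sample pages: what the origin holds vs. what the edge returned.
ORIGIN = ('<head><link rel="stylesheet" href="/css/site.css">'
          '<script>var a = 1;\n  go(a);</script></head><body><img src="/logo.png"></body>')
SERVED = ('<head><link rel="stylesheet" href="/css/site.css"><script>var a=1;go(a);</script>'
          '<script src="https://analytics.example/ga.js"></script></head>'
          '<body><img src="/logo.png"><script src="https://other.example/x.js"></script></body>')
ALLOWED = {("script", "https://analytics.example/ga.js")}  # app the owner switched on

print(unexpected_changes(ORIGIN, SERVED, ALLOWED))
```

Only whitespace differences in inline scripts are tolerated; a minifier that renames identifiers would be reported as a change and need its own allowlist entry.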
Given so many reasons against Cloudflare, there’s one big reason why Cloudflare is a trusted attacker: my time and money.
The main reason I outsource SSL, CDN and hosting to Github Pages and Cloudflare is to avoid setting up a server. Servers take time to maintain and keep up to date with security updates. The worst thing would be for my server to be part of a botnet (say via Shellshock remote code execution). Shared hosting often does not enable the newest features (SPDY or to-be HTTP/2, up-to-date SSL settings). Right now, using Cloudflare and Github Pages has saved me a bunch of time and money setting up the site. Without these services, this site would not exist at all. Without Cloudflare, this site would be served over HTTP, open for all.
In general, I view the biggest threat facing the Internet as the astonishing number of sites without SSL. Over HTTP, your ISP or the person sitting next to you in Starbucks can change what you see with ease. ISPs can inject ads or change links to earn money. The person at the next table? I agree with Alex Gaynor that HTTP should be considered unethical given how easily HTTP gives away the privacy of visitors. Enabling SSL with just a click lowers the barrier for many sites, and should be considered a big step forward.
Of course, things can change rapidly in the future. We’re in this situation right now because the CA model is very broken. A bad CA or Cloudflare turning rogue (no!) can churn out forged certs for major sites. Replacements have been proposed but there has been no major adoption yet. I look forward to a better model for the Internet, and maybe at that point this post can be updated.
Short URL: https://😂.cf/cfmitm