Cloudflare's MITM attack

October 12, 2014

Having recommended Cloudflare in my last post, this post seems to negate all of that. How can you use a service that is MITM attacking you?

What’s a MITM attack?

There’s a good explanation here, but the short version is that MITM stands for man-in-the-middle attack.

For an HTTPS MITM, a third party intercepts the secure HTTP connection between the user and our server and injects data and code. Depending on the attacker’s intentions, it could be Google Analytics code letting us know how visitors use our websites, or JavaScript redirecting users to the attacker’s site. So the end result could be good, or very, very bad.

Why do I say Cloudflare is MITM attacking us?

Because that’s what Cloudflare is doing.

As I mentioned in the last post, Cloudflare provides

  • a CDN (content delivery network)
  • content (such as JS and CSS) compression
  • apps such as Google Analytics and A Better Browser
  • offline cache in case of the unlikely event that Github Pages is offline
  • free SSL

To do all these things, instead of the straightforward

User’s browser ↔ 🔒 ↔ Github Pages’s server

Cloudflare does this (called Full SSL)

User’s browser ↔ 🔒 ↔ Cloudflare’s server ↔ 🔒 ↔ Github Pages’s server

Cloudflare's Full SSL (Strict)

You can see a nicer version of these diagrams on Cloudflare’s blog. So by the definition of MITM, Cloudflare “attacks” the HTTPS connection, changes content (content compression) and injects JavaScript (Google Analytics).

Why trust Cloudflare?

Obviously, I placed Cloudflare in this position because I trust them. There are some posts, and others I haven’t linked here, arguing that

  • more trust is placed in Cloudflare than is needed for the benefits it brings,
  • there is no guarantee that Cloudflare behaves the same way in the future,
  • even if we trust Cloudflare, there may be security breaches, legal measures or other issues that effectively allow a third party to MITM us via Cloudflare,
  • and other arguments.

These arguments are all very true. By putting Cloudflare in this position, they are given a lot of power to change what is served to visitors. Furthermore, it is not possible right now to lock down how Cloudflare changes the site. I can verify that Cloudflare is altering the site exactly as I tell them to by checking the source code constantly, but that’s tedious and time-consuming.
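One way to make that check less tedious, as an added example that is not from the original post: a small Python script that compares the `<script>` elements of the page as the origin serves it against the copy served through the edge, and reports anything the edge added. The two HTML documents below are constructed samples standing in for the origin and edge responses.

```python
"""Report <script> elements present in the edge-served copy of a page
but absent from the origin copy (constructed sample inputs, not live fetches)."""
import hashlib
from html.parser import HTMLParser

# Constructed sample: what the origin (e.g. Github Pages) returns.
ORIGIN_HTML = """<html><head><title>Blog</title>
<script src="/assets/site.js"></script></head>
<body><p>Hello</p></body></html>"""

# Constructed sample: the same page as returned by the CDN edge, with
# one external and one inline script added along the way.
EDGE_HTML = """<html><head><title>Blog</title>
<script src="/assets/site.js"></script>
<script src="https://cdn.example/analytics.js"></script></head>
<body><p>Hello</p>
<script>window.__tracker = 1;</script></body></html>"""


class ScriptCollector(HTMLParser):
    """Record each script as ('src', url) or ('inline', sha256 of its body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src))
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip().encode()
            self.scripts.append(("inline", hashlib.sha256(body).hexdigest()))
            self._in_script = False


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def injected_scripts(origin_html, edge_html):
    """Scripts found in the edge copy that the origin copy does not contain."""
    origin = set(collect_scripts(origin_html))
    return [s for s in collect_scripts(edge_html) if s not in origin]


if __name__ == "__main__":
    for kind, value in injected_scripts(ORIGIN_HTML, EDGE_HTML):
        print(f"injected {kind}: {value}")
```

Run against real responses, the same diff flags any script the edge adds that you did not configure, and hashing inline bodies catches a changed script even when its position is unchanged.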

Given so many reasons against Cloudflare, there’s one big reason why Cloudflare is a trusted attacker: my time and money.

The main reason I outsource SSL, CDN and hosting to Github Pages and Cloudflare is to avoid setting up a server. Servers take time to maintain and keep up to date with security updates. The worst thing would be for my server to become part of a botnet (say via Shellshock remote code execution). Shared hosting often does not enable the newest features (SPDY or the upcoming HTTP/2, up-to-date SSL settings). Right now, using Cloudflare and Github Pages has saved me a bunch of time and money setting up the site. Without these services, this site would not exist at all. Without Cloudflare, this site would be served over HTTP, open for all.

In general, I view the biggest threat facing the Internet as the astonishing number of sites without SSL. Over HTTP, your ISP or the person sitting next to you in Starbucks can change what you see with ease. ISPs can inject ads or change links to earn them money. The person at the next table can do the same. I agree with Alex Gaynor that HTTP should be considered unethical given how easily HTTP gives away the privacy of visitors. Enabling SSL with just a click lowers the barrier for many sites, and should be considered a big step forward.

The future

Of course, things can change rapidly in the future. We’re in this situation right now because the CA model is very broken. A bad CA or Cloudflare turning rogue (no!) can churn out forged certs for major sites. Replacements have been proposed but there has been no major adoption yet. I look forward to a better model for the Internet, and maybe at that point this post can be updated.

Short URL: https://😂.cf/cfmitm
