AppImage / appimage.github.io

Given a URL to an AppImage, the GitHub action in this project inspects the AppImage and puts it into a community-maintained catalog.
https://appimage.github.io/

Investigate CloudFlare for https://hub.appimage.org #60

Closed probonopd closed 7 years ago

probonopd commented 7 years ago

https://blog.cloudflare.com/secure-and-fast-github-pages-with-cloudflare/

TheAssassin commented 7 years ago

I highly dislike CloudFlare for several reasons. First of all, as a core infrastructure provider, they have way too much power and control over the internet and its contents. The CEO recently said, self-mockingly, that he can just order a shutdown of a page, and the page will die quickly. When the internet became part of all our lives, the decentralized approach was a great idea, and highly appreciated. Nowadays, a few big companies have pretty much all the control over the internet and its contents, make money off users' data, and are able to spy on everyone, even track all page visits. I don't think any serious project should support these business models and expose their users to these risks.

As mentioned before, there are a lot of privacy issues. As a MITM proxy, the company reads any of the contents, re-encrypts it (actually, that's optional!), and sends it to the originating server. They can manipulate the data stream to their liking, and you can't do much about it. Passwords, sensitive private data, confidential information etc. are sent through their servers, because due to how they work, there can't be end-to-end encrypted connections any more. Thinking about them being a US company, while believing my data will reach the actual server correctly and unmodified, I have great doubts that they're not snooping and reading/processing the data in a way neither I nor the CloudFlare customer can control.

Then, they don't like Tor and make it really hard for users of it (and probably other VPNs as well) to visit such pages. You can't switch that off as far as I know; you can either accept this or even prohibit these technologies completely. People who rely on privacy-enhancing technology like Tor or VPNs will have a terrible experience.

As an example, I recently saw such a "privacy enhancing feature" which they apparently activated without the service user's consent. They replaced an e-mail address with some backlink to their page explaining they removed it for privacy reasons. The problem was that it was a mailing list archive, where e-mail addresses are published on purpose. This doesn't have anything to do with a neutral internet. I even think their model might be illegal to some extent in the EU, considering these "enhancing" technologies are sometimes activated and enforced without either the user's or provider's consent.

Another problem with them is that since they are such a widespread service, they can track you on most sites you use every day. They can create usage profiles, and you can never know who they share them with. There were rumors about CloudFlare being quite willing to share that data with law enforcement agencies. Since they are based in the USA, you can guess which agencies they'd most likely be interesting to. If you host your servers in the EU, but use this service, all your data is processed by a US company, and we all know how likely it is that the user privacy is compromised. (As a non-US citizen, you don't have any rights on the internet anyway, that's what the USA thinks and does. And as soon as some "crime" is somehow related to the internet, the US law enforcement agencies think they have world-wide power. Everyone is pretty much at risk of being subject to law enforcement investigations, all the time.)

A lot of privacy advocates criticize their "free" business model. I guess anyone knows that you pay for "free" services as well, just not with money but rather with data. By using CloudFlare, you basically sell the data your users create to CloudFlare but get a "free" CDN service. I'd rather pay for the service and know that my users' privacy is protected.

Links:

To be fair, some of the privacy-related issues might not directly apply to your use case of CloudFlare. But the majority still applies. CloudFlare-side user tracking etc. is still a problem, just like all the data manipulation. As long as you don't necessarily have to use such a service (I accept that for services frequently being subject to DDoS attacks it is a must to use CloudFlare or some competitor, otherwise they couldn't operate at all... Thanks, asshole script kiddies who feel cool wasting others' time (user and provider), others' money (provider, mostly) and energy (power consumption for no reason isn't ecological)). The fact it's a US service doesn't make me a fan of it either, as AppImageHub could be hosted in the EU without much effort.

I'd like to cite one of the Reddit users whose post can be found on the link posted above:

The first step to data currency is having the data. You do this with promises of privacy protection, earning trust of customers. The second step is to monetize it and monetizing it almost always means data sharing. -- FluentInTypo, https://www.reddit.com/r/privacy/comments/41cb4k/be_careful_with_cloudflare/cz1k89p/

P.S.: I don't like GitHub pages for most of these reasons either. For development, it's quite convenient, and even I use it. But I wouldn't want to host my web services on it, because non-developing users don't need to suffer from using a US service. This is why I strictly split up development and deployment.

TL;DR: I wouldn't use either GitHub pages or CloudFlare for hosting AppImageHub. The loss of control over most aspects of the communication between my users and my systems is not acceptable to me. Although there's no confidential data sent over their services, a lot of personal metadata is still generated. Both companies can and will track users. For these reasons, I'd rather go for self-hosting on infrastructure maintained by the AppImage maintainers, or pay for some webspace hosted by a privacy-aware company.

P.S. the second: I also try to get rid of any kind of CDN in general; I replace any of that functionality in any CSS/JS/web framework as far as possible as well (most of them activate CDN functionalities, e.g. Gitea, which at least allows you to deactivate the CDN and serve the static files from your own server). They are not that evil, but still problematic.

probonopd commented 7 years ago

Thanks for the detailed analysis. This will rule out CloudFlare for now then. Something peer-to-peer would be better, anyway. For example https://zeronet.io/. Which is another reason why we need a static site ;-) It even has (beginnings of) torrent support https://github.com/rllola/zeronet-torrent-plugin where possibly we could even hook in our binary delta updates.

GitHub will be the "source of truth" (unless they screw up badly or something better emerges) but I'd be happy to see mirrors over traditional and p2p networks.

TheAssassin commented 7 years ago

Well, you will have to make a decision on the hosting model you want to use. The analysis also explains several issues with GitHub pages itself, and any other kind of CDN service, or free hosting provider just like GitHub pages.

probonopd commented 7 years ago

Will not use CloudFlare due to the reasons given above.