Simplified Privacy

2nd Cloudflare hack reveals the dangers of them seeing ALL passwords

Cloudflare just revealed on their blog that back in November a sophisticated hacker, likely a nation state, got access to some of their servers. [1] They claim in their blog post that no customer data was stolen or accessed; however, even if true, this is not the point.

The point is that it’s morally wrong for such a centralization of traffic to be going to a single entity. I have complained many times about how the bulk of the internet uses Cloudflare’s CDN, and when they do, Cloudflare sees all SSL/TLS traffic, because you’re pointing the domain to them to distribute it. This means they see ALL passwords and have access to all cryptocurrency on centralized exchanges. One actor should not be securing all your secrets and acting as a gatekeeper to all human knowledge.

To quote Hacker News,

This hack demonstrates that one entity seeing everything makes them into a big target.

Past Issues

In fact, Cloudflare is so successful that their size makes them a bureaucracy that can be exploited. In a completely separate incident, Certitude’s researcher Stefan Proksch discovered that Cloudflare’s protection can be bypassed by abusing Cloudflare itself. [3a] This vulnerability stems from the fact that Cloudflare whitelists all traffic from Cloudflare domains. [3b] So if someone finds out the IP address of your VPS, they can point their own domain at it, and then register that domain with Cloudflare as a paying customer.

Then all traffic sent is whitelisted, and they can DDoS the VPS. [3c]
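To make the flaw concrete, here is an added example (not code from the article, Certitude, or Cloudflare) of an origin server’s admission check: the weak rule admits anything arriving from the CDN’s edge, which is exactly what lets a stranger route their own Cloudflare zone at your VPS, while the hardened rule also demands a secret that only the owner’s own zone injects. The edge ranges, header name and secret are constructed placeholders, not real Cloudflare values.

```python
# Added example: origin admission policies, weak vs. hardened.
import hmac
import ipaddress

# Constructed stand-in for the CDN's published edge ranges
# (documentation prefixes, not real Cloudflare addresses).
CDN_EDGE_RANGES = [ipaddress.ip_network("198.51.100.0/24"),
                   ipaddress.ip_network("2001:db8:100::/48")]

# Hypothetical header and secret that the site owner configures in their
# own CDN zone; a third party's zone has no way to learn it.
ORIGIN_SECRET_HEADER = "x-origin-secret"
ORIGIN_SECRET = "constructed-example-secret"


def from_cdn_edge(source_ip: str) -> bool:
    """True if the TCP peer address lies inside the CDN's edge ranges."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in CDN_EDGE_RANGES)


def weak_admit(source_ip: str, headers: dict) -> bool:
    """Flawed rule: trust every request that comes from the CDN's IP space."""
    return from_cdn_edge(source_ip)


def hardened_admit(source_ip: str, headers: dict) -> bool:
    """Require the CDN edge AND the owner's per-zone secret (constant-time)."""
    if not from_cdn_edge(source_ip):
        return False
    presented = headers.get(ORIGIN_SECRET_HEADER, "")
    return hmac.compare_digest(presented, ORIGIN_SECRET)


# Constructed requests as the origin would see them: (label, peer IP, headers).
SAMPLE_REQUESTS = [
    ("owner-zone", "198.51.100.7",
     {ORIGIN_SECRET_HEADER: ORIGIN_SECRET, "host": "example.com"}),
    ("attacker-zone", "198.51.100.9", {"host": "attacker.example"}),
    ("direct-to-origin", "203.0.113.5", {"host": "example.com"}),
]


def evaluate(policy) -> dict:
    """Apply one admission policy to every sample; returns label -> admitted."""
    return {label: policy(ip, hdrs) for label, ip, hdrs in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for name, policy in (("weak", weak_admit), ("hardened", hardened_admit)):
        print(name, evaluate(policy))
```

Under the weak rule the attacker’s zone is admitted alongside the owner’s; under the hardened rule only the owner’s zone gets through.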

In fact, when told about this by Certitude, it was dismissed by Cloudflare as informational only, because CDNs hide the original IP of the VPS servers. But this information can be obtained through phishing or psychological warfare. The email address of the domain registrant is public, and probably used to communicate with Cloudflare’s automated system. So an attacker can just pretend to be Cloudflare asking them to fill out a survey for a free bonus. And the survey asks for the IP address.

Conclusion

You have more power than you realize. Your economic choices matter more than political votes. Tell website owners you won’t continue to use their service, if they’re going to force you to submit to Cloudflare’s empire. All it takes is one site to crack. Two makes a trend.

Change is not impossible, it’s all in your state of mind. But people need to be made aware.

Spread this: for privacy, for security, for freedom.

The sources for this article can be found here.
