Cloudflare just revealed on their blog that back in November a sophisticated hacker, likely a nation state, got access to some of their servers. [1] They claim in their blog post that no customer data was stolen or accessed, however even if true, this is not the point.
The point is that it’s morally wrong for such a centralization of traffic to be going to a single entity. I have complained many times about how the bulk of the internet uses Cloudflare’s CDN and when they do, Cloudflare sees all SSL/TLS traffic, because you’re pointing the domain to them to distribute it. This means they see ALL passwords and have access to all cryptocurrency on centralized exchanges. One actor should not be securing all your secrets and act as a gatekeeper to all human knowledge.
To quote Hacker News,
“The incident involved a four-day reconnaissance period to access Atlassian Confluence and Jira portals, following which the adversary created a rogue Atlassian user account and established persistent access to its Atlassian server to ultimately obtain access to the Bitbucket source code management system by means of the Sliver adversary simulation framework.
As many as 120 code repositories were viewed, out of which 76 are estimated to have been exfiltrated by the attacker.
“The 76 source code repositories were almost all related to how backups work, how the global network is configured and managed, how identity works at Cloudflare, remote access, and our use of Terraform and Kubernetes,” Cloudflare said.” [2]
This hack demonstrates that one entity seeing everything makes them into a big target.
Past Issues
In fact Cloudflare is so successful, that their size makes them a bureaucracy that can be exploited. In a completely separate incident, Certitude’s researcher Stefan Proksch discovered that Cloudflare is vulnerable through abusing Cloudflare itself. [3a] This vulnerability stems from the fact that Cloudflare whitelists all traffic from Cloudflare domains. [3b] So if someone found out the IP address of your VPS, they can point their own domain to it, and then register that domain with Cloudflare as a paying customer.
Hacker’s Domain → Your VPS
Then all traffic sent is whitelisted, and they can DDoS the VPS. [3c]
In fact, when told about this by Certitude, it was dismissed by Cloudflare as informational only, because CDNs hide the original IP of the VPS servers. But this information can be gotten through phising or psychological warfare. The email address of the domain registrant is public, and probably used to communicate with Cloudflare’s automated system. So an attacker can just fake being Cloudflare asking them to fill out a survey for a free bonus. And on the survey is asking the IP address.
Conclusion
You have more power than you realize. Your economic choices matter more than political votes. Tell website owners you won’t continue to use their service, if they’re going to force you to submit to Cloudflare’s empire. All it takes is one site to crack. Two makes a trend.
Change is not impossible, it’s all in your state of mind. But people need to be made aware.
Spread this: for privacy, for security, for freedom.
The sources for this article can be found here.