Subj : Re: Advice on self-hosting a website?
To   : Arelor
From : dflorey
Date : Tue Apr 08 2025 09:00 pm

Ar> I don't have qualms with CloudFlare as an administrator, other than being
Ar> extremely anti-user.
Ar>
Ar> First of all, since a lot of webmasters are placing their sites behind
Ar> CloudFlare for no practical reason, CloudFlare gets to see a whole lot of
Ar> Internet traffic. Having too powerful entities watching and controlling
Ar> Internet traffic is problematic. For example, CloudFlare can (and does)
Ar> unilaterally decide which search engines are allowed to scan CloudFlared
Ar> websites and everybody who isn't Alphabet, Microsoft or a big money
Ar> agency is just not going to reliably create a competing search engine
Ar> because CloudFlare will axe so much of the Internet down for them.
Ar>
Ar> Then there is the fact that their TLS acceleration plans are of dubious
Ar> utility. The one in which they act as TLS terminators is specially bad:
Ar> end users connect to CloudFlare using a TLS connection controlled by
Ar> CloudFlare and the encryption is broken on the CloudFlare end. Then
Ar> CloudFlare proxies the requests to the CloudFlared webserver. Mind you,
Ar> I think it used to be the case that the CloudFlare-WebServer connection
Ar> was not necessarily tunneled. This represented a huge breach of trust -
Ar> when I visit a random site and get an https connection, the expectation
Ar> is that your session is encrypted up to the web host. However, even if
Ar> they are encrypting the backend connection now (which I doubt is the
Ar> case for all plans) it is still a breach of trust because the TLS
Ar> connection is being terminated way before it reaches its destination.
Ar>
Ar> Also CloudFlare (and many cheapo web application firewalls) will reject
Ar> legitimate mainstream web browsers when it fits them. Are you using
Ar> Firefox? Don't dare customize your browser too much because you may end
Ar> up getting captchaed to death. Don't dare visiting a CloudFlared site
Ar> using Tor and Javascript disabled, even if the site itself is a static
Ar> wallhanger.

Yep, all very valid points. As for the backend TLS encryption on free plans - yes this is now supported, but yes, 1) the admin has to configure that, and 2) yes, a break in trust from an end user pov.

Dave! (dflorey)
Retro16 BBS --> bbs.retro16.com (WIP)
No one expects the Spanish inquisition!

--- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
 * Origin: Retro16 BBS (21:1/226)