Author did a surprisingly good job hanging on to all the receipts to support his claim "cloudflare bad." But his alternatives are all CDN providers - which is not even the side of the business that makes cloudflare unique and makes them money. The piece, thorough as it may be, does not offer alternatives to products that cover the exciting parts of their business and I was looking forward to seeing what those were - for example tailscale or Pangolin (open source alternative to Cloudflare Tunnels) or equivalents for serverless/edge compute. This makes it feel as if the author does not _really_ understand cloudflare's role/position and that this article is just a collection of links that report on the company's (valid) imperfections. For example, their workers platform, DDoS protection, and software-defined network functions (WAN, firewall, Zero-trust, etc) have made my life as a developer in my last few roles very productive and successful. And migrating away from those services was just as easy as signing up.
It might sound like I am defending cloudflare, but I am not. I share the author's concern about them becoming a monopoly that MITM's a lot of the Internet. But the author provides no evidence for this claim. My experience has been the opposite: cloudflare interoperated with legacy systems and other cloud providers without locking us in or using anti-competitive tactics. Their presence often improved integration even when other vendors didn’t reciprocate. When people flock to a service because it’s genuinely useful rather than "can't leave Hotel California", that’s not a monopoly — it’s market preference.
That said, there is a real risk if innovation stalls or leadership becomes greedy. Companies that stop innovating sometimes resort to aggressive or extractive practices to stay relevant. It seems to be the trend once companies get too big to die - innovation stalls and their flywheel slows and they become desperate (or greedy) to stay relevant. I would monitor for those signs before I sound any alarm.
Exactly this - CDN is the one thing I don’t use Cloudflare for.
As a web developer, I love how effortless it is to spin up a static site for free using their Pages or Workers features. Sure, I could rent a small server or even host projects on a home setup, but often I just want something simple, fast, and hassle-free - and Cloudflare delivers that at zero cost.
Has this convenience led me to spend money with them? Absolutely. These days I even rely on Cloudflare for DNS management, simply because their interface and overall experience are far better than what I was using before I found them.
That said, I’m not here to defend the company uncritically. I recognize the valid concerns and criticisms that exist. But no platform is without flaws, and in some situations I simply can’t — or don’t want to — prioritize the idealistic view. Sometimes I just want to experiment and build, and Cloudflare makes that easy.
The Internet runs at the will of the government(s). Every government (national, regional, local) has regulations that must be obeyed. Depending upon where you live, some of those regulations may be kept secret from those most affected. An entity like Cloudflare is a juicy target that can be used cooperatively, or abused uncooperatively by those enforcing the regulations.
So Cloudflare has solved one problem (DDoS), while creating several new ones, which most people feel is a fair trade, but it's not a perfect world and there is no perfect solution.
>Think about the consequences of that. Anyone who connects to your site from China is MITM by Alibaba.
Source? AFAIK their China product is entirely separate and you need to specifically sign up for it. AWS/Azure have similar arrangements in China but you wouldn't say the Cloudfront users are getting MITMed by the CCP.
I noticed this years ago while in China. I saw someone at a bar with a laptop out using my web site. I went and chatted him up, and I noticed a different TLS certificate, I don't recall if he moused over the lock icon or if his browser, or back then when browsers showed the issuer in the address bar. Freaked me out.
Apparently it's JD Cloud now. Or maybe it was the, and I don't recall correctly. It was a Chinese company, and it really freaked me out when I saw it.
Our company did not do any configuration to enable this behavior. This was in 2017.
AWS was a completely separate entity in China at the time. Fully backdoored of course. Opening an account there required a local company.
With Cloudflare, they were straight up MITM our site which had nothing to do with China at all.
Are you sure they weren't using a corporate machine with some sort of MITM proxy? That seems far more plausible than what you're suggesting. Moreover it's unclear why they'd even bother minting a new certificate for the China side, rather than copying the certificate like they do for all their other POPs.
Yes, I haven't done CDN work in a few years, but AFAIK that applies to all of the cloud "partners" in PRC as well. The customer needs to sign up with the PRC entity, provide ICP & local contacts, etc.
I would say that any MIIT approved infrastructure provider _is_ co-opted by the CCP. It's the entire point of requiring ICPs, tying the ICPs to network addresses/endpoints, and infra providers to be local entities; the MIIT gets their MITM equipment and RTBH routes directly into the provider's local DC.
I think it's not just about proving a claim. The same argument that in a democracy, you should build checks and balances to avoid sleepwalking into a dictatorship, is valid for companies, especially internet companies. Look at Google, Apple, Microsoft, Facebook and friends. Cloudflare plays nice because it wants to frictionlessly slide into a position where it can extract rent. Today, they are powerful but are not there yet. They're easy to migrate out of because their offerings, amazing as they are, are not irreplaceable so people cannot yet be made hostages. Mostly what happens is your customers feel like CF is holding you for ransom without you knowing it.
When they start charging per packet and making you money, you will become as dependent on them as Apple developers are on Apple, and you'll find out how nice they are.
I have the same fear of tailscale. They are so amazing I just want to move every piece of my infra to them, business and personal, my family's devices, everything. But over time I've gained this instinctive distrust for low friction from startups, especially when the effect (intended or not) is you forgetting how to manage your own tech.
I am using Cloudflare as a back-end and only using workers (can disable all their security, performance, caching, and whatever stuff they offer; which is really just a worker). The product (workers) is differentiated and I don't think there is any company/service out there that is offering an equivalent.
I do not think that's the author's complaint, though. I frequently get these cloudflare captchas and it is why I disabled their firewall (it's pure garbage) for my own sites. Cloudflare does not have any monopoly over the services you mentioned (workers, tunnels, images, etc.) but they do have a kind-of-monopoly over DNS/CDN.
Load of bull.
Every article linked in this is either wrong or mischaracterized.
Cloudflare does not facilitate phishing - it just made proxying and tunneling easier.
The breaches and bypasses mentioned are anything but - they are linking to a successful mitigation of an attack as if the attacker got away with something of value.
This entire article reeks of trying to fit the evidence to an agenda.
Considering they couldn't find actual evidence of problems and had to resort to mischaracterization this is actually a great reason to use Cloudflare.
I've reported blatant phishing attacks targeting seniors dozens of times to cloudflare (and so far it's always been cloudflare) and never once have they replied with anything except "we could not determine this was phishing". They absolutely facilitate phishing through inaction.
Not my experience at all. We've reported hundreds if not thousands of sites and with few exceptions they have taken them down swiftly. Definitely one of the best cloud operators when it comes to this.
As recently as August 8th, I reported a phishing site targeting seniors into installing a pre-configured Atera client (who _also_ failed to respond in a reasonable time) by pretending to be an event invite. It was blatant and obvious phishing. This was the response:
---
Hello,
Cloudflare received your Phishing report regarding: ----
We are unable to process your report for the following reason(s):
We were unable to confirm phishing at the URL(s) provided.
Please be aware Cloudflare offers network service solutions including pass-through security services, a content distribution network (CDN) and registrar services. Due to the pass-through nature of our services, our IP addresses appear in WHOIS and DNS records for websites using Cloudflare. Cloudflare cannot remove material from the Internet that is hosted by others.
Please reply to this message, keeping the report identification number in the subject line intact, with the required information.
To respond to this issue, please reply to abusereply@cloudflare.com.
Thanks,
The Cloudflare Team.
---
This is the typical response for me from Cloudflare - it took 2 more weeks before it was finally taken down. If I had to hazard a guess, your high volume of reports gets you into a very different support bucket than the occasional reporter.
My most recent experience was terrible for two reasons:
1. They didn't take down an obvious banking scam site that was hiding behind their service
2. They forwarded my "report phishing content" submission, including contact information, to the scammer, resulting in a roughly 100x increase in the amount of spam I receive and ensuring that I won't ever use their reporting function again
> Cloudflare has become a highly attractive target for state-sponsored attacks, suffering from recurring breaches. Their sheer scale, considering that they are serving a substantial portion of the internet, means that an outage or compromise could have widespread, costly consequences.
I'm unsure how many of these can actually be called "attacks" rather than "complying with local laws" that lets them operate in a lot of countries. Including hostile ones.
They really don't segment customer data sufficiently to mitigate this either. CloudFlare even officially says that they don't actually enforce even Regional Services and you have to do that yourself as a customer. The rest of the customers get even fewer guarantees than that.
> Regional Services operates on your hostname's IPs. We recommend using DNSSEC and/or DNS over HTTPS to ensure that DNS responses are secure and correct.
This of course is funny considering how CloudFlare has used the same DNSSEC key signing key for ⪆10 years. It also doesn't mention BGP hijacks or similar MITM attacks, because there's also not much anyone besides CloudFlare can do against that.
“complying with local laws” isn’t always a good thing. Here are some behaviours that you need to report in some countries in order to comply with local laws:
* someone is a homosexual
* someone had sex out of wedlock
* someone is a communist
* someone is right-wing
* someone is a Muslim
* someone is _not_ a Muslim
* someone spoke ill of the current ruler
* someone hosted a messaging service, and didn’t ask users for a copy of their id
Here in the real world companies have 3 choices: (1) comply with local laws, (2) don't operate at all in the country, or (3) operate in the country but ensure they have no staff there and never visit. Anything else is going to involve fines and/or prison for your executives and employees.
I once interviewed at a UK gambling company that was doing option #3, and during the interview it was made clear that I'd never be able to visit the US because they were operating there illegally. (I declined the offer.) Some time later, it was in the news that one of their executives had been arrested and imprisoned in the US when he visited on holiday. (https://www.pinsentmasons.com/out-law/news/another-uk-bettin...)
In which countries do you have to report someone for any of that? Genuinely curious. Can't think of a single country where any of these criteria would be a reportable offense.
I actually looked at all the alternatives listed by the author. Here is the problem: none of them are competitive with Cloudflare. With Cloudflare you don't even need to provide a credit card, just set up your website and it is "free" for a lifetime.
They might pressure you to switch to paid plans if you start getting PBs of traffic, but until that point they will deliver your content for free. It is a huge advantage. Especially when you consider the egress pricing of major cloud providers.
That's like saying your cloud providers are stealing and looking at all your code. Technically you might be right but it is still somewhat disingenuous.
Not to mention all the alternatives are doing MITM anyway. So why single out Cloudflare?
Depends on your perspective IMO... if I either think there is reason to believe they are spying on people for nefarious purposes, or if I do not want them to allow the government to spy on me without a warrant, I'd prefer they not have that ability to begin with, regardless of whether it's code sitting on the device or the web traffic that transits through them.
> So why single out Cloudflare?
Because I believe they have a much larger influence and percentage of traffic than all the alternatives combined, but you're right, they all have the same weakness and I would like a solution to it.
It's pretty disappointing that the author (writing in 2025) says "perhaps to maintain its status as the world’s largest botnet operator," and links to a Spamhaus report from Q1 of 2020.[0]
If you check the most recent version of the report from Spamhaus (Jan to June 2025)[1], Cloudflare is nowhere to be seen, and Digital Ocean, who they recommend as a Cloudflare alternative is listed as third largest botnet host in the world.
Looking back through the historical reports this isn't a new phenomenon, in Q4 of 2022 Digital Ocean was ranked #2 and Cloudflare was down at #17.
Yes, I agree. The anti-monopolistic spirit of the post is good but when you read sentences like that or recommending "major cloud services" as an alternative, well, it starts to smell like a hit piece.
It is sad. The post could be a paragraph basically ending with the negative attributes of oligopolies and monopolies. Which are what should be evaded.
Other than that, alternatives do not go as far as cloudflare does. If you experience a heavy DDOS, either you go bankrupt with a large invoice or you suffer a heavy outage.
I do not understand why this primary service is not listed. Nobody on the planet offers DDOS protection for free, especially to news agencies in their difficult times.
Very good post. Cloudflare is continuously adding services to their cloud offerings (the latest being Email delivery) in a familiar pattern of "let's make it impossible to switch".
- I want to deploy a tiny service for personal use
- That has occasional requests (think ~10 a day)
- Needs to respond to a few daily events: a CRON job here and there, read an email, webhooks... Think a simpler Zapier
In principle this would be perfect for any of the many cloud function providers.
But AFAIK all of them have this vendor lock-in built into their business model and I just refuse to cave in.
Is there anything that I can do to not lock myself into an edge-computing ecosystem (or whatever this is called in the provider of choice) and still get the benefits? Is there any provider that supports any standard that is not tied specifically to their offering?
BunnyCDN's edge functions are more-or-less standard Deno handlers [0], if that can count as "standard". But generally edge functions means the runtime is given by the provider and so we don't really have a standard for that.
You could try to implement your logic in a WASI-compatible web assembly script - then things like I/O etc are abstracted and "standardised" (and then you can write it in whatever language makes you happy, though Rust will be the happy path in terms of ecosystem).
If you're into self-hosting, you can try Coolify - they take care of the Docker stuff and support all kinds of services https://coolify.io/docs/services/overview (including plain Docker/compose deployments). So with this you could probably find a way to own it completely.
Some cloud functions like Lambda support OCI containers as a runtime target, for example.
I understand that feeling, but it can be hard to find a provider that fills all those requirements without an expensive cost.
Integrating with the edge computing is part of the price you pay for all the conveniences like automatic builds, cron and publicly reachable endpoints (and some of them almost free).
A minimal VPS with linux is always an alternative.
Non-sequitur. OP's comment is not criticizing that they offer another product, but that they offer another proprietary product that further locks you into their ecosystem.
If it wasn't on HN, being upvoted by some, I wouldn't have clicked on the link judging from the domain name. Turns out it is unicode issues. I wonder if HN will ever fix it.
This is punycode, and I'm fine - if not happy - that HN doesn't choose to render the underlying unicode symbols. It's very easy to spoof URLs this way, e.g. using a symbol from another language to craft a look-alike URL that can match a reputable site.
Browsers like Chrome now try and alert you if the URL visually looks spoofed (because they do support unicode symbols in the omnibox), but I'm yet to see how well this holds up in production.
And I hope in even 20 years we still can't use emojis here, our language isn't so pitiful that we must regress to brightly coloured symbols.
Basically what you’re saying is that other people (including all major browsers) have solved the problem rather than spitting out the underlying punycode which is human-unreadable and is at the expense of domains in languages that don’t use the Latin alphabet.
I imagine this issue is easily solved by everyone else but it’s just kind of accepted on one of the most popular tech industry message boards run by one of the most successful incubators/investment firms of all time who certainly has the money to make the experience less ancient.
I actually don’t want emojis on here. I prefer the current “early 2000s” look. I don’t see it being a good thing for discussions if they are littered with emojis.
So when we all die and everyone on HN in the future grew up in a different era where all the symbols available on your keyboard are expected to be supported, will they want that early 2000s look where shit doesn’t work or is that just an arbitrary decision based on nothing?
Is YC a nostalgia-fueled organization or are they supposed to be investing in new technology?
I once had to migrate a good number of web properties off of Cloudflare for a client. They were an agency that had used it as a go-to for many years and many clients, until the CEO of the company stated publicly that they would no longer use cloudflare as a political thing (there had been a news story that Cloudflare was providing ddos protection for some Nazi websites and refused to take them down, or something similar enough).
My takeaway was basically that people use Cloudflare a lot because it is a strong service with a ton to offer at a very low price point. It's a bit like gmail - just very convenient and offers a lot for free or very cheap. Switching at that scale made a significant increase in their monthly bill.
I do applaud people who go out of their way to create alternatives to major services like cloudflare, gmail, chrome, etc. As an individual it can be hard to do though, or at least not always the path of least resistance.
What we really need is more IPV6 deployment so normal people can have plenty of routable addresses and we can go back to hosting more things on the edges like we used to, on computers we physically control.
There are plenty of applications where the bandwidth of PON fiber commonly deployed to homes is more than sufficient, and the extra latency is irrelevant.
Sure, it may be susceptible to DDoS attack, but if tens of millions of people were running personal and business systems from home it's debatable this would be less resistant than having a few centralized companies own us all.
Yeah, I agree with your characterization of what I'm suggesting.
Right now, we are like a school of fish who are already living inside the nets of a handful of hyperscalers who don't have much reason to treat us well.
We might as well take our chances in the open ocean.
With the exception of DDoS attacks we can protect ourselves through continuous improvement of our software and protocols. The sooner we take responsibility for doing that the better off we will be.
And even the DDoS attacks we can mitigate with replication and secret backend links via second ISP/mobile.
Running a server from "home" (or an office) I think is too expensive for most businesses. Paying for battery backups, duplicate internet providers, diy NOC, is just too much, especially for small side projects where the goal is publish blogs or write code, not side-hustle SRE
What if I told you, that you don't need battery backups, that one ISP is enough, that you don't need 24/7 network team to plug a cable from your tower server to a router, in order to host a mid-size SAAS from the office tower server?
I'm imagining a future where the software is local first and does a lot of operations peer to peer rather than trying to host large scale centralized web apps that dominate today.
We really don't need huge data centers hosting our notes and discussion forums and spreadsheets in order to make these things collaborative.
It would be A LOT easier to make that work if the internet was end to end by default again.
I dislike how Cloudflare wants to do everything the Cloudflare way. A lot of their services are legit good and insanely cheap though, and containers have the potential to be a game changer that takes them from occasionally useful to the backbone of your cloud.
Help me understand your point better. How do you want the services to work? Is there some standard you are advocating for, or for them to mimic existing services, or what?
By not harshly penalizing those who legitimately use VPNs, proxies?
I'm using FreeBSD - This is on the hit list
I'm using Waterfox - This is on the hit list
I'm using my colocated server for a VPN from a reputable provider - This is on the hit list
I eliminate the last two and suffer with my ADSL. My ADSL isn't a standard domestic provider so I'm hit with that too for using an alternative provider. I am still being penalized for using FreeBSD.
Every page I encounter that uses Cloudflare ends up with a captcha. Why isn't there a way to verify myself that I am an actual legit person? I've clicked the captcha enough times, why does it have to be every single time?
Why can't I whitelist my IP?
If this is truly the only way to restrict bad actors, then it's pathetic. Am I going to be hit for using Xorg and not Wayland in the future? Their "bot" protection technology is years out of date.
I don't like that Cloudflare has total control on how I can see the internet. I don't need any of their services, I don't want any of their services and others may praise them but to me not required.
This may have worked five years ago, but like cookie banners, it doesn't work now. Yet they wish to spin up new modern services and neglect the old that actually made Cloudflare and not some power-hungry MiTM service. That's what it feels like but not that they will listen. I hate the fact that at any point they can just go full anal and force you to X.
The internet is supposed to have some sort of freedom, it's less than freedom. Using the internet now is like an animal in a cage. Heck, I would even register an account with Cloudflare if it allowed me to verify legitimacy.
This is exactly my experience as well... I guess we are still technically such a tiny minority that it doesn't make business sense to try to support us.
Any infrastructure can be abused, but that doesn't negate its legitimate uses. In fact, it is precisely because of the popularity of free services such as CloudFlare that the threshold for network security has been significantly lowered.
Tangential nitpick: I wish HN would display the punycode IDN in the submission URL as the intended マリウス.com
I mean, I understand the opportunity for abuse, but if it displays fine as UTF8 in comments in the previous sentence it might make sense to display it correctly over there in the submission.
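The IDN spoofing concern raised in the punycode comments above (HN showing the raw `xn--` form, browsers flagging look-alike hostnames, and マリウス.com as the legitimate case) as an added example, not code from the thread, from HN or from any browser: it decodes `xn--` labels with Python's punycode codec and applies two simplified checks of the kind a browser display policy uses, mixed scripts inside one label and an all-Cyrillic label whose letters all have Latin look-alikes. The script buckets, the allowed Latin/CJK mix and the ten-entry confusables table are constructed simplifications, not Unicode's full confusables data.

```python
"""Decode punycode (IDN) hostnames and flag look-alike labels.

Constructed example. The script grouping and the confusables table below are
deliberately small heuristics, not the real browser or Unicode data.
"""
import unicodedata

# Constructed, partial table of Cyrillic letters whose glyphs match Latin ones
# (the "whole-script confusable" case: every letter is Cyrillic, yet the label
# reads as a Latin brand name). A real checker would use Unicode's
# confusables.txt; these ten entries are enough to demonstrate the check.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
}

# Script combinations accepted inside one label (Japanese text legitimately
# mixes kana, Han and Latin). Any other label with more than one script is flagged.
ALLOWED_MIXES = [{"LATIN", "CJK"}]


def script_of(ch: str) -> str:
    """Coarse script bucket derived from the Unicode character name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    first = unicodedata.name(ch, "UNKNOWN").split()[0]
    if first in ("CJK", "HIRAGANA") or first.startswith("KATAKANA"):
        return "CJK"
    return first  # e.g. LATIN, CYRILLIC, GREEK


def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) into its U-label; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def encode_label(label: str) -> str:
    """Turn a U-label into its A-label; pure ASCII labels are left alone."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def analyze_label(label: str) -> dict:
    """Classify one decoded label: scripts present, and why it is suspicious."""
    scripts = {script_of(ch) for ch in label} - {"COMMON"}
    reasons = []
    if len(scripts) > 1 and not any(scripts <= allowed for allowed in ALLOWED_MIXES):
        reasons.append("mixed scripts: " + ", ".join(sorted(scripts)))
    letters = [ch for ch in label if ch.isalpha()]
    if scripts == {"CYRILLIC"} and all(ch in CYRILLIC_LOOKALIKES for ch in letters):
        skeleton = "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)
        reasons.append(f"whole-script confusable with Latin '{skeleton}'")
    return {"label": label, "scripts": sorted(scripts), "reasons": reasons}


def analyze_host(host: str) -> dict:
    """Decode every label of a hostname and collect the suspicious ones."""
    labels = []
    for raw in host.split("."):
        try:
            labels.append(analyze_label(decode_label(raw)))
        except UnicodeError:
            labels.append({"label": raw, "scripts": [], "reasons": ["invalid punycode"]})
    return {
        "host": host,
        "unicode": ".".join(item["label"] for item in labels),
        "suspicious": any(item["reasons"] for item in labels),
        "labels": labels,
    }


if __name__ == "__main__":
    # Constructed samples: the thread's Katakana domain (legitimate), a
    # Latin/Cyrillic mix, and an all-Cyrillic look-alike of a Latin word.
    for host in (
        encode_label("マリウス") + ".com",
        encode_label("p\u0430ypal") + ".com",                      # Latin p + Cyrillic а
        encode_label("\u0430\u0440\u0440\u04cf\u0435") + ".com",   # аррӏе
        "example.com",
    ):
        result = analyze_host(host)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(host, "->", result["unicode"], verdict, [item["reasons"] for item in result["labels"]])
```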
It’s the only bit of the Cloudflare stack (afaik) that did not have an open-source alternative for the JS ecosystem. I built heavily with DO on another OSS project, but realized it was incredibly problematic that our customers couldn’t truly self-host.
Cloudflare isn’t perfect but people do have other options, and yet they come back to Cloudflare. Without Cloudflare it is more likely the internet would be a shittier less secure place. I think there are worse companies to worry about out there.
They already do this for Chinese traffic. They send traffic from China to Alibaba controlled infrastructure.
Think about the consequences of that. Anyone who connects to your site from China is MITM by Alibaba.
And I would not be surprised if they were abusing their middlebox position to do all kinds of surveillance based on secret "warrants" in other places.
Yeah, I'm sure it wasn't a corporate MITM. I turned off my VPN and saw the same on my own machine.
I guess Cloudflare isn't doing this any more by default.
They probably didn't share the other cert because they'd have to give the private keys to these Chinese partner.
Isn't anyone who connects from China getting MITM'd by the great firewall anyway?
No, it just blocks you.
I think it's not just about proving a claim. The same argument that in a democracy, you should build checks and balances to avoid sleepwalking into a dictatorship, is valid for companies, especially internet companies. Look at Google, Apple, Microsoft, Facebook and friends. Cloudflare plays nice because it wants to frictionlessly slide into a position where it can extract rent. Today, they are powerful but are not there yet. They're easy to migrate out of because their offerings, amazing as they are, are not irreplaceable so people cannot yet be made hostages. Mostly what happens is your customers feel like CF is holding you for ransom without you knowing it.
When they start charging per packet and making you money, you will become as dependent on them as Apple developers are on Apple, and you'll find out how nice they are.
I have the same fear of tailscale. They are so amazing I just want to move every piece of my infra to them, business and personal, my family's devices, everything. But over time I've gained this instinctive distrust for low friction from startups, especially when the effect (intended or not) is you forgetting how to manage your own tech.
I am using Cloudflare as a back-end and only using workers (can disable all their security, performance, caching, and whatever stuff they offer; which is really just a worker). The product (workers) is differentiated and I don't think there is any company/service out there that is offering an equivalent.
I do not think that's the author's complaint, though. I frequently get these Cloudflare captchas, and it is why I disabled their firewall (it's pure garbage) for my own sites. Cloudflare does not have any monopoly over the services you mentioned (workers, tunnels, images, etc.), but they do have a kind-of-monopoly over DNS/CDN.
Load of bull. Every article linked in this is either wrong or mischaracterized.
Cloudflare does not facilitate phishing - it just made proxying and tunneling easier.
The breaches and bypasses mentioned are anything but - they are linking to a successful mitigation of an attack as if the attacker got away with something of value.
This entire article reeks of trying to fit the evidence to an agenda.
Considering they couldn't find actual evidence of problems and had to resort to mischaracterization this is actually a great reason to use Cloudflare.
I've reported blatant phishing attacks targeting seniors dozens of times to Cloudflare (and so far it's always been Cloudflare) and never once have they replied with anything except "we could not determine this was phishing". They absolutely facilitate phishing through inaction.
Not my experience at all. We've reported hundreds if not thousands of sites and with few exceptions they have taken them down swiftly. Definitely one of the best cloud operators when it comes to this.
As recently as August 8th, I reported a phishing site targeting seniors into installing a pre-configured Atera client (who _also_ failed to respond in a reasonable time) by pretending to be an event invite. It was blatant and obvious phishing. This was the response:
---
Hello,
Cloudflare received your Phishing report regarding: ----
We are unable to process your report for the following reason(s):
We were unable to confirm phishing at the URL(s) provided.
Please be aware Cloudflare offers network service solutions including pass-through security services, a content distribution network (CDN) and registrar services. Due to the pass-through nature of our services, our IP addresses appear in WHOIS and DNS records for websites using Cloudflare. Cloudflare cannot remove material from the Internet that is hosted by others.
Please reply to this message, keeping the report identification number in the subject line intact, with the required information.
To respond to this issue, please reply to abusereply@cloudflare.com.
Thanks, The Cloudflare Team.
---
This is the typical response for me from Cloudflare - it took 2 more weeks before it was finally taken down. If I had to hazard a guess, your high volume of reports gets you into a very different support bucket than the occasional reporter.
My most recent experience was terrible for two reasons:
1. They didn't take down an obvious banking scam site that was hiding behind their service
2. They forwarded my "report phishing content" submission, including contact information, to the scammer, resulting in a roughly 100x increase in the amount of spam I receive and ensuring that I won't ever use their reporting function again
I reported a phishing site to them in 2013. They responded "Access to the submitted phishing URL(s) has been restricted."
> Cloudflare has become a highly attractive target for state-sponsored attacks, suffering from recurring breaches. Their sheer scale, considering that they are serving a substantial portion of the internet, means that an outage or compromise could have widespread, costly consequences.
I'm unsure how much of these can actually be called "attacks" rather than "complying with local laws" that lets them operate in a lot of countries. Including hostile ones.
They really don't segment customer data sufficiently to mitigate this either. Cloudflare even officially says that they don't actually enforce even Regional Services and you have to do that yourself as a customer. The rest of the customers get even fewer guarantees than that.
Have fun, three-letter agencies.
https://developers.cloudflare.com/data-localization/limitati...
> Regional Services operates on your hostname's IPs. We recommend using DNSSEC and/or DNS over HTTPS to ensure that DNS responses are secure and correct.
This of course is funny considering how CloudFlare has used the same DNSSEC key signing key for ⪆10 years. It also doesn't mention BGP hijacks or similar MITM attacks, because there's also not much anyone besides CloudFlare can do against that.
“complying with local laws” isn’t always a good thing. Here’s some behaviours that you need to report in some countries in order to comply with local laws:
* someone is a homosexual
* someone had sex out of wedlock
* someone is a communist
* someone is right-wing
* someone is a Muslim
* someone is _not_ a Muslim
* someone spoke ill of the current ruler
* someone hosted a messaging service, and didn't ask users for a copy of their id
Here in the real world companies have 3 choices: (1) comply with local laws, (2) don't operate at all in the country, or (3) operate in the country but ensure they have no staff there and never visit. Anything else is going to involve fines and/or prison for your executives and employees.
I once interviewed at a UK gambling company that was doing option #3, and during the interview it was made clear that I'd never be able to visit the US because they were operating there illegally. (I declined the offer.) Some time later, it was in the news that one of their executives had been arrested and imprisoned in the US when he visited on holiday. (https://www.pinsentmasons.com/out-law/news/another-uk-bettin...)
In which countries do you have to report someone for any of that? Genuinely curious. Can't think of a single country where any of these criteria would be a reportable offense.
I can certainly think of a few where some of these things are illegal or forbidden enough to result in death if someone found out.
So, what are some of them?
https://en.wikipedia.org/wiki/Criminalization_of_homosexuali...
I actually looked at all the alternatives listed by the author. Here is the problem: none of them are competitive with Cloudflare. With Cloudflare you don't even need to provide a credit card, just set up your website and it is "free" for a lifetime.
They might pressure you to switch to paid plans if you start getting PBs of traffic, but until that point they will deliver your content for free. It is a huge advantage, especially when you consider the egress pricing of major cloud providers.
It's a win for both sides... you get free protection/proxy service, and they get to MITM all your traffic.
That's like saying your cloud providers are stealing and looking at all your code. Technically you might be right but it is still somewhat disingenuous.
Not to mention all the alternatives are doing MITM anyway. So why single out Cloudflare?
> it is still somewhat disingenuous.
Depends on your perspective IMO... if I either think there is reason to believe they are spying on people for nefarious purposes, or if I do not want them to allow the government to spy on me without a warrant, I'd prefer they not have that ability to begin with, regardless of whether it's code sitting on the device or the web traffic that transits through them.
> So why single out Cloudflare?
Because I believe they have a much larger influence and percentage of traffic than all the alternatives combined, but you're right, they all have the same weakness and I would like a solution to it.
It's pretty disappointing that the author (writing in 2025) says "perhaps to maintain its status as the world’s largest botnet operator," and links to a Spamhaus report from Q1 of 2020.[0]
If you check the most recent version of the report from Spamhaus (Jan to June 2025)[1], Cloudflare is nowhere to be seen, and Digital Ocean, who they recommend as a Cloudflare alternative is listed as third largest botnet host in the world.
Looking back through the historical reports this isn't a new phenomenon, in Q4 of 2022 Digital Ocean was ranked #2 and Cloudflare was down at #17.
[0]https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-thre...
[1]https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-thre...
Yes, I agree. The anti-monopolistic spirit of the post is good but when you read sentences like that or recommending "major cloud services" as an alternative, well, it starts to smell like a hit piece.
It is sad. The post could basically be a paragraph ending with the negative attributes of oligopolies and monopolies, which are what should be evaded.
Other than that, the alternatives do not go as far as Cloudflare does. If you experience a heavy DDoS, either you go bankrupt from a large invoice or you suffer a heavy outage.
I do not understand why this primary service is not listed. Nobody on the planet offers DDoS protection for free, especially to news agencies in their difficult times.
I use Cloudflare on my sites because my servers do not have IPv4.
If all the ISPs can get their networking knowledge up-to-date I can remove it.
I have set the protection level to the lowest setting to not trigger unnecessary captchas.
We're slowly making progress. We're almost at 50% IPv6 worldwide traffic to Google: https://www.google.com/intl/en/ipv6/statistics.html
Depending on what country you're in and what your traffic patterns look like, it might be higher. Some countries are >70% IPv6 traffic to Google.
Do you ever check your access logs to see when you're ready to go IPv6 only?
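The access-log check suggested in the comment above, as an added example that is not from any commenter in this thread: it assumes Apache/nginx "combined" format logs with the client address as the first field, and runs over a handful of constructed sample lines. It counts requests and distinct clients per address family, treats IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d`, which dual-stack listeners log for IPv4 clients) as IPv4, and keeps malformed lines out of the ratio.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
# The last line is deliberately malformed to show that junk is counted separately.
SAMPLE_LOG = """\
2001:db8::1 - - [01/Sep/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2025:10:00:02 +0000] "GET /feed.xml HTTP/1.1" 200 2048 "-" "curl/8.0"
2001:db8:abcd::42 - - [01/Sep/2025:10:00:03 +0000] "GET /post/1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Sep/2025:10:00:04 +0000] "POST /comment HTTP/1.1" 302 0 "-" "Mozilla/5.0"
2001:db8::2 - - [01/Sep/2025:10:00:05 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
::ffff:192.0.2.10 - - [01/Sep/2025:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
not-an-ip - - [01/Sep/2025:10:00:07 +0000] "GET / HTTP/1.1" 400 0 "-" "-"
"""


def client_family(line: str) -> str:
    """Return 'v4', 'v6' or 'invalid' for the client address at the start of a log line."""
    token = line.split(" ", 1)[0]
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return "invalid"
    # A dual-stack listener logs IPv4 clients as ::ffff:a.b.c.d; that is still an IPv4 client.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return "v4"
    return "v6" if addr.version == 6 else "v4"


def ipv6_readiness(log_text: str) -> dict:
    """Summarise request counts and distinct-client counts per address family."""
    requests = Counter()
    clients = {"v4": set(), "v6": set()}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        family = client_family(line)
        requests[family] += 1
        if family != "invalid":
            clients[family].add(line.split(" ", 1)[0])
    total = requests["v4"] + requests["v6"]
    return {
        "requests_v4": requests["v4"],
        "requests_v6": requests["v6"],
        "invalid_lines": requests["invalid"],
        "clients_v4": len(clients["v4"]),
        "clients_v6": len(clients["v6"]),
        "v6_request_share": requests["v6"] / total if total else 0.0,
    }


if __name__ == "__main__":
    for key, value in ipv6_readiness(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it a real log with `ipv6_readiness(open("access.log").read())`. One caveat: if the site sits behind a reverse proxy such as Cloudflare, the first field is the proxy's address, so the web server has to be configured to log the client address the proxy passes in a header (Cloudflare sets CF-Connecting-IP) before this ratio means anything.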
Very good post. Cloudflare is continuously adding services to their cloud offerings (the latest being Email delivery) in a familiar pattern of "let's make it impossible to switch".
I'm currently on my Nth run of:
- I want to deploy a tiny service for personal use
- That has occasional requests (think ~10 a day)
- Needs to respond to a few daily events: a CRON job here and there, read an email, webhooks... Think a simpler Zapier
In principle this would be perfect for any of the many cloud function providers.
But AFAIK all of them have this vendor lock-in built into their business model and I just refuse to cave in.
Is there anything that I can do to not lock myself into an edge-computing ecosystem (or whatever this is called in the provider of choice) and still get the benefits? Is there any provider that supports any standard that is not tied specifically to their offering?
BunnyCDN's edge functions are more-or-less standard Deno handlers [0], if that can count as "standard". But generally edge functions means the runtime is given by the provider and so we don't really have a standard for that.
You could try to implement your logic in a WASI-compatible web assembly script - then things like I/O etc are abstracted and "standardised" (and then you can write it in whatever language makes you happy, though Rust will be the happy path in terms of ecosystem).
If you're into self-hosting, you can try Coolify - they take care of the Docker stuff and support all kinds services https://coolify.io/docs/services/overview (including plain Docker/compose deployments). So with this you could probably find a way to own it completely.
[0] https://bunny.net/edge-scripting/
Some Cloud functions like lambda support OCI container as a runtime target for example.
I understand that feeling, but it can be hard to find a provider that fills all those requirements without an expensive cost.
Integrating with the edge computing is part of the price you pay for all the conveniences like automatic builds, cron and publicly reachable endpoints (and some of them almost free).
A minimal VPS with linux is always an alternative.
Write a dockerfile and pay for a PaaS service.
I don’t see a problem with a company continuing to make useful products. Email delivery was a pretty logical next step for Cloudflare.
The problem is that globally the concepts of monopolies being bad and antitrust regulations being good have in practice left the current zeitgeist
Non-sequitur. OP's comment is not criticizing that they offer another product, but that they offer another proprietary product that further locks you into their ecosystem.
relevant username
If it wasn't on HN, being upvoted by some, I wouldn't have clicked on the link judging from the domain name. Turns out it is unicode issues. I wonder if HN will ever fix it.
The author has a post about this; https://xn--gckvb8fzb.com/never-click-on-a-link-that-looks-l...
not (exactly) a unicode encoding issue, it's IDNA encoding. it's unicode encoded as ascii.
So it’s an issue with HN being a trash website.
A trash website that I like a lot, but still a trash website.
Maybe in 20 years we’ll be able to use emojis on here.
This is punycode, and I'm fine - if not happy - that HN doesn't choose to render the underlying unicode symbols. It's very easy to spoof URLs this way, e.g. using a symbol from another language to craft a look-alike URL that can match a reputable site.
Browsers like Chrome now try to alert you if the URL visually looks spoofed (because they do support unicode symbols in the omnibox), but I'm yet to see how well this holds up in production.
And I hope in even 20 years we still can't use emojis here, our language isn't so pitiful that we must regress to brightly coloured symbols.
Basically what you’re saying is that other people (including all major browsers) have solved the problem rather than spitting out the underlying punycode which is human-unreadable and is at the expense of domains in languages that don’t use the Latin alphabet.
I imagine this issue is easily solved by everyone else but it’s just kind of accepted on one of the most popular tech industry message boards run by one of the most successful incubators/investment firms of all time who certainly has the money to make the experience less ancient.
I actually don’t want emojis on here. I prefer the current “early 2000s” look. I don’t see it being a good thing for discussions if they are littered with emojis.
And we still have good old ASCII :-)
So when we all die and everyone on HN in the future grew up in a different era where all the symbols available on your keyboard are expected to be supported, will they want that early 2000s look where shit doesn’t work or is that just an arbitrary decision based on nothing?
Is YC a nostalgia-fueled organization or are they supposed to be investing in new technology?
We can use emojis, just higher class ones.
𓂺
Test ﷽
Not really, it's just yet another inconclusive indication that absolutely nobody wants unicode for machine evaluated strings.
One shouldn't judge a domain by its codepage ;-)
I once had to migrate a good number of web properties off of Cloudflare for a client. They were an agency that had used it as a go-to for many years and many clients, until the CEO of the company stated publicly that they would no longer use cloudflare as a political thing (there had been a news story that Cloudflare was providing ddos protection for some Nazi websites and refused to take them down, or something similar enough).
My takeaway was basically that people use Cloudflare a lot because it is a strong service with a ton to offer at a very low price point. It's a bit like gmail - just very convenient and offers a lot for free or very cheap. Switching at that scale made a significant increase in their monthly bill.
I do applaud people who go out of their way to create alternatives to major services like cloudflare, gmail, chrome, etc. As an individual it can be hard to do though, or at least not always the path of least resistance.
What we really need is more IPV6 deployment so normal people can have plenty of routable addresses and we can go back to hosting more things on the edges like we used to, on computers we physically control.
There are plenty of applications where the bandwidth of PON fiber commonly deployed to homes is more than sufficient, and the extra latency is irrelevant.
Sure, it may be susceptible to DDoS attack, but if tens of millions of people were running personal and business systems from home it's debatable this would be less resistant than having a few centralized companies own us all.
You’re basically asking people to go defenseless under the theory that “they can’t catch all of us,” like a school of fish.
I don’t think that works. Internet attacks can be automated. Businesses need real defenses.
Yeah, I agree with your characterization of what I'm suggesting.
Right now, we are like a school of fish who are already living inside the nets of a handful of hyperscalers who don't have much reason to treat us well.
We might as well take our chances in the open ocean.
With the exception of DDoS attacks we can protect ourselves through continuous improvement of our software and protocols. The sooner we take responsibility for doing that the better off we will be.
And even the DDoS attacks we can mitigate with replication and secret backend links via second ISP/mobile.
> We might as well take our chances in the open ocean.
Seems like it depends on what vendor you use and what services you're buying from them? It's an assumption that's hard to prove.
Running a server from "home" (or an office) I think is too expensive for most businesses. Paying for battery backups, duplicate internet providers, diy NOC, is just too much, especially for small side projects where the goal is publish blogs or write code, not side-hustle SRE
What if I told you, that you don't need battery backups, that one ISP is enough, that you don't need 24/7 network team to plug a cable from your tower server to a router, in order to host a mid-size SAAS from the office tower server?
Get real guys.
I had a PHB who didn't like that our web site went offline for 30 seconds each week.
I explained to her that the alternative would require $200,000 and six new employees.
She hasn't brought it up since.
Very few web sites are "mission critical." Even Facebook could go offline for a few seconds a week and nobody would care or notice.
It’s not for me, but my paying customers. I guess I could ask them if they are ok if the service goes down when Florida has a hurricane
I'm imagining a future where the software is local first and does a lot of operations peer to peer rather than trying to host large scale centralized web apps that dominate today.
We really don't need huge data centers hosting our notes and discussion forums and spreadsheets in order to make these things collaborative.
It would be A LOT easier to make that work if the internet was end to end by default again.
I dislike how Cloudflare wants to do everything the Cloudflare way. A lot of their services are legit good and insanely cheap though, and containers have the potential to be a game changer that takes them from occasionally useful to the backbone of your cloud.
Help me understand your point better. How do you want the services to work? Is there some standard you are advocating for, or for them to mimic existing services, or what?
By not harshly penalizing those who legitimately use VPN's, proxies?
I'm using FreeBSD - This is on the hit list
I'm using Waterfox - This is on the hit list
I'm using my colocated server for a VPN from a reputable provider - This is on the hit list
I eliminate the last two and suffer with my ADSL. My ADSL isn't a standard domestic provider so I'm hit with that too for using an alternative provider. I am still being penalized for using FreeBSD.
Every page I encounter that uses Cloudflare ends up with a captcha. Why isn't there a way to verify myself that I am an actual legit person? I've clicked the captcha enough times, why does it have to be every single time?
Why can't I whitelist my IP?
If this is truly the only way to restrict bad actors, then it's pathetic. Am I going to be hit for using Xorg and not Wayland in the future? Their "bot" protection technology is years out of date.
I don't like that Cloudflare has total control on how I can see the internet. I don't need any of their services, I don't want any of their services and others may praise them but to me not required.
This may have worked five years ago, but like cookie banners, it doesn't work now. Yet they wish to spin up new modern services and neglect the old that actually made Cloudflare and not some power-hungry MiTM service. That's what it feels like, but not that they will listen. I hate the fact that at any point they can just go full anal and force you to X.
The internet is supposed to have some sort of freedom; it's less than freedom. Using the internet now is like being an animal in a cage. Heck, I would even register an account with Cloudflare if it allowed me to verify legitimacy.
This is exactly my experience as well... I guess we are still technically such a tiny minority that it doesn't make business sense to try to support us.
Any infrastructure can be abused, but that doesn't negate its legitimate uses. In fact, it is precisely because of the popularity of free services such as Cloudflare that the threshold for network security has been significantly lowered.
Tangential nitpick: I wish HN would display the punycode IDN in the submission URL as the intended マリウス.com
I mean, I understand the opportunity for abuse, but if it displays fine as UTF8 in comments in the previous sentence it might make sense to display it correctly over there in the submission.
I really like using Cloudflare. I think durable objects are a great innovation for example.
I’ve been building an open-source alternative at https://github.com/rivet-dev-engine
It’s the only bit of the Cloudflare stack (afaik) that did not have an open-source alternative for the JS ecosystem. I built heavily with DO on another OSS project, but realized it was incredibly problematic that our customers couldn’t truly self-host.
GitHub link says 404
Cloudflare isn’t perfect but people do have other options, and yet they come back to Cloudflare. Without Cloudflare it is more likely the internet would be a shittier less secure place. I think there are worse companies to worry about out there.
Will their power only grow? Yup.
xn--gckvb8fzb.com, what's this?
It's the ASCII encoding of a Unicode domain name: https://en.m.wikipedia.org/wiki/Internationalized_domain_nam...
マリウス.com
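An added example, not written by anyone in this thread, of the punycode decoding discussed here and of the look-alike check the earlier comment about spoofed URLs calls for: it converts the submission's `xn--gckvb8fzb.com` back to `マリウス.com` (the mapping the thread gives), does the reverse transform, and flags labels that mix scripts, which is the usual first heuristic for homograph lookalikes. The script detection uses the first word of each character's Unicode name, an approximation I chose for a dependency-free example; the mixed-script test input is a constructed label, not a real domain.

```python
import unicodedata


def decode_idn(host: str) -> str:
    """Turn an ACE hostname (labels starting with xn--) back into its Unicode form."""
    out = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            # Bare RFC 3492 punycode; Python's codec does not apply the IDNA mapping step.
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def encode_idn(host: str) -> str:
    """Inverse of decode_idn: every non-ASCII label becomes an xn-- label."""
    out = []
    for label in host.split("."):
        if label.isascii():
            out.append(label.lower())
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def scripts_in(label: str) -> set:
    """Scripts used in a label, approximated by the first word of each character's Unicode name.

    Digits and hyphens are script-neutral and skipped.  This is a rough heuristic:
    real implementations use the Unicode Script property, which also knows that
    e.g. the katakana prolonged-sound mark belongs with katakana text.
    """
    scripts = set()
    for ch in label:
        if ch in "-0123456789":
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        scripts.add(name.split(" ")[0])
    return scripts


def check_host(host: str) -> dict:
    """Decode an ACE hostname and report whether any label mixes scripts."""
    unicode_host = decode_idn(host)
    per_label = [scripts_in(label) for label in unicode_host.split(".")]
    return {
        "ace": host.lower(),
        "unicode": unicode_host,
        "scripts": per_label,
        "mixed_script": any(len(s) > 1 for s in per_label),
    }


if __name__ == "__main__":
    # The submission's domain from this thread: all katakana, so not flagged.
    print(check_host("xn--gckvb8fzb.com"))
    # Constructed lookalike label mixing Latin letters with Cyrillic "а" (U+0430): flagged.
    print(check_host(encode_idn("ex\u0430mple.com")))
```

A label written entirely in one non-Latin script, like the thread's domain, passes this check, which is the same reason the browser heuristics mentioned above also look at whole-script confusables and the registered TLD's permitted scripts rather than script mixing alone.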
I truly think all the posts they do on stopping an even larger DDoS are them just paying a DDoS service or making the DDoS themselves.
Maybe it is me, but I wouldn't take whatever advice provided by someone who is only known by pseudonym.
What's your name?
What a silly thing to say in an era where anonymity is under constant attack by forces that want to harm us all.