this post was submitted on 04 Jul 2026
38 points (93.2% liked)

Out of the loop

15244 readers
60 users here now

A community that helps people stay up to date with things going on.

founded 3 years ago
MODERATORS
all 49 comments
sorted by: hot top controversial new old
[–] boaratio@lemmy.world 3 points 11 hours ago

Because Matthew Prince is a psychopath.

[–] Dave8008@feddit.uk 5 points 23 hours ago (1 children)

Feels very much like a protection racket

[–] iocase@lemmy.zip 2 points 11 hours ago

"that's a real nice web service you have there... It would be a real shame if someone DDOSed it..."

[–] forestbeasts@pawb.social 47 points 1 day ago (3 children)

Because they're literally MITM-as-a-service. I wish I was exaggerating.

Seriously. If a website uses Cloudflare, Cloudflare can see everything you do on that website. Stuff you say. What pages you go to and what you're looking at. Any passwords you type in. Everything.

(And your browser doesn't warn you about that because Cloudflare has a legit cert for the site; as far as your browser is concerned they ARE the site.)

-- Frost

[–] IphtashuFitz@lemmy.world -2 points 18 hours ago* (last edited 8 hours ago) (1 children)

Every single CDN provider works this way, and the internet as we know it wouldn’t work without them. If you don’t like that Cloudflare works this way then you should be upset at Amazon, Akamai, Google, Fastly, and many others as well.

Edit: For all of you downvoting me, if I am wrong then please enlighten me as to how CDNs operate without being able to decrypt your browsers traffic.

[–] forestbeasts@pawb.social 1 points 14 hours ago (1 children)

Um, no they don't. They typically provide a third party domain the website includes stuff from.

Cloudflare also does that, but it's not the issue here.

-- Frost

[–] IphtashuFitz@lemmy.world 2 points 13 hours ago* (last edited 13 hours ago) (1 children)

Bullshit. I work on a daily basis with Akamai, providing CDN, WAF, image optimization, and other services across roughly a dozen domains. Those services are all fully in-line with the domains in question. No need for a third party domain. We’ve also evaluated Cloudflare to see if the cost savings would justify migrating from Akamai.

[–] forestbeasts@pawb.social 0 points 9 hours ago

I guess Akamai is a creep too then.

-- Frost

[–] c10l@lemmy.world 8 points 1 day ago

This very much. They are probably the largest private worldwide vigilance operation ever to exist.

Unfortunately they provide services that are very valuable to some organisations, so they get away with it.

[–] MeowerMisfit817@lemmy.world 5 points 1 day ago (2 children)

Wow, thanks. I didn't know. Get my upvote! Honestly, this is the best reply on this post.

[–] IphtashuFitz@lemmy.world 1 points 18 hours ago* (last edited 18 hours ago) (1 children)

The thing is, every CDN provider does the exact same thing, and the modern internet wouldn’t work without them. Cloudflare gets a bad rap largely because they offer free and low cost services that are very attractive to individuals, hobbiests, etc.

Companies like Akamai, Fastly, AWS, etc. offer virtually identical services but you may never have heard of them because they mostly only offer services to corporate customers. But their CDNs operate the same way - by decoding the traffic so they can analyze it for purposes of caching it to speed up delivery.

Edit: Love how my comments are being downvoted. What I’ve said here is 100% accurate and true. I used to work at Akamai, and still work with it on a daily basis at my current employer so I have a lot of knowledge of the platform. If you think what I’m saying isn’t accurate then just say so.

[–] forestbeasts@pawb.social 1 points 14 hours ago

Um, no they don’t, at least not the way "CDN" is typically meant. They typically provide a third party domain the website includes stuff from.

Cloudflare also does that, but it’s not the issue here. The issue here is all the MITMing.

Unless Akamai and suchlike silently MITMs your visitors by pretending to be the original site too? in which case yes, fuck Akamai as well.

The modern internet WOULD, in fact, work without them, it just might be a little slower, and you know what? That'd be okay. We'd live.

-- Frost

[–] forestbeasts@pawb.social 2 points 1 day ago

Yeah it's... DEFINITELY a thing you should know, and definitely a thing they don't want you to know, because they want you to not even know they're there!

At least with normal trackers that embed JS on the page, like Google, which can also snoop on basically everything you do by the way, if you block the tracker you're relatively safe (until they change the tracker, until you get an updated filter list... it's a constant back and forth).

You can't block Cloudflare MITMing you. ("man-in-the-middle", they pretend to be the server and pass on everything you say to the server and the server's response to you, while probably writing down everything for their own purposes. this is a large part of what HTTPS was explicitly intended to protect against...)

[–] edgemaster72@lemmy.world 21 points 1 day ago* (last edited 1 day ago) (1 children)

Another thing is centralization. Cloudflare has a fuck-up? A huge swath of the internet might go offline for hours.

[–] IphtashuFitz@lemmy.world 1 points 18 hours ago

That goes for any CDN provider, cloud hosting provider, etc. Amazon, Akamai, and others have all suffered significant outages that knocked large swaths of the internet offline. It’s certainly nothing unique to Cloudflare.

[–] Yliaster@lemmy.world 58 points 1 day ago (4 children)

It's fucking irritating to have to visit the same websites you used to just fine a year or so ago now becomes slow and require you to spend a good 5-10 seconds on a fucking "confirm you are human" check (as if google and co doesn't give us enough of that shit already). Worse, it doesn't even work sometimes, often loops, and if you're on a different/niche browser? Good luck.

[–] forestbeasts@pawb.social 6 points 1 day ago (1 children)

Oh, yeah, and if you block cloudflare.com third party JS and whatnot, guess what? that doesn't work! it just displays a vaguely patronizing error message.

(It used to just say "unblock challenges.cloudflare.com to proceed" which was significantly less offensive, IMO. Treated you like a person who knows what you're doing, which you are if you've decided to manually block cloudflare.com, and tells you what the exact domain at issue is if you feel like giving in.)

-- Frost

[–] Alfredolin@sopuli.xyz 2 points 44 minutes ago (1 children)
[–] forestbeasts@pawb.social 1 points 26 minutes ago* (last edited 24 minutes ago) (1 children)

Could be, could be not. I honestly don't remember what that style comes from. Got a screenshot of the entire error page? Maybe there's additional info on it somewhere.

(If this is the entire page... try zooming out? Looks like they might have borked their page design slightly.)

-- Frost

[–] Alfredolin@sopuli.xyz 2 points 21 minutes ago (1 children)

That's it. Btw it's from archive.is. I tried following a link from an article given by a lemmy.ml comrade.

[–] forestbeasts@pawb.social 1 points 3 minutes ago

Okay, that looks like not-Cloudflare. In large part because of the captcha; Cloudflare doesn't use Google's, they have their own.

I wonder if this is somehow from Google. Which... would they then be triggering this from third party JS or something? I don't know.

-- Frost

[–] Cethin@lemmy.zip 1 points 1 day ago (1 children)

This doesn't address the issue with Cloudflare. Yes, they provide an anti-crawler service for web hosts. However, essentially every website needs this, and it's done regardless of Cloudflare. It's just a fact of the modern internet.

[–] Yliaster@lemmy.world 1 points 16 hours ago (1 children)

I practically never come across these checks outside of google and cloudflare.

[–] Cethin@lemmy.zip 1 points 16 hours ago (1 children)

Have you seen the anime Canadian girl for Anubis? That's the big non-cloudflare alternative.

[–] Yliaster@lemmy.world 1 points 1 hour ago

That thing is so much better. Usually a split second and I don't have to shift browsers for it.

[–] kokesh@lemmy.world 13 points 1 day ago (1 children)

Owners of the said websites don't have to use this check.

[–] kbobabob@lemmy.dbzer0.com 3 points 1 day ago (1 children)

What do you propose instead to combat AI companies stealing from your site?

[–] kokesh@lemmy.world 0 points 1 day ago

I am trying htaccess at the moment, so far I am not getting bots in my logs. But I don't see anything bad on using Cloudflare. But I don't understand people hating Cloudflare for the tool they offer. I also find it annoying, hence I don't run it on my stuff.

[–] Scipitie@lemmy.dbzer0.com 39 points 1 day ago (2 children)

TLDR: Because they are the best at gaming the system.

Long version

They provide a really valuable thing to hosters: protection and reliability. The promise: "we take care that your website stays online".

Plus they have a very good caching infrastructure meaning my server isn't under as much pressure when I usee cloudflare.

For a user this is visible in two ways: bot testing stuff and slower load time, in individual perception.

And now the downside: they've created a spiderweb, sitting in the middle and most things online are entangled. "But I don't user cloudflare for my website!"? Tough luck. Some routing instance in between your users and your server might. The bit protection? Used to train various machine learning algorithms. Providing any kind of automation service online? If cloudflare marks you as something negative you're dead, no appeal.

They are from my assessment the single most powerful Internet company existing and they are staying nearly invisible on the public radar.

They pushed themselves into every problem people had with the more complicated layer in the whole Internet thing and made it easier for users - and leverage every information byte they collect on the way.

That said: I don't hate them; I'm just really miss trusting with this amount of power and influence centralized. They utilize the whole infrastructure to become a more engrained entity.

[–] ignotum@lemmy.world 6 points 1 day ago (2 children)

I'm just really miss trusting

Is there a mr trusting in the picture?

I'll see myself out

[–] Scipitie@lemmy.dbzer0.com 2 points 1 day ago (1 children)

Is this an application? ;)

[–] ignotum@lemmy.world 2 points 1 day ago

Yes, an application of wordplay :D

[–] nekusoul@lemmy.nekusoul.de 6 points 1 day ago (2 children)

Some routing instance in between your users and your server might.

Although that should only be possible if the user has a hijacked client or you're not using HTTPS. Or am I forgetting something?

[–] hitmyspot@aussie.zone 7 points 1 day ago

Cloud flare issue certificates on your behalf when they cache. They also have nameservers. However, I assume that is only for their customers.

[–] Scipitie@lemmy.dbzer0.com 1 points 1 day ago

I miss framed this: the concern here for me is not a malicious attack but that you're still affected in terms of routing: your service becoming unavailable because your hoster or their ISP relied on cloudflare.

[–] evadersnack@sopuli.xyz 1 points 1 day ago (1 children)

They’re slowly becoming the necessary evil in this day and age. At least they’re not Meta, Google, Anthropic, OpenAI / Microsoft, or Amazon.

[–] Squizzy@lemmy.world 2 points 10 hours ago

Just another US tech giant taking control of shit.

[–] hendrik@palaver.p3x.de 9 points 1 day ago

Because it's annoying to have that pop up everywhere and sometimes it decides you can't visit a website or need to wait 10s or so. And then again right after you click the next link.

And one day it might cut you off from half the internet for good? Hasn't happened yet. But ultimately it's a singular, big, ugly American company, now in charge of most of the internet. Including access to people's data/traffic when all they want is evade big tech.

[–] rozodru@piefed.world 6 points 1 day ago

I'll throw myself into the fire here. I use Cloudflare. I host a couple small websites with them that I don't pay for. why? it's easy, it's free, it works very well with my stack and dev environment and for me it's faster than what I was previously using/hosting with.

I made the decision recently to allow the "product to speak for itself" as opposed to making my tech decisions based on a POS Dev or CEO that works for whatever company. I needed a VPN and email hosting along with PW management that I just didn't want to deal with myself anymore so I said fuck it and went with proton regardless of what others may feel about them. On one of my machines I needed a decent and fast to set up tiling window manager so I said fuck it and installed hyprland regardless of the opinions of the lead dev. a few other examples like that. I figured if I held every company to the same moral standards as myself then I'd never get anything done.

Call me a hypocrite and what have you, fine. but honestly at this point everyone has their hands dirty and if we looked into the people who built EVERYTHING we use we'd probably end up using nothing. So do a lot of people not like Cloudflare? yes. Are their opinions on the matter valid? also yes. But if it and other things currently work for me and provide what I need I'll keep using them until they stop working for me.

[–] DataCrime@lemmy.dbzer0.com 8 points 1 day ago

Why not add 5 more seconds to the loading time of every website you visit?

Note: that’s just why I hate cloudflare, I have no idea why everybody else does 😝

[–] ada@lemmy.blahaj.zone 7 points 1 day ago

Me personally? Because they proudly host and protect hate sites

[–] makeshift0546@lemmy.today -4 points 1 day ago (1 children)

Because they are successful and pretty much own the market.

[–] 4am@lemmy.zip 4 points 1 day ago

If you think we’re all just jealous of their profits then you’re a literal Ferengi