Is Cloudflare Completely Trustworthy?

Cloudflare, Aliyun ESA, Tencent EdgeOne, and similar services all hold the domain's certificate, which means they terminate TLS at their edge and can inspect all traffic under the domain in plaintext. They are themselves large middlemen. Their primary function is security: there are too many attackers on the internet, and choosing a large middleman has more benefits than drawbacks. Their secondary functions include providing DNS, CDN, WAF, and other edge services at the same time.

Services like Cloudflare defend effectively against DDoS, trading a slight increase in latency for protection, which is a very good bargain. Every site owner should use such a service by default; network attacks are everywhere, so there is no reason for optimism: you will be attacked sooner or later. Some attacks exploit vulnerabilities, and how exposed you are depends on the site operator's skill. Other attacks aim to exhaust resources, like DDoS, exploiting the cost asymmetry between commercial and home networks; it is a scheme carried out in plain sight. Often you can only fight back with money, or shut the service down outright and abandon all users, which is what blackhole (null-route) defense amounts to.
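The middleman only inspects, and only absorbs DDoS for, traffic that actually passes through its edge: any public DNS record that resolves to an address outside the provider's ranges reaches a server directly and gets neither benefit. The following is an added example, not code from the original post or from any provider; it audits a zone's public DNS answers against the edge's address ranges. The ranges, hostnames and addresses are constructed sample data (documentation prefixes), and a real audit would load the provider's published range list and resolve your own zone.

```python
"""Audit public DNS answers against an edge provider's IP ranges.

Added example; the edge ranges and DNS answers below are constructed,
not any provider's real list.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample edge ranges (placeholder; not Cloudflare's published list).
EDGE_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "2001:db8:100::/48")]

# Constructed sample zone: hostname -> addresses a public resolver returned.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "www.example.com": ["198.51.100.10", "2001:db8:100::10"],
    "api.example.com": ["198.51.100.11"],
    "mail.example.com": ["203.0.113.7"],
    "staging.example.com": ["198.51.100.12", "203.0.113.7"],
}


def is_edge_address(addr: str, edge_ranges: Iterable = EDGE_RANGES) -> bool:
    """True when the address lies inside one of the edge's announced ranges."""
    ip = ipaddress.ip_address(addr)
    # Mixed-version comparisons (v4 address vs v6 net) simply evaluate False.
    return any(ip in net for net in edge_ranges)


def classify_host(addresses: Iterable[str], edge_ranges: Iterable = EDGE_RANGES) -> str:
    """'edge' if every answer is fronted, 'direct' if none is, 'mixed' otherwise."""
    flags = [is_edge_address(a, edge_ranges) for a in addresses]
    if all(flags):
        return "edge"
    if not any(flags):
        return "direct"
    return "mixed"


def audit_zone(zone: Dict[str, List[str]], edge_ranges: Iterable = EDGE_RANGES) -> Dict[str, str]:
    """Classify every hostname in the zone."""
    return {host: classify_host(addrs, edge_ranges) for host, addrs in zone.items()}


def direct_addresses(zone: Dict[str, List[str]], edge_ranges: Iterable = EDGE_RANGES) -> Dict[str, List[str]]:
    """Addresses that bypass the middleman: no inspection, no DDoS absorption."""
    out: Dict[str, List[str]] = {}
    for host, addrs in zone.items():
        bypass = [a for a in addrs if not is_edge_address(a, edge_ranges)]
        if bypass:
            out[host] = bypass
    return out


def hosts_per_direct_address(zone: Dict[str, List[str]], edge_ranges: Iterable = EDGE_RANGES) -> Dict[str, List[str]]:
    """Invert the view: one directly reachable address reused by several records
    is a single point that takes the full brunt of an attack."""
    out: Dict[str, List[str]] = {}
    for host, addrs in direct_addresses(zone, edge_ranges).items():
        for a in addrs:
            out.setdefault(a, []).append(host)
    return out


if __name__ == "__main__":
    for host, status in audit_zone(SAMPLE_ZONE).items():
        print(f"{host:24s} {status}")
    for addr, hosts in hosts_per_direct_address(SAMPLE_ZONE).items():
        print(f"direct {addr} used by {', '.join(hosts)}")
```

In the sample zone `mail.example.com` and `staging.example.com` both expose `203.0.113.7`; the mixed record is the more telling one, since the same name is served both through the edge and directly, so whatever protection the edge offers that host can be stepped around. The fix on the defender's side is to proxy every record that can be proxied and to give the remaining ones an address the edge-fronted origin does not share.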

Most attackers, on seeing a site protected by Cloudflare, give up immediately. An attacker could in principle target Cloudflare itself instead of the origin server to obtain the data, though at potentially much higher difficulty. But we can also believe that the world is a makeshift operation and nothing is impossible. In reality, most attacks on the internet go undetected, most attackers are never discovered, and most attacks are never prosecuted. Cloudflare can counter DDoS through its cost advantage, but that does not mean its code is impregnable; the probability of obtaining origin-server data by attacking Cloudflare-like providers is not zero.