The Wikipedia article says Cloudflare has been used to host hate speech, websites with illegal content and forums connected to all sorts of illegal activities. And I see them being used by a lot of decent webservices but shady ones as well.

So my question, can Cloudflare be used for something alike “bulletproof hosting”? Does anyone know if they collaborate with law enforcement or care once someone sends a mail to the abuse contact? Or if there’s a way to find information about a Cloudflare protected server for the public?

Hypothetical question, I’m just curious and I thought maybe someone here has first-hand experience with getting their account terminated or reporting content or doing piracy via them or whatever…

  • Typewar@infosec.pubEnglish
    1·
    3 hours ago

    Cloudflare takes a neutral response in general but are not resistant to law enforcement demands.

    What you can do is to create a cloudflare account on Tor, buy a privacy-focused VPN that supports port forwarding, connect your server to the VPN and point the DNS record to the VPN ip address. And then create a port rewrite rule in cloudflare settings (because port forwarding supported VPNs rarely support lower than 1024 ports). Atleast in this case, law enforcement notices won’t be forwarded to your ISP… still not bulletproof, but good enough for most stuff if you have concerns.

  • darvocet@infosec.pubEnglish
    33·
    13 hours ago

    I have experience working in large data centers that provide hosting. What I can tell you is that various government agencies do and will randomly come by the data center with warrants and court orders for things. I’ve literally had NASA show up (wtf?) and have to pull a server offline while they mirror the hard disk. All very hush hush make excuses to the customer when they open a ticket. Another thing that happens is that the FBI has placed their servers within internal spaces of the network. When they get a court order they can open a ticket with our abuse department and whatever switch port the feds are interested in can be mirrored and sent to their packet capture servers.

    • darvocet@infosec.pubEnglish
      10·
      12 hours ago

      I’ll add to this that I’m old - these days in a cloud environment they don’t even have to come to the data center to image the hard drive.

      • hendrik@palaver.p3x.deOPEnglish
        3·
        8 hours ago

        Thanks for your insight. Reading these stories always makes me feel data should stay on own premises with extra security measures. And yes, on my VPS, imaging the storage is one click and I believe it’s done online without any interruption of service. Not that I do a lot of illegal stuff on the internet. But with the current situation in the US and the general overboarding surveillance, I think i’d like to keep their government and agencies out of my emails and personal stuff… (And maybe even what I do publicly and within legal limits.)

        Though I didn’t ask about privacy here, but anonymity. And I guess selfhosting stuff at home isn’t an option either. Everyone can tell my ISP and location to like 30km with that. And link the IP to other activities.

      • madasi@lemmy.dbzer0.comEnglish
        6·
        11 hours ago

        Exactly. Most cloud virtualization providers you just take a snapshot of the virtual disk and provide that when requested and the customer never has a clue that is happened. I’d get contacted by our legal department, told that my boss was only to be told that I was working for them for now and no other details, and then directed on what they needed a copy of and how to send it to them.

  • _cryptagion [he/him]@anarchist.nexusEnglish
    15·
    12 hours ago

    Does anyone know if they collaborate with law enforcement

    yes, they do. they aren’t there to provide bulletpoof hosting, they are there to make your site resistant to DDoS attacks. as an added bonus, if you are selfhosting they also provide you with a bit of anonymity, in the sense that someone can’t just figure out your general location from your ISP.

    that doesn’t mean people can’t figure out who you are from the content you host. and if you are hosting content that is illegal, even if it’s illegal in another country, then you are likely to be exposed when their courts subpoena cloudflare. cloudflare isn’t going to fight too hard to protect your identity against a government, and honestly I don’t blame them for that because they never said that was their mission or purpose. they are DDoS protection, with a few other features that might be useful to you.

  • Irdial@lemmy.sdf.orgEnglish
    10·
    13 hours ago

    According to W3Techs, Cloudflare is used for 80.9% of all known reverse proxy endpoints which account for 19.8% of the entire Internet. It’s safe to say it’s used to host both legal and illegal content with that broad of a scope.

    They are an American company and must cooperate with law enforcement when abuse is reported. If you’re planning on hosting pirated content, that most definitely violates their terms of service and will get you in trouble.