Jump to content

Cloudflare

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Dyork (talk | contribs) at 23:47, 29 July 2021 (Undid revision 1036089092 by 2.43.241.78 (talk)Undoing edits from an IP editor where I don't see the changes justifying the change in the heading). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Cloudflare, Inc.
Company typePublic
Industry
FoundedJuly 2009; 15 years ago (2009-07)
FounderLee Holloway
Matthew Prince
Michelle Zatlyn Edit this on Wikidata
HeadquartersSan Francisco, California, U.S.
Key people
Services
RevenueIncrease US$431 million[1] (2020)
Decrease US$−106.8 million[1] (2020)
Decrease US$−119.4 million[1] (2020)
Total assets2,372,071,000 United States dollar (2021) Edit this on Wikidata
Number of employees
1,800
Websitecloudflare.com

Cloudflare, Inc. is an American web infrastructure and website security company that provides content delivery network and DDoS mitigation services.[2] Cloudflare's services sit between a website's visitor and the Cloudflare customer's hosting provider, acting as a reverse proxy for websites.[3][4] Cloudflare's headquarters are in San Francisco.[2]

History

Cloudflare was created in 2009 by Matthew Prince, Lee Holloway, and Michelle Zatlyn, all three of whom previously worked on Project Honey Pot, an open-source project that monitored internet fraud and abuse.[5] Cloudflare was launched at the TechCrunch Disrupt conference in September 2010.[6] It received media attention in June 2011 for providing security services to the website of LulzSec, a black hat hacking group.[7] From 2009, the company was venture-capital funded.[8] On August 15, 2019, Cloudflare submitted its S-1 filing for IPO on the New York Stock Exchange under the stock ticker NET.[9] It opened for public trading on September 13, 2019, priced at $15 per share.[10]

In February 2014, Cloudflare mitigated what was at the time the largest ever recorded DDoS attack, which peaked at 400 Gigabits per second against an undisclosed customer.[11] In November 2014, Cloudflare reported another massive DDoS attack with independent media sites being targeted at 500 Gbit/s.[12] In March 2013, the company defended The Spamhaus Project from a DDoS attack that exceeded 300 Gbit/s. Akamai's chief architect stated that at the time it was "the largest publicly announced DDoS attack in the history of the Internet".[13][14] Cloudflare has also reportedly absorbed attacks that have peaked over 400Gbit/s from an NTP Reflection attack.[15] In June 2020, Cloudflare mitigated a DDoS attack that peaked at 754 million packets per second.[16] As of 2020, Cloudflare provides DNS services to over 100,000 customers, covering more than 25 million internet properties.[17][18]

In 2014, Cloudflare launched Project Galileo, an initiative providing free services to protect artists, activists, journalists, and human rights groups from cyber attacks.[19] More than 1,000 users and organizations were participating in Project Galileo as of 2020.[20]

In 2017, Cloudflare created the Athenian Project to ensure free protection of online election infrastructures to local and state governments, as well as domestic and foreign political campaigns.[21][22][23]

On April 1, 2019, Cloudflare announced a new freemium VPN service named WARP. The service would initially be available through the 1.1.1.1 mobile apps with a desktop app available later.[24] On September 25, 2019, Cloudflare released WARP to the public.[25][26] The beta for macOS and Windows was announced on April 1, 2020.[27]

On September 6, 2019, Wikipedia became the victim of a DDoS attack. European users were unable to access Wikipedia for several hours.[28] The attack was mitigated after Wikimedia network engineers used Cloudflare's network and DDoS protection services to re-route and filter internet traffic.[29] The specific Cloudflare product used was Magic Transit.[30]

In 2020, co-founder and COO Michelle Zatlyn was named president, making her one of few women serving as president of a publicly traded technology company in the United States.[31]

In January 2021, the company established the Project Fair Shot initiative, a free tool that enables global health organizations to maintain a digital queue for COVID-19 vaccinations.[32]

Acquisitions

The following is a list of acquisitions by Cloudflare:

  • StopTheHacker (Feb 2014)[33]
  • CryptoSeal (June 2014)[34]
  • Eager Platform Co. (December 2016)[35]
  • Neumob (November 2017)[36]
  • S2 Systems (January 2020)[37]
  • Linc (December 2020)[38]

Products

An example of public key certificate issued by Cloudflare
A Network Time Protocol client synchronized with time server hosted by Cloudflare

Cloudflare acts as a reverse proxy for web traffic. Cloudflare supports web protocols, including SPDY and HTTP/2. In addition to this, Cloudflare offers support for HTTP/2 Server Push.[39]

DDoS Protection

Cloudflare provides DDoS mitigation services which protect customers from distributed denial of service (DDoS) attacks. As of September 2020, the company claims to block "an average of 72 billion threats per day, including some of the largest DDoS attacks in history."[40]

Content Distribution Network

Cloudflare offers a popular Content Distribution Network (CDN) service. The company launched in 2010 and TechCrunch wrote that its goal was to be "a CDN for the masses".[41] Ten years later, the company claimed to support over 25 million internet websites.[42]

Teams

Cloudflare for Teams is a suite of authentication and security products aimed at business clients. Teams consists of two parts: Gateway, a highly-customizable DNS resolver, and Access, a zero-trust authentication service.[43]

Workers

In 2017 Cloudflare launched Cloudflare Workers, a serverless computing platform that allows one to create entirely new applications or augment existing ones without configuring or maintaining infrastructure. Since then, the product has expanded to include Workers KV, a low-latency key-value data store, Cron Triggers for scheduling cron jobs, and additional tooling for developers to deploy and scale their code across the globe.[44]

Pages

After being leaked to the press,[45] Cloudflare Pages was launched as a beta in December 2020. The product is a Jamstack platform for front end developers to collaborate and deploy websites on Cloudflare's infrastructure of 200+ data centers worldwide.[46]

Security and privacy issues

Intrusions

The hacker group UGNazi attacked Cloudflare in June 2012 by gaining control over Cloudflare CEO Matthew Prince's voicemail and email accounts, which were hosted on Google. From there, they gained administrative control over Cloudflare's customers and used that to deface 4chan. Prince later acknowledged, "The attack was the result of a compromise that allowed the hacker to eventually access to my Cloudflare.com email addresses" and as the media pointed out at the time, "the keys to his business were available to anyone with access to his voicemail."[47][48]

In March 2021, Tillie Kottmann from the hacking collective "Advanced Persistent Threat 69420" demonstrated that the group had gained root shell access to security cameras in Cloudflare offices managed by cloud-based physical security company Verkada after obtaining the credentials of a Verkada superuser account that had been leaked on the internet.[49][50][51][52][53] Cloudflare stated that the compromised cameras were in offices that had been officially closed for several months,[49][54] though the hacking collective had also obtained access to Verkada-operated cameras physically located within Cloudflare's offices in New York City, London, Austin, and San Francisco.[49][53] The hacking group told Bloomberg News that it had video archives from all Verkada customers;[49] the group accessed footage from Cloudflare's cameras and posted a screenshot of security footage which they said was taken by a Verkada camera within a Cloudflare office.[52][55]

Data leaks

From September 2016 until February 2017, a major Cloudflare bug (nicknamed Cloudbleed) leaked sensitive data, including passwords and authentication tokens, from customer websites by sending extra data in response to web requests.[56] The leaks resulted from a buffer overflow which occurred, according to numbers provided by Cloudflare at the time, more than 18,000,000 times before the problem was corrected.[57][58][59][60]

In May 2017, ProPublica reported that Cloudflare routinely discloses the names and email addresses of persons complaining about hate sites to the operators of those sites, which has led to the complainants being harassed. Cloudflare's general counsel defended the company's policies by saying it is "base constitutional law that people can face their accusers", and noted that there had been a disclaimer on Cloudflare’s complaint form since 2015 stating that they "would notify the site owner."[61] Cloudflare's CEO later suggested that, had people not wanted their names shared, they should have provided a false name on the reporting form.[62] In reaction to ProPublica's report, Cloudflare updated their abuse reporting process to provide greater control over disclosure of the complaining party's personally identifying information.[63]

Service outages

Cloudflare suffered a major outage on July 2, 2019,[64] which rendered more than 12 million websites (80% of all Cloudflare's customers) unreachable for 27 minutes.[65] A similar outage occurred on July 17, 2020, with similar effect and impacting approximately the same number of sites.[66][67] Other notable outages occurred on June 24, 2019 (two hours and twenty-seven minutes),[68] April 1, 2020 (five hours and five minutes),[69] August 30, 2020 (four hours and fifty-five minutes),[70] May 3, 2021 (two hours)[71] and June 11, 2021 (one hour and five minutes).[72]

Controversies

Cloudflare has faced continuous controversy over its facilitation of terrorism, crime, and hate speech, including sanctioned extremist groups like ISIS, the Taliban, Myanmar's military junta, neo-Nazi organizations, and mass murderers[73][74][75][76][77][78]—a stance it has defended based on the principle of free speech.[79][80] These controversies have involved Cloudflare's policy of content neutrality and the usage of its services by numerous contentious websites,[81] including The Daily Stormer and 8chan,[82] an imageboard which has been linked to multiple mass shootings in the United States and the Christchurch mosque shootings in New Zealand.[83][84] Under intense public pressure and legal threat, Cloudflare terminated services to The Daily Stormer in 2017 and to 8chan following the 2019 El Paso shooting.

Terrorism

The Huffington Post has documented Cloudflare's services to "at least 7 terrorist groups", as designated by the United States Department of State[75][77] including the Taliban, Al-Shabaab, the al-Aqsa Martyrs' Brigades, Hamas, and the al-Quds Brigades. Cloudflare has been aware since at least 2012, and has taken no action. However, according to Cloudflare's CEO, no law enforcement agency has asked the company to discontinue these services.[85] Two of the top three online chat forums and nearly forty other web sites belonging to the Islamic State of Iraq and the Levant (ISIL) are guarded by Cloudflare.[85]According to Prince, U.S. law enforcement has not asked Cloudflare to discontinue the service, and it has not chosen to do so itself.[85] In November 2015, hacktivist group Anonymous discouraged the use of Cloudflare's services following the ISIL attacks in Paris and additional revelations that Cloudflare aids terrorists.[86] Cloudflare responded by calling the group "15-year-old kids in Guy Fawkes masks", and saying that whenever such concerns are raised it consults anti-terrorism experts and abides by the law.[87]

Mass Shootings

In 2019, Cloudflare was criticized for providing services to the discussion and imageboard 8chan, which allows users to post and discuss any content with minimal interference from site administrators. The message board has been linked to mass shootings in the United States and the Christchurch mosque shootings in New Zealand.[83][84][88] In addition, a number of news organizations including The Washington Post and The Daily Dot have reported the existence of child pornography and child sexual abuse discussion boards.[89][90][91] A Cloudflare representative has been quoted by the BBC claiming that the platform "does not host the referenced websites, cannot block websites, and is not in the business of hiding companies that host illegal content".[92] In an August 3 interview with The Guardian, immediately following the 2019 El Paso shooting, CEO Matthew Prince defended Cloudflare's support of 8chan, stating that he had a "moral obligation" to keep the site online.[93] Cloudflare did not terminate service to 8chan until public and legal pressure in the wake of a copycat shooting in the United States, which similarly used Cloudflare and 8chan to publish the associated manifesto.[94][95]

Crime

Cloudflare services have been used by Rescator, a carding website that sells stolen payment card data[96][97][98] and enables more than two thousand hack-for-hire and criminal cyber-attack services known as "booters."

Cloudflare has been identified by the European Union's Counterfeit and Piracy Watch List as a "notorious market" which engages in, facilitates or benefits from counterfeiting and piracy. The report notes that Cloudflare hides and anonymizes the operators of 40% of the world’s pirate sites, and 62% of the 500 largest such sites, and "does not follow due diligence when opening accounts for websites to prevent illegal sites from using its services."[99][100] Italian courts have enjoined Cloudflare to cease hosting pirate television service "IPTV THE BEST" after it was found to be infringing the intellectual property of Sky Italy and the Italian football league,[101] and German courts have similarly found that "Cloudflare and its anonymization services attract structurally copyright infringing websites."[102]

Cloudflare is cited in reports by The Spamhaus Project, an international spam tracking organization, for the high numbers of cybercriminal botnet operations hosted by Cloudflare.[103][104][105] An October 2015 report found that Cloudflare provisioned 40% of the SSL certificates used by typosquatting phishing sites, which use deceptive domain names resembling those of banks and payment processors to compromise Internet users' banking and other transactions.[106]

Hate speech

Cloudflare has come under pressure on multiple occasions due to its facilitation (such as DNS routing and DDoS mitigation) of websites such as LulzSec, The Daily Stormer, and 8chan.[74][75][76][79] Some have argued Cloudflare's services allow access to content which spreads hate and has led to harm and deaths.[83][84][88][89][90] However Cloudflare's US legal domicile gives it broad legal immunity from the content produced by its users.[107]

Cloudflare provided DNS routing and DoS protection for the white supremacist and neo-Nazi website, The Daily Stormer. In 2017 Cloudflare stopped providing its services to The Daily Stormer after an announcement on the controversial website asserted that the "upper echelons" of Cloudflare were "secretly supporters of their ideology".[108] Previously Cloudflare had refused to take any action regarding The Daily Stormer.[107] As a self-described "free speech absolutist", Cloudflare's CEO Matthew Prince, in a blog post, vowed never to succumb to external pressure again and sought to create a "political umbrella" for the future.[107] Prince further addressed the dangers of large companies deciding what is allowed to stay online, a concern that is shared by a number of civil liberties groups and privacy experts.[109][110][111] The Electronic Frontier Foundation, a US digital rights group, said that services such as Cloudflare "should not be adjudicating what speech is acceptable", adding that "when illegal activity, like inciting violence or defamation, occurs, the proper channel to deal with it is the legal system."[108]

In late 2019, Cloudflare was criticized for providing services to the anti-black website Chimpmania. Hundreds of thousands signed a petition on Change.org urging Prince to terminate services to Chimpmania. The petition was created by the parents of a biracial baby who was born with gastroschisis and who was mocked as a "mulatto monkey baby" by site users, and whose pictures were posted on the site. Over the ten years the site has been active, numerous other petitions have also been leveled against it, none of which were successful.[112]

In June of 2021, There were calls for Cloudflare to cut off service for the website Kiwi Farms after a well known programmer known by the pseudonym Near allegedly killed themselves as a result of harassment from the forum.[113] Kiwi Farms' proprietor Joshua Moon claims that Near faked their suicide.

This is at least the third suicide that Kiwi Farms has been tied to while hosted by Cloudflare.[114][115][116][117] This is also at least the second time that Kiwi Farms has been knocked completely offline while under Cloudflare's DDoS protection, reportedly by attacks as small as one gigabit per second.[118] Cloudflare has not released a statement in response to this criticism.

References

  1. ^ a b c "Cloudflare Announces Fourth Quarter and Fiscal Year 2020 Financial Results". cloudflare.net. February 11, 2021. Retrieved February 11, 2021.
  2. ^ a b Clifford, Tyler (October 6, 2020). "Cloudflare CEO: Dozens of U.S. states are using Athenian Project for election security". CNBC. Retrieved January 25, 2021.
  3. ^ Perlroth, Nicole (February 17, 2012). "Search Bits SEARCH Preparing for DDoS Attacks or Just Groundhog Day". The New York Times. Retrieved January 25, 2021.
  4. ^ Durant, Richard (May 19, 2020). "Cloudflare: Thinking Big". Seeking Alpha. Retrieved January 25, 2021.
  5. ^ "Cloudflare, in its IPO filing, thanks a third co-founder: Lee Holloway". TechCrunch. Retrieved May 6, 2021.
  6. ^ "Cloudflare CEO Matthew Prince is coming to Disrupt Berlin". TechCrunch. Retrieved May 6, 2021.
  7. ^ Hesseldahl, Arik (June 10, 2011). "Web Security Start-Up Cloudflare Gets Buzz, Courtesy of LulzSec Hackers". All Things Digital. Retrieved August 15, 2011.
  8. ^ Kawamoto, Dawn (March 12, 2019). "Cloudflare's $150 million funding round puts its IPO plans in question". San Francisco Business Times. Retrieved March 12, 2019. (Subscription required.)
  9. ^ Shieber, Jonathan (August 15, 2019). "Cloudflare files for initial public offering". TechCrunch. Retrieved August 22, 2019.
  10. ^ Loizos, Connie (September 13, 2019). "Cloudflare co-founder Michelle Zatlyn on the company's IPO today, its unique dual class structure, and what's next". TechCrunch. Retrieved September 16, 2019.
  11. ^ Schwartz, Mathew J. (February 11, 2014). "DDoS Attack Hits 400 Gbit/s, Breaks Record". Dark Reading. Retrieved August 22, 2019.
  12. ^ Olson, Parmy (November 20, 2014). "The Largest Cyber Attack In History Has Been Hitting Hong Kong Sites". Forbes. Retrieved August 22, 2019.
  13. ^ Storm, Darlene (March 27, 2013). "Biggest DDoS attack in history slows Internet, breaks record at 300 Gbps". Computerworld. Retrieved August 22, 2019.
  14. ^ Markoff, John; Perlroth, Nicole (March 26, 2013). "Online Dispute Becomes Internet-Snarling Attack". The New York Times. Retrieved August 22, 2019.
  15. ^ Gallagher, Sean (February 11, 2014). "Biggest DDoS ever aimed at Cloudflare's content delivery network". Ars Technica. Retrieved May 17, 2016.
  16. ^ "'DDoS-For-Hire' Is Fueling a New Wave of Attacks". Wired. ISSN 1059-1028. Retrieved May 6, 2021.
  17. ^ Witkowski, Wallace. "Cloudflare stock rallies on better-than-expected results, outlook". MarketWatch. Retrieved May 6, 2021.
  18. ^ Lagorio-Chafkin, Christine (November 6, 2020). "Why the CEO of a $350 Million Internet Security Company Practices Radical Transparency". Inc.com. Retrieved May 6, 2021.
  19. ^ Newman, Lily Hay (June 12, 2019). "Cloudflare's Five-Year Project to Protect Nonprofits Online". Wired. ISSN 1059-1028. Retrieved August 5, 2019.
  20. ^ Melendez, Steven (June 11, 2020). "Amid pandemic and protests, Cloudflare is defending vulnerable websites". Fast Company. Retrieved May 12, 2021.
  21. ^ Clifford, Tyler (October 6, 2020). "Cloudflare CEO: Dozens of U.S. states are using Athenian Project for election security". CNBC. Retrieved January 28, 2021.
  22. ^ Melendez, Steven (June 11, 2020). "Amid pandemic and protests, Cloudflare is defending vulnerable websites". Fast Company. Retrieved February 3, 2021.
  23. ^ Hatmaker, Taylor (July 19, 2018). "Cloudflare Recruits State and Local Governments for Free Election Site Security Programs". TechCrunch. Retrieved January 28, 2021.
  24. ^ Rambo, Guilherme (April 1, 2019). "Cloudflare announces WARP: a new free VPN service for iOS". 9to5Mac. Archived from the original on April 2, 2019. Retrieved April 2, 2019.
  25. ^ Humphries, Matthew (September 26, 2019). "Cloudflare Finally Launches WARP, But It's Not a Mobile VPN". PCMAG. Retrieved September 27, 2019.
  26. ^ Security, Paul Wagenseil 2019-09-26T20:13:55Z. "WARP Promises Faster Speeds on Your Phone Without 5G, but Doesn't Quite Deliver Yet". Tom's Guide. Retrieved September 27, 2019.{{cite web}}: CS1 maint: numeric names: authors list (link)
  27. ^ Bijan Stephen (April 1, 2020). "Cloudflare's WARP VPN is launching in beta for macOS and Windows". The Verge. Retrieved September 17, 2020.
  28. ^ Rahim, Zamira (September 7, 2019). "'Malicious attack' on Wikipedia causes outage in several countries". The Independent. London. Retrieved September 26, 2020.
  29. ^ "Analyzing the Wikipedia DDoS Attack". Internet and Cloud Intelligence Blog. ThousandEyes. Retrieved September 26, 2020.
  30. ^ "Wikimedia Foundation". Cloudflare. Retrieved September 26, 2020.
  31. ^ Mehta, Stephanie (December 17, 2020). "Exclusive: Cloudflare promotes Michelle Zatlyn to president, a gain for women in tech". Fast Company. Retrieved December 20, 2020.
  32. ^ "Cloudflare introduces free digital waiting rooms for any organizations distributing COVID-19 vaccines". TechCrunch. Retrieved May 12, 2021.
  33. ^ "Fresh off IPO, this high-profile Bay Area cloud company just snapped up a browser isolation company". bizjournals.com. January 7, 2020. Retrieved May 12, 2021.{{cite web}}: CS1 maint: url-status (link)
  34. ^ Prince, Matthew (June 18, 2014). "Cloudflare Acquires CryptoSeal". blog.cloudflare.com. Archived from the original on March 21, 2021. Retrieved March 9, 2021.
  35. ^ "Cloudflare acquires app platform Eager, will sunset service in Q1 2017". VentureBeat. December 13, 2016. Retrieved May 12, 2021.
  36. ^ Ron Miller (November 14, 2017). "Neumob acquisition gives Cloudflare missing mobile component – TechCrunch". TechCrunch. Retrieved September 18, 2020.
  37. ^ Ron Miller (January 7, 2020). "Cloudflare acquires stealthy startup S2 Systems, announces Cloudflare for Teams – TechCrunch". TechCrunch. Retrieved September 17, 2020.
  38. ^ Kyle Wiggers (December 22, 2020). "Cloudflare acquires Linc to automate web app deployment". VentureBeat. Retrieved December 22, 2020.
  39. ^ Osborne, Charlie (April 28, 2016). "Cloudflare figured out how to make the Web one second faster". ZDNet. Retrieved May 17, 2016.
  40. ^ "Cloudflare DDoS Protection". Cloudflare Home Page. Retrieved September 26, 2020.
  41. ^ Kincaid, Jason (September 27, 2010). "Cloudflare Wants To Be A CDN For The Masses (And Takes Five Minutes To Set Up)". TechCrunch. Retrieved September 26, 2020.
  42. ^ "Cloudflare CDN Content Delivery Network". Cloudflare. Retrieved September 26, 2020.
  43. ^ "Cloudflare for Teams: Protecting corporations without sacrificing performance". Help Net Security. January 8, 2020. Retrieved February 11, 2021.
  44. ^ Newsdesk. "Cloudflare creates Workers Unbound platform for serverless development". datacenternews.asia. Retrieved May 26, 2021.
  45. ^ "Cloudflare is testing a Netlify competitor to host Jamstack sites". TechCrunch. December 7, 2020. Retrieved January 15, 2021.
  46. ^ "Cloudflare launches Cloudflare Pages, a platform to deploy and host JAMstack sites". TechCrunch. Retrieved May 26, 2021.
  47. ^ Simcoe, Luke (June 14, 2012). "The 4chan breach: How hackers got a password through voicemail". Maclean's. Archived from the original on January 15, 2014. Retrieved August 22, 2019. What makes the 4chan hack interesting is how it was done. UGNazi got to 4chan by attacking the site's host — a company called Cloudflare. 'The attack was the result of a compromise that allowed the hacker to access my Cloudflare.com email addresses, which runs on Google Apps,' wrote Cloudflare's CEO Matthew Prince. In Prince's case, the keys to his business were available to anyone with access to his voicemail.
  48. ^ Ms. Smith (June 3, 2012). "Hacktivists UGNazi attack 4chan, Cloudflare and Wounded Warrior Project". Privacy and Security Fanatic. NetworkWorld. Archived from the original on November 12, 2013. Retrieved August 22, 2019.
  49. ^ a b c d Turton, William (March 9, 2021). "Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals". Bloomberg. Retrieved March 10, 2021.{{cite news}}: CS1 maint: url-status (link)
  50. ^ Goodin, Dan (March 10, 2020). "Hackers access security cameras inside Cloudflare, jails, and hospitals". Ars Technica.
  51. ^ Gartenberg, Chaim (March 9, 2021). "Security startup Verkada hack exposes 150,000 security cameras in Tesla factories, jails, and more". The Verge.
  52. ^ a b Patterson, Dan (May 10, 2021). "Hack of video security company Verkada exposes footage from 150,000 connected cameras". CBS News.
  53. ^ a b Lucas, Manfredi (March 9, 2021). "Tesla, Equinox, Cloudflare among victims in hack exposing over 150,000 security cameras". FOX Business.
  54. ^ Graham-Cumming, John (March 10, 2021). "About the March 8 & 9, 2021 Verkada camera hack". The Cloudflare Blog. Archived from the original on March 10, 2021. Retrieved March 10, 2021.
  55. ^ Murdock, Jason (March 10, 2021). "Twitter Suspends Verkada Hacker Tillie Kottman's Account After Tesla Security Footage Leak". Newsweek.
  56. ^ Conger, Kate (February 23, 2017). "Major Cloudflare bug leaked sensitive data from customers' websites". TechCrunch. Retrieved August 22, 2019.
  57. ^ Steinberg, Joseph (February 24, 2017). "Why You Can Ignore Calls To Change Your Passwords After Today's Massive Password Leak Announcement". Inc. Retrieved February 24, 2017.
  58. ^ Molina, Brett (February 28, 2017). "Cloudfare bug: Yes, you should change your passwords". USA Today. Retrieved March 1, 2017.
  59. ^ "About Cloudflare". Cloudflare. Retrieved June 16, 2021. Every week, the average Internet user touches us more than 500 times.
  60. ^ "Incident report on memory leak caused by Cloudflare parser bug". Cloudflare. Retrieved June 16, 2021. 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulted in memory leakage.
  61. ^ Schwencke, Ken (May 4, 2017). "How One Major Internet Company Helps Serve Up Hate on the Web". ProPublica. Retrieved May 6, 2017.
  62. ^ "Internet security CEO explains why harassed complainants should've used fake names". South China Morning Post. May 9, 2017. Retrieved May 2, 2021.
  63. ^ Prince, Matthew (May 7, 2017). "Anonymity and Abuse Reports". The Cloudflare Blog. Retrieved August 22, 2019.
  64. ^ Cheng, Michelle (July 15, 2019). "Cloudflare shows how transparent tech companies should be". Quartz. Retrieved July 17, 2020.
  65. ^ Graham-Cumming, John (July 12, 2019). "Details of the Cloudflare outage on July 2, 2019". The Cloudflare Blog. Retrieved July 12, 2019.
  66. ^ Dassanayake, Dion (July 17, 2020). "Discord DOWN: Server status latest, connection and chat problems confirmed". Daily Express. Retrieved July 17, 2020.
  67. ^ Carpenter, Nicole (July 17, 2020). "Discord, Riot Games down with reported Cloudflare outage". Polygon. Retrieved July 17, 2020.
  68. ^ Perez, Sarah (June 24, 2019). "Cloudflare issues affecting numerous sites on Monday". TechCrunch. Retrieved June 16, 2021. Cloudflare is having network problems this morning — and taking down a lot of its customers' sites and apps in the process. Affected companies include podcast app Overcast, chat service Discord, managed hosting provider WP Engine, eCommerce hosting provider Sonassi, public web front-end CDN service CDNJS, and many others — including the sites that rely on the web hosting or who partner with Cloudflare for their CDN service.
  69. ^ Medina, Angelique. "Why Rostelecom's Route Hijack Highlights the Need for BGP Security". ThousandEyes. On April 1, 2020, at 7:30 PM UTC, JSC Rostelecom announced a more specific /21 route to Cloudflare's services. By 12:35 PM, all illegitimate routes were withdrawn, and traffic was flowing normally to affected services.
  70. ^ Goodwin, Jazmin (August 31, 2020). "Major internet outage: Dozens of websites and apps were down". CNN Business. Retrieved June 16, 2021. Cloudflare CTO Graham-Cumming claimed that CenturyLink was responsible for the outage, which took Cloudflare and its customers down with them. The outage followed a shorter one on Saturday.
  71. ^ Medina, Angelique. "Even Magic Can't Stop Internet Outages". ThousandEyes. Retrieved June 16, 2021. Today, we focused on an interesting outage that impacted Cloudflare. On May 3rd at approximately 22:00 UTC, ThousandEyes vantage points connecting to sites using Magic Transit began to detect significant packet loss at Cloudflare's network edge—with the loss continuing at varying levels, for approximately 2 hours.
  72. ^ Claburn, Thomas (June 11, 2021). "Cloudflare network outage disrupts Discord, Shopify". The Register. Retrieved June 16, 2021. 'Cloudflare is aware of an issue which potentially impacts multiple customers,' the company said. Chat service Discord, reported 'connection failures in US East due to issues upstream of our service.' Shopify likewise reported service issues around 1607 UTC and said the problems were resolved by 1712 UTC.
  73. ^ "Controversial US infosec firm Cloudflare is providing potentially sanctions-busting services to Myanmar's military junta". Bofa on Insecurity. Retrieved June 6, 2021. In what is a likely violation of current US Treasury sanctions, the Junta also appears to be using the services of controversial US security company Cloudflare to protect themselves from more leaks, with at least five government websites geo-blocked to make them inaccessible outside Myanmar.
  74. ^ a b Wong, Julia Carrie (August 28, 2017). "The far right is losing its ability to speak freely online. Should the left defend it?". The Guardian. London. Retrieved August 22, 2019. Matthew Prince had the power to kill the white supremacist hate site the Daily Stormer for years, but he didn't choose to.
  75. ^ a b c Jones, Rhett (December 14, 2018). "Cloudflare Under Fire for Allegedly Providing DDoS Protection for Terrorist Websites". Gizmodo. Retrieved August 5, 2019. Cloudflare is facing accusations that it's providing cybersecurity protection for at least seven terrorist organizations—a situation that some legal experts say could put it in legal jeopardy.
  76. ^ a b Sankin, Aaron (July 11, 2019). "The Dirty Business of Hosting Hate Online". Gizmodo. Retrieved August 5, 2019. The organizations we looked at run the gamut from white supremacists, neo-Nazis, and chapters of the Ku Klux Klan to groups dedicated to stripping the rights of immigrants and LGBT people. We found 151 tech companies currently offering services to the websites on this list. While the overwhelming majority of companies only worked with one or two sites, some names came up again and again. Cloudflare, which provides protection against distributed denial-of-service attacks, works with the second largest number of sites, 56.
  77. ^ a b Cook, Jesselyn (December 14, 2018). "U.S. Tech Giant Cloudflare Provides Cybersecurity For At Least 7 Terror Groups: Among its customers are the Taliban, al-Shabab and Hamas". HuffPost. Retrieved August 5, 2019. Among Cloudflare's customers are groups that are on the State Department's list of foreign terrorist organizations, including al-Shabab, the Popular Front for the Liberation of Palestine, al-Quds Brigades, the Kurdistan Workers' Party (PKK), al-Aqsa Martyrs Brigade and Hamas — as well as the Taliban, which, like the other groups, is sanctioned by the Treasury Department's Office of Foreign Assets Control (OFAC). These organizations own and operate active websites that are protected by Cloudflare, according to four national security and counterextremism experts. In the United States, it's a crime to knowingly provide tangible or intangible "material support" to a designated foreign terrorist organization or to provide service to an OFAC-sanctioned entity without special permission. Cloudflare, which is not authorized by the OFAC to do business with such organizations, has been informed on multiple occasions, dating back to at least 2012, that it is shielding terrorist groups behind its network, and it continues to do so.
  78. ^ Schwencke, Ken (May 4, 2017). "How One Major Internet Company Helps Serve Up Hate on the Web". ProPublica. Retrieved June 6, 2021. Cloudflare provides services to neo-Nazi sites like The Daily Stormer, including giving them personal information on people who complain about their content. The widespread use of Cloudflare's services by racist groups is not an accident. Cloudflare has said it will not deny its services to even the most offensive purveyors of hate. "A website is speech. It is not a bomb," Cloudflare's CEO Matthew Prince wrote. "There is no imminent danger it creates and no provider has an affirmative obligation to monitor and make determinations about the theoretically harmful nature of speech a site may contain." Cloudflare also has an added appeal to sites such as The Daily Stormer. It turns over to the hate sites the personal information of people who criticize their content.
  79. ^ a b Captain, Sean (February 27, 2019). "Is Cloudflare a privacy champion or hate speech enabler? Depends who you ask". Fast Company. Retrieved August 5, 2019. Cloudflare is regularly shamed for enabling repulsive groups by helping them provide a better internet experience to their followers. In October 2018, Cloudflare stood out by continuing to support the chat platform Gab–infamous for racist chatter, including a post by Robert Bowers, who was charged with murdering 11 people in a Pittsburgh synagogue on October 27. Infrastructure companies like Joyent and GoDaddy dropped the site. But Cloudflare held on and continues to support Gab.
  80. ^ Lee, Timothy B. (August 31, 2017). "Tech companies declare war on hate speech—and conservatives are worried". Ars Technica. Retrieved August 6, 2019.
  81. ^ Peterson, Becky (August 17, 2017). "Cloudflare CEO explains his emotional decision to punt The Daily Stormer and subject it to hackers: I woke up 'in a bad mood and decided to kick them off the Internet'". Business Insider. Retrieved August 17, 2017. While Cloudflare may have been The Daily Stormer's last line of defense, Prince's decision didn't actually take the company's site offline by itself. Earlier in the week, both GoDaddy and Google publicly announced they had dropped The Daily Stormer as a customer of their domain-hosting services.
  82. ^ Kelly, Makena (August 4, 2019). "Cloudflare to revoke 8chan's service, opening the fringe website up for DDoS attacks". The Verge. Archived from the original on August 5, 2019. Retrieved August 5, 2019. Saturday's shooting in El Paso, where at least 20 people were killed and two dozen injured, is the third mass shooting linked to both 8chan and white nationalist ideology this year. The first, in Christchurch, New Zealand, brought the fringe website into the mainstream discussion back in April, but Cloudflare declined to revoke its service.
  83. ^ a b c Wong, Julia Carrie (August 4, 2019). "8chan: the far-right website linked to the rise in hate crimes". The Guardian. Retrieved August 5, 2019. Protection from Cloudflare: 8chan would have difficultly operating if it didn't receive protection from Cloudflare, a US-based company that provides internet infrastructure services to websites. Cloudflare faced renewed public pressure over its protection of 8chan in the wake of the Christchurch massacre. And in a phone interview with the Guardian on Saturday night, Prince reiterated his belief that Cloudflare should not cease to provide services to sites such as 8chan based on their content.
  84. ^ a b c Mezzofiore, Gianluca; O'Sullivan, Donie (August 5, 2019). "El Paso shooting is at least the third atrocity linked to 8chan this year". CNN. Retrieved August 5, 2019.
  85. ^ a b c Kohlmann, Evan F. (January 27, 2015). "Charlie Hebdo and the Jihadi Online Network: Assessing the Role of American Commercial Social Media Platforms" (PDF). United States House of Representatives. Retrieved August 22, 2019. How does ISIS manage to reliably operate its own official proprietary dot-com social media platform on the Internet in order to disseminate videos such as the beheading of James Foley and the "martyrdom" will of Amedy Coulibaly? The answer is San Francisco-based American tech company Cloudflare. Two of ISIS' top three online chat forums—including the notorious Alplatformmedia.com—are currently guarded by Cloudflare. It is extremely difficult to reconcile the paradox that it is illegal to give pro-bono assistance to a terrorist group, but it is perfectly legal for Cloudflare to commercially profit from a terrorist group by assisting them to communicate securely with recruits and to publicly disseminate recordings of mass murder.
  86. ^ Hern, Alex (November 19, 2015). "Web services firm Cloudflare accused by Anonymous of helping Isis". The Guardian. London. Retrieved November 19, 2015. The week before the Paris attacks, Ghost Security counted almost 40 ISIS websites that use Cloudflare's services. According to GhostSec, 34 were propaganda websites, four were discussion forums, and two offered technical services.
  87. ^ Hackett, Robert (November 18, 2015). "Anonymous' Gripes About ISIS Are 'Absurd,' CEO says". Fortune. Retrieved August 22, 2019.
  88. ^ a b Roose, Kevin (August 4, 2019). "8chan Is a Megaphone for Gunmen. 'Shut the Site Down,' Says Its Creator". The New York Times. Retrieved August 5, 2019.
  89. ^ a b O'Neill, Patrick Howell (November 17, 2014). "8chan, the central hive of Gamergate, is also an active pedophile network". The Daily Dot. Retrieved August 5, 2019. On numerous public forums, 8chan users share graphic images of children, plus links to hardcore child pornography.
  90. ^ a b Machkovech, Sam (August 17, 2015). "8chan-hosted content disappears from Google searches: Domain-specific searches contain warning about "suspected child abuse content."". Ars Technica. Retrieved August 5, 2019.
  91. ^ Dewey, Caitlin (January 13, 2015). "This is what happens when you create an online community without any rules". The Washington Post. Retrieved August 22, 2019. When a number of people reported 8chan's active pedophilia boards to Cloudflare, the company that protects the site from malicious traffic, Brennan took screenshots of their names and e-mail addresses and tweeted them publicly.
  92. ^ "Cloudflare embroiled in child abuse row". BBC News. October 22, 2019. Retrieved November 15, 2019. Cloudflare helps websites host illegal content. The company insists it is powerless because it does not actually host the offending sites. Campaigners say Cloudflare's services make it easier for clients to avoid detection by "hiding" their locations.
  93. ^ Wong, Julia Carrie (August 3, 2019). "8chan: the far-right website linked to the rise in hate crimes". The Guardian. London. Retrieved August 3, 2019. Three attackers in six months allegedly posted their plans on the site in advance. 8chan would have difficultly operating if it didn't receive protection from a company called Cloudflare. Cloudflare faced renewed public pressure over its protection of 8chan in the wake of the Christchurch massacre. CEO Matthew Prince explains his "moral obligation" to keep 8chan online and reiterated his belief that Cloudflare should not cease to provide services to sites such as 8chan based on their content.
  94. ^ Uebele, Hannah (August 6, 2019). "El Paso: When Freedom Of Speech Turns Violent". WGBH. Retrieved June 6, 2021.
  95. ^ Collins, Ben (August 4, 2019). "Investigators 'reasonably confident' Texas suspect left anti-immigrant screed". NBC News. Retrieved August 22, 2019. The screed posted to the anonymous extremist message board railed against immigrants in Texas and pushed talking points about preserving European identity in America. The attack left at least 20 dead and 26 injured.
  96. ^ Yadron, Danny (September 29, 2014). "Cloudflare Pushes More Encrypted Web". The Wall Street Journal. New York. Retrieved August 10, 2015.
  97. ^ Kovacs, Eduard (March 17, 2014). "Underground Payment Card Store Rescator Hacked and Defaced". Softpedia News. Retrieved August 10, 2015.
  98. ^ Krebs, Brian (January 15, 2015). "Spreading the Disease and Selling the Cure". Krebs on Security. Retrieved August 14, 2015. booter services are proliferating thanks mainly to services offered by Cloudflare, a CDN that protects virtually all of the booter services currently online. That includes the Lizardstresser, the attack service which knocked the Microsoft Xbox and Sony Playstation networks offline on Christmas Day 2014. Most booter services probably would not be able to remain in business without Cloudflare. The Web site crimeflare.com, which tracks abusive sites that hide behind Cloudflare, has cataloged more than 200 DDoS-for-hire sites using Cloudflare.
  99. ^ "Counterfeit and Piracy Watch List" (PDF). The European Commission. December 7, 2018. Retrieved July 16, 2021. CloudFlare is used by approximately 40% of the pirate websites in the world. It operates as a front host between the user and the website's back host, routing and filtering all content through its network of servers. Out of the top 500 infringing domains based on global Alexa rankings, 62% use CloudFlare.
  100. ^ Maxwell, Andy (December 10, 2018). "New EU Piracy Watchlist Targets Key Pirate Sites and Cloudflare". TorrentFreak. Retrieved July 16, 2021. The EU has published its debut 'Counterfeit and Piracy Watch List' based on consultations with stakeholders, decisions handed down against sites by national courts, the UK's Police Intellectual Property Crime Unit's infringing website list, Google's Transparency Report, plus various Europol assessments. It lists sites, services, and other players who allegedly engage in, facilitate or benefit from counterfeiting and piracy. Cloudflare is accused of offering services to approximately 40% of the world's pirate sites, helping to anonymize their operators and hide sites' true hosts.
  101. ^ Van der Sar, Ernesto (October 14, 2020). "Italian Court Orders Cloudflare to Block a Pirate IPTV Service". TorrentFreak. Retrieved July 16, 2021. Many copyright holders have complained that Cloudflare does little to nothing to stop pirate sites from using its services. The company receives numerous DMCA notices but aside from forwarding these to the affected customers, it takes no action.
  102. ^ Nordemann, Jan Bernd (July 12, 2021). "Duties of DNS resolvers and CDN providers – the CoA Cologne finds Cloudflare accountable". Wolters Kluwer. Retrieved July 16, 2021. According to a recent Cologne Court of Appeal ruling, providers may be held accountable to block websites which run an illegal business model dedicated to copyright infringements. Additionally, CDNs have a duty to stop the use of their services for such rogue websites. In this case, Cloudflare provided both DNS resolver and CDN services to the rogue website ddl.music.to. Cloudflare and its anonymization services attract structurally copyright infringing websites.
  103. ^ "Spamhaus Botnet Threat Report Q1-2020, ISPs hosting botnet C&Cs". The Spamhaus Project. Retrieved May 1, 2020.
  104. ^ "Cloudflare and Spamhaus". Word to the Wise. July 16, 2017. Retrieved February 28, 2017.
  105. ^ "The Spamhaus Project". The Spamhaus Project. Retrieved September 30, 2019.
  106. ^ Edgecombe, Graham (October 12, 2015). "Certificate authorities issue SSL certificates to fraudsters". Netcraft. Retrieved October 14, 2015.
  107. ^ a b c Lee, Timothy B. (December 4, 2017). "Cloudflare's CEO has a plan to never censor hate speech again". Ars Technica. Retrieved August 5, 2019. Cloudflare CEO Matthew Prince hated cutting off service to the infamous neo-Nazi site the Daily Stormer in August. And he's determined not to do it again. The problem was that other Cloudflare customers started calling and threatening to cancel their service if Cloudflare didn't cut the Daily Stormer off. "The pressure to take it down just kept building and building," Prince told Ars. "We thought that was the wrong policy. We reached out to various civil libertarian organizations and said we need some air cover here. People said 'we'd rather not stick our necks out on this issue.'" So, Prince said, "we needed to change the conversation."
  108. ^ a b Johnson, Steven (January 16, 2018). "Inside Cloudflare's Decision to Let an Extremist Stronghold Burn". Wired. ISSN 1059-1028. Retrieved August 5, 2019. Keegan Hankes, an analyst at the Southern Poverty Law Center, denounced Cloudflare for "optimizing the content of at least 48 hate websites." Those sites included Stormfront and the Daily Stormer. Hankes and the SPLC weren't accusing Cloudflare of spouting racist ideology itself, it was more that Cloudflare was acting like the muscle guarding the podium at a Nazi rally. Matthew Prince didn't bother responding to the SPLC's pointed accusation. In fact, he has only the haziest recollection of hearing about it. He might have seen a mention on Twitter. He's not sure. But for Prince the criticism was nothing new. At Cloudflare, he was in the business of protecting all kinds of clients, including some whose views vaulted way outside the boundaries of acceptable discourse. He'd already been accused of helping copyright violators, sex workers, ISIS, and a litany of other deplorables. It was hardly a surprise to him that neo-Nazis would be added to the list.
  109. ^ Citron, Danielle Keats (November 28, 2017). "What to Do about the Emerging Threat of Censorship Creep on the Internet" (PDF). Cato Institute. No. 282: 3–4 – via Cato.org. {{cite journal}}: |volume= has extra text (help)
  110. ^ Keller, Daphne (August 15, 2017). "The Daily Stormer, Online Speech, and Internet Registrars". The Center for Internet and Society. Stanford Law School. Retrieved August 6, 2019.
  111. ^ Shaban, Hamza (August 18, 2017). "Banning neo-Nazis online may be slippery slope, tech group warns Silicon Valley". The Washington Post. Retrieved August 6, 2019.
  112. ^ Cooper, Joel (November 11, 2019). "Thousands call for vile racist website 'Chimpmania' to be shut down". devonlive. Retrieved January 25, 2020.
  113. ^ Klepek, Patrick (June 29, 2021). "What I Learned From Near, an Emulation Legend and Real Person". Vice. Retrieved June 29, 2021. That same friend called on Cloudflare to take action. Cloudflare did not respond, but DreamHost did, saying that Kiwi Farms uses Cloudfare's technology to hide its actual hosting company, but offered to 'review and forward any abuse reports submitted to Cloudflare to the site's current web host and website owner.' The catch-22 here, of course, is that DreamHost is explicitly promising that another company will forward your report of abuse to the owner of a website whose entire purpose is to enact abuse. Even going through the motions of attempting to report Kiwi Farms could open people to harassment.
  114. ^ Wodinsky, Shoshana (June 29, 2021). "The Worst Site on the Web Gets DDoS'd After Being Connected to Prominent Developer's Suicide". Gizmodo. Retrieved July 1, 2021. Kiwi Farms—an online forum best known for harboring stalkers, white supremacists, and being one of the worst cesspits the internet has to offer—was knocked offline temporarily on Tuesday in a Distributed Denial of Service (DDoS) attack. The alleged attack comes after the site was implicated in the recent suicide of Near, a beloved developer in the emulator community. Hector Martin shared a heartbreaking letter written by a close friend of Near's that explained some of the more explicit details of Near's death. The letter called out DreamHost and Cloudflare—Kiwi Farms' domain registrar and web network security provider—for sharing responsibility in driving their friend to suicide.
  115. ^ Wright, Steven T. (June 28, 2021). "The Highly-Respected Emulator Developer Near Has Passed Away". Gamespot. Retrieved July 1, 2021. On June 28, Martin said that he spoke to the police department in charge of the investigation, who confirmed that Near died on June 27.
  116. ^ "The Brilliant SNES Emulator Author Known As Near Has Died". Kotaku. June 27, 2021. Retrieved July 1, 2021. Hector Martin has confirmed with Japanese authorities that Near died yesterday, June 27.
  117. ^ Irorita, Franz Christian (June 28, 2021). "Near, creator of SNES emulators bsnes and higan, has died". Clutchpoints. Retrieved July 1, 2021. The escalating harassment experienced by Near, particularly by Kiwi Farms, led to their death. Kiwi Farms is an American Internet Forum focused on trolling, harassing, and doxing people they deem to be 'lolcows,' or people that can be milked for laughs. Kiwi Farms has been linked to the deaths of Chloe Sagal in 2018 as well as being implicated in the sharing of live streams and videos of the 2019 Christchurch mosque shootings.
  118. ^ Valens, Ana. "Stalking forum Kiwi Farms went down after DDoS attack, owner claims". The Daily Dot. Retrieved July 1, 2021. Kiwi Farms, dubbed the internet's "biggest community of stalkers" by New York Magazine's Intelligencer, has gone dark. An enormous distributed denial-of-service (DDoS) attack brought Kiwi Farms down. Joshua Conner Moon announced that Kiwi Farms was undergoing a 'sustained DDoS attack of 1Gbps for several hours.' 'I am trying to sort out a long-term solution with Cloudflare and other peers who can filter traffic more effectively. I'm in talks with other people interested in long term alternatives to Cloudflare so it'll get sorted eventually. Other alternatives will include buying more capable hardware and just dealing with it myself,' Moon wrote.
  • Official website
  • Cloudflare Workers
  • Cloudflare Pages
  • Cloudflare TV
  • Business data for Cloudflare, Inc.: