Ask HN: What's so bad about Cloudflare?
14 points by z9znz on Sept 26, 2022 | 23 comments
Lately there have been a lot of comments on various threads which suggest motivation to avoid Cloudflare (or work around them).

Is there a concise summary of why Cloudflare is (apparently) bad?

Am I wrong in believing that Cloudflare appeared to be a friendly, user-positive focused company in the past? If it was the case, what changed so drastically?



They're very very good at doing what they do, and that is very very bad.

Because if the only way you can keep a site on the internet against the flood of ddos, et al, is by using Cloudflare, then Cloudflare is the internet, and anyone with $20 billion dollars could effectively control the internet.

Musk tried to buy the wrong company.


I find it problematic that we would consider it bad for a company or group to be highly effective. I for one would not want to create disincentives for a company to be effective at their value prop.

It's not Cloudflare's fault that no one else is living up to the standard they are setting. There are other options out there for DDoS protection that you can use. Using Cloudflare is a choice on the part of customers. A choice they should be free to make. Them being the best at what they do shouldn't be considered a problem.


At some point, we need to think about the effect on the market in addition to the return on investment for the people who founded cloudflare.

Use Apple as a frequent target of HN ire. When it was a high growth marketplace, everyone liked the AppStore - instant distribution to a fresh new market. Now, smartphones have matured, Apple is increasingly dominant vs sleepy Google, and that AppStore that was once a land of opportunity is now a drag, a pseudo tax.

The cloudflare model would be considered predatory under different regulatory regimes. They are great at what they do, but every incentive exists for them to be a malevolent influence on the market.


This is sort of my point. Cloudflare is essentially invisible to the users unless they exhibit markers putting them in a suspicious category. Which is fine with me as a provider. Meanwhile the switching cost for me as a site provider is effectively 0.

The only effect they can really have on the market is making everyone have to up their game to be competitive. They can't lock me in because of how the internet works. If I as a site operator want to drop them it's roughly about 10 minutes worth of work.


It becomes a potential tragedy of the commons and an effective monopoly eventually. Most people don't really have a problem with Cloudflare being the best DDOS; it's when they are also the best CDN, DNS host, etc that the possibility of becoming the single point of failure grows.


Tragedy of the commons applies to a community shared resource not a service like Cloudflare. Effective monopoly makes a little more sense but I guess I sort of object since there is literally nothing other than money preventing someone from competing with them.

Switching costs for Cloudflare are effectively 0 other than the cost of using a less effective competitor. I could turn them off right now for my properties and have almost no impact. They still have to compete to maintain that position so monopoly doesn't feel like the right term here.


The shared commons is the open interconnection of the internet. By becoming a mediator at scale, CF potentially renders the value of the commons moot.

The ill effects aren’t on you - you’re just a node in a larger network.

What happens when Google, Microsoft or Oracle buy them? Pretty obvious.


I don't follow this at all. The open interconnection of the internet still works no matter what Cloudflare does. My users can still get to my site. When they no longer can because of Cloudflare I can easily drop them and/or switch to an alternative. Cloudflare is literally not capable of preventing people from reaching my site unless they ask me to. The minute they cause a problem I can drop them. There is no shared commons problem or monopoly problem here.


Of all the useful replies given to my question, this one seems the most significant. I had not considered from the buyout perspective.

This probably has a high risk of happening within the next 10 years. And if Cloudflare continues doing what they do so well and expanding their presence and utility, we may suddenly find ourselves (as users/customers) in bed with Meta or something just because of a buyout.


Their main product is breaking end-to-end encryption.

You could certainly argue that that's no different than relying on azure, aws, or gcp to issue your cert and technically having the ability to decrypt traffic to your server for whatever reason they want to. And that all of this is just a matter of who to trust. It's just very very centralized for something so crucial.

Cloudflare so far hasn't been successful with its other product offerings, but they could go in a direction where they can blackmail you into being their customer: IF, for example, Cloudflare were to succeed in making their 1.1.1.1 service (https://1.1.1.1) as popular as they have been able to with the DOS/DNS service, there is nothing that would stop them from either not serving a page to you as an end-user UNLESS you use (and pay for) 1.1.1.1, or stop them from serving your website as an operator UNLESS you use DOS/DNS service offered by them. As other commenters have pointed out, their blanket rules on Tor traffic are both understandable practically, and a preview of this if it were to be used maliciously.

I am in no way insinuating that cloudflare builds their products with this motivation, or that their current team has any of these (In fact I do tend to agree with you that the people who work there mostly just want to build great products.) The issue is that I'd rather not have a company around that can be in a place to do any of that once the good people leave.

It'd just be a lot nicer if some of the fundamental things of the internet could follow some of the more original philosophies of building great concepts, and allowing anyone to implement them. I don't want to get to a place where there's a "cloudflare internet."

None of this is to say that cloudflare is the only or even most concerning actor to whom this criticism applies. But that is who you asked about.


How would you make a CDN that doesn't require decryption?


A politic-neutral version would be that having one company monopolise client to server connections across the internet is questionable and provides a single point of failure.


On top of everything else, Cloudflare blocks Tor users or makes them solve captchas, which won't work without javascript and cookies enabled. It was making some noise at one point about having developed some sort of privacy-preserving cookies for Tor users, as if that were ever going to appease anyone other than its established apologists.


As a site administrator you can do some rules to allow for a leaner treatment of Tor (I think it is bundled as a country).

This is unfortunately the reality of Tor: your exit node traffic is shared with (potentially) bad actors.

And any agent that has no idea what Tor is would end up punishing that source of traffic eventually.


Cloudflare isn't bad. As a matter of fact, Cloudflare is the best and most viable alternative to AWS - they are offering basic cloud services like alternatives to Lambda, S3, and KV DBs, but distributed across their own CDN rather than hosted in centralized data centers. You can argue (and I do) that this is the future of the cloud.

If you are even a little concerned about the power and influence that AWS, Microsoft, and Google have over modern application hosting services (such as cancelling people for disagreeing with the TechLords' pet political stances), you should be cheering Cloudflare on. They are scrappy competitors taking a very different approach, and offering a lot of value. Yes, they're several years behind AWS, but then, so is everyone else, and you can build real apps on the pieces they have available today.

I'll add that Cloudflare has consistently been among the most unbiased and most transparent cloud services providers out there. (For instance, their 1.1.1.1 DNS service is regularly audited by a third party with the reports posted for all to see that Cloudflare is indeed operating the service as they claim. That's a level of accountability I really don't see from other cloud services providers.)

Those who worry about Cloudflare and aren't fighting AWS tooth and nail have no real-world perspective. AWS is far more of a danger than Cloudflare could possibly be for many years to come, especially since they have proven they will pull services with no notice for political infractions. The only reason Cloudflare is controversial is because they do NOT do that without it being a very justified and measured response. (Even then, everyone has the right to speak freely on the net, IMO. Let even Nazis have hosting and speak their minds. Then we can ridicule them appropriately.)


I love CloudFlare; why does anyone not like them? Their services are freaking amazing and their tech continues to blow me away!


People tend to like Google too, but when they control your email, your web browser, your web searching, your DNS requests, analytics of the majority of the internet, your personal photos, your phone and exact location, your TV, your contacts, your doorbell, thermostat and home lighting..

after a while it's still worth raising the question if turning over all of this to one company is worth it to make your life 'better'.

The answer still might be yes, but others have different opinions on the value of this tradeoff.


Ah, gotcha, but why just not use them for most of those things if you don't want to? I don't get it.

Use Firefox, use your ISP DNS or CF or another service, use Apple TV or Amazon TV, use an iPhone, and don't automate your doorbell, thermostat, or home lighting (or if you do use another service).


How do I change what spy service is MITM'ing my connection?


Use a VPN?


And who do I connect to on the other end if it isn't cloudflare? They are the one masquerading as example.com.

The analogy to google was because you asked "why does anyone not like them?" so the other user said "people like google but here is what you are giving to them" to which you replied "use non-google services" so I asked "how do I refrain from using cloudflare?"

The answer is you cannot.


Yes you can, but also I don't think it matters that much. Might it in the future? We shall see. But right now it sounds like the village chicken littles worrying that the only bakery in town might close…


There have been accusations that they knowingly retained an employee who tweeted the N-word and proclaimed themselves a nazi. These were blown into allegations of right wing culture at the company.

Additionally, people were unhappy that they initially refused to deplatform kiwifarms.



