Hacker News

Ironic that a site offering anti-surveillance resources is itself hosted behind the servers of Cloudflare, a US-based company (read: must turn over all data to NSA whenever they receive a national security letter, if they're not already eagerly, voluntarily turning over that data) that MiTM's a substantial portion of all global internet traffic.




You gotta take what you can get. This level of concern is right out of the CIA guidebook of how to infiltrate a group and make sure nothing gets done.

I'm not advocating against the existence of a Flock map, which is a good thing. I'm arguing that it shouldn't be hosted behind a CDN that openly cooperates with the same totalitarian surveillance state that the site in question is attempting to help people protect themselves from.

This is almost like hiring an off-duty police officer from your local police department to protect you from a corrupt local police department.

The argument isn't take the site offline, it's to not use infrastructure that is openly recognized as being subservient to the same adversary the site's authors are trying to protect people from.


But the NSA isn't your local police department. Your risk from the NSA is, at the very least, different than from your local cops, and almost certainly smaller. In my day to day life, I am not worried about being jammed up by the NSA, I am worried about some local police department.

I am also less worried about some random NSA analyst going rogue to come after me. If the NSA is going to abuse its power, it is probably going to be as a whole institution. But some local cop breaking the law because he has a hair up his ass about someone happens literally every day.


We can entirely write off every US-based company as inherently evil simply because they're American.

Or, you know, we could operate with an ounce of nuance and not oversimplify the complexities of the world we live in.


Most US-based companies aren't conducting MITM attacks that capture plaintext traffic for something like 20% of all global internet traffic.

Accordingly, most US-based companies are not in a position for bulk data collection and assisting the totalitarian surveillance state.

Cloudflare, however, is, and does. They are not a trustworthy party here, no more so than Flock itself.


MITM attack is a disingenuous label applied to a completely voluntary service that the site you're visiting opts into.

Why? Because, for many, it's a technical necessity to protect sites from the dark forest of the web (i.e., assholes.)

You can cast aspersions on the implications of that in conjunction with US intelligence access, but you're painting a completely fabricated picture of reality that borders on delusional.


Just because the site operator opted into having all of their users' traffic slurped up by what functionally amounts to a private sector branch of the NSA doesn't mean that netizens opted into such an arrangement. Being behind Cloudflare doesn't stop bots, it doesn't magically block all exploits, and as history has proven, doesn't even stop all DDoS attacks. What it does do is block off large portions of the web for people needing assistive technologies, block off large portions of the web for people who live in countries with bad rulers they didn't elect, give tyrants the ability to more or less achieve complete personalized information censorship at a moment's notice on a whim, contribute to a culture that normalizes totalitarian surveillance, protect C2 channels and other malicious infrastructure indiscriminately, discriminate against non-gecko, non-webkit, non-blink browser engines (anti-competitive, pro-monopolist, reduces competition, harming all consumers), and extort small businesses who think they're getting cheap or free DDoS protection right at the moment those small businesses are suffering attacks.

And just to be clear, your formal position is that we should all have faith in the idea the NSA, the organization tasked with collecting intelligence from more or less anything interacting with any part of the entire electromagnetic spectrum, the one that can and has silently compelled US corporations including Facebook, Microsoft, Google, and Apple to share user data with them, without a warrant, with a program whose very existence was classified, is NOT doing the exact same thing to perhaps the single highest-volume chokepoint for 20%+ of global internet traffic, all completely decrypted, a US company subject to the same laws that the PRISM companies were?

It would genuinely border on criminal negligence for the NSA to not be collecting from Cloudflare, given their capabilities and mission.

Additionally, I'd like to point out that your framing presents a false binary: the options are not "Love Cloudflare Unconditionally" or "Abandon all CDN / WAF / security tooling". There are a multitude of other options for every single function, feature, and service Cloudflare offers, including many that can be self-hosted, many that are not US corporations, many that do not infringe upon end-user privacy, many that do not discriminate against Tor and VPN users (people living in repressive countries), many that do not discriminate against non-mainstream browsers (aka less untrustworthy browsers).

Finally, just because you don't care about many of these issues doesn't mean they aren't real issues causing real problems for real people, and it's very unkind to call someone delusional for raising these kinds of concerns. If dang is reading this, I hope they can remind you of HN's community guidelines around such conduct.


I don't make many of the claims you seem to tease apart from my response. I've presented no false binary, and explicitly advocated for operating with more nuance there.

I'll elaborate.

---

I'm pointing out that, in response to a seemingly innocuous post about a site, you've drawn attention to an unrelated issue, and subsequently framed the entirety of US-based companies as morally complicit with NSA surveillance.

I have no doubt that the NSA likely petitions Cloudflare, among others, for information. But, unlike you, I don't have any indication or context for relationships that would provide the NSA direct, unfettered access to all information processed by Cloudflare.

Further, I believe that the ever-holy north star of capitalism would suggest that Cloudflare, a company that operates globally with significant ties to large organizations outside the US, likely has a sufficient incentive to maintain at least a degree of friction in that access.

What I do know -

- The company issues multiple transparency reports. They declare they have never: turned over encryption keys, installed law enforcement software on their network, provided feeds of customer content to law enforcement, modified customer content at government request, or weakened their encryption.
- They are a public company, and have SEC filings which the CEO is on the hook for.
- The CEO of the company stands to make a lot more money being successful at what Cloudflare does than serving NSA requests the US govt makes -- And the latter would pose great risk to the former.

The best move if the golden goose is at risk is to make an absolute shitstorm of noise, which would put everyone on high alert. In fact, the transparency report says as much -- "If Cloudflare were asked to do any of these, we would exhaust all legal remedies, in order to protect our customers from what we believe are illegal or unconstitutional requests. -- Accurate as of October 8, 2025"

Cloudflare, like any CDN/reverse proxy, has the technical capability to view customer traffic. There's no evidence of systematic NSA access, and plenty of evidence that would suggest resistance to it.

Suggesting that because the company is US-based that they are somehow "evil" indicates, more than anything, an anti-US sentiment that is looking for reasons to villainize the company.

None of that is to downplay the issues that Cloudflare does, in fact, create. But, proposing that there's a massive conspiracy to "slurp up your data" requires a really, really big stretch that begins to stray into tinfoil territories.



