I'm always disappointed when I read these comments about CloudFlare because we've done so much work to respect people's privacy, stand up for threatened groups/organizations [0], secure our systems [1], be transparent [2], push for better encryption and support lawsuits around National Security Letters [3].
CloudFlare has never turned over our SSL keys or our customers' SSL keys to anyone.
CloudFlare has never installed any law enforcement software or equipment anywhere on our network.
CloudFlare has never terminated a customer or taken down content due to political pressure.
CloudFlare has never provided any law enforcement organization a feed of our customers' content transiting our network.
Isn't that true with: your bank, payment processors, your doctors, social security office, credit rating agencies, the NSA, and so on and so forth?
Statements like these are, frankly, very low quality and add nothing to the discussion. It is just a worst case scenario that seeks to dismiss all opposition with no actual facts or legitimate logic to back it up, e.g.: "What good is it if commercial aircraft have ACAS (traffic collision avoidance system), when the wings could just fall off! Or with a tiny fuel leak it could explode! ACAS won't help you then!!!"
I don't really have a horse in this race, but these arguments against CloudFlare are so low quality and thoughtless that I feel I must speak against them.
The person who wrote the second blog post you linked to here.
I think it's not quite fair to say CF is MITMing, but rather there is the possibility of MITM. Still, the biggest problem out there is the vast majority of sites that are still served over HTTP. Any easy and free solution to get more sites to move to HTTPS is well worth the MITM risk. CF is the best one now, and possibly Let's Encrypt when they launch. I would also place more trust in CF than unknown ISPs or people on unsecured networks.
I admire your train of thought. You decided to kick the tires, which people seldom do in a straightforward manner these days. I do this constantly for companies and it's amazing what hides in plain sight.
I always browse with the WorldIP extension on, showing me AS number and name of websites and it's SCARY how many are behind Cloudflare now.
I'm sure the guys behind Cloudflare have good intentions, but nothing good can ultimately come from such massive centralisation. It's the opposite of how it should be.
Is this just a service selling DNS slaves, or is there something deeper about how this works? From the URL, it just looks like the normal operation of a slave DNS server. What makes it "virtual"?
It's not a slave in that it doesn't get the full zone, nor does it get updates immediately. Instead it does recursion to the original DNS servers, and replies back to the original client. Think of it like a reverse proxy for HTTP, except for DNS.
Article says: "Secondly, Virtual DNS masks the true origin IP addresses of the provider's nameservers behind CloudFlare’s IP addresses. Visitors and/or attackers only see CloudFlare’s IP addresses when requesting answers, keeping customer nameservers safe from being targeted by attackers."
If I sign up for this service, do I get a list of Cloudflare IPs so I can firewall everybody else off? Otherwise this is mostly security through obscurity. Nameserver names are often easily guessable (ns1.example.com, ns2.example.com, ...).
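The two comments above describe the mechanism (a reverse proxy for DNS that recurses to the origin nameservers) and the defensive follow-up question (restricting the origin nameservers to the proxy's source addresses). The following is an added, self-contained model of that arrangement, written for this thread and not code from CloudFlare or from any commenter. The proxy egress ranges, the zone contents and the client addresses are constructed placeholders (documentation ranges, not real CloudFlare addresses); the proxy's choice to answer SERVFAIL when the origin drops the query, and to use its own upstream transaction ID, are assumptions of the model.

```python
import ipaddress
import secrets
import struct

# Constructed placeholder: egress ranges the proxy sends queries from.
# An origin nameserver behind the proxy would allowlist only these.
PROXY_EGRESS_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]
PROXY_SOURCE_IP = "198.51.100.7"            # constructed proxy egress address
ZONE = {"www.example.com": "203.0.113.10"}  # constructed zone data (A records only)


def build_query(txid, name, qtype=1):
    """Wire-format DNS query: 12-byte header, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (txid, qname, qtype, offset just past the question section)."""
    txid = struct.unpack("!H", packet[:2])[0]
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype, pos + 4


def _reply(packet, flags, qend, answer=b""):
    """Header with given flags + copied question + optional answer RRs."""
    ancount = 1 if answer else 0
    return packet[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0) + packet[12:qend] + answer


def origin_nameserver(packet, source_ip, zone):
    """Authoritative server hidden behind the proxy.

    Returns None (firewall drop) unless the query's source address is one of
    the proxy's egress ranges; otherwise answers from the zone.
    """
    src = ipaddress.ip_address(source_ip)
    if not any(src in net for net in PROXY_EGRESS_RANGES):
        return None
    _, name, qtype, qend = parse_question(packet)
    addr = zone.get(name.lower())
    if addr is None:
        return _reply(packet, 0x8403, qend)          # QR, AA, RCODE=NXDOMAIN
    if qtype != 1:
        return _reply(packet, 0x8400, qend)          # QR, AA, NOERROR, no data
    # Answer RR: name pointer to offset 12 (the question name), type A, IN, TTL 300
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return _reply(packet, 0x8400, qend, rr)


def virtual_dns_proxy(client_packet, upstream, proxy_source_ip):
    """Reverse proxy for DNS: re-issues the client's question to the origin
    from the proxy's own address with a fresh transaction ID, then hands the
    answer back under the client's ID. The client never sees the origin."""
    _, _, _, qend = parse_question(client_packet)
    upstream_txid = secrets.randbits(16)             # assumption: proxy picks its own ID
    forwarded = struct.pack("!H", upstream_txid) + client_packet[2:]
    origin_reply = upstream(forwarded, proxy_source_ip)
    if origin_reply is None:
        return _reply(client_packet, 0x8182, qend)   # assumption: SERVFAIL on drop
    if struct.unpack("!H", origin_reply[:2])[0] != upstream_txid:
        return _reply(client_packet, 0x8182, qend)   # mismatched reply is discarded
    return client_packet[:2] + origin_reply[2:]      # restore client's txid


def extract_answer(packet):
    """Return (txid, rcode, [A record addresses]) from a response."""
    txid, flags, _, ancount = struct.unpack("!HHHH", packet[:8])
    _, _, _, pos = parse_question(packet)
    addrs = []
    for _ in range(ancount):
        pos += 2  # compression pointer back to the question name
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        if rtype == 1:
            addrs.append(str(ipaddress.IPv4Address(packet[pos:pos + rdlen])))
        pos += rdlen
    return txid, flags & 0xF, addrs


if __name__ == "__main__":
    origin = lambda pkt, src: origin_nameserver(pkt, src, ZONE)
    q = build_query(0x1234, "www.example.com")
    print("via proxy:", extract_answer(virtual_dns_proxy(q, origin, PROXY_SOURCE_IP)))
    print("direct from 192.0.2.55:", origin_nameserver(q, "192.0.2.55", ZONE))
```

The point of the model is the allowlist check inside `origin_nameserver`: once the origin only accepts queries from the published proxy ranges, a query sent straight to a guessed `ns1.example.com` address gets no answer, whereas without that firewall rule the proxy only hides the origin address rather than protecting it.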
Some of us: https://blog.paymium.com/2014/02/19/the-cloudflare-mitm/ , https://stirling.co/blog/cloudflare-mitm/ , https://news.ycombinator.com/item?id=8377029