CloudFlare’s last Warrant Canary was published over a year ago(cloudflare.com) |
CloudFlare’s last Warrant Canary was published over a year ago(cloudflare.com) |
Bizarre they appear to have skipped the H2 2022 transparency report unless I’m missing something
If adamgamble's speculation were the case, I'd go to jail for things I'd have illegally signed in our SEC disclosures attesting to the sources of our revenue and any government contracts. Suffice it to say, I like not being in jail. It's really, really hard for public companies to be part of some grand conspiracy for so many different reasons. So… once we went public I kind of thought this silly speculation would end. But guess not.
Beyond that, if you think about it, it's a way better business to run Cloudflare and serve the world than serve some US intelligence entity. That's just per se true. So if that's the case why would we ever do anything that would remotely compromise the trust necessary to, you know, be Cloudflare?
Lastly, here's a funny story. Early in our history one of our investors suggested that we talk to In-Q-Tel. Here's how naive Michelle and I were: we had no idea it was the CIA's venture capital arm. So we showed up in their office on Sand Hill Road. It was weirdly austere compared with other VCs we'd visited. And lots of security cameras. The partner at some point came out and greeted us. As he was walking us back he looked back right before we crossed the threshold back to the inner offices, "You're both American citizens, right?"
"No," Michelle said. "I'm Canadian."
"Oh." the VC said. Then you can't come back here.”
"I'm not going back there without her," I said.
"Ok, well, I guess we'll have to do the meeting in the reception area," decided the In-Q-Tel VC.
We had a very cordial meeting and then left. As we were driving away Michelle said, "Those guys were weird." And that was the end of that. Never talked to In-Q-Tel again.
But maybe it's the Canadian equivalent of the CIA/FBI/NSA we're beholden to??! ;-)
In fairness, there are quite a number of public companies that turned out to be operating partially as fronts for spying agencies (AT&T is the shining example here). So simply being a public company could not be expected to serve as some kind of proof of independence.
CIA/FBI/NSA agreements include immunity from prosecution in the US at least. Your problem would be in foreign jurisdictions only.
As difficult as it was to keep PRISM and the many other overt and covert arrangements (public, private but leaked, and private but not yet leaked) between backbones, carriers, CDNs, hosting providers, ISPs, etc., and the agencies leveraging them, out of each firm's public filings?
Because evidence is it's not difficult at all, considering the whole of the 30 years since the Internet went commercial.
Can you guarantee my Firefox browser will keep on working on 'the open internet' now Chrome moves towards "Web Environment Integrity" and Safari towards "Private Access Tokens" and Cloudflare is supporting and implementing such technologies on scale?
I intent to not participate in these DRM APIs with my Firefox browser and would like to keep browsing the internet.
Not many users who encounter your service while trying to connect to a website will know _anything_ about your company, let alone knows its public or read disclosures.
Cloudflare has a public perception and sentiment problem and dismissing it as you have will lead to an inevitably negative outcome.
Their lack of reply (if that turns out to be the case) on this post would be telling.
https://www.mtsu.edu/first-amendment/encyclopedia/case/30/co...
They can say "don't do anything". They can't say "don't avoid doing something." That's the point if the age of the warrant canary notification--they stopped updating it. This is in effect a dead canary, they're saying they are subject to an order they can't disclose.
There was, is. There likely won't be, going forward.
1. Cloudflare has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone.
2. Cloudflare has never installed any law enforcement software or equipment anywhere on our network.
3. Cloudflare has never provided any law enforcement organization a feed of our customers' content transiting our network.
4. Cloudflare has never modified customer content at the request of law enforcement or another third party.
5. Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.
6. Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.
Cloudflare has never been compelled to give up information to an agency called AAA. Cloudflare has never been compelled to give up information to an agency called AAB. ...etc.
It doesn’t mean that they are not helpful. Just that - as warrant canaries go - they are not complete.
You would assume, but when the Riseup canary expired plenty of people seemed willing to believe that a procedural issue or carelessness was to blame.
From a practical perspective I don't imagine that cloudflare removing a canary could give any one organization a signal - I don't know what the bar for a 'disclosure' is but informally I would not consider it a targeted specific warning.
EDIT: the other component I am curious about is duration, there is still utility in the canary even if it comes late, future users will know that there was a compromise and that further ones are likely, right?
No warrant is needed by any government agent to read your email that is over six months old and the major providers just give them a backdoor so as not to waste any time/money with requests.
Who is going to stop them from doing that with anything else? The supreme court? Good luck with that belief system. You think the NSA ever stopped just because they were discovered? Or did they just switch to "try to stop us".
Fraud? Fraud against who? For what damages?
Signaling that their infrastructure has been compromised is kind of a weird lie for them to make though...
Bear in mind Google doesn't have a warrant canary because it is served literally hundreds or thousands of warrants per year, to the tune it's just called a transparency report to count them.
Can you please cite one example of a court compelling the maintenance of a warrant canary?
What IS crazy is that they exist with very little consideration of a corrupt POTUS, judiciary, and/or congress. Seems the writings of the founders did worry about that significantly in later years, but evidently not in time to enshrine many guardrails in the US Constitution, not even a clear prohibition against self-pardon. Seems such a thing was considered so obviously wrong and corrupt that it didn't need to be mentioned. so here we are two and a half centuries later with people arguing that it should be possible.
I think that it does seem crazy that they exist. To give a single politician the power to simply override our justice system is dangerous and crazy. If that's really necessary in order to ovoid miscarriages of justice, then we need to fix the real problem, not introduce a new one.
Why is the pardon ability a problem? Because it's the judgement not just of one person, but of a person who is a political animal. There is no way that power will be used in a way that is impartial, and there is no single person who is so wise that they should be entrusted with such decisions. That it's a politician making the decisions all but guarantees that the decisions will be made out of political interest, not some interest in actual justice.
All the pardon power does is to increase the potential for corruption.
No it's not. Twitter and Facebook have had defacto government censorship collusion, as suspected by the paranoid.
For years and years it was dismissed as conspiracy, but clear evidence has now come out that it was happening in these public companies.
Source?
Including on this platform...
Cloudflare isn't the bad guy in this scenario, it's the hostage.
Thanks for the comments and clarifications in this thread.
It does not feel right to call an IRS tax return "speech".
https://blog.cloudflare.com/eliminating-captchas-on-iphones-...
The owner of the domain has to choose to integrate a CDN. They implicitly trust the vendor who runs the CDN just like they implicitly trust the cloud provider that asserts their VPC between their server that terminates TLS and any API servers behind that which don’t use encryption for data in transit.
3rd party could mean a DBA, IT consultant, AWS support tech, CDN support tech, MSSP employee, cloud platform, etc. those all come with different levels of risk, different contract terms, etc.
I’m trying to say that just saying the TLS connection is terminated by a vendor, who then creates another to the origin server doesn’t tell you anything valuable from a security / risk standpoint. The CDN-fronted connection that shows the warning may be highly secure while a self-managed reverse proxy that terminates the TLS connection to another serve owned+managed by the same person/org might be completely insecure. The warning is not a useful signal.
If it turned out "End to end" encrypted chat went through a third party that even transiently had access to the plaintext version of the chat (like how Cloudflare works) you'd be apoplectic.
IAAL and advise on data protection and privacy.
Anecdotally I can tell you that the MitM aspect of Cloudflare and other similar providers is not well understood.
My impression is that a lot of people use these services without really understanding the implications.
For example, when you look at some of the risks that privacy laws are trying to protect against, especially access to data by foreign actors (including government agencies) without due process, use of these types of services changes the game.
Sometimes the benefits might outweigh the risks, but the decision to use these types of services should not be taken trivially.
That said, I routinely use Cloudflare for my personal projects.
>They literally decrypt all the traffic to your website, do some stuff, then re-encrypt and send it on to your server.
That doesn't mean they are an attack. That is just how a CDN works.
Amazon HQ2, Arlington Virginia: https://en.wikipedia.org/wiki/Amazon_HQ2
(Not to point to a conspiracy to silence political opposition, just to highlight that, at least to me, the extent of their cooperation was really surprising relative to how little they talked about it)
For instance, 2 and 3 narrowly specify just law enforcement agencies, of which the CIA and NSA are not.
<https://en.wikipedia.org/wiki/National_security_letter>
A warrant canary asserts that no such obligation has been incurred.
I just don’t understand how a voluntary use of proxy can be called MITM attack.
I’m not saying I like the fact that CF is part of so much of the Internet, or that CF isn’t on some level a security risk. But that has nothing to do with being an MITM attack.
'Expression' would arguably be a better word for it, but the term of art is what it is.
In the same way, you can use a proxy to access sites, and the server cannot bypass that, either.
It's still a MitM. It's a centralised entity that sees a huge share of the global Internet's traffic, unencrypted. I doubt most people are aware of that.
Someone in another comment mentioned AWS is one as well, and they're right. AWS, GCP and Azure all have TLS-terminating gateways of some kind.
Take Cloudflare, AWS, GCP and Azure, all USA companies bound by the CLOUD act, and nearly all Internet traffic is immediately accessible by US authorities, unencrypted.
Makes the whole "think of the children" rhetoric being spun to pass anti-E2EE laws tame in comparison.