CloudFlare CDN: We Have To Stay Open, Even To Evil

“There is a lot of stuff on the Internet which I find deeply troubling and some of that stuff is on CloudFlare,” says Matthew Prince, CEO of the CloudFlare CDN (content delivery network). “But just because I’m offended it doesn’t mean that that is a reason to kick something off the network.”

CloudFlare, launched to the public at the TechCrunch Disrupt conference on 27 September 2010, came to prominence earlier this year when it emerged at the RSA 2012 conference that it had recalcitrant hacktivist group LulzSec on its network. LulzSec’s website stayed online largely because of CloudFlare’s technology, which consists of nodes dispersed around the world that help deliver websites more quickly to end users wherever they are located.

The service also swallows up any peaks in traffic for its customers, so it is well known for offering decent protection against distributed denial of service (DDoS) attacks. When black hat hackers and, allegedly, US law enforcement agencies tried to take the LulzSec site down, they failed, as CloudFlare’s data centres acted as Web-based punching bags.

But LulzSec hackers were known to have broken the law, so why was the group allowed to remain on the CloudFlare CDN? Prince says the company has an unbreakable belief in the openness of the Internet. It will allow anyone to run on its network and share whatever information they like, regardless of how immoral it may be.

Internet idealists

“Maybe I’m an idealist in this sense, but I believe that if you are publishing information, no matter how offensive that information, it is part of the debate and our responsibility is to be a reflection of the Internet and therefore that is something we are going to allow to be on our network,” Prince tells TechWeekEurope.

Does it draw the line anywhere though? Only when it comes to security. If someone on its network is pushing out malware from their site or has set up a phishing scam, CloudFlare will remove the webpage and replace it with one telling visitors what has happened, offering some security education too. Otherwise, CloudFlare will only step in if told to do so by a US court.

So Prince wouldn’t even consider throwing a self-harm website off its network? Or one promoting child abuse? Again, only if a court order were issued. One issue is that, unlike a hosting firm, if CloudFlare does remove someone from its community, the content will remain on the Internet. “If we terminate a customer, that doesn’t actually remove the content, it just makes it slower and not as protected from hackers,” Prince adds.

“I don’t think that I, or anyone at CloudFlare, or really anyone in the world, should sit in the position of deciding what content is right and what content is wrong. That creates a slippery slope and I’m not sure once you go down that path where you stop.”

Testing times

The company’s resolve has repeatedly been tested, however. The biggest test came a matter of months ago, when Prince himself was targeted. First, his personal mobile phone was hacked. Then the hacker used the control of the phone to get into Prince’s Gmail, using that to bypass the Google Apps email that CloudFlare uses. From that, they managed to get into one of its customers’ accounts. After an hour and a half, Prince says, the attack was over and the attackers were locked out.

It later emerged that the hackers were based on CloudFlare, and even used the site based on the CDN to brag about it. But they were not banned from the network. Prince, despite being furious, remained stoical and took the moral high ground. “Somebody attacked me and I was really angry, really angry. I wanted horrible things to happen to them, but that’s the test of whether or not we really believe in this,” he says.

“They didn’t use CloudFlare’s network to break into my cellphone, they didn’t use it to hack into Gmail or our systems. All they did was use CloudFlare’s network to brag about it.

“Sure, we could throw them off, but my idealism says if we stand for a free and open Internet, then that means that the person who is the most repugnant to us, as long as they are not doing something that is per se harmful, then we have to stand up and say ‘listen, that’s our policy’.”

Hackers have caused problems for CloudFlare in other ways. Once they figured out CloudFlare was getting good at preventing DDoS attacks, they tried to take advantage of the abuse process run by the CDN provider, Prince says.

In a bid to get hold of the IP address of a target, attackers sent in what looked like legitimate copyright enforcement notices, which Prince’s firm often receives. Once they had that IP address, they could get around CloudFlare’s DDoS protection.

Once the provider cottoned on to the method, changes were enforced immediately. “The alleged copyright holder writes to us, we do some basic checks on the validity of that complaint, if it meets those basic checks, we forward a copy of the complaint to the email address we have recorded with the particular website that was involved.

“A copy of the complaint and IP address of that site is sent to the provider that is hosting the content. Then we respond to the complainant with a message that says, ‘here is the hosting provider, we are not going to give you the IP address, but you can work with the hosting provider to resolve the issue.’” This means CloudFlare doesn’t have to make a judgement and remains the middleman.

Lighting up the cat signal

Putting its ideological money where its mouth is, CloudFlare is one of the chief partners of the Internet Defense League, which was formally inaugurated earlier this month. The League will issue a call to arms – in the form of a cat signal not too dissimilar from Batman’s bat signal, but cuter – every time something “threatens” the Internet. It wants to create a community of websites that show their opposition to egregious rules that put a leash on the openness of the Web.

As part of the IDL, CloudFlare will allow its customers, with the simple click of a button, to black out their websites and replace them with whatever they want when a protest is enacted. This reporter refers to it as the kitty button. At the same time, CloudFlare has promised its users that their websites’ Google rankings will not be harmed, nor will anything else affecting the quality and popularity of those sites.

“We got a number of customers who wanted us to help them black out their site. We wanted to make sure we did it in a way which was both meaningful in terms of getting the message out whilst not hurting the underlying site. For instance, if Google came to crawl their site we didn’t want that one day of protest to hurt the overall site,” Prince says.

He claims tens of thousands used the company’s free app in order to protest SOPA, the proposed US Stop Online Piracy Act, which was killed in Congress in January, after many sites including Wikipedia blacked out in protest. “It was a very effective way of protesting across the web.”

At the same time, if, say, an Anti-Internet Defense League were born, and customers wanted a similar app, Prince would set it up. “We want to help websites get messages out that their owners care about in a way that is extremely easy and responsible.

“We haven’t had anyone approach us yet about a pro-SOPA or a pro-ACTA banner, but my hunch is that if somebody did do that, our position would be that … if we did have customers who wanted to put that on their site, then we would make that possible for them.”

Trying to make a “better internet”

Despite that pledge, it’s clear CloudFlare has a left-leaning position. Co-founder Michelle Zatlyn sits on the advisory committee on net neutrality to the Federal Communications Commission. As TechWeekEurope spoke to Prince, he claimed Zatlyn was in Washington DC talking with officials about that polarising topic.

The overall goal, says Prince, is to build a “better internet”. He claims CloudFlare sees more traffic passing through its network than Amazon (not including AWS, just Amazon.com), Wikipedia, Twitter, Zynga, Apple, AOL, Bing, PayPal, eBay and Instagram combined. Its consumer base is doubling in size every three months, the CEO says, and it is planning a major global data centre expansion. That includes doubling the capacity at its London hub, and opening another nine data centres this month.

Prince expects that with its exponential customer growth, its ‘open to everyone’ strategy will be challenged ever more.

“There will be very hard things that we will face. It will be a constant struggle for us to stay on top of that,” he adds.

“It is very tempting, with the position of power that we are in, to judge, and frankly it would be easier. But that’s just not right.”


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
