Cloudflare as a Security Risk


Besides being a major annoyance, Cloudflare is increasingly becoming a security risk.

Tor Project Accuses CloudFlare of Mass Surveillance, Sabotaging Tor Traffic

Tor Project maintainers are also accusing CloudFlare of adding cookies to Tor traffic sessions so they could track users.

IMO even worse, is that whether you trust Cloudflare or not is largely irrelevant. You are often required to enable javascript on the underlying website to pass the CAPTCHA. I would prefer a full redirect so I could just whitelist Cloudflare itself. Cloudflare has become so ubiquitous for Tor users, that subscribing to Cloudflare could be an excellent method for websites hosting malicious javascript to ensure that it gets executed.

How much anonymity should I be willing to compromise to avoid Cloudflare? In other words, should I use a proxy after my Tor exit node? Really difficult issue… Starting point: Connecting_to_Tor_before_a_tunnel-link


Popular VPN IP’s are blacklisted similarly to Tor exit nodes so no help there.

Private VPN / VPS might have clean IPs but would make you pseudonymous.

http / socks proxies are more vulnerable to mitm and snooping attacks.

Ideal solution would be an encrypted http/socks interface. Preferably one with dynamically assigned, shared nodes / IPs. Free. Running open-source software.


At @2xiangzi’s suggestion, I tried tunneling Lantern p2p proxy network through Tor. It seems the project has taken some steps back. Very possible I screwed up but what I experienced was more akin to an alpha than a beta product. Outdated, incomplete docs. Major design changes (like eliminating “friends”) without any accompanying explanations… Lack of diagnostics / monitoring / status. Won’t revisit for 6 months at least. Please correct me if I’m wrong.

(Rant: I have to mention the appalling lack of emphasis on proper precautions. Their warnings focus on protecting client privacy not on end-user servers providing proxies. Tor exit nodes are often hosted by institutions or power users on cloud servers. And they are listed in a public database. On the other hand, Lantern users seem more accustomed to sharing music albums than proxies. Why would the DEA doubt that Mary-Jane Jones has 500 lbs of cocaine in her garage when it gets traced to her IP? On the user forum, well-meaning end-users offer themselves as proxies to anonymous “Chinese/Iranian dissidents”. They seem to largely be torrenters who think in terms of RIAA penalties and not realize that SWAT could remove a wall after a bomb threat. Perhaps, this is why there is no “friends” option at the moment. The problem still exists - guess it just happens randomly now.)

As time permits, I will try to test some of the other suggestions on the list as well as some of the censorship circumvention ideas here:
https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports Would like to hear your experiences.

It’s not just Cloudflare - the trend is worsening for Tor acceptance:

vpn after whonix (inside workstation) Not work anymore with TBB

Good day,

really, like you’ve observed, these “protection services” for website-owners can hardly be effectively avoided without compromising security, which, to be honest, makes sense though, otherwise such a solution couldn’t provide the services it does. The best thing to do, is actually just stop using sites which enforce things like Cloudflare. Maybe write a nice/passive aggressive letter to the provider of the site and hope for the best. That’s all you may really do, because like you’ve observed, VPNs are almost always blocked by CF too, especially if JavaScript, as recommended, is deactivated, since this drives the risk value “calculated” by CF up, which in turn is what triggers the verification page in the first place…

Have a nice day,



@Ego I might have to dispute the thread move! Despite title, it’s Whonix-related, ie tunnels. :slight_smile:

Wouldn’t it be possible for a website to redirect you to cloudflare.com? You fill out a captcha to prove you’re human, get a token, then get sent back? In that case, I would only need to whitelist cloudflare and not every website I visit.

You don’t surf much or I have too much time on my hands. (Probably the latter :wink: )

This I wasn’t aware of.

Conceptually, Lantern could work well - as long as Average Joe doesn’t get swatted every other week. It’s supposed to circumvent cloudflare by routing you to proxies that don’t trigger it.


Good day,

I see, changed it back.

That is what happens at the moment to, it’s just not visible to you. The reason why you have to do it multiple times is probably stream isolation based, meaning since every tab and window of the TBB has a different exit node, it needs it’s own verification. Even if that isn’t the case, CF still periodically asks you for the captcha again, simply due to the fact that your “risk-value” calculated by their software is really high due to the configuration you use. So changing the system according to your idea wouldn’t change anything actually. Also, this token could make you trackable accross multiple sites in even more ways than it is currently possible.

Have a nice day,



There is a good probability but different stream does not necessarily mean different Tor exit relay. Could also just be a different middle relay.


One quick way to avoid cloudflare is a webproxy that you use for sites where cloudflare block the tor exit node

I use webproxys when i need to get to the content but on every other site with cloudflare i just leave it. Its not worth it to sacrifice anonymity for some lazy centralized tracking service like cloudflare

my 2 cents


Block Global Active Adversary Cloudflare

Now this is simply too funny to resist posting here. :smile:


Yes, please block Cloudflare once and for all. I’m expecting some kind of “Isecure connection” errorpage
to block further connection without user consent.

For example, when I visit “CloudflareMustDie.com”,

TBB will show “Insecure connection” errorpage.
User will decide what to do - go back, try a cache, or ignore.

Here’s my idea of errorpage design:

Your connection is not secure

The owner of CloudflareMustDie.com is using Cloudflare on their website.
To protect your privacy from being attacked, Tor Browser has not connected to this website.

(Learn More)
[Go Back] [Connect anyway]

(Learn More) is a link, to Tor documentation or wiki, to explain the cloudflare’s MITM activity.
[Connect anyway] is a button. If the user click it, Show warning dialogue with 3 seconds timelock:

This connection is MITMed. Are you sure you want to do this?

[No] [Yes(3)]


Either you are obfuscating, or you are technologically incompetent. Quick proof: Assume the opposite. If Cloudflare did not act as a MITM proxy with full, active access sufficient to read and modify TLS plaintext of all connections passing through them, then they would be unable to inject the HTTP headers which this bug proposes to detect for blocking. [Sequential dotted initials “Q.”, “E.”, “D.” forbidden by Trac spam filter.]

Cloudflare is a MITM, by design. That is the primary (only?) service they offer. It does not matter what the site’s service level with them is. From the connecting user-agent’s perspective (here apropos), it does not even matter if the site uses its ​so-called “keyless SSL” service to preserve secrecy of its long-term private keys. Cloudflare always, always has the symmetric key to the session; and within the ostensibly encrypted session, Cloudflare is by definition a Man-In-The-Middle which decrypts, modifies, and proxies the plaintext.

Why, it is exactly as if Cloudflare were designed as a mass surveillance tool! So, what rationalizations could be supposed for those who use their services, or ignore them as a global threat?

“But Cloudflare is a trustworthy provider of Internet infrastructure.” Then, why do we need TLS at all? Just make peering arrangements with trustworthy networks who agree to pass your packets only through trustworthy routers! TLS eliminates trust in the network: By design, TLS promises end-to-end encryption. Meaning, with the endpoint. By design, Cloudflare makes a mockery of this promise.

“But most sites are on third-party hardware, anyway.” Irrelevant: Cloudflare centralizes trust.

Without the Cloudflare MITM proxy, little-newbie-web-shop.com’s TLS is handled by cheap-shared-web-host.com; chic-trendy-cloud-buzzword-startup.com’s TLS is handled by AWS; at-risk-controversial-activism.org and high-security-bitcoin-services.com should (we hope) do all their crypto on hardware under their respective owners’ physical control. The site visitor is responsible for deciding which endpoints to trust with private information. (N.b.: Reading interests and “clicktrails” are private information.) When all these sites sign up for Cloudflare, then Cloudflare becomes the one-stop decryption shop. Do you trust Cloudflare to be the “secure” Internet, or some huge proportion thereof?

Centralizing trust has a much worse effect than allowing access to many individual sites: It creates a single point at which to perform mass dragnet surveillance. As of today, Cloudflare has access to the plaintext data of more TLS sessions to more endpoints than anybody else on Earth.[1] Here, the whole is more than the sum of the parts: They are in a position to track, tap, and link Internet activity across a wide range of sites. This is why they have been declared a Global Active Adversary.

If I were the NSA or another TLA, and I sat down to design a mass-interception network to MITM TLS on a large portion of the Internet, then the result would look exactly like Cloudflare. They are in a position where they in fact do intercept the communications of billions of people with millions of websites. That is not a hypothetical: It is a description of what they actually doevery day, right now. Then, they cross their fingers and promise to respect people’s privacy. “Trust us; we will make you ‘safer’.” Againwhy use any encryption at all?

On that level, Cloudflare is even worse than “key escrow” or another backdoor would be. Since the 90s, advocates of “key escrow” have promised that if centrally trusted parties are allowed to keep a backdoor key, then that would really, truly only ever be used to intercept the communications of whatever they deem “bad guys”. (Pinky swear!) Cloudflare walks in through the front door, and takes the plaintextall of it, without exception, for everybody whose connections pass through them.

And worst of all, the design of Cloudflare removes responsibility and decision-making power from the initiator of communications. End-users are fooled into believing they connect to many different sitesall of which run through a single chokepoint. The purpose of this bug is to mitigate that problem, in a web browser specifically designed for security, privacy, and unlinkability on an anonymity network.