The merits of Cloudflare

Pollux

hydnj

Remember, if you ever start to run out of bandwidth under the free plan, before upgrading, you can use Cloudflare. (will save around 70 to 90 percent monthly bandwitch)

I force the usage of encrypted connections (SSL) with my website. The main reasons for this are privacy concerns regarding my members. Why should I then deliberately invite a man in the middle (Cloudflare), and even worse a US company (you invite the NSA as well), just to save some bandwidth? Find more about this issue here at reddit:

I thought about using a subdomain for static content like .js, .css, and images files and serving only this subdomain through Cloudflare, but until now I have not found a way to achieve that with flarum.

hydnj

Pollux of course Cloudflare is a completely optional suggestion. I've been using Cloudflare from since 2009/10 beta development/testing period for some website properties. And I've used prior to that since Cloudflare's beginnings started with the "The Honey Pot Project. See: https://www.cloudflare.com/our-story/ (or wikipedia etc).

People try to demonize and scare others about Cloudflare all the time are usually uninformed about 3 things, 1) the company itself 2) how Cloudflare works and 3) that they are already sharing the same imformation they worry about and far more to other tech companies who have be come a more generally accepted 'norm'.

If one is worried about the type of data passing over an encrypted connection on a web forum they have a bigger problem than Cloudflare. You are using either Google (Chrome), Mozilla (Firefox) or Apple (for the most part) to read this right now. Where's the worry there?

Don't talk about Facebook, Twitter or IG (also fb) ...who we know for a fact track you so heavily that they resell ads so targeted that you can buy ads targeted to people who have traveled to Las Vegas recently, who are interested in guns, between the ages of 18 - 35 who also have visited specific websites recently and who don't speak English. And in less that 5 mins.

It's going to be your individual decision on something like this. Also based on the sensitivity of the data in question that you are hosting.

But remember CLoudflare didn't launch offing SSL encryption, but its natural to offer free ssl compatibility given other solutions such as Let's Encrypt, AutoSSL, etc and the trend to encrypt rightfully pushed by Google and others. The whole SSL industry was far more of a big scam basically paying for reputation to verify something so simple. Another topic.

I would encourage one to do their own research. Arrive at your own choice. Also don't receive your cert bundle download via any email (esp Gmail) if worried like this. If you are dealing with highly sensitive data then Cloudflare would be the very tip of huge privacy sharing and policies iceberg.

Also setup to pass PCI and other compliance which can be achieved with and without Cloudflare: See: https://www.pcisecuritystandards.org

Your only safe bet if you do have such highly sensitive data or preferences is to setup everything by hand in that sense, avoid the cloud and avoid almost all 3rd party services.

Edit: Other good reads:
Cloudflare’s Transparency Report for Second Half 2016 and an Additional Disclosure for 2013.

Pollux

hydnj

People try to demonize and scare others about Cloudflare all the time are usually uninformed about 3 things, 1) the company itself 2) how Cloudflare works and 3) that they are already sharing the same imformation they worry about and far more to other tech companies who have be come a more generally accepted 'norm'.

I don't worry about the company, as I don't have any evidence of wrongdoing on their side. What bothers me is the combination of the technical implications of using their service and the mere fact, that they are subject to the jurisdiction of the US. Even if they had the very best intentions, they could not withstand requests from the NSA and they couldn't even talk about it.

If one is worried about the type of data passing over an encrypted connection on a web forum they have a bigger problem than Cloudflare.

I am not worried because it's a web forum, I would care for any website I am responsible for. That's a question of principle for me. If I show people, that I can do without Google analytics, without Facebook's like or share buttons, they may be encouraged to try the same.

I know, that it can be difficult at times, especially if you need to monetize your website. But as I don't need to do that, I like to get rid of as much as possible of anything that could be used for surveillance, whether it's actually used by anyone ore not.

You are using either Google (Chrome), Mozilla (Firefox) or Apple (for the most part) to read this right now. Where's the worry there?

I would like to differentiate between the measures I take as a user and the ones I take for my website. One is a personal decision, the other is a kind of social or - if you like - political responsibility.

Don't talk about Facebook, Twitter or IG (also fb) ...

I don't subject anyone on my website to any of these companies, nor do I include any analytics scripts. And personally, I don't use any of these "services" either.

But remember CLoudflare didn't launch offing SSL encryption, but its natural to offer free ssl compatibility given other solutions such as Let's Encrypt, AutoSSL, etc

By design, Cloudflare is not able to pass through our encrypted data. That's why you have to use cloudflare's certificates for the communication between the browser and their servers. Encryption is useless if it's interrupted at the most critical point, at a company that has no defence against the NSA and isn't even allowed to warn its customers.

jordanjay29

This was getting off topic, so I split it from the original