There has recently been a fairly widespread discussion about unethical things that programmers have been asked to do. I am lucky enough not to have any nasty examples of my own, although recently I have written some code that I am not entirely happy with.

Cloudflare and Cambridge

At work there has been a big "cybersecurity" push this year. The management have brought in some security consultants to help us out because the permanent staff are already overcommitted.

One of the consultants' recommendations was to deploy some off-site denial-of-service protection, and the supplier they chose was Cloudflare.

Cloudflare's technology is closely integrated with the DNS, so as the Hostmaster it was my job to integrate Cambridge's DNS provisioning systems with Cloudflare.

Supertechno

Cloudflare is technically excellent. They have highly competent staff, and they are very good at describing their work on the Cloudflare blog.

I went to their birthday party a few months ago in their London office, which was good fun with lots of awesome people to chat to.

Abuse magnet

However, Cloudflare has an abuse problem.

There are a few factors that combine to make it particularly bad.

Firstly, they have a free plan. Anyone who has provided free services on the Internet will know they are magnets for spam, warez, and other network abuse. The usual answer is aggressive policing by the provider to keep their service clean.

However, Cloudflare is very keen on freedom of speech, and they like to see themselves as a content-neutral service. So they don't police their customers. If you report abuse to Cloudflare, they just pass the report on to their customer's back-end hosting provider. (See their abuse policy.)

Cloudflare repeatedly say they aren't a hosting provider. This is somewhat disingenuous. They are not (strictly) a web hosting provider, since they just proxy the content rather than hosting it themselves (though I don't know quite how to square that claim with their "always online" feature, where Cloudflare keep your website working even when the origin server is offline). But they are a DNS hosting provider: their normal deployment model is that they take over your DNS so they can do clever CDN tricks.

So although they say they can't remove specific content from a website, they can disable the entire website. But Cloudflare won't do that unless they are legally required to, or given some similarly compelling reason.

Bad neighbourhood

Being a spammer won't get you kicked off Cloudflare, so Cloudflare always has loads of listings on Spamhaus. (Spamhaus's usual escalation process for spam-supporting services doesn't work in this case, because Cloudflare's corporate email is hosted on Gmail, which is effectively unblockable by the SBL.)

Brian Krebs is an investigative journalist who specializes in online crime - credit card fraud, DDoS attacks, and so forth. Many of the subjects of his investigations use Cloudflare.

Every so often huge flamewars appear on network ops mailing lists about Cloudflare's abusive customers - see for example NANOG in July, towards the bottom. (I have many more examples, but usually on mailing lists with closed archives.)

These complaints have been going on for years - see this post about Cloudflare being blacklisted by Spamhaus in 2012.

Conflict of interest

The worst accusation against Cloudflare is that they are (in effect) running a DDoS protection racket, or as Brian Krebs calls it, spreading the DDoS disease and selling the cure. The business model can be summarized as:

Differing opinions

It's clear from Cloudflare's large customer base that many people do not see this conflict of interest as a big problem, though opinions differ.

On the one hand, after suffering a large DDoS attack in 2013, Spamhaus started using Cloudflare for DDoS protection.

On the other hand, Brian Krebs's web site was booted off Akamai by a DDoS attack that was too large for Akamai to handle. Cloudflare offered to help out but Krebs instead moved his site behind Google Project Shield. (That thread on Hacker News is another classic Cloudflare abuse flamewar.)

My personal opinion

I would prefer not to use Cloudflare on sites I am responsible for, to avoid complicity in their conflict of interest. And I argued against using them at work, but the choice had already been made without my input.

So, I have written the code we need to make Cloudflare work for our sites reasonably easily and reliably. And I am mollifying my conscience by writing this article.