CloudFlare’s last Warrant Canary was published over a year ago
cloudflare.comThe glossary entry on warrant canaries is dated December 2020, but there is a more recent canary list in their 2022 transparency report (https://www.cloudflare.com/en-au/transparency/) with the same 6 items in it.
Bizarre they appear to have skipped the H2 2022 transparency report unless I’m missing something
H2 2022 and H1 2023
Give H1 2023 has only just wrapped up I optimistically presumed it would be in production now, but I’ve got no idea what the lead time on these reports historically has been
also on that page: "Confirmed: July 31, 2023"
Maybe I’m just getting old and distracted, but I feel like CloudFlare went from “whoa some HN pros are doing great CDN work with some serious chops and an underdog work ethic” to “is it possible to never connect to them” like, really fast.
I think there was 10 or so years in the middle there :)
I think we’d all be pleased to build something out of passion and have it survive a decade without corruption, probably harder than it sounds
I love cloudflare, but honestly I assumed they WERE the CIA/FBI not just compromised by them. It would be the perfect front company for the government.
These threads amuse me.
If adamgamble's speculation were the case, I'd go to jail for things I'd have illegally signed in our SEC disclosures attesting to the sources of our revenue and any government contracts. Suffice it to say, I like not being in jail. It's really, really hard for public companies to be part of some grand conspiracy for so many different reasons. So… once we went public I kind of thought this silly speculation would end. But guess not.
Beyond that, if you think about it, it's a way better business to run Cloudflare and serve the world than serve some US intelligence entity. That's just per se true. So if that's the case why would we ever do anything that would remotely compromise the trust necessary to, you know, be Cloudflare?
Lastly, here's a funny story. Early in our history one of our investors suggested that we talk to In-Q-Tel. Here's how naive Michelle and I were: we had no idea it was the CIA's venture capital arm. So we showed up in their office on Sand Hill Road. It was weirdly austere compared with other VCs we'd visited. And lots of security cameras. The partner at some point came out and greeted us. As he was walking us back he looked back right before we crossed the threshold back to the inner offices, "You're both American citizens, right?"
"No," Michelle said. "I'm Canadian."
"Oh." the VC said. Then you can't come back here.”
"I'm not going back there without her," I said.
"Ok, well, I guess we'll have to do the meeting in the reception area," decided the In-Q-Tel VC.
We had a very cordial meeting and then left. As we were driving away Michelle said, "Those guys were weird." And that was the end of that. Never talked to In-Q-Tel again.
But maybe it's the Canadian equivalent of the CIA/FBI/NSA we're beholden to??! ;-)
> So… once we went public I kind of thought this silly speculation would end. But guess not.
In fairness, there are quite a number of public companies that turned out to be operating partially as fronts for spying agencies (AT&T is the shining example here). So simply being a public company could not be expected to serve as some kind of proof of independence.
> I'd go to jail for things I'd have illegally signed in our SEC disclosures attesting to the sources of our revenue and any government contracts
CIA/FBI/NSA agreements include immunity from prosecution in the US at least. Your problem would be in foreign jurisdictions only.
Immunity from prosecution seems like a marvellous way to destroy rule of law. Crazy that that and royal^H^H^H^H^H presidential pardons exist. Recipe for corruption of the state and then the justice system.
As the purpose of Presidential pardons is to provide the opportunity to right significant miscarriages of justice in system that is almost impossible to get perfect, and that is the way they were typically used, it does not seem crazy that they exist.
What IS crazy is that they exist with very little consideration of a corrupt POTUS, judiciary, and/or congress. Seems the writings of the founders did worry about that significantly in later years, but evidently not in time to enshrine many guardrails in the US Constitution, not even a clear prohibition against self-pardon. Seems such a thing was considered so obviously wrong and corrupt that it didn't need to be mentioned. so here we are two and a half centuries later with people arguing that it should be possible.
> it does not seem crazy that they exist.
I think that it does seem crazy that they exist. To give a single politician the power to simply override our justice system is dangerous and crazy. If that's really necessary in order to ovoid miscarriages of justice, then we need to fix the real problem, not introduce a new one.
Why is the pardon ability a problem? Because it's the judgement not just of one person, but of a person who is a political animal. There is no way that power will be used in a way that is impartial, and there is no single person who is so wise that they should be entrusted with such decisions. That it's a politician making the decisions all but guarantees that the decisions will be made out of political interest, not some interest in actual justice.
All the pardon power does is to increase the potential for corruption.
> It's really, really hard for public companies to be part of some grand conspiracy for so many different reasons.
As difficult as it was to keep PRISM and the many other overt and covert arrangements (public, private but leaked, and private but not yet leaked) between backbones, carriers, CDNs, hosting providers, ISPs, etc., and the agencies leveraging them, out of each firm's public filings?
Because evidence is it's not difficult at all, considering the whole of the 30 years since the Internet went commercial.
Hi, kind of hijacking this conversation but as Cloudflare is unfortunately routing the majority of websites I visit I have to ask this:
Can you guarantee my Firefox browser will keep on working on 'the open internet' now Chrome moves towards "Web Environment Integrity" and Safari towards "Private Access Tokens" and Cloudflare is supporting and implementing such technologies on scale?
I intent to not participate in these DRM APIs with my Firefox browser and would like to keep browsing the internet.
How could Cloudflare guarantee websites dont implement WEI in their codebase. that makes no sense
"If you’re a Cloudflare customer:You don’t have to do anything! Cloudflare will automatically ask for and utilize Private Access Tokens"
https://blog.cloudflare.com/eliminating-captchas-on-iphones-...
"will you be supporting WEI and PAT in your captcha/ddos protection services" is a VERY different question to "can you guarantee my Firefox browser will continue to work on the open web"
Heh, he posted the GP comment and went to bed. Good luck getting a response.
I haven't been able to visit a site with Cloudflare's bot protection for over a year because it goes into an infinite loop on Firefox.
That usually happens when I'm faking my user agent to use the most popular (windows + Chrome). Once I go back to the default (Linux + Firefox) then CloudFlare seems to allow it.
what a truly ridiculous question to ask the ceo of cloudflare.
Your response really shows a disconnect with the user and what was said
Not many users who encounter your service while trying to connect to a website will know _anything_ about your company, let alone knows its public or read disclosures.
Cloudflare has a public perception and sentiment problem and dismissing it as you have will lead to an inevitably negative outcome.
Ha thanks for the reply, was mostly just joking didn't expect a reply from Matthew directly :). I appreciate that you're active on HN though!
Why wouldn’t they fund the worlds largest MITM attack?
Cloudflare is not a MitM attack. By that same logic AWS would be an even bigger MitM attack.
What am I missing? They literally decrypt all the traffic to your website, do some stuff, then re-encrypt and send it on to your server.
Not an attack but certainly a person in the middle.
IAAL and advise on data protection and privacy.
Anecdotally I can tell you that the MitM aspect of Cloudflare and other similar providers is not well understood.
My impression is that a lot of people use these services without really understanding the implications.
For example, when you look at some of the risks that privacy laws are trying to protect against, especially access to data by foreign actors (including government agencies) without due process, use of these types of services changes the game.
Sometimes the benefits might outweigh the risks, but the decision to use these types of services should not be taken trivially.
That said, I routinely use Cloudflare for my personal projects.
And AWS has control of all of your servers and everything stored on them. If it's part of your systems architecture and how it's intended to work it isn't being attacked.
>They literally decrypt all the traffic to your website, do some stuff, then re-encrypt and send it on to your server.
That doesn't mean they are an attack. That is just how a CDN works.
Does CloudFlare proxy your website without your permission?
You're being needlessly pedantic. It might not be an attack in the usual sense, but it's a MITM "access point" and agencies like CIA/NSA/FBI would definitely have that kind of access. This access transforms Cloudflare's role into a de facto MITM "attack" on their customers and end users who didn't intend to share unencrypted data with 3-letter agencies.
I don’t think I’m being pedantic. In practical, the parent comment’s description is not that of MITM attack, but how a proxy works. Proxy is everywhere, useful, and voluntary.
I just don’t understand how a voluntary use of proxy can be called MITM attack.
I’m not saying I like the fact that CF is part of so much of the Internet, or that CF isn’t on some level a security risk. But that has nothing to do with being an MITM attack.
It doesn't, but it does proxy my connections to several websites without my me having a chance to say no - in fact, without even telling me.
It’s always the website’s choice what infrastructure is used to serve the website, including whether a proxy is used. You don’t have a chance to say no if the website owner wants a proxy in front of their site. The web owner has a say in how they want their server to be connected.
In the same way, you can use a proxy to access sites, and the server cannot bypass that, either.
I know. I understand the tech and the business decisions behind all of this. I understand the value of a CDN.
It's still a MitM. It's a centralised entity that sees a huge share of the global Internet's traffic, unencrypted. I doubt most people are aware of that.
Someone in another comment mentioned AWS is one as well, and they're right. AWS, GCP and Azure all have TLS-terminating gateways of some kind.
Take Cloudflare, AWS, GCP and Azure, all USA companies bound by the CLOUD act, and nearly all Internet traffic is immediately accessible by US authorities, unencrypted.
Makes the whole "think of the children" rhetoric being spun to pass anti-E2EE laws tame in comparison.
That's a lie. Cloudflare decrypts HTTPS connections
By that same logic, it would not be surprising to discover AWS working with the feds either.
You're right. That definitely wouldn't be surprising!
This might be anticipated, it won't be a surprise.
> By that same logic AWS would be an even bigger MitM attack.
Amazon HQ2, Arlington Virginia: https://en.wikipedia.org/wiki/Amazon_HQ2
It's worse. You can't just start Mitm'ing regular encrypted internet traffic without compromised infrastructure. With Cloudflare everything is already in place.
You can avoid that with some programming/setup and money: https://developers.cloudflare.com/ssl/keyless-ssl/
Remember, Cloudflare CEO/CTO is active on HN.
Their lack of reply (if that turns out to be the case) on this post would be telling.
Hmm. Don't think that's intentional. Will ping legal and policy team and make sure they get a heartbeat published ASAP.
Sorry for the delay. I was writing our Q2 earnings script rather than checking HN. And John (CTO) is in Lisbon where he's probably just waking up. Also: he's on vacation this week.
Morning.
Think you’re supposed to be on vacation.
Time to muster, HackerNews community decided to make a PR event this morning.
Thanks for the comments and clarifications in this thread.
Well, it’s been 4 minutes. I’m calling it!
Warrant canaries are largely believed to be unworkable. Ie federal lawyers are going to say "cute, but no, you cannot disclose that we warranted you in this or any other way."
Compelled speech of any kind has been repeatedly ruled unconstitutional. Also many companies have triggered their canaries, including Apple, Silent Circle, and Reddit. If Apple's legal department considers it valid I'm inclined to agree with them absent positive evidence of the contrary.
Is there a precedent for compelling speech, even with something like an NSL?
Compelled speech has lots of examples from warning labels, disclosures, truth in advertising, etc.
What you should be asking is their precedent for compelled false speech, which is a much more interesting and difficult to answer.
Not just that, but compelled false advertising—false advertising itself already being a federal crime.
Many of those seem to be "you cannot do this legally codified activity unless you also fulfill the requirements enumerated therein". Can't sell food in retail setting without labeling it as required in the law that regulates food sales, and so on. That seems separate from compelling a creation of a false statement unrelated to business activity.
Why is the commentary of far-right reactionary, who is not a legal expert, commenting on a canadian law, that has nothing to do with warrants, with a citation pointing out that legal experts disagree with him, at all relevant to this conversation?
This forum requires a basic assumption of good faith for posters, especially when it comes to such a trivial mistake like having the wrong anchor section on a link to a short article. It was probably an artifact of their browser trying to be “helpful” when they were copying the link to the full article. Your aggression is unwarranted.
No aggression I can see, remember the good faith assumption!
What aggression? Nothing they said was aggressive.
Probably the giant “United States” section with dozens of examples?
But they linked a specific section, and it wasn't the United States section.
I do not think that the United States section of that article is valid. It seems to equate speech with communication.
It does not feel right to call an IRS tax return "speech".
US law uses 'speech' that way.
'Expression' would arguably be a better word for it, but the term of art is what it is.
Speech in this context means an expression of ideas, wether literal speech, or a newspaper article, or...
Perhaps, but until there's a test case we're all just guessing. So far the Supreme Court has been fairly strict in following the compelled speech doctrine.
https://www.mtsu.edu/first-amendment/encyclopedia/case/30/co...
Yes and no.
They can say "don't do anything". They can't say "don't avoid doing something." That's the point if the age of the warrant canary notification--they stopped updating it. This is in effect a dead canary, they're saying they are subject to an order they can't disclose.
What's more likely, they removed it to signal they think canaries are a legal uncertainty or because of something else?
If they don't think warrant canaries are legally doable, wouldn't they have put out a statement saying that?
Untested except obliquely but it is a compelling idea given the tests of the first that we've seen so far.
Is there a point to a company as large as Cloudflare even having a warrant canary? Half the internet goes through their servers. Of course the US government had or has hooks in them for something or other.
To legitimize the suspicion. That's always been the point.
No they don't.
And, it's not like there are really alternatives. So what if they were served a warrant? What are they, and the people, going to do about it?
Until the people go on a general strike and stop working, the gears will continue to turn and squeeze the vice tighter.
> Is there a point to a company as large as Cloudflare even having a warrant canary?
There was, is. There likely won't be, going forward.
So they got a warrant that they can't talk about. That seems obvious.
Their Canary has more to do with their infrastructure being compromised. It's likely one or more of these statements are no longer true:
1. Cloudflare has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone.
2. Cloudflare has never installed any law enforcement software or equipment anywhere on our network.
3. Cloudflare has never provided any law enforcement organization a feed of our customers' content transiting our network.
4. Cloudflare has never modified customer content at the request of law enforcement or another third party.
5. Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.
6. Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.
I'll state right here: all these are still true. We'll get the canary updated. Checking with legal and trust & safety why it hasn't been for so long. Likely just slipped someone's mind. Will make sure that doesn't happen again.
How about make `https://www.cloudflare.com/.well-known/warrant-canary.txt`, and use a Cloudflare Worker with a Cron Trigger to trigger an email to legal if it's approaching expiry?
I wonder how pedantic you could legally get with that.
Cloudflare has never been compelled to give up information to an agency called AAA. Cloudflare has never been compelled to give up information to an agency called AAB. ...etc.
As we sort of saw with the Twitter Files (and other incidents with foreign governments, eg the Indian government), they can get extremely pedantic about describing the kind of cooperation they have with government agencies.
(Not to point to a conspiracy to silence political opposition, just to highlight that, at least to me, the extent of their cooperation was really surprising relative to how little they talked about it)
Suuuuper pedantic.
For instance, 2 and 3 narrowly specify just law enforcement agencies, of which the CIA and NSA are not.
I think we'd consider them "law enforcement agencies." But, for the sake of complete clarity, I'm happy to say that we haven't done any of these for the CiA or NSA or any non-US equivalent.
Buuuut, since 703 allows law enforcement agencies to harvest data captured by intelligence agencies any statement that doesn't specifically exclude those intelligence agencies is essentially meaningless.
Why do we have to be pedantic and can't just say when the FBI or CIA come after us?
Because these agencies are horrifically corrupt beyond any usefulness. These agencies could go after any number of human and drug traffickers and make these problems nearly vanish almost overnight because they collect practically all of our communications. But they don't do that. They are used as targeted political cudgels when its handy and when there is much money to be made.
The essence of a canary is you can't say they did, but you can stop saying they didn't.
In the U.S., national security letters (NSL) typically include a nondisclosure requirement:
<https://en.wikipedia.org/wiki/National_security_letter>
A warrant canary asserts that no such obligation has been incurred.
Gag orders.
#5 seems most likely.
Agree #5 is the riskiest right now with the Quad9 decision in Germany and some of the cases we're facing in Italy, Austria, and elsewhere. The copyright industry has decided that DNS is their new target; never mind that anyone can setup their own local DNS resolver. Good news: those are extremely public cases. And, if we lose, we'll make a lot of news about how dangerous they are. If you're in Europe, it'd be really helpful for more people to be telling the courts and legislatures: DNS is not the right place to try and censor the Internet.
They all seem likely given that they all have multinational precedent.
Bear in mind that there are multiple ways for Cloudflare to give law enforcement or intelligence agencies customer information that do not breach one of these six statements.
It doesn’t mean that they are not helpful. Just that - as warrant canaries go - they are not complete.
> That seems obvious.
You would assume, but when the Riseup canary expired plenty of people seemed willing to believe that a procedural issue or carelessness was to blame.
Same with Spideroak.
What happened with SpiderOak?
"SpiderOak removes its warrant canary" https://news.ycombinator.com/item?id=17696276
What is the language around the non-disclosure order? There seems to be speculation that a warrant canary would be construed the same as a disclosure, but are you required to not inform the concerned party, or required to not disclose law enforcement contacting you at all?
From a practical perspective I don't imagine that cloudflare removing a canary could give any one organization a signal - I don't know what the bar for a 'disclosure' is but informally I would not consider it a targeted specific warning.
EDIT: the other component I am curious about is duration, there is still utility in the canary even if it comes late, future users will know that there was a compromise and that further ones are likely, right?
It's weird to me people think warrants are still used.
No warrant is needed by any government agent to read your email that is over six months old and the major providers just give them a backdoor so as not to waste any time/money with requests.
Who is going to stop them from doing that with anything else? The supreme court? Good luck with that belief system. You think the NSA ever stopped just because they were discovered? Or did they just switch to "try to stop us".
Their "canaries" don't make any reference to warrants, and two of them explicitly rule out providing a backdoor for governments ("Cloudflare has never installed any law enforcement software or equipment anywhere on our network" and "Cloudflare has never provided any law enforcement organization a feed of our customers' content transiting our network").
So.. what? Endless despair?
Source?
What action do I need to take in response? Please advise.
I'm not an expert, but my course of action is to stop using cloudflare. I never used them for whatever that other thing they do is, but I switched my upstream DNS to quad9 (9.9.9.9).
So what's stopping these people that claim to be so righteous by using canaries from lying to you? Anyhow the ISPs and internet backbones are all tapped as many whistle-blowers have already revealed.
Nothing stops anyone from lying to you. In this case it would be considered fraud if the lie was discovered or leaked. Which is one of the rationales on why courts cannot compel a company to lie and post false warrant canaries, because it would incriminate them.
Courts absolutely can and do compel companies to maintain warrant canaries.
Fraud? Fraud against who? For what damages?
> Courts absolutely can and do compel companies to maintain warrant canaries.
Can you please cite one example of a court compelling the maintenance of a warrant canary?
Fraud against paying customers, if they can demonstrate they wouldn't have paid if the company didn't lie. Also competitors if they can demonstrate they lost business due to the lie.
Sorry, I must have missed the claim of righteousness in the canary. Can you point me to it?
Nothing is stopping them from lying.
Signaling that their infrastructure has been compromised is kind of a weird lie for them to make though...
The SEC could throw me in jail. And, sure, you could believe that the FBI or whoever could tell the SEC what to do. We have European and Asian investors too, so their financial regulators could also sue me personally for lying. Perhaps the FBI/CIA/NSA control them too? Gets tricky to believe: the bigger the conspiracy the faster it falls apart. It's really, really hard to be part of some grand conspiracy as a public company.
> It's really, really hard to be part of some grand conspiracy as a public company.
No it's not. Twitter and Facebook have had defacto government censorship collusion, as suspected by the paranoid.
For years and years it was dismissed as conspiracy, but clear evidence has now come out that it was happening in these public companies.
>clear evidence has now come out
Source?
Twitterfiles, various publications on government access to Facebook takedown portal.
Including on this platform...
The concern isn't a grand conspiracy, it's that you've been coerced to comply with the kind of surveillance overreach that US intelligence and enforcement agencies have repeatedly engaged in.
Cloudflare isn't the bad guy in this scenario, it's the hostage.
Chrome should starting warning users if Cloudflare is used to protect a website, due to the risk of MITM.
The biggest MITMer should complain about another service being an MITM? How much has Google now routed to go through themselves or be checked by them prior to serving your destination?
Bear in mind Google doesn't have a warrant canary because it is served literally hundreds or thousands of warrants per year, to the tune it's just called a transparency report to count them.
Okay, Firefox should start warning users.
How do you think any CDN works?
By MITMing traffic between you and the host. Maybe Firefox should display a warning when it detects intermediaries that could have decrypted the traffic between the host and you?
This seems like a useless warning.
The owner of the domain has to choose to integrate a CDN. They implicitly trust the vendor who runs the CDN just like they implicitly trust the cloud provider that asserts their VPC between their server that terminates TLS and any API servers behind that which don’t use encryption for data in transit.
That's fine but the user has no way of knowing if a third party is party to the communications or not. Surely they should know?
Again - that seems like a useless warning.
3rd party could mean a DBA, IT consultant, AWS support tech, CDN support tech, MSSP employee, cloud platform, etc. those all come with different levels of risk, different contract terms, etc.
I’m trying to say that just saying the TLS connection is terminated by a vendor, who then creates another to the origin server doesn’t tell you anything valuable from a security / risk standpoint. The CDN-fronted connection that shows the warning may be highly secure while a self-managed reverse proxy that terminates the TLS connection to another serve owned+managed by the same person/org might be completely insecure. The warning is not a useful signal.
I guess you like those cookie warnings that pollute the Internet these days? Because this would be cookie warnings all over again. Any site that's reasonably popular uses a CDN to increase scalability, improve performance, and add reliability. Half the Internet would need a new pop-up warning that a CDN is in use. The last thing we need is yet another pop-up when a page loads....
It doesn't need to be a pop up. Just behave like a HTTP site ("not secure" warning) when you could be MITM'd between yourself and the entity you think you are communicating with.
If it turned out "End to end" encrypted chat went through a third party that even transiently had access to the plaintext version of the chat (like how Cloudflare works) you'd be apoplectic.
It's impossible to know if a third party had access to the plain text. Hell even Cloudflare can be setup with actual end to end encryption where they can never see the contexts of the traffic. Most users don't want that as they want CDN features that require unencoding the data.
Do you want a similar warning on every site that the server might be compromised? Because I don't think that risk is smaller than the CloudFlare MITM risk.
I want a similar warning on any provider that is known to routinely MITM and send data unencrypted across the Internet. As far as I know that would only be sites hosted by Cloudflare and sites using certificates issued by the government of Kazakhstan. There's a difference between screwing up (and I wouldn't be against holding companies liable for that) and wilfully setting up a https:// URL that sends your requests unencrypted over the public Internet.
That's fair. It would be good for CloudFlare to force backend encryption.