Skip to content

Cloudflare accused of shielding malicious websites, enabling cybercrime

  • by
  • 3 min read

Cloudflare, a prominent content delivery network recognised for protecting websites from denial-of-service (DDoS) attacks, is protecting malicious domains and not promptly resolving abuse complaints. This finding has sparked a renewed debate about whether Cloudflare’s content-neutral approach aligns it with being a defender of free speech or a facilitator of malicious activities.

Cloudflare’s laissez-faire approach to traffic moderation has long sparked debate. The company’s policy of providing services to virtually any entity, regardless of behaviour, has drawn praise from free speech advocates and ire from cybersecurity professionals.

Spamhaus, a nonprofit organisation dedicated to combating spam and malware, recently criticised Cloudflare, revealing that 10% of the domains on its blocklist are protected by the company.

This amounts to over 1,200 unresolved abuse complaints. According to Spamhaus, cybercriminals frequently use Cloudflare’s services to mask their activities, a tactic known as ‘living off trusted services’ (LOTS).

Cloudflare maintains that it is not responsible for policing its users’ content or behaviour. Its pass-through services, designed to streamline content delivery and prevent DDoS attacks, do not involve hosting the material.

The content delivery network’s abuse policy emphasises the importance of maintaining a content-neutral stance, comparing internet infrastructure to physical infrastructure that should be available to all.

“While content curator services are designed around moderating content, infrastructure services operate without content-based distinction to help make the Internet function more securely, efficiently, and reliably,” Cloudflare’s abuse policy states. “Everyone benefits from a well-functioning Internet infrastructure, just like other physical infrastructure, and we believe that infrastructure services should generally be made available in a content-neutral way.”

However, critics argue that this stance allows harmful content to thrive. Security reporter Brian Krebs, whose site was hit by a DDoS attack, reflects this sentiment. Despite being offered Cloudflare’s protection, Krebs declined due to concerns over the company’s tolerance of DD0S-for-hire services.

The abuse policy of Cloudflare has broader implications for online safety, particularly for vulnerable groups such as transgender, Black, or Jewish internet users who are often targets of harassment. Critics argue that Cloudflare’s neutral stance facilitates these abuses by providing a haven for malicious actors.

In response to Spamhaus’s criticisms, Cloudflare reiterated its commitment to a comprehensive abuse reporting process. The company claims it flags suspected illegal or malicious activity to hosting providers, website owners, and law enforcement when appropriate.

“While we disagree with Spamhaus on this issue, especially when terminating users will only remove security services for websites while not removing the content, we note that Spamhaus uses Cloudflare’s services itself, and we welcome further engagement with organisations like Spamhaus on how best to address malicious activity,” Cloudflare told Ars Tehnica.

Despite criticisms, Cloudflare’s content-neutral approach has its fair share of supporters. The Electonic Frontier Foundation argues that infrastructure providers like Cloudflare are not well-positioned to evaluate the harm caused by online content. They caution that cutting off sites deemed harmful could have unintended consequences.

In the News: Ransomware attack on C-Edge hits 300+ small Indian banks

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>