Information Security
tls http-proxy nsa caching tls-intercept
Updated Thu, 16 Jun 2022 10:42:48 GMT

Can I use CloudFlare if I want to avoid NSA and FISA secret orders?


We're running a web service in Europe, secured with TLS and we're using private keys generated on our private hardware.

We would like to use CloudFlare for DDoS protection and caching reverse proxy.

However, putting my tinfoil hat on, I'm wondering is there any technical way to avoid being potentially MitM'd by NSA or any other entity that FISA likes to support? Let's assume that I can trust CloudFlare to not leak any secrets for extra money only. If I have understood correctly, CloudFlare is able to generate certificates for any domain they want (they are a CA) and NSA or FISA should be able to get backdoor to reverse proxies run by CloudFlare because CloudFlare headquarters are in the USA. If I point our DNS entries to CloudFlare, that is a free pass to read and modify any traffic on our site.

The problem with FISA is that its decisions are not public. If CloudFlare was forced to work against my will by any public court orders, I could just switch to another CDN. However, when CloudFlare is forced to do something by secret FISA court order, nobody is any wiser and I cannot switch.

(I guess the same applies to Akamai and any other reverse proxy CDN administered by any company with headquarters located in the USA.)

Solution

First of all, just because you use CloudFlare does not mean that the traffic will pass through the US. CloudFlare currently has 102 edges, and requests will be sent to the nearest one. This is what is called "anycast". So if someone in Europe requests your page the request will go from them to an edge somewhere in Europe, and from there to your origin. In other words, using CloudFlare will not force the majority of your traffic through the US.

Concerning the use of TLS, CloudFlare offers three different models:

  • Flexible SSL: Traffic is only encrypted between the end user and CloudFlare, and not between CloudFlare and your origin. Obviously, this is not safe against government actors...
  • Full SSL: Traffic is encrypted all the way, but you have to give CloudFlare your private key so they can decrypt traffic. So your private key is only a court order away from the NSA.
  • Keyless SSL: You do not how to give them your private key, but they still "decrypt, inspect and re-encrypt traffic". Read about how it works here. You don't need to have your tin foil hat on to suspect that the US government could preassure a US company into providing data from servers located outside the US.

So, in conclusion, what you need to worry about is not the traffic passing through the US, but that CloudFlare will share your decrypted traffic with the US government. There is no way for a CDN to get around this - to do their job as a reverse caching proxy, they need to decrypt the traffic. Either you trust your CDN, or you don't use one.

Comments (5)

  • +0 – Yeah, I trust that CloudFlare is not going to pass all the traffic trough the US because latency would be too bad. However, as long as they have headquarters in the US, FISA court orders can have an effect and as long as FISA works the way it does, the customers of CloudFlare cannot be informed about the fact. — Feb 20, 2017 at 12:36  
  • +1 – What FISA does and doesn't do is a legal question that I will not try to answer here, but I think the important point is this: CloudFlare will always be able to decrypt your traffic, and therefore they will always be able to share it with others. If you don't trust CloudFlare not to do that, for legal reasons or otherwise, you can not consider CloudFlare safe. — Feb 20, 2017 at 12:45  
  • +0 – Given that "trust" includes whatever FISA or any other government body enforces, I agree. I personally believe that CloudFlare does not share the traffic without court order but after that they will do whatever the court is ordering. The problem with FISA is that the court order is not public. — Feb 20, 2017 at 13:22  
  • +1 – @MikkoRantalainen Then you will have to live without a CDN. If you find one that doesn't need to be able to decrypt traffic you could still benefit from the DDoS protection, but obviously you would get no cache benefits. — Feb 20, 2017 at 13:27  
  • +1 – I think a CDN located in a country with less insane jurisdiction than FISA would work pretty fine, too. All the big ones (e.g. CloudFlare and Akamai) have headquarters in the US, though. — Feb 20, 2017 at 13:32  

External Links

External links referenced by this document:

References