I don't want to diminish the good things Cloudflare has done for privacy on the web, and I welcome alternatives to Google Analytics, but Cloudflare's mission is to get the entire web behind them and give them complete control over all their TLS certificates, traffic, and now analytics. They may be okay right now, but there is absolutely nothing stopping the next CEO, or some future board or big investor group from changing that privacy focus and abusing it.
If you give this large a chunk of web traffic to a company, then let them also decrypt everyone's TLS traffic, I can't see that ending well.
Transparency disclaimer: I briefly worked for them and was very uncomfortable with the work they were doing the whole time.
give them complete control over all their TLS certificates
Yes. Cloudflare is both a middlebox service and a certificate authority that can issue itself an SSL cert for any web site. What could possibly go wrong?
People have said this for years, and yet there still isn't a viable competitor to Cloudflare.
They still have the best performing and most feature-ful CDN available. The competition is not even that close. Fastly is the only other CDN I could really consider, but their featureset just doesn't compare.
"They still have the best performing and most feature-ful CDN available."
I don't think that's true. Do you have an actual reference for this? I've used CloudFlare heavily, along with Akamai, Fastly, Verizon, Bunny, etc.
I would say CloudFlare is the most approachable CDN with a wide set of easily accessible features. Its free tier is terrific too. I would argue that feature for feature, CDNs like Akamai have a much larger feature set, and are also far more complex to deploy.
Cloudflare is more than just a CDN unlike Fastly and Bunny. Verizon and Akamai are clearly enterprise focused with long feature lists but they still don't match the same useful and modern features like Workers.
The place where Cloudflare truly doesn't have competition is in the non-enterprise space. If you're worried about your blog or SMB website getting overloaded or attacked you'd probably be pretty tempted to switch to Cloudflare's free plan. I can't imagine Akamai or Verizon even bothering themselves with a customer that small.
And many of those small customers have turned into large customers. Clearly their success shows that it's a big market so it's even more strange that there's such a lack of competition.
As near as I can tell, Cloudflare has never turned a profit, so it's debatable to what extent they have been a "success". Not every business is comfortable running at a loss indefinitely.
It's a public company with about 80% gross profit margin and growing rapidly. It seems they're taking the best approach in reinvesting to scale as much as possible while they can.
Well, Cloudflare is now publicly listed, and as far as I can tell, they are investing far more in growth, hence the loss. And their cash flow is pretty damn good with growing revenue. Not a problem with today's ultra-low interest rates. As a matter of fact, it is the preferred model in today's economic climate.
Akamai performs admirably (perhaps even better?) just that they're not as active as Cloudflare employees around these parts.
The CDN space is rife with healthy competition all around, especially with 5G around the corner, but sure, Cloudflare seems to move the quickest and probably has the strongest product vision that resonates with the news.yc crowd, a lot. Nothing inherently good or bad about that: In fact, I seem to enjoy using their products as a developer more than other Cloud vendors.
There are viable competitors, but none of them are willing to offer dirt-cheap service like Cloudflare is, and that's really a shame. Fastly, Akamai, etc. focus entirely on Enterprise and don't see making their product accessible to small business/personal project sites as a worthy business venture (which it probably isn't), so that leaves most SMB/personal sites the choice of either hoping they don't get attacked, using/paying for AWS/GCP DDoS protection, just not running their site, or using Cloudflare.
Browsers that supported SRV DNS records for HTTP/S traffic would be a good start imo. That way you could 'roll your own' CDN without all this BGP/ASN low-level network switching. Would it be as good as what CloudFlare provides? Probably not, but for a lot of purists, it would certainly be a welcome compromise.
Part of the problem here is that the actual product is flawed; a competitor to Cloudflare that does everything they do would have the exact same problems (it destroys the entire security model of the web). Instead, use another CDN (there are plenty of those), and another DDoS protection, and remember that just because they're cheap doesn't mean you're not paying with something other than money.
I don't see Cloudflare ever capturing even >50% of the market by bandwidth. Companies who have big enough demands (Netflix, Amazon, YouTube) are simply better off managing their own CDNs and I think that customer needs are varied enough that Cloudflare simply won't be able to satisfy all customers.
If you go along with the above premise, I don't see what the problem is. You will always have the option of switching CDNs if Cloudflare starts snooping in on user data.
Of course, if you disagree and think CF will take 100% of the market, then what you said makes sense. Personally, I don't see that happening.
I've always thought of cloudflare as a plan to centralize the traffic that is not large enough to warrant their own CDN. All the examples you mentioned run their own content delivery in some way.
IMO Cloudflare represents the death of the small player on the public internet; before it most small players ran their own internet-facing services, with it many choose to just run behind Cloudflare.
Is the most relevant metric bandwidth, page views, or websites?
They may not have the bandwidth as you point out, but they have a pretty big chunk of websites. (Obv not 100%)
(That said, AWS has a lot more than “just” the TLS connection on a large fraction of the web, including all of my web properties, so yeah, who are you going to trust and for how long?)
Bandwidth is useful because it most directly corresponds to deployed physical hardware. If other providers have made that capital investment, taking customers away from Cloudflare is a matter of gradually rolling out features to meet their needs. Not trying to trivialize the effort, but it seems doable.
That’s not actually true. Compute cycles would be the best proxy for deployed hardware. Just delivering bits doesn’t actually take much hardware. (And not even sure why the amount of deployed hardware is a great metric.)
We specifically aren’t interested in pure bit delivery. It’s a commodity business that will have its margins squeezed to zero over time. We provide CDN services because caching is a useful tool in computer science when you want to deliver performance for other applications. If you measured our revenue per bit delivered, it would be far more attractive than any of the traditional CDN providers because we aren’t primarily selling bit delivery where they primarily are.
I don't think they'll actually manage to take 100% of the market, but if they take some big chunk they could still do a lot more damage than Google when they decide to start selling all free tier data or something (or even when they get an order from a future government to start doing something sketchy with traffic on their network, if that's more of a threat you're worried about; remember, they can see inside your TLS).
And you don't really have the option of switching CDNs (at least, not easily) if you've bought into all their proprietary stuff like their workers implementation, various optimization techniques that your site couldn't survive without, etc.
Is good competition in this space ever a _bad thing_? inb4 capitalism bad arguments. I think that if ${BAD_POLICY} happens, a competitive market will produce a new "cloudflare"-like company that eats their lunch. There's a reason why GA has so many privacy focused competing apps, e.g. Fathom or Matomo.
Competition is fine, the problem is a mix of vertical integration (which is generally anti-competitive) and that their entire product just destroys the security model of the web.
If you don't want to use Google Analytics, respect your users' privacy, while still getting feedback on visited articles, you can always self-host a first-party Matomo instance.
You can, for example, disable its tracking cookie, anonymize IPs, make it deactivate when seeing DNT requests, and it would still work fine. Session tracking would be much less accurate of course, but you didn't use that anyway, and even if you did, be grateful that tracking is still possible.
Matomo is cheap to self-host and easy to maintain, via its Docker setup.
Cloudflare entering this space is cool, as it would save people from self-hosting stuff, further bringing cost down. But they are still a third-party that you, and your visitors, will have to trust.
Did you know that Cloudflare sets a tracking cookie in every response, on every website, with no way to turn it off?
After seeing that cookie, with no clear explanation to how it is used, my trust in them was shaken. Now they are getting into analytics, so I guess I now know why it's there.
And therefore my worry as a user. You can block requests to Google Analytics, but blocking requests to Cloudflare essentially means blocking the Internet. Checkmate content blockers ;-)
> You can block requests to Google Analytics, but blocking requests to Cloudflare essentially means blocking the Internet. Checkmate content blockers ;-)
You can still mostly evade their tracking: they're intentionally letting the Tor Browser through, most of the time[1]. Though it's still a tad annoying how they decided that legitimate Tor traffic may only come from the TBB, so you even have to fake certain headers for them to let plain Firefox over Tor use this feature[2].
Cloudflare is a threat to privacy and security with their "Flexible" SSL/TLS option. With the click of a button, Cloudflare will happily strip the TLS connection off your visitors' requests and proxy it over plain-text back across the internet to your origin.
I reached out to Cloudflare on this 3 and a half years ago, asking if they could at least inject a header like X-CF-SSL: Flexible or something to indicate to the end-user that their connection was in fact not secure. Extension developers could then use this header to inform the user that this was happening. I was told that they would "pass it along", but of course nothing has changed.
CloudFlare will give you a privately signed, 15-year certificate to use to secure communication between Cloudflare and your origin in the event you can't get a publicly signed certificate, so there's really no excuse to continue to allow this terrible feature.
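As an added example (not code from this thread or from Cloudflare), here is an origin-side audit that catches the Flexible mode described above by comparing the scheme the origin actually received with the visitor scheme Cloudflare reports in its CF-Visitor and X-Forwarded-Proto headers. The header semantics are taken from Cloudflare's documentation rather than from this page, and the sample requests are constructed.

```python
# Origin-side detection of Cloudflare "Flexible" SSL (added example).
# Flexible mode terminates TLS at Cloudflare's edge and forwards the request
# to the origin over plain HTTP, so the scheme on the origin wire (http)
# disagrees with the visitor scheme reported in CF-Visitor / X-Forwarded-Proto.
import json
import logging

log = logging.getLogger("tls-audit")

END_TO_END = "end-to-end-tls"  # visitor https, origin https
EDGE_ONLY = "edge-only-tls"    # visitor https, origin http (Flexible)
PLAINTEXT = "plaintext"        # visitor http, origin http
UNKNOWN = "unknown"            # no proxy headers: not behind Cloudflare


def visitor_scheme(headers):
    """Scheme the visitor used, per CF-Visitor (JSON {"scheme": ...}) or,
    failing that, X-Forwarded-Proto; None when neither is usable."""
    lower = {k.lower(): v for k, v in headers.items()}
    raw = lower.get("cf-visitor")
    if raw:
        try:
            scheme = json.loads(raw).get("scheme")
            if scheme in ("http", "https"):
                return scheme
        except (ValueError, AttributeError):
            pass  # malformed header: fall back to X-Forwarded-Proto
    xfp = lower.get("x-forwarded-proto", "").split(",")[0].strip().lower()
    return xfp if xfp in ("http", "https") else None


def classify(headers, origin_scheme):
    """Classify one request from its headers and the scheme the origin saw."""
    visitor = visitor_scheme(headers)
    if visitor is None:
        return UNKNOWN
    if visitor == "https":
        return END_TO_END if origin_scheme == "https" else EDGE_ONLY
    return PLAINTEXT


def audit(requests):
    """Count classifications over (headers, origin_scheme) pairs and log each
    Flexible-mode request so the stripped TLS shows up in origin logs."""
    counts = {END_TO_END: 0, EDGE_ONLY: 0, PLAINTEXT: 0, UNKNOWN: 0}
    for headers, origin_scheme in requests:
        kind = classify(headers, origin_scheme)
        counts[kind] += 1
        if kind == EDGE_ONLY:
            log.warning("visitor saw HTTPS but origin got plaintext for %s",
                        headers.get("Host", "?"))
    return counts


# Constructed sample requests, not captured traffic.
SAMPLE = [
    ({"Host": "example.test", "CF-Visitor": '{"scheme":"https"}'}, "http"),
    ({"Host": "example.test", "CF-Visitor": '{"scheme":"https"}'}, "https"),
    ({"Host": "example.test", "X-Forwarded-Proto": "http"}, "http"),
    ({"Host": "example.test"}, "http"),
    ({"Host": "example.test", "CF-Visitor": "?", "X-Forwarded-Proto": "https"}, "http"),
]
```

Running `audit(SAMPLE)` on an origin that only listens on plain HTTP reports every HTTPS visitor as `edge-only-tls`, which is exactly the Flexible misconfiguration to fix.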
Flexible SSL/TLS is useful as it truly does provide some of the benefits of a secure connection–it certainly prevents ISP ad injection and casual coffee shop network sniffing–but its major problem is the one you've identified, which is that it's difficult to distinguish from a "true" SSL connection. I suspect the people who are using this feature are doing so because they won't be using a secure connection at all otherwise, not because they are somehow unable to set up Let's Encrypt.
I've had Flexible SSL default on several times when setting up domains; it's not always a conscious choice. For small businesses who perhaps don't know any better, they move their site to CF, see the green lock in the browser and think everything is fine. It's an extremely dangerous feature and for a security company CF should really be doing better.
How would you go about helping small businesses who don't know any better do things correctly in a way that would be easy for those with sharply limited technical resources to implement?
Flexible SSL is a measurable security improvement over no SSL at all. I'd argue that end ISPs are far more likely to tamper with or inspect packets than the tier 1 providers between CF and your infra.
So, it's better than nothing. It doesn't make HTTP sites worse.
Of course they would, soon after they would start getting questions about that red lock next to their domain name. CloudFlare is here preventing browsers from doing the right thing.
So I just migrated some domains there recently just for DNS for the first time and I was really confused about that feature (some of it was turned on automatically).
UX-wise it seems they want you to have it on. Not sure why.
I recently started migrating a chunk of my personal domains to Cloudflare's registrar service, just to ensure that my renewal costs were being minimized and check out some of their other offerings.
I always thought of Cloudflare as mostly a WAF/CDN/DNS option but I was really shocked to see all of the available functionality that they provide. They already had some analytics available before this announcement. The option for workers as an edge computing option is great to know about as well. CNAME flattening is a really handy DNS feature too. I'm going to eventually migrate everything, but the built-in email proxy that I've had with Namecheap to this point means that I've got to go setup a replacement for each domain.
But I didn't realize that they'd even created a remote friendly business networking service. Cloudflare Access and Cloudflare Gateway specifically. I'm a little shocked that I haven't seen more news about these two options because it seems like their usage would be skyrocketing right now.
I was eager to transfer my domains, but they still require you to set nameservers to CloudFlare's, so that's still not a completely free registry-cost registrar in my book.
Having ~20 active domains, and a good registrar with reasonable prices is good enough and the potential $20-50 savings per year really isn't that meaningful if I have to move my nameservers to CloudFlare.
How is it better privacy-wise to give your users' data to big tech company B from California (Cloudflare) instead of big tech company A from California (Google)?
I as your user did not consent to you giving my data to anybody in the first place. In fact I did not even want YOU to collect data on me.
Surely the privacy problem is collecting your users' data and giving it away in the first place, not who you give it to?
The idea of Cloudflare over Google is in their business model to me.
Google is in the business of giving stuff away for free (mostly) and then harvesting as much data as they can to build ad profiles on you.
Cloudflare is in the business of charging money for their services (other than the free tier which is really just a sales funnel) and nothing I have seen from them is about selling or sharing that data in a non-anonymized way.
I'm not a fan of 3rd party either. I think my comments in this thread show that pretty clearly. However, we know that GA data is used to push sales of ads. Cloudflare is claiming that they are making their service without the sale to use of that data.
For those of us that are capable of setting up, maintaining, etc. a 1st party analytics package, a 3rd party solution will always bring up questions. For the 99.8% of the rest of the world, someone that allows them to copy&paste a bit of text that allows them a nice GUI to that data with charts and maps and pretty pictures, it is well worth it to them. Add on top that access to those analytics is not shared does seem to be a nice selling point. However, the 99.8% that want this type of service probably doesn't care/know/understand the difference between this and GA.
You know how in the police procedural dramas the detective has to tell people that they aren't from Immigration/DEA in order to get them to stop running away/talk to them?
It's the same Principle of Least Privilege. You divide power between parties that have no incentive to collaborate, and the little guy doesn't get squished as bad (or at least, as fast).
It's hard to take Cloudflare and Privacy seriously in the same sentence. Even with a basic implementation they have even more power over you and your customers than Google would (with a simple JS include) in so many ways.
The only way it adds privacy is by being more limited in some forms of tracking, but in the wider big data collection, tracking people across domains, etc, they really don't have much of an argument. Especially when they are working to control such a big % of internet traffic. It's still all going to a centralized DB where correlations can be done.
In many ways they could already vacuum up this information whether you enabled analytics or not.
Just because they claim not to be doing it, doesn't mean it's fundamentally privacy oriented.
Awesome, it's good to see more options in the backend/no-JS analytics space. Netlify has a product but it is of course limited to Netlify-hosted static sites. Cloudflare Analytics appears to be a lot more flexible since you only need to be using them for DNS in order for it to work.
These days, Google Analytics provides very unreliable data due to the usage of ad-blockers that happen to also block tracking scripts.
Even more so when the audience is tech-literate.
Glad I can do my part! If only I could pollute Google's data further.
Even though this offering from Cloudflare is something from another 3rd party, I'm going to watch it to see how it pans out. However, it would be even more impressive if they offered a 1st party version. The JS runs on the same domain, it points to a database you control, and only your org has access to the data.
How is that what I just described? That's another 3rd party analytics system. The difference from GA is that you have to pay for it. Your data is still leaving your site, and being stored on a 3rd party. That means having 3rd party JS includes. That means it gets blocked. Did I miss something in buried text for a 1st party version?
That's a horribly irresponsible title, even for Fortune.com. Cloudflare isn't on a "privacy crusade". They're on a control everything crusade. We'll have less privacy because of them, not more.
I can't keep from thinking this is a misguided step. If they are going after the Google Analytics market of non-paying users maybe they are able to lure some, but remember that these are non-paying users so they are not likely to bring much revenue anyway; Google can justify it because it sells the value of their ad business. On the other hand there's an enterprise market they just can't compete with, a market where Google is #2 and Adobe is #1.
So they are spending a lot of valuable eng cycles and a ton of computing resources to go after a very narrow and low revenue market.
Cloudflare is a business, and businesses exist to make money. So anything they do ultimately has an ulterior motive of getting more business. Even if it is a loss leader type of service.
However, could it possibly be that there is a company that has decided that they could give back to the community they make money from to push back against the hoovering of all data just because? I currently use no Cloudflare service(s), but small things like this get my attention.
Static hosts like Netlify or Vercel don't play nice with Cloudflare, so if you come for the analytics you might stay for their static CDN and serverless stuff as well.
This is very interesting, if it's not arbitrarily limited hit/etc wise it could be a great solution to some of my problems.
One of my sites has been flirting with the Google Analytics data limits, and all the options I have looked into for addressing that or moving off GA seem like they would reduce usefulness dramatically, take lots of work, lots of money, or lots of extra hardware.
From a quick look, I don't see any limits mentioned for this, so if it's just the typical incredibly high CF limits, it would be very welcome news.
The main thing Cloudflare lacks for this sort of thing is a proper member directory with delegated access to zone edits/analytics/security stats. You can get this, but it costs a lot of money through their Enterprise plan, which puts small/medium sized businesses/agencies out of it.
It's interesting to see a multi-billion dollar company step into the privacy-first analytics scene. Moving from one centralized, tech giant to another. I was so fired up that I wrote this: https://usefathom.com/blog/big-tech-vs-fathom