I totally get the intention behind this and the final outcome is definitely a safer internet. It's also somewhat justified considering the author has mentioned they never controlled its domain, yet the library has been distributed through that domain, correct? This is a reflection of the extremely poor security practices in the web development world.
At the same time, there is a wrongness in Cloudflare being able to overwrite content and changing the 'truth'. I'm like that Larry David gif, I just don't know how to process this.
One more thing to note, if you go to the polyfill repo, they've also mentioned they're using Cloudflare to distribute the library.
https://github.com/polyfillpolyfill/polyfill-service/commit/...
For me, this is why it makes sense: customers on Cloudflare sign up (at least in part) for Cloudflare to protect them against attacks.
Cloudflare is all about changing the "truth". When your site is behind Cloudflare, they block many requests to your site. The lock in the browser can be lies. Cloudflare is decrypting that content - and if the site owner hasn't set up TLS between Cloudflare and the backend, it's being re-transmitted over the internet unencrypted. On paid plans, Cloudflare will compress images and swap in their version. Cloudflare will compress an uncompressed response before returning it. Cloudflare will take the HTML returned by your backend and obfuscate any email addresses in that HTML before sending it along to the browser.
Your server returns a page with evil-polyfill/bad.js and Cloudflare inspects the HTML and rewrites it to say good-polyfill/good.js.
You might not want this behavior and you can shut it off in Cloudflare, but it seems like a reasonable default given that customers have signed up for a product meant to protect them against attacks. Cloudflare has never been about passing back the raw HTML it receives from the backend or passing along the raw requests it receives from browsers.
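The rewrite described above, as an added Python example that is not Cloudflare's code: a page referencing a distrusted polyfill host is copied through unchanged except for those `<script src>` values, which are repointed at a mirror, and each swap is recorded so it can be logged. The mirror host `mirror.example` is a placeholder assumption; the distrusted hosts are the ones named in this thread.

```python
"""Swap <script src> references from a distrusted CDN host to a trusted mirror, the
edge-side HTML rewrite the thread describes. Added example, not Cloudflare's code."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

DISTRUSTED_HOSTS = {"polyfill.io", "cdn.polyfill.io"}  # hosts named in the thread
MIRROR_HOST = "mirror.example"  # assumed placeholder: a mirror the operator controls

def redirect_src(src):
    """Return src with its host swapped to the mirror, or None if unaffected."""
    parts = urlsplit(src)
    if parts.netloc.lower() not in DISTRUSTED_HOSTS:
        return None
    # Only the host changes; scheme (even protocol-relative), path and query stay.
    return urlunsplit((parts.scheme, MIRROR_HOST, parts.path, parts.query, parts.fragment))

class ScriptRewriter(HTMLParser):
    def __init__(self, doc):
        super().__init__()
        self.doc, self.cursor, self.out, self.rewrites = doc, 0, [], []
        # Absolute offset of each line start, to turn getpos() into a string index.
        self.line_starts = [0] + [i + 1 for i, ch in enumerate(doc) if ch == "\n"]

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        new_src = redirect_src(src) if src else None
        if new_src is None:
            return
        lineno, col = self.getpos()
        start = self.line_starts[lineno - 1] + col
        self.out.append(self.doc[self.cursor:start])  # copy everything untouched so far
        # Rebuild the tag keeping every other attribute (integrity, crossorigin, async...)
        # in order; an SRI hash still only verifies if the mirror serves identical bytes.
        pieces = [name if value is None else f'{name}="{escape(new_src if name == "src" else value)}"'
                  for name, value in attrs]
        self.out.append("<script " + " ".join(pieces) + ">")
        self.cursor = start + len(self.get_starttag_text())
        self.rewrites.append((src, new_src))  # audit trail of what was swapped

def rewrite_html(doc):
    """Return (rewritten_html, [(original_src, new_src), ...])."""
    parser = ScriptRewriter(doc)
    parser.feed(doc)
    parser.close()
    parser.out.append(doc[parser.cursor:])  # copy the tail after the last rewrite
    return "".join(parser.out), parser.rewrites
```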
My question is when does Cloudflare start to inject ads into my content?
Is it a “shots fired” situation?
Because you know bullies and other bad people start testing the ground to see what they can get away with. That is why you slap them hard and quick on the first attempt, right away, so they see that they cannot fool around.
So I am asking: can it be that we have to say - well yeah, technically they are right - but stop right there doing that and never do it again!
They could make terms that they don’t serve vulnerable things from their cache and it is up for the customer to update or fix it - but they shouldn’t overwrite stuff, period.
> At the same time, there is a wrongness in Cloudflare being able to overwrite content and changing the 'truth'.
This is one of the many features of Cloudflare though: you can enable additional features that modify your website in various ways - whether it's image resizing or analytics or security scanning.
If you don't trust Cloudflare to deliver your website, then you shouldn't use Cloudflare.
I think GP’s point was more about the truth for the consumer of the site. As a user, I trust a site to deliver the content it intends to deliver. Of course this is just a trust by proxy with Cloudflare because you’re trusting the site’s judgment on who to trust. As a user of the site, it makes me just a little bit more uncomfortable knowing there’s another layer of indirect control over the content coming in.
Of course this is all just philosophical anyway. We’ve not even touched on external module usage.
Cloudflare can't just do this at will. This only applies to websites that have explicitly trusted Cloudflare with their TLS cert in order to protect themselves from cases exactly like this one.
Odd that github archived the repo claiming it contains malware. Was any of the malicious code even in the repo? I would guess it's only on the server they're serving the polyfill from, since it has very specific conditions for triggering.
Nobody tell him about the “Google Safe Browsing” censorship bloom filter list used by Firefox, Chrome, AND Safari.
Relevant today as ever given that the Supreme Court ruled that the 1A challenge to the executive branch asking big tech to censor doesn’t have standing to be ruled on.
Google has a big red button that can shut down any webpage on the internet for 99.9%+ of the web browsing public. There’s no bypass button in the UI like a TLS failure.
This is sort of exactly what cloudflare does, though. They host your content on their servers. They're serving a mirror of the original files from polyfill.io and browsers are getting the same original bytes. If it's a fact that pulling content from polyfill.io is a security issue, why wouldn't you want them to do this? The "truth" as you describe is a third party that you don't trust (who acquired a service you use from the original provider). The status quo is inherently bad. "We served your page for you, but without the injected code and with full compatibility" feels like an awfully nice thing for Cloudflare to do that they simply didn't need to do.
Cloudflare is rewriting the link on websites hosted on Cloudflare. I think it can be argued that those websites have in some sense opted in to some limited rewrites by Cloudflare? (Presumably they wouldn't be doing it unless their terms allowed it.)
"Contrary to what is stated on the polyfill.io website, Cloudflare has never recommended the polyfill.io service or authorized their use of Cloudflare’s name on their website. We have asked them to remove the false statement and they have, so far, ignored our requests. This is yet another warning sign that they cannot be trusted."
> We have taken the exceptional step of using our ability to modify HTML on the fly to replace references to the polyfill.io CDN in our customers’ websites with links to our own, safe, mirror created back in February.
I get that they want to do a good thing, but is this something you agree to when you sign up as a Cloudflare customer? If so, that’s kind of crazy.
edit: I am talking about both free and paid users. A toggle does not discount my question whatsoever, especially if this is on by default for free users. I am asking specifically about terms of service.
People are often using Cloudflare to improve the security of their site. I think in this case if they failed to act when they could, that would be worse.
> It does show that you have to trust cloudflare, which seems like a safe bet given their desire to keep the internet secure.
This is assuming that Cloudflare's interests will now and always align with your own interests, and that their desire to "keep the internet secure" will never lead to them actually screwing over you and your customers.
It's a lot like many classic AI Sci-Fi stories. If their mission ever comes into conflict with your real interests, a mission statement that sounds perfect in theory can suddenly become very very dangerous.
True, but they say "we decided". That implies they could also have decided to turn it on immediately. And they did for the log4j and Shellshock issues.
Unfortunately, neither of these early warnings seems to have gotten much attention. I wonder if there is some news site or service that would make suspicious ownership transfers of this sort more noticeable? Or maybe these types of supply chain changes actually happen all the time and we just got used to them?
Hi Matthew, Cloudflare just charged my card $235 with no prior warning (for a service I intended to cancel when I received the renewal reminder). I did not receive any renewal reminders, no advance notice of payment, no invoice. Nothing.
Is this normal operating behaviour for Cloudflare? This seems like very very bad anti-consumer behaviour?
Cloudflare's business model is literally to MITM their customers. They incidentally also get access to unencrypted versions of all HTTPS traffic to Cloudflare-enabled sites.
Setting a dangerous precedent, especially doing this by default (no opt-in needed).
But then again, if the people who carelessly include 3rd party dependencies (i.e. playing with fire) are those who use CF... they probably won't object to it :-)
They're a US-based man-in-the-middle for large parts of the internet, at the mercy of America's secretive FISA Court. There is no way they don't have a Room 641A.
They're US based now, but there's no guarantee it'll stay that way, if a buyer were to come along with enough money. I guess if your theory is correct then pressure would be applied to make sure any foreign buyout didn't happen.
In any case it's extremely unlikely to happen any time soon, but who knows what could happen 50 years down the line, especially if they were to lose market share or the internet fades from relevance.
I'm not accusing cloudflare of anything malicious, I want to be clear. But this polyfill wasn't originally malicious either, it was just eventually bought by a malicious actor.
My original comment was just commentary on the symmetry of the exploit and the mitigation, they're essentially the same vector.
Cloudflare shouldn't have such control over so large a part of the internet.
But since they do, they are right to use this control against malware.
Probably a good idea to not claim affiliation with cloudflare without permission.
Didn't his friend from work own and sell it?
It does show that you have to trust cloudflare, which seems like a safe bet given their desire to keep the internet secure.
The article says that if you are a paying customer this is off by default.
https://blog.cloudflare.com/polyfill-io-now-available-on-cdn...
In the earlier thread, there was a link to triblondon's post on 2024-02-25 where he urges users to remove that dependency:
https://x.com/triblondon/status/1761852117579427975
Doesn’t seem to make a lot of sense, does it?
In some grim future, who knows if Cloudflare will be the one under new owners re-writing payloads to serve adverts (or worse).
edit: I think my comment is being misunderstood, I'm not saying this will happen, there's just a neat symmetry between exploit and mitigation.
https://en.wikipedia.org/wiki/Room_641A