Talk:Cloudflare/Archives/2022

This page is an archive of past discussions. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.

Founded year

Latest comment: 1 year ago3 comments2 people in discussion

Sidebar and article introduction disagree whether it's founded in 2009 or 10. --RubenKelevra (talk) 07:01, 1 August 2022 (UTC)

Good catch. According to the SF Gate story cited in this Wikipedia article: "CloudFlare started as a school project at Harvard Business School in January 2009. My classmate there, co-founder Matthew Prince, had already started working on the idea and he asked me to join in. When our project won the Business Plan Competition at Harvard, we knew the idea had huge potential. That summer, we moved to California and started collecting venture capital. One year later we launched."

Changed the date on the infobox accordingly. Cheers! 98.155.8.5 (talk) 08:00, 28 August 2022 (UTC)

@Funcrunch: Thanks for repairing the template. Sorry about that! Cheers. 98.155.8.5 (talk) 03:35, 29 August 2022 (UTC)

Why does Matthew Prince's name redirect to Cloudflare?

Latest comment: 1 year ago2 comments2 people in discussion

This seems like hiding in plain sight kind of situation? Shouldn't he have his own history? 87.121.95.54 (talk) 05:55, 1 September 2022 (UTC)

Either he's not notable enough to have his own stand-alone article, or no one has been bothered enough to write one about him yet. Endwise (talk) 07:21, 1 September 2022 (UTC)

Request Edit 2022

Latest comment: 1 year ago3 comments2 people in discussion

Part of an edit requested by an editor with a conflict of interest has been implemented. The reviewer would like to request the editor with a COI attempt to discuss with editors engaged in the subject-area first.

Hi, I have a few more suggestions for this article, including correcting several significant accuracy and NPOV problems . As noted previously, I have a COI as a Cloudflare employee, so I cannot make these changes myself. Thanks very much.

1. In Controversy, sub-section Reaction to 2022 Russian invasion of Ukraine

Please replace:

During the 2022 Russian invasion of Ukraine, Cloudflare refused to join the international community and withdraw from the Russian market. Research from Yale University updated on April 28, 2022 identifying how companies were reacting to Russia's invasion identified Cloudflare in the worst category of "Digging In", meaning Defying Demands for Exit: companies defying demands for exit/reduction of activities. ^[1]

With:

After Russia invaded Ukraine in late February 2022 Ukrainian Vice Prime Minister Mykhailo Fedorov^[2] and others^[3] called on Cloudflare to stop providing its services in the Russian market amidst reports that Russia-linked websites spreading disinformation were using the company’s content delivery network services.^[4] Cloudflare CEO Matthew Prince responded that “[i]ndiscriminately terminating service would do little to harm the Russian government but would both limit [Russian citizens’] access to information outside the country and make significantly more vulnerable those who have used us to shield themselves as they have criticized the government.”^[5] The company later said it had minimal sales and commercial activity in Russia and had "terminated any customers we have identified as tied to sanctioned entities."^[6]

Explanation: replaces WP: Primary with WP:RS; corrects NPOV issues; corrects factual errors ; includes WP:DUE.

2. The first paragraph in the Intrusions subsection of the Security and Privacy Issues section is a highly inaccurate accounting of the event (including a doctored quote), concerning an attack of the website 4chan by a hacker group called UGNazi via accessing Cloudflare’s back-end. The paragraph is sourced to two blog posts.

Here is the current version of the first paragraph]:

The hacker group UGNazi attacked Cloudflare in June 2012 by gaining control over Cloudflare CEO Matthew Prince's voicemail and email accounts, which were hosted on Google. From there, they gained administrative control over Cloudflare's customers and used that to deface 4chan. Prince later acknowledged, "The attack was the result of a compromise that allowed the hacker to eventually access my Cloudflare.com email addresses" and as the media pointed out at the time, "the keys to his business were available to anyone with access to his voicemail."^[7][8]

And here is a version that is actually accurate,:

On June 1, 2012, the hacker group UGNazi redirected visitors to the website 4chan to a Twitter account belonging to UGNazi by “hijacking” 4chan’s domain via Cloudflare. After initiating a password recovery for the Google Apps’ hosted email account of Cloudflare CEO Matthew Prince, UGNazi then allegedly tricked AT&T support staff into giving them access to his voicemail. Exploiting a bug in Google App’s two-factor authentication security procedures, the hackers allegedly used the voicemail-recovered password to access Prince’s email account without a second layer of authentication. Once in control of Prince’s email account, they were able to do a redirect of the 4chan domain through Cloudflare’s database.^[9][10]

Explanation: The current Wikipedia paragraph inaccurately says this was an attack on Cloudflare, rather than 4chan and it severely doctors a quote to omit text saying that the security “compromise” was with Google Apps – in order to imply it was a Cloudflare “compromise”:

Here is the actual quote from Maclean’s

“The attack was the result of a compromise of Google’s account security procedures that allowed the hacker to eventually access to [sic] my CloudFlare.com email addresses, which runs on Google Apps,” wrote CloudFlare’s CEO Matthew Prince.

And here is how it has been doctored on Wikipedia, to omit mention of Google:

“The attack was the result of a compromise that allowed the hacker to eventually access my Cloudflare.com email addresses” 

Either an accurate version of the event should replace the current version or the paragraph should just be omitted because it was only covered by two niche blogs and is not relevant to the history of the company. WP:NOTEVERYTHING, and WP:NOTNEWS).

3. In the Security and Privacy Issues section, Data leaks subsection, the first paragraph should be replaced because it is inaccurate, poorly sourced and violates WP:NPOV. Here’s the current version:

From September 2016 until February 2017, a major Cloudflare bug leaked sensitive data, including passwords and authentication tokens, from customer websites by sending extra data in response to web requests.^[11] The leaks resulted from a buffer overflow which occurred, according to numbers provided by Cloudflare at the time, more than 18,000,000 times before the problem was corrected.^{[12][13][14][15]}

Here is a suggested replacement:

In February 2017, a bug within Cloudflare's services was discovered by a Google engineer. According to USA Today, “When Cloudflare encountered a website with poorly-constructed HTML, data from other websites using Cloudflare's programs could leak onto those sites, making the data easy to read.” Cloudflare reported that there was no evidence that any sensitive information was leaked as a result of the Cloudbleed bug. It was fixed within a week.^[13]

Explanation: The current Wikipedia paragraph definitively states there was a bug that resulted in customer data being leaked, In fact, the USA Today source cited explicitly says that Cloudbleed "may have leaked" data, and Cloudflare was quoted in the USA Today piece saying that “there’s no sign the bug was exploited” by anyone. In the second sentence of the paragraph, three of the four sources are primary (all blog posts), and the fourth, USA Today, does not state “more than 18,000,000 times before the problem was corrected.” Without press coverage, cherry-picking details from company blog posts fails to establish encyclopedic relevancy. Instead it’s WP:OR.

4. In the [Cloudflare#Service outages|Service outages subsection] of the Security and Privacy Issues section, the first sentence is WP:CRYSTAL and should be removed. It reads:

Cloudflare outages can bring down large chunks of the web.[16]  

This is speculation about what may happen (and the source speculates about multiple CDNs, not just Cloudflare). The following two sentences are actual events.

Thanks again for considering these requests. Ryanknight24 (talk) 19:45, 23 March 2022 (UTC)

Partially Accepted

I accepted edits 1, 2, & 4 with minor modifications. Your suggested edit for issue 3 discussing Cloudbleed need some additional work, as your edit request appears to downplay the issue and leave out information. Other sources specifically note that there was leakage of "passwords, cookies, authentication tokens".^[17]

The current text could use still use improvement, so please discuss here if you think there are still edits required.

Jttx76 (talk) 18:39, 30 June 2022 (UTC)

@Jttx76: Hi, thanks very much for your comments and for implementing Proposals 1, 2, and 4 above. Regarding #3, It was certainly not my intention to downplay things, but while it’s true that the Today source I worked from does say that there is no evidence the exploit was used, TechCrunch article, as you noted in your reply, does say that Cloudbleed vulnerabilities were exploited. Strictly speaking, an argument could be made that USA Today is a more “prominent” source (as per WP:BALANCE) and therefore takes precedence over TechCrunch here. (There have also been questions over the years about the reliability of TechCrunch. WP:TechCrunch) But since at least one reputable source says that information was leaked, it seems to me that a more reasonable way to deal with the issue is to provide the information from both sources, as opposed to cherry-picking one of the two.

With that being the case, here’s my revised suggestion #3 above, which now includes both sources and attributes the reporting to each one as per WP:BALANCE:

In February 2017, a bug within Cloudflare's services was discovered by a Google engineer. According to USA Today, “When Cloudflare encountered a website with poorly-constructed HTML, data from other websites using Cloudflare's programs could leak onto those sites, making the data easy to read.”^[13] USA Today also reported that Cloudflare had said there was no evidence that any sensitive information was leaked as a result of the Cloudbleed bug,^[13] but TechCrunch reported that at least some sensitive information, including passwords, had in fact been leaked.^[18] After its discovery, the Cloudbleed bug was fixed within a week.^[13]

What do you think? Ryanknight24 (talk) 17:33, 14 July 2022 (UTC)

Kwii Farms

This section seems like a puff piece? 00:31, 2 September 2022 (UTC)

References

1. "Over 750 Companies Have Curtailed Operations in Russia—But Some Remain". Yale School of Management. Retrieved 28 April 2022.
2. Timberg, Craig; Zakrzewski, Cat; Menn, Joseph (4 March 2022). "A new iron curtain is descending across Russia's Internet". Washington Post. Retrieved 11 May 2022.
3. Moore, Logan; Vanjani, Karishma (25 March 2022). "These Companies Haven't Left Russia. Behind Their Decisions to Stay". Barrons. Retrieved 17 May 2022.
4. Stone, Jeff; Gallagher, Ryan (8 March 2022). "Cloudflare Rebuffs Ukraine Requests to Stop Working With Russia". Bloomberg. Retrieved 11 May 2022.
5. Brodkin, Jon (8 March 2022). "Cloudflare refuses to pull out of Russia, says Putin would celebrate shutoff". Ars Technica. Retrieved 19 April 2022.
6. Morrow, Allison (26 May 2022). "Crypto is dead. Long live crypto: Davos Dispatch". CNN. Retrieved 26 May 2022.
7. Simcoe, Luke (June 14, 2012). "The 4chan breach: How hackers got a password through voicemail". Maclean's. Archived from the original on January 15, 2014. Retrieved August 22, 2019. What makes the 4chan hack interesting is how it was done. UGNazi got to 4chan by attacking the site's host – a company called Cloudflare. 'The attack was the result of a compromise that allowed the hacker to access my Cloudflare.com email addresses, which runs on Google Apps,' wrote Cloudflare's CEO Matthew Prince. In Prince's case, the keys to his business were available to anyone with access to his voicemail.
8. Smith, Ms. (June 3, 2012). "Hacktivists UGNazi attack 4chan, Cloudflare and Wounded Warrior Project". Privacy and Security Fanatic. NetworkWorld. Archived from the original on November 12, 2013. Retrieved August 22, 2019.
9. Simcoe, Luke (June 14, 2012). "The 4chan breach: How hackers got a password through voicemail". Maclean's. Archived from the original on January 15, 2014. Retrieved August 22, 2019.
10. Smith, Ms. (June 3, 2012). "Hacktivists UGNazi attack 4chan, Cloudflare and Wounded Warrior Project". Privacy and Security Fanatic. NetworkWorld. Archived from the original on November 12, 2013. Retrieved August 22, 2019.
11. Conger, Kate (February 23, 2017). "Major Cloudflare bug leaked sensitive data from customers' websites". TechCrunch. Retrieved August 22, 2019.
12. Steinberg, Joseph (February 24, 2017). "Why You Can Ignore Calls To Change Your Passwords After Today's Massive Password Leak Announcement". Inc. Retrieved February 24, 2017.
13. Molina, Brett (February 28, 2017). "Cloudfare bug: Yes, you should change your passwords". USA Today. Retrieved March 1, 2017. Cite error: The named reference "USA Today" was defined multiple times with different content (see the help page).
14. "About Cloudflare". Cloudflare. Archived from the original on March 4, 2017. Retrieved 16 June 2021. Every week, the average Internet user touches us more than 500 times.
15. "Incident report on memory leak caused by Cloudflare parser bug". Cloudflare. February 23, 2017. Archived from the original on February 23, 2017. Retrieved 16 June 2021. 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulted in memory leakage.
16. Dodds, Io (12 June 2021). "Why the internet is just one domino away from collapse". The Telegraph. Archived from the original on January 12, 2022. Retrieved 13 August 2021.
17. Conger, Kate (February 23, 2017). "Major Cloudflare bug leaked sensitive data from customers' websites". TechCrunch. Retrieved June 30, 2022.
18. Conger, Kate (February 23, 2017). "Major Cloudflare bug leaked sensitive data from customers' websites". TechCrunch. Retrieved June 30, 2022.

Better example/attribution needed.

Latest comment: 1 year ago4 comments2 people in discussion

"Cloudflare has been accused of pinkwashing their message, by highlighting donations they have made to groups like The Trevor Project, an LGBTQ suicide hotline." I'm not really sure about this sentence. It was previously attributed to twitter users, which very likley isn't due weight, and now does attribute at all. The daily dot is a reliable source, but I think a better source with better attribution is needed. Thoughts? Ananinunenon (talk) 06:42, 2 September 2022 (UTC)

Another source has been added, regarding GLAAD asserting similar concerns:

Los Angeles Blade: Will it take another death to stop the spread of anti-trans hate online

Cheers! 98.155.8.5 (talk) 07:29, 2 September 2022 (UTC)

Edited it to better reflect such. Cheers! Ananinunenon (talk) 07:51, 2 September 2022 (UTC)

Yeah, well done! Thanks! 98.155.8.5 (talk) 07:56, 2 September 2022 (UTC)

Contributes to hate/far right

Latest comment: 1 year ago2 comments2 people in discussion

This statement is politically biases and is explicitly staying that if it weren't for cloudflare they would be able to ddos the sites and noone could use them. Criminal activity. This kind of nonsense doesn't belong in an unbiased article. 90.210.240.179 (talk) 12:19, 8 September 2022 (UTC)

I have made the material reflect what the source says. Endwise (talk) 12:44, 8 September 2022 (UTC)

Make far-right content section a subsection of terrorism section

Latest comment: 1 year ago3 comments3 people in discussion

It would make the article look neater and less chaotic but people keep reverting my edits Skibidabappundada1-41 (talk) 21:50, 8 September 2022 (UTC)

None of the content that you're trying to group under that section has been described as terrorism in the sources on this page. You would need sourcing to support that arrangement. GorillaWarfare (she/her • talk) 17:38, 9 September 2022 (UTC)

Not to mention the fact that official definitions regarding domestic terrorism are generally far more stringent than what is applied in the international realm. Cheers. 98.155.8.5 (talk) 22:15, 10 September 2022 (UTC)

Switter

Latest comment: 1 year ago12 comments3 people in discussion

Found an article from Vice News that discusses Cloudflare's position on this:

Cloudflare: FOSTA Was a 'Very Bad Bill' That's Left the Internet's Infrastructure Hanging

Feel free to help improve this section of the article, thanks! 98.155.8.5 (talk) 19:15, 1 September 2022 (UTC)

Also, a quick word on why this is perhaps significant and worthy of inclusion: in part because of Cloudflare's strong and seemingly uncompromising stance on free speech. For example, did they file any legal challenges to the SESTA laws and stand up for freedom of expression? I'm not sure, because I haven't looked into it enough yet, but it does seem relevant in terms of the history of the company and the libertarian values of their CEO, Matthew Prince. Cheers! 98.155.8.5 (talk) 19:28, 1 September 2022 (UTC)

It also quoted in "The Digital Closet: How the Internet Became Straight", page 164, as a specific example of the effect of FOSTA on sex workers. Misc (talk) 23:23, 1 September 2022 (UTC)

That's also given as a example in this 2022 paper https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4095115 . I think that given it is quoted in at least 2 academics publications, it might be significant enough to be mentioned. Misc (talk) 23:29, 1 September 2022 (UTC)

@PBZE and Ptrnext: Hi, let's discuss here rather than edit-warring! Cheers. 98.155.8.5 (talk) 01:21, 2 September 2022 (UTC)
Okay, I've put a bit of effort into this section of the article, and I hope it is balanced enough for folks. Cheers! 98.155.8.5 (talk) 23:53, 2 September 2022 (UTC)

Hello @98 dot, I'm rather questioning the existence of this sub-subsection rather than concerns with the balance. This sub-section was removed for (ir)relevance by multiple editors under 40 hours of you first adding this, but you reverted asking to seek consensus here. At that point, you should be the one trying to seek consensus on its inclusion.

Switter itself is not notable, sources reported about it when Cloudflare dropped them and when it closed down. There is no reason why it should be mentioned under Cloudflare controversies. It was a one-off incident which was caused due to the passage of law. Switter soon/eventually found a different CDN and its demise years later was not related to Cloudflare. There were no after-effects due to Cloudflare dropping them, besides some downtime and additional costs. The fact that you dug up a news about them four years after it happened and include it under 'Controversies' is a good indication that it probably shouldn't be included.

"Also, a quick word on why this is perhaps significant and worthy of inclusion: in part because of Cloudflare's strong and seemingly uncompromising stance on free speech." Damn if he does, damn if he doesn't, eh – the company can't win. Not dropping bad actors is a legitimate controversy, but dropping someone per terms the client signed up for isn't. Also, many events receive coverage in the news and yet are not of historic or lasting importance. This one is an isolated incident, and isn't worth mentioning here.

The other issue with @PBZE reverting the tag I added was about the length of 'controversies' and 'issues' sections in the page. When you look at Big Tech companies which have significant controversies, we don't drown the page with it. When it grows significantly, we fork it to a new page. (e.g. see Microsoft#Controversies and Criticism of Microsoft). Or balance it. Ideally Cloudflare page should be fixed to not overwhelm it with controversies and make it balanced section-wise.

Thanks, Ptrnext (talk) 04:55, 7 September 2022 (UTC)

Thanks for your comments. Switter on its own is perhaps not super notable, but the impacts on Section 230 and ramifications of SESTA I think, are important. I believe it's also of general relevance because Switter is one of only a small handful of clients that has *ever* been dropped by Cloudflare, including 8chan, The Daily Stormer, and now Kiwi Farms. Perhaps this info can be made to focus more on Section 230 and SESTA, as it relates to Cloudflare and Switter. I will think about how to change the presentation of this information in the next few days.

Agreed that ideally the page could be balanced with more info about Cloudflare itself as a company, its finances, and services, etc. but I will leave that to someone else who is more knowledgable about their history and business operations. Cheers! 98.155.8.5 (talk) 06:30, 14 September 2022 (UTC)

"...but the impacts on Section 230 and ramifications of SESTA I think, are important" Not sure I understand this, do you mean Cloudflare dropping Switter had an impact/affected Section 230 and SESTA? If so, how?

"Switter is one of only a small handful of clients that has *ever* been dropped by Cloudflare" To me, this is a false analogy, because the latter were dropped by Cloudflare for their notoriety, but not Switter (it was a victim of passage of law), so this criticism belongs in SESTA criticisms, not here.

Thanks, Ptrnext (talk) 09:09, 16 September 2022 (UTC)

Not sure I understand this, do you mean Cloudflare dropping Switter had an impact/affected Section 230 and SESTA? If so, how?

The opposite. SESTA's impact on Cloudflare's ability to do business, and the weakening of Section 230 protections for infrastructure providers. 98.155.8.5 (talk) 22:17, 16 September 2022 (UTC)

Exactly, so this is on SESTA. Cloudflare and therefore Switter are both victims here. Now, it would be a Cloudflare controversy if the public launched a campaign or demanded service to Switter be reinstated – but nothing of that sort happened. Best, Ptrnext (talk) 22:57, 16 September 2022 (UTC)

Yeah, it shouldn't be under the "Controversies" section necessarily. Perhaps the Controversies title itself needs to be changed, or separated into a couple different broader things. I'm not sure exactly what though. Cheers! 98.155.8.5 (talk) 04:37, 17 September 2022 (UTC)