Hi David,
there are some important downsides to using CloudFlare for HTTPS, especially for non-US servers. While it does help protect customers from attackers on their local network, at the same time it opens them up to attacks from NSA etc. by directing all your data through a US company's data centers. But what's even more important even if one doesn't care about the spooks is Cloudflare's obnoxious CAPTCHA practice. You wouldn't believe how many sites want me to solve one (i.e. several screens of) of Google's usual train-our-AI CAPTCHAs every freaking couple of minutes simply because I'm in Laos. Or when I use a VPN via my server in Europe. Or when I'm on mobile in Thailand. Client sites don't even notice Cloudflare is doing this and when you test from one of the better-known ISPs you're not subjected to it, but it's so annoying here the site has to be really really important for me to put up with it. For Cloudflare that results in statistics that sell - look how many people didn't get past the CAPTCHA, those were all bots that we're protecting your from!!! - but in reality it's often annoyed people taking their business elsewhere.
Configuring your server to use LetsEncrypt is pretty easy, there are many good tutorials for it already. By all means use Cloudflare if you have trouble with being slashdotted or some other scaling/DOS problem, but for users' privacy and convenience doing it yourself is the much better way.
Thank you for the information, Matthias. First time I hear about the practice of CAPTCHAs by Cloudafe - sounds quite tedious for any real user. I will do my research on LetsEncrypt and add a section about it on this post (with the corresponding credit). Thank you again.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Hi David,
there are some important downsides to using CloudFlare for HTTPS, especially for non-US servers. While it does help protect customers from attackers on their local network, at the same time it opens them up to attacks from NSA etc. by directing all your data through a US company's data centers. But what's even more important even if one doesn't care about the spooks is Cloudflare's obnoxious CAPTCHA practice. You wouldn't believe how many sites want me to solve one (i.e. several screens of) of Google's usual train-our-AI CAPTCHAs every freaking couple of minutes simply because I'm in Laos. Or when I use a VPN via my server in Europe. Or when I'm on mobile in Thailand. Client sites don't even notice Cloudflare is doing this and when you test from one of the better-known ISPs you're not subjected to it, but it's so annoying here the site has to be really really important for me to put up with it. For Cloudflare that results in statistics that sell - look how many people didn't get past the CAPTCHA, those were all bots that we're protecting your from!!! - but in reality it's often annoyed people taking their business elsewhere.
Configuring your server to use LetsEncrypt is pretty easy, there are many good tutorials for it already. By all means use Cloudflare if you have trouble with being slashdotted or some other scaling/DOS problem, but for users' privacy and convenience doing it yourself is the much better way.
Thank you for the information, Matthias. First time I hear about the practice of CAPTCHAs by Cloudafe - sounds quite tedious for any real user. I will do my research on LetsEncrypt and add a section about it on this post (with the corresponding credit). Thank you again.