Cloudflare is a DNS and reverse-proxy provider that is famous for its DDoS protection for websites. This sounds harmless: a company is offering DDoS protection for websites, probably at a cost.
That is where you would be wrong; Cloudflare's basic DDoS protection is completely free. We have all heard the saying, "If you're not paying for it, you're the product" (unless it's FOSS, where everyone actively makes the product better, but maybe I should go outside and stop overthinking things), and it applies here. What could Cloudflare be getting from its DDoS protection?
First, how does Cloudflare's DDoS protection work?
- Your resolver asks Cloudflare's DNS for the IP address of the website.
- Cloudflare answers with one of its own IPs, not the address of the real server.
- You send your request for the website to that Cloudflare IP.
- Cloudflare receives your request, inspects it, and then makes its own request to the real website, acting as the user.
- Cloudflare gets the response from the real website.
- Cloudflare forwards the response to you.
You request the IP address of a website from Cloudflare; this could be a risk if Cloudflare starts giving you different IPs or if they log that you made the request. We already know that Cloudflare counts the queries made to its DNS server, so it's safe to assume they do the same for the websites they are the authoritative DNS server for. These risks are the same for every DNS server, and there is not much that can be done to stop them.
Cloudflare sending a request to the website on your behalf is the scary part. Cloudflare does some checks on the request to make sure nothing sketchy is going on, then accepts it. This means Cloudflare has to be able to read all the data that you and the server send to each other. Cloudflare can also edit or change anything, in either direction. The scariest part is if they scan the contents of what is sent and data mine it.
Looking at how Cloudflare works, even if SSL is enabled on your web server, the visitor's connection ends at Cloudflare: Cloudflare presents its own certificate for your hostname, so the browser shows the site as secure, decrypts the traffic at its edge, and then opens a separate connection to your server (over HTTPS or, depending on how you configured it, plain HTTP). You never hand over your server's private key, but in reality not only the website but also Cloudflare can see all the data.
Even if Cloudflare does no data mining, if Cloudflare gets hacked, the attackers can see all the data sent through it. Know what data is sent in plain text inside the SSL tunnel? Usernames and passwords. The passwords are the scary part, as the attackers would be able to read yours and everyone else's. If you reuse that password everywhere, then you are doomed, as these attackers don't need access to any database and don't need to crack any password hashes.
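As an added check (example code written for this edit, not from the original post): a small Python script that decides whether a hostname is being fronted by Cloudflare, using the A records your resolver returned and the headers of an HTTP response. The range list is a hand-copied snapshot of Cloudflare's published https://www.cloudflare.com/ips-v4 and should be refreshed from there before you rely on it; the hostnames, IPs and the CF-RAY value in the sample data are constructed.

```python
import ipaddress

# Snapshot of the IPv4 ranges published at https://www.cloudflare.com/ips-v4
# (assumption: copied by hand for this example; refresh from that URL).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_ip(ip):
    """True if the address falls inside one of Cloudflare's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def classify(hostname, resolved_ips, response_headers):
    """Decide whether traffic to `hostname` passes through Cloudflare's proxy.

    resolved_ips:     the A records your resolver returned for the host
    response_headers: headers from an HTTP(S) response to that host
    Returns the evidence as well as the verdict, so you can see *why*.
    """
    proxied_ips = [ip for ip in resolved_ips if is_cloudflare_ip(ip)]
    headers = {k.lower(): v for k, v in response_headers.items()}
    # cf-ray / cf-cache-status are added by the Cloudflare edge, and the
    # Server header is rewritten to "cloudflare" for proxied hosts.
    header_hits = [h for h in ("cf-ray", "cf-cache-status") if h in headers]
    if headers.get("server", "").lower() == "cloudflare":
        header_hits.append("server")
    return {
        "host": hostname,
        "proxied": bool(proxied_ips) or bool(header_hits),
        "cloudflare_ips": proxied_ips,
        "header_evidence": header_hits,
    }


def live_check(hostname):
    """Same check against the real network (needs connectivity; not used by the sample)."""
    import socket
    import urllib.request
    ips = sorted({r[4][0] for r in socket.getaddrinfo(hostname, 443, socket.AF_INET)})
    with urllib.request.urlopen(f"https://{hostname}/", timeout=10) as resp:
        headers = dict(resp.headers)
    return classify(hostname, ips, headers)


# Constructed sample data: one host behind Cloudflare, one served directly.
SAMPLE_PROXIED = classify(
    "shop.example", ["104.16.132.229"],
    {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f6789-LHR"})
SAMPLE_DIRECT = classify(
    "blog.example", ["203.0.113.7"], {"Server": "nginx/1.24.0"})

if __name__ == "__main__":
    for result in (SAMPLE_PROXIED, SAMPLE_DIRECT):
        print(result)
```

Run `live_check("yourdomain.example")` for each of your own hostnames to find out which of them have a Cloudflare IP in front of them; the DNS answer alone is enough, the headers are a second, independent signal.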
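To make the "Cloudflare sees everything" point concrete, here is an added model of a TLS-terminating reverse proxy in Python (example code for this edit, not Cloudflare's software or anything from the original post). The request is a constructed login POST exactly as it looks after the edge has decrypted the visitor's TLS session; the origin server, the hostnames and the injected script URL are all made up. The point it demonstrates is that whoever runs the proxy, or has compromised it, gets the plaintext of both directions and can rewrite either.

```python
from urllib.parse import parse_qs

# Constructed request as the edge sees it after decrypting the visitor's TLS
# session: the browser encrypted it to the proxy's certificate, not the origin's.
DECRYPTED_LOGIN_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"username=alice&password=hunter2%21"
)


def parse_http_request(raw):
    """Minimal HTTP/1.1 request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body[:length]}


def origin_server(request):
    """Stand-in for the real web server behind the proxy (constructed)."""
    if request["target"] == "/login":
        return {"status": 200, "headers": {"content-type": "text/html"},
                "body": b"<html><body><h1>Welcome back</h1></body></html>"}
    return {"status": 404, "headers": {"content-type": "text/html"},
            "body": b"<html><body>not found</body></html>"}


class EdgeProxy:
    """Model of a TLS-terminating reverse proxy.

    It holds the plaintext of every request and response, so it can log,
    copy or rewrite either one. `captured` is what the operator (or whoever
    hacked the operator) walks away with.
    """

    def __init__(self, origin, inject=b""):
        self.origin = origin
        self.inject = inject      # markup appended to every HTML response
        self.captured = []        # (host, username, password) tuples

    def handle(self, raw_request):
        req = parse_http_request(raw_request)
        # The "security checks" need the plaintext; so does everything else.
        if req["headers"].get("content-type") == "application/x-www-form-urlencoded":
            form = parse_qs(req["body"].decode("utf-8"))
            if "password" in form:
                self.captured.append((req["headers"].get("host"),
                                      form.get("username", [""])[0],
                                      form["password"][0]))
        resp = self.origin(req)
        # Rewriting the response is as easy as reading it.
        body = resp["body"]
        if self.inject and b"</body>" in body:
            body = body.replace(b"</body>", self.inject + b"</body>")
        headers = dict(resp["headers"])
        headers["content-length"] = str(len(body))
        return {"status": resp["status"], "headers": headers, "body": body}


def demo():
    """Run the constructed login through the proxy; returns (captured, response)."""
    proxy = EdgeProxy(origin_server,
                      inject=b'<script src="//tracker.example/t.js"></script>')
    resp = proxy.handle(DECRYPTED_LOGIN_REQUEST)
    return proxy.captured, resp


if __name__ == "__main__":
    captured, resp = demo()
    print("proxy captured:", captured)
    print("visitor received:", resp["body"])
```

Nothing in the visitor's browser distinguishes this from talking to the origin directly: the certificate is valid for the hostname, the padlock is shown, and the response is well formed. The same holds for the real Cloudflare edge; the only question is what the operator does with the plaintext.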
If you use Cloudflare for the free SSL certificates, please use Let's Encrypt instead; it is a free, publicly trusted certificate authority, and the certificate and private key stay on your own server.
If you use Cloudflare for the DDoS protection, you can use iptables on Linux to block connections from bad sources, and there are many lists of IP addresses to block online. Keep in mind that this only drops packets that have already reached your server, so it helps against abusive clients but not against traffic that saturates your uplink.
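An added helper for the iptables route (example code for this edit, not from the original post): a Python script that reads a blocklist in the usual one-entry-per-line feed format, validates and collapses the entries with the standard `ipaddress` module, and emits `ipset` plus `iptables` commands. Loading thousands of addresses into one `ipset` set and matching it with a single rule is much cheaper than one iptables rule per address. The feed contents below are constructed; the set name `blocklist` is an arbitrary choice.

```python
import ipaddress

# Constructed blocklist in the common feed format: comments, blank lines,
# bare IPs, CIDRs, an IPv6 range and one garbage entry.
SAMPLE_BLOCKLIST = """\
# example feed, generated 2024-01-01 (constructed)
198.51.100.23
198.51.100.0/24
203.0.113.0/25
203.0.113.128/25
not-an-ip
2001:db8::/32
"""


def parse_blocklist(text):
    """Return (ipv4 networks, ipv6 networks, rejected (lineno, entry) pairs)."""
    v4, v6, bad = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append((lineno, entry))
            continue
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses merges adjacent ranges and drops entries that are
    # already covered by a wider prefix, so the set stays small.
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)),
            bad)


def ipset_commands(setname, nets, family):
    """ipset + iptables commands for one address family (inet or inet6)."""
    tool = "iptables" if family == "inet" else "ip6tables"
    cmds = [f"ipset create {setname} hash:net family {family} -exist"]
    cmds += [f"ipset add {setname} {net} -exist" for net in nets]
    # -C checks whether the rule already exists so re-runs don't duplicate it.
    rule = f"-m set --match-set {setname} src -j DROP"
    cmds.append(f"{tool} -C INPUT {rule} 2>/dev/null || {tool} -I INPUT {rule}")
    return cmds


def build(text, setname="blocklist"):
    """Turn feed text into a shell command list plus the entries it rejected."""
    v4, v6, bad = parse_blocklist(text)
    cmds = (ipset_commands(setname + "4", v4, "inet")
            + ipset_commands(setname + "6", v6, "inet6"))
    return cmds, bad


if __name__ == "__main__":
    commands, rejected = build(SAMPLE_BLOCKLIST)
    for lineno, entry in rejected:
        print(f"# skipped line {lineno}: {entry!r}")
    print("\n".join(commands))
```

Pipe the output into `sh` as root after reviewing it. Re-running it is safe because `-exist` and the `-C` check make the commands idempotent; to refresh a set atomically, build it under a temporary name and `ipset swap` it into place.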