Author did a surprisingly good job hanging on to all the receipts to support his claim "cloudflare bad." But his alternatives are all CDN providers - which is not even the side of the business that makes Cloudflare unique and makes them money. The piece, thorough as it may be, does not offer alternatives to products that cover the exciting parts of their business and I was looking forward to seeing what those were - for example Tailscale or Pangolin (open source alternative to Cloudflare Tunnels) or equivalents for serverless/edge compute. This makes it feel as if the author does not _really_ understand Cloudflare's role/position and that this article is just a collection of links that report on the company's (valid) imperfections. For example, their Workers platform, DDoS protection, and software-defined network functions (WAN, firewall, Zero-trust, etc.) have made my life as a developer in my last few roles very productive and successful. And migrating away from those services was just as easy as signing up.
It might sound like I am defending Cloudflare, but I am not. I share the author's concern about them becoming a monopoly that MITMs a lot of the Internet. But the author provides no evidence for this claim. My experience has been the opposite: Cloudflare interoperated with legacy systems and other cloud providers without locking us in or using anti-competitive tactics. Their presence often improved integration even when other vendors didn’t reciprocate. When people flock to a service because it’s genuinely useful rather than "can't leave Hotel California", that’s not a monopoly — it’s market preference.
That said, there is a real risk if innovation stalls or leadership becomes greedy. Companies that stop innovating sometimes resort to aggressive or extractive practices to stay relevant. It seems to be the trend once companies get too big to die - innovation stalls and their flywheel slows and they become desperate (or greedy) to stay relevant. I would monitor for those signs before I sound any alarm.
The Internet runs at the will of the government(s). Every government (national, regional, local) has regulations that must be obeyed. Depending upon where you live, some of those regulations may be kept secret from those most affected. An entity like Cloudflare is a juicy target that can be used cooperatively, or abused uncooperatively by those enforcing the regulations.
So Cloudflare has solved one problem (DDoS), while creating several new ones, which most people feel is a fair trade, but it's not a perfect world and there is no perfect solution.
> Cloudflare has become a highly attractive target for state-sponsored attacks, suffering from recurring breaches. Their sheer scale, considering that they are serving a substantial portion of the internet, means that an outage or compromise could have widespread, costly consequences.
I'm unsure how much of these can actually be called "attacks" rather than "complying with local laws" that lets them operate in a lot of countries. Including hostile ones.
They really don't segment customer data sufficiently to mitigate this either. Cloudflare even officially says that they don't actually enforce even Regional Services and you have to do that yourself as a customer. The rest of the customers get even fewer guarantees than that.
Have fun, three-letter agencies.
https://developers.cloudflare.com/data-localization/limitati...
> Regional Services operates on your hostname's IPs. We recommend using DNSSEC and/or DNS over HTTPS to ensure that DNS responses are secure and correct.
This of course is funny considering how Cloudflare has used the same DNSSEC key signing key for ⪆10 years. It also doesn't mention BGP hijacks or similar MITM attacks, because there's also not much anyone besides Cloudflare can do against that.
It's pretty disappointing that the author (writing in 2025) says "perhaps to maintain its status as the world’s largest botnet operator," and links to a Spamhaus report from Q1 of 2020.[0]
If you check the most recent version of the report from Spamhaus (Jan to June 2025)[1], Cloudflare is nowhere to be seen, and Digital Ocean, who they recommend as a Cloudflare alternative, is listed as third-largest botnet host in the world.
Looking back through the historical reports, this isn't a new phenomenon: in Q4 of 2022 Digital Ocean was ranked #2 and Cloudflare was down at #17.
[0] https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-thre...
[1] https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-thre...