> We have taken the exceptional step of using our ability to modify HTML on the fly to replace references to the polyfill.io CDN in our customers’ websites with links to our own, safe, mirror created back in February.
I get that they want to do a good thing, but is this something you agree to when you sign up as a Cloudflare customer? If so, that’s kind of crazy.
edit: I am talking about both free and paid users. A toggle does not discount my question whatsoever, especially if this is on by default for free users. I am asking specifically about terms of service.
People are often using Cloudflare to improve the security of their site. I think in this case, if they failed to act when they could, that would be worse.
> It does show that you have to trust Cloudflare, which seems like a safe bet given their desire to keep the internet secure.
This is assuming that Cloudflare's interests will now and always align with your own interests, and that their desire to "keep the internet secure" will never lead to them actually screwing over you and your customers.
It's a lot like many classic AI Sci-Fi stories. If their mission ever comes into conflict with your real interests, a mission statement that sounds perfect in theory can suddenly become very very dangerous.
> This is assuming that Cloudflare's interests will now and always align with your own interests, and that their desire to "keep the internet secure" will never lead to them actually screwing over you and your customers.
This is literally the tradeoff of using any SaaS/PaaS/IaaS vendor. Every single one. It's not unique to Cloudflare in any way.
Correct. I'm just noting that Cloudflare's mission to keep the internet secure doesn't make them a "safe bet" for any given company, no more so than any other provider.
"Safe" is subjective. Someone else with different values might consider them an extremely safe bet. After all, they're financially secure, reliable (by all accounts), trusted by lots of folks, and have a track record of not fucking up too badly.
True, but they say "we decided". That implies they could also have decided to turn it on immediately. And they did for the log4j and Shellshock issues.
I can’t think of an enterprise use case where someone would be upset they did that. Can you? I’m struggling. I helped triage the log4j incident in a pretty traumatic week and was pretty happy they took the steps they did. It’s like, kind of what you are paying for.