It’s a bit more about how miserable it is to work with Cloudflare and their unwillingness to remove abuse in general, opting to say they’re “not the host” and that they cannot tell you where it is but they cannot do anything. It’s hardly an ethical decision to say that phishing and bulletproof hosting aren’t the bedfellows you want.
skullgiver@popplesburger.hilciferous.nl 3 months ago
garrett@infosec.pub 3 months ago
There’s a balance to be struck here but Cloudflare is truly the most miserable entity I have to work with from an abuse perspective. They’re not necessarily “ignoring” warrants but most phishing doesn’t get reported with a legal takedown request. In those cases, Cloudflare will be almost intentionally obtuse. I’m happy to outline the misery of a host working with Cloudflare but it’s not necessarily important to this. TL;DR: Cloudflare takes steps that don’t make sense for its “we’re not responsible” stance while also having zero automation in the year of our lord 2024.
I suppose everything could be a legal request, but that just makes the whole process so infinitely worse for NGOs like Spamhaus and only serves to make lawyers excited that their consultation fees are going up. I see that the laziest pathway is “YouTube-like strikes”, which is misery as well, but they could just shift to investigating accounts receiving a high volume of reports as potential fraud or abuse actors, since it is a drag on their services and these accounts are not paying or are paying with stolen credit cards.
Ultimately, I don’t disagree with you that much but there’s a lot of room for CF to improve their management of fraud & abuse without becoming a trash platform or invalidating legal protections.