GoDaddy Helps Break the Internet by Hard Adopting CloudFlare CDN

Your website just got a boost!

We’ve updated your GoDaddy CDN with new features that make your site faster and safer.

Faster? NO. CloudFlare and all other CDNs can actually make my site SLOWER. I have tested this many times. In various instances, users have reported that the implementation of CDNs led to increased latency rather than improved performance, particularly for specific configurations or traffic types.

Safer? NO. CloudFlare’s code repositories were accessed during a breach, which means hacker(s) potentially have access to critical vulnerabilities and exploits. Additionally, there are concerns regarding outdated code being used by CloudFlare, as highlighted in a blog entry discussing a service delivery failure earlier this year[1].

More Private? NO. CloudFlare is tracking human users and blocking those it can’t track. This can prevent me from accessing my own web site if I protect my privacy on line.

Not only is CloudFlare not safer and faster, it is playing out to be a spy and censorship tool. Here are a few details that everyone should know.

CloudFlare is Breaking Encryption

A major issue is that CloudFlare disrupts the intended functionality of SSL by inserting itself between users’ web browsers and servers, transmitting much of the traffic UNENCRYPTED. This represents a significant security flaw, as it allows CloudFlare the potential to intercept sensitive data, including passwords and personal information. Such vulnerabilities could be exploited by attackers if they gain access to CloudFlare’s infrastructure, which has occurred in past incidents[2][3].

Furthermore, gaps in CloudFlare’s security controls have been identified that allow malicious users to bypass protections and target other customers on the platform[1]. This shared infrastructure model raises serious concerns about the overall security of data transmitted through their services.

How Could GoDaddy Allow This?

In my own tests, CDNs (content delivery networks) slow down my web site. I don’t want a CDN, so I followed the directions to turn this off and got the worst surprise yet, the toggle to turn the has been removed. CloudFlare is now mandatory? Does GoDaddy not know that CloudFlare has been hacked? Does GoDaddy not know that CloudFlare acts as a Man-in-the-Middle attack breaking browser to server SSL encryption? This is one of the final moves for the complete destruction of privacy on the planet earth, as far as the Internet goes. CloudFlare is a private company with no authority do what it is doing.

How did CloudFlare Get so Much Power?

Cloudflare has faced speculation and concern regarding its links to the National Security Agency (NSA), particularly in light of its position as a major provider of internet security services. Here are key points regarding this relationship:

– Public Stance on Surveillance: Cloudflare has publicly opposed mass surveillance programs, including those conducted by the NSA. The company has expressed its support for the USA FREEDOM Act, which aims to limit bulk data collection by government agencies, arguing that such practices are illegal and unconstitutional[15]. Cloudflare emphasizes the importance of due process and transparency in any law enforcement requests it receives.

– Participation in PRISM: In response to allegations about the NSA’s PRISM program, Cloudflare has stated that it has never been approached to participate in such programs. The company claims it has never received an order from the Foreign Intelligence Surveillance Act (FISA) court and actively challenges broad requests for data[16]. They maintain a policy of limiting data retention and disclosing any legal requests to affected customers whenever possible.

– Concerns Over Data Handling: Despite Cloudflare’s assurances, some critics remain skeptical about its potential cooperation with U.S. intelligence agencies. Concerns have been raised about the possibility that U.S. companies, including Cloudflare, could be compelled to provide data under U.S. law, including National Security Letters (NSLs) that do not require judicial oversight[17][18]. This skepticism is fueled by the understanding that U.S. companies must comply with local laws, which may include sharing data with government agencies.

– Implications of Being a U.S. Company: As a U.S.-based firm, Cloudflare operates under regulations that could require it to assist in surveillance efforts if requested by the government. This legal framework raises questions about privacy and data security for users relying on its services[17][18].

While Cloudflare publicly distances itself from NSA programs and advocates against mass surveillance, its status as a U.S. company subjects it to potential government scrutiny and legal obligations that could complicate its commitments to user privacy.

Single Company, Single Point of Failure

Hey, let’s run the entire Internet through one company. What could go wrong? Cloudflare operates one of the largest networks on the internet, with data centers in over 330 cities across more than 120 countries. This extensive reach allows Cloudflare to deliver content and services with minimal latency, enhancing the performance of websites and applications for users worldwide. The company processes an average of 60 million HTTP requests per second and 39 million DNS queries per second, showcasing its capacity to handle massive traffic volumes effectively … until it gets hacked or has an outage.

Security Risks: Centralizing services increases the stakes; if Cloudflare were compromised, it could potentially expose vast amounts of data or disrupt numerous services simultaneously.

What “Breaking the Internet” Actually Means

The Internet is intended to be broadly distributed without major points of failure which can be attacked. This is why people say that CloudFlare is breaking the Internet. CloudFlare is breaking the resilience of what is supposed to be a secure and self-healing web of computers and servers which automatically routes traffic around failed nodes. To break this for money, power, convenience or any other reason may be one of the last stupid nearsighted things humans ever do. You don’t realize it, but the now evaporating self-healing decentralized Internet has stood in the way of tyranny and world domination for decades. To rule the world with lies, the Internet, as it was intended to operate, must die. You will probably not loose connectivity to AI bots impersonating humans on social media or to Amazon sized online stores, but your connection to other humans will be progressively filtered and controlled, until it no longer exists. This is the type of breaking that CloudFlare is enabling by owning and centralizing control of Internet traffic. We will get exactly what we are stupid enough not to stop.

Censorship

If you doubt that CloudFlare will censor, please note that it already has done so. It can only do this if server owners allow it to be put in between their servers and Internet users, which they should not do!

• “Cloudflare has already said it will isolate and block Brazilian IP addresses from reaching ExTwitter” [12]
• “Cloudflare’s CEO stated that while they generally resist terminating services based on content, the immediate threat to human life justified their actions in this case.”[13]
• In 2017, Cloudflare terminated its services for The Daily Stormer, a neo-Nazi website, after it published an article mocking the victim of a violent incident. This is a case where CloudFlare, a private company, dictated what is permissible on the internet.[14]
• CloudFlare either now does or will in the future participate with Google in shadow banning web sites, stopping human traffic while allowing bot traffic to avoid arousing suspicion.

The point is they should not be given this power at all. The company should not exist.

Call GoDaddy and Request NO CloudFlare

I have been a loyal GoDaddy customer for decades and this mandatory CDN security hole is unacceptable, so I called GoDaddy.  They confirmed that the toggle is missing, that I can’t turn it off myself, that this was rolled out for all users–does that mean just all managed WordPress users?– and they opened a ticket to turn off the CDN for my site and to make this permanent, as they did previously, which was at that time never supposed to be undone!

CloudFlare, a Stealth Surveillance and Censorship Apparatus

Many of us tech savvy people have their own web sites like this one because big social media is controlling and censoring content. Installing CloudFlare allows that corporate censorship to extend to individuals with web sites. A creeping crud of communication control is at the door. CloudFlare is grabbing control of your private data as an arm of surveillance capitalism. In practical terms, this means that if you reasonably try to protect your online privacy using a VPN or other means, CloudFlare can block you from your own web site. It can act as a gate keeper to stop all human traffic to any site it “supports” which is a potential disaster for human rights and freedom.

What alternatives to GoDaddy do not and WILL NOT use CloudFlare?

With some research I found that you can get a VPS (Virtual Private Server) with GoDaddy or some other host and run WordPress on that. This option does require some server admin experience. This option will be faster than a shared host, and in some cases, even cheaper than a GoDaddy Managed WordPress instance.  So, that’s what I’m considering for this news/art blog if GoDaddy will not turn the CloudFlare CDN off.

Status of Request

GoDaddy has put in a trouble ticket for me to DISABLE the CloudFlare CDN, since they removed the toggle from the web interface. This will be noted in my account as a permanent change. Yeah right. GoDaddy is a great company with so many excellent employees. They have helped me well over the years, but I’ve heard that before about permanent changes to avoid CloudFlare. I’m going to give them 72 hours, and if they can’t deliver the goods, I’m going to consider moving this site to a different host.

Checking if Your Server is Behind CloudFlare

To determine if newsi8.com is using Cloudflare, you can check a few technical indicators:

1. DNS Nameservers: If the domain’s nameservers end with `ns.cloudflare.com`, it indicates that the site is using Cloudflare. Windows:

nslookup -type=ns newsi8.com

MacOS:

dig ns newsi8.com

Result:

newsi8.com. 1444 IN NS pdns1.registrar-servers.com.
newsi8.com. 1444 IN NS pdns2.registrar-servers.com.

or you can use

host -t ns newsi8.com

Result:

newsi8.com name server pdns2.registrar-servers.com.
newsi8.com name server pdns1.registrar-servers.com.

The nameserver  pdns1.registrar-servers.com  is not associated with Cloudflare. It is part of the default nameservers provided by various domain registrars, such as Namecheap, for managing DNS records. These nameservers are typically used for domains registered with those registrars and do not indicate any connection to Cloudflare’s services. Cloudflare operates its own nameservers, which typically end with  ns.cloudflare.com .

Note that this could technically be changed at any time without notice by GoDaddy. Most users would never know.

2. IP Address Resolution: You can resolve the domain to see if it returns an IP address associated with Cloudflare.

The IP address 198.71.191.xxx is not associated with Cloudflare. This IP address belongs to GoDaddy, which is known for providing web hosting and domain registration services.

3. HTTP Headers: By inspecting the HTTP response headers, if you see `server: cloudflare` or headers like `Cf-Cache-Status` and `Cf-Ray`, it confirms that the site is behind Cloudflare.

You can use tools like online DNS checkers or browser developer tools (press F12) to inspect these details easily[10].

CloudFlare is Injecting Code into Web Sites

This is sneaky. The Sources in Firefox inspector shows that  cdnjs.cloudflare.com  IS being used, allowed by GoDaddy. Not only that, they are inserting this Javascript onto my site! Here is a snapshot of the code December 2, 2024.

/*!
* jQuery Mousewheel 3.1.13
*
* Copyright 2015 jQuery Foundation and other contributors
* Released under the MIT license.
* http://jquery.org/license
*/
!function(a){“function”==typeof define&&define.amd?define([“jquery”],a):”object”==typeof exports?module.exports=a:a(jQuery)}(function(a){function b(b){var g=b||window.event,h=i.call(arguments,1),j=0,l=0,m=0,n=0,o=0,p=0;if(b=a.event.fix(g),b.type=”mousewheel”,”detail”in g&&(m=-1*g.detail),”wheelDelta”in g&&(m=g.wheelDelta),”wheelDeltaY”in g&&(m=g.wheelDeltaY),”wheelDeltaX”in g&&(l=-1*g.wheelDeltaX),”axis”in g&&g.axis===g.HORIZONTAL_AXIS&&(l=-1*m,m=0),j=0===m?l:m,”deltaY”in g&&(m=-1*g.deltaY,j=m),”deltaX”in g&&(l=g.deltaX,0===m&&(j=-1*l)),0!==m||0!==l){if(1===g.deltaMode){var q=a.data(this,”mousewheel-line-height”);j*=q,m*=q,l*=q}else if(2===g.deltaMode){var r=a.data(this,”mousewheel-page-height”);j*=r,m*=r,l*=r}if(n=Math.max(Math.abs(m),Math.abs(l)),(!f||f>n)&&(f=n,d(g,n)&&(f/=40)),d(g,n)&&(j/=40,l/=40,m/=40),j=Math[j>=1?”floor”:”ceil”](j/f),l=Math[l>=1?”floor”:”ceil”](l/f),m=Math[m>=1?”floor”:”ceil”](m/f),k.settings.normalizeOffset&&this.getBoundingClientRect){var s=this.getBoundingClientRect();o=b.clientX-s.left,p=b.clientY-s.top}return b.deltaX=l,b.deltaY=m,b.deltaFactor=f,b.offsetX=o,b.offsetY=p,b.deltaMode=0,h.unshift(b,j,l,m),e&&clearTimeout(e),e=setTimeout(c,200),(a.event.dispatch||a.event.handle).apply(this,h)}}function c(){f=null}function d(a,b){return k.settings.adjustOldDeltas&&”mousewheel”===a.type&&b%120===0}var e,f,g=[“wheel”,”mousewheel”,”DOMMouseScroll”,”MozMousePixelScroll”],h=”onwheel”in document||document.documentMode>=9?[“wheel”]:[“mousewheel”,”DomMouseScroll”,”MozMousePixelScroll”],i=Array.prototype.slice;if(a.event.fixHooks)for(var j=g.length;j;)a.event.fixHooks[g[–j]]=a.event.mouseHooks;var k=a.event.special.mousewheel={version:”3.1.12″,setup:function(){if(this.addEventListener)for(var c=h.length;c;)this.addEventListener(h[–c],b,!1);else this.onmousewheel=b;a.data(this,”mousewheel-line-height”,k.getLineHeight(this)),a.data(this,”mousewheel-page-height”,k.getPageHeight(this))},teardown:function(){if(this.removeEventListener)for(var c=h.length;c;)this.removeEventListener(h[–c],b,!1);else this.onmousewheel=null;a.removeData(this,”mousewheel-line-height”),a.removeData(this,”mousewheel-page-height”)},getLineHeight:function(b){var c=a(b),d=c[“offsetParent”in a.fn?”offsetParent”:”parent”]();return d.length||(d=a(“body”)),parseInt(d.css(“fontSize”),10)||parseInt(c.css(“fontSize”),10)||16},getPageHeight:function(b){return a(b).height()},settings:{adjustOldDeltas:!0,normalizeOffset:!0}};a.fn.extend({mousewheel:function(a){return a?this.bind(“mousewheel”,a):this.trigger(“mousewheel”)},unmousewheel:function(a){return this.unbind(“mousewheel”,a)}})});

How to See This Code Using Firefox

Load a web page on Newsi8.com, then press F12 (fn F12 on Mac) and you will see the inspector tools window appear at the bottom of Firefox. Click on the Debugger tab. Under Main Thread, you will see newsi8.com and the things it loads. A separate node from Cloudflare.com contains the AJAX (asyncronous JavaScript, which means it can get loaded whenever Cloudflare wants.) Click that node to expand it and you will find the JavaScript code above.

What does this injected code allow CloudFlare to do?

When Cloudflare injects this JavaScript code into your site, it serves several stated purposes:

Performance Optimization: By using this plugin, Cloudflare may aim to enhance the user experience on your site by providing smoother scrolling behavior, which can be particularly beneficial for sites with extensive content.

Browser Compatibility: The injection helps ensure that users on various browsers have a consistent experience when interacting with mouse wheel events, which can be crucial for usability.

Potential Security Concerns: While the code itself is widely used and generally safe, any third-party script injection raises concerns about security and control over your website’s functionality. It’s essential to ensure that this behavior aligns with your site’s intended functionality.

Unstated Purposes of CloudFlare Injected Code

A Foot In the Door: This code which is allowed by GoDaddy security scanners can be changed at any time allowing CloudFlare to attack users who visit your web site, even on an individual basis depending on their computer and browser’s vulnerabilities. Yes, they can change this code at any time and then change it right back after an attack. This is a hook which allows CloudFlare or it’s puppet master to attack you and your visitors, if they want. Anyone compromising them can do the same. Everyone should be outraged, but no one, apparently not even the technical security gurus at GoDaddy, recognize the obvious threat.

Identify Human Users with Biometric Data: Mouse movements are one way to identify humans. Over time, such movements can be very unique, so they represent digital fingerprints. We spent a lot of time and money making our own web sites to get away from the spying, filtering and censorship which is rampant on big social media platforms and now we get this BS! Grr! To put this is a calm way: this seemingly harmless mouse code is quite insidious. How you move your mouse can tell others many things, sometimes even your mood. Mood data is a big money maker in surveillance capitalism. This injected code now on my web site, newsi8.com without my permission, is covert surveillance of all of my web site visitors. This is like someone installing a movement sensor you can not remove in your house.

Potential for Covert Surveillance: The injection of JavaScript code like the jQuery Mousewheel plugin could facilitate the collection of these mouse movement patterns without explicit user consent or awareness. This raises privacy concerns as it may enable covert tracking of users’ behaviors across different sessions and websites.

Data Transmission: The collected data from these events can be sent back to Cloudflare’s servers through AJAX requests or as part of the HTTP request headers when the user interacts with the page. This transmission can occur in real-time or at specific intervals.

Yes, the injected code can track mouse movements on your website. Cloudflare employs JavaScript to add event listeners to web pages, which monitor user interactions such as mouse movements, clicks, and keyboard inputs. This functionality is part of their bot detection mechanism.

Denials, Lies

You can read that Cloudflare provides infrastructure services like CDN, security, and performance optimization for websites. While it may host scripts such as the jQuery Mousewheel plugin, “it does not inherently collect or analyze user interaction data unless those features are specifically enabled and configured by the site owner.” This is a lie because you can also read this:

Bot Detection: Cloudflare employs behavioral analysis techniques to identify bot-like behavior. This can include monitoring mouse movements, scrolling patterns, and other user interactions on a webpage. By analyzing these behaviors, Cloudflare can determine whether the traffic is likely coming from a human user or an automated script.

Vulnerability to Abuse: Increased data collection eventually leads to misuse by those in power. Without adequate checks and balances, personal information will be exploited for political, economic, or social gain.

Are there WordPress Plugins to Disable CloudFlare Mousewheel Code?

Ad Blockers and Browser Extensions

• While not a plugin for WordPress, users can utilize browser extensions or ad blockers that prevent tracking scripts from running, including those from Cloudflare. Examples are EFF Privacy Badger, AdBlock Plus, and NoScript.
• Plugins like WP GDPR Compliance or Complianz: These plugins help manage user consent and privacy settings, and they may provide options to disable certain scripts that track user behavior.
• Add your own JavaScript, for example to the GoogleAdSense code block which you should have removed from your site for added privacy.

// Function to disable jQuery Mousewheel plugin
function disableMouseWheel(){
    // Unbind the mousewheel event from all elements
    $(document).off("mousewheel");
    $(document).off("DOMMouseScroll"); // For Firefox support
}

// Call the function to disable mouse wheel functionality
disableMouseWheel();

Does this code work? It seems to remove CloudFlare mousewheel in some cases, but not when CloudFlare loads their code last, after your web site’s code. When external scripts, such as those from Cloudflare, are loaded last, they can re-bind mousewheel event handlers after your unbinding code has executed.

• Multiple Bindings: Also, if the mousewheel event is bound multiple times to the same element, simply calling  .off("mousewheel")  may not remove all instances unless you specify the exact handler.

So, Re-apply Disabling on Load Completion

If you know that Cloudflare scripts will load last, you can set a timeout or use an event listener for when the page has fully loaded. You might add this line:

$(window).on('load', function() { disableMouseWheel(); 
// Disable again after all scripts have loaded 
});

<!-- <script> // Function to remove unwanted event listeners
function removeUnwantedListeners() {
  // List of events you want to monitor
  const events = ['click', 'mousemove', 'keydown', 'wheel']; // Add more as needed
  events.forEach(event => {
    document.removeEventListener(event, handleEvent);
  });
}

// Function to handle events (placeholder)
function handleEvent(e) {
  console.log(`Event ${e.type} triggered`);
}

// Function to monitor DOM changes
function monitorDOMChanges() {
  const observer = new MutationObserver(mutations => {
    mutations.forEach(mutation => {
    mutation.addedNodes.forEach(node => {
   // Check if the node is a script tag
   if (node.nodeType === Node.ELEMENT_NODE && node.tagName === 'SCRIPT') {
     const scriptSrc = node.src || '';
    // Check if the script is from an external domain
    if (!scriptSrc.includes(window.location.hostname)) {
      console.warn(`External script detected: ${scriptSrc}`);
      removeUnwantedListeners(); // Remove unwanted listeners
    }
   }
  });
 });
});

 // Start observing the document body for child nodes
 observer.observe(document.body, { childList: true, subtree: true });
}

// Start monitoring the DOM when the document is ready
document.addEventListener('DOMContentLoaded', () => {
  monitorDOMChanges();
}); </script> -->

if (typeof jQuery.event.special.mousewheel !== 'undefined') {
console.log("jQuery Mousewheel plugin is loaded.");
} else {
console.log("jQuery Mousewheel plugin is NOT loaded.");
}