
Forgive my outburst, and maybe this sentiment won't be well received given the context, but I just find it to be downright unpatriotic for a US company like CloudFlare to stand there saying things like what Matt Prince says in your quote, when someone comes under attack by an opposing nation state.

Again, I realize this place isn't exactly a bastion for this kind of sentiment, but have some thought for freedom here, CloudFlare. The US may suck at helping a lot of the time, but if you've got a group of folks trying to deliver some good ol' freedom to a country like this, and that country is trying to shut them up, maybe put out a helping hand, or at least don't shut off service.

Come on...



Thanks for the feedback.

In the case of Lantern, they were taking advantage of a bug in our system. Specifically, they were setting the SNI field (outside the encrypted packet) of a request to look like it was going to an actual CloudFlare customer (e.g., news.ycombinator.com) and then setting the host header inside the encrypted request to point to some restricted site. The bug was that we did not check that the SNI field matched the host header, which allowed Lantern to do what they were doing.

Lantern was not a customer of ours, instead they were exploiting this bug to essentially disguise traffic to look as if it was coming from one of our actual customers. One of our biggest concerns was that this would put CloudFlare's actual customers at risk of being blocked. And, beyond that, even if it weren't being used to avoid Internet restrictions, that someone could effectively impersonate the identity of a customer on our network is, per se, a flaw that we should patch. As soon as we became aware of the issue, we began matching the SNI header to the host header and, effectively, patched the bug.

We've always been very supportive of a free and open Internet. However, even if we support what someone is doing, we can't put our current customers at risk of collateral damage or keep open bugs that allow our network to be exploited.

Matthew Prince Co-founder & CEO, CloudFlare @eastdakota
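The check described in the comment above (the SNI field must match the Host header), sketched as an added example that is not part of the thread and is not CloudFlare's code. The ClientHello builder, the sample requests and the name `blocked.example` are constructed for illustration.

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Constructed, minimal ClientHello handshake message with one SNI extension."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type 0 = host_name
    ext_data = struct.pack("!H", len(entry)) + entry         # server_name_list
    exts = struct.pack("!HH", 0, len(ext_data)) + ext_data   # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"                # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"              # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello

def parse_sni(hello: bytes):
    """Return the lower-cased SNI host name, or None if absent or malformed."""
    try:
        if len(hello) < 4 or hello[0] != 0x01:
            return None
        pos = 4 + 2 + 32                                     # header, version, random
        pos += 1 + hello[pos]                                # session id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big") # cipher suites
        pos += 1 + hello[pos]                                # compression methods
        end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= min(end, len(hello)):
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == 0 and hello[pos + 2] == 0:           # server_name, host_name entry
                nlen = int.from_bytes(hello[pos + 3:pos + 5], "big")
                return hello[pos + 5:pos + 5 + nlen].decode("ascii").lower().rstrip(".")
            pos += elen
    except (IndexError, UnicodeDecodeError):
        pass
    return None

def host_header(request: bytes):
    """Return the Host header of a decrypted HTTP/1.1 request without port, or None."""
    for line in request.split(b"\r\n")[1:]:
        if not line:                                         # end of headers
            break
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.partition(":")[0].rstrip(".")
    return None

def sni_matches_host(hello: bytes, request: bytes):
    """Allow the request only when both names are present and identical."""
    sni, host = parse_sni(hello), host_header(request)
    if not sni or not host:
        return (False, "missing SNI or Host")
    return (sni == host, f"sni={sni} host={host}")
```

A front end that enforces this would typically answer a mismatch with HTTP 421 (Misdirected Request) rather than serve the site named in the Host header.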


> Lantern was not a customer of ours, instead they were exploiting this bug to essentially disguise traffic to look as if it was coming from one of our actual customers.

This makes a world of difference.

Just to confirm, does this mean that if the exact same attack had happened, but Lantern had been a CloudFlare customer, you wouldn't have shut them down?


That's a fair response to that case.

Still curious about this quote: “We don’t do anything to thwart the content restrictions in China or other countries,” said Matthew Prince, chief executive of CloudFlare. “We’re a tech company and we comply with the law.”

So if Lantern were a customer, would the outcome still have been the same?


Well, if Lantern were a customer, then China could just block them like they do for any CF customer they want to block. The reason the bug was allowing people to get around the firewall was because they were pretending to access a site that wasn't blocked, but actually receiving content that was blocked.


I think that's fair and reasonable.


Patriotism is not a justification for violating the law. Granted, modern politicians and civilians use patriotism to justify literally anything they want to do as long as it's in the name of the Homeland (similar to religious martyrs justifying anything they do as in the name of their God).

Usually patriotism is the last justification used by those who have nothing else to stand on, like the KKK trying to oppress African-Americans, or the Nativists trying to oppress Irish immigrants, or modern-day politicians who decry all Islamists as terrorists, or the border states trying to oppress migrant workers, etc. Each time they've exhausted all other excuses, Patriotism is the last justification for their actions. (I won't touch on Mao, Stalin, Hitler, etc because they're too tied to specific nationalist policies)

Personally, I wouldn't want to identify myself as a Patriot, because usually they're the ones standing on the wrong side of history.

Unless you were just trolling.... ;-)


> Patriotism is not a justification for violating the law.

Actually, it is. Patriotism, in being a Patriot, is a loaded word in the American (USA) context. Specifically, it is about doing what is good/right for the country and her citizens regardless of the law (i.e. British rule.) Or so says my recollection of American History. I mean... just look at the Patriots (rebels, in the British colloquialism) in the image on the Wikipedia page for Patriot_(American_Revolution).

"The Oxford English Dictionary third definition of "Patriot" is "A person actively opposing enemy forces occupying his or her country; a member of a resistance movement, a freedom fighter."[1]. In this definition, if the alleged DDoSers are Chinese, attempting to block the actions of a foreigner imposing influence in their own land, they are the more Patriotic? Which is why the term is utterly useless in this argument; Dare, any other.

> Usually patriotism is the last justification used by those who have nothing else to stand on[sic]

Thus was it written.

[1] http://en.wikipedia.org/wiki/Patriot_(American_Revolution)

edit: add ambiguous ?


Patriotism isn't a word really, it's a neologism invented in the 18th century, probably attached to by the founders because the British hated the term. And while Patriotism's historical (and more ethical) definition might have been to defend the principles of one's country and the constitution given to the people, the modern definition is waaaaay different. At this point we should bring back the word Loyalist for the people who use Patriot to mean someone who blindly follows their government.


Not everyone desires to take part in geopolitics and become a tool of diplomacy. Some people just want to do their business and it's perfectly fine in my opinion. You can't force people to be patriotic or to feel a patriotic call.


From the FAQ:

> Due to the sensitive nature of the content on our web sites we prefer to remain anonymous at this point

If they want help they need to be transparent about who they are and what their objective is. One man's tool of diplomacy is another man's... etc.


I worked with a DDoS protection provider briefly. Suffice to say, it's quite possible that being public with identity can bring a significant chance of physical harm. Dunno about this particular case, or China, but for other people offering services to that continent-area, they had real concerns.


Ah freeriders


Patriotism is not a virtue, it's a pretty empty and meaningless value


I got confused, are you talking about bringing freedom to the US? :) Kidding aside, not saying you're wrong, but companies that want to maximize profit take too big of a risk alienating a possible big market...



