undefined | Better HN

0 pointstialaramex7y ago0 comments

CloudFlare's customers can choose whether the backhaul, between CloudFlare and their own web servers, is HTTP, HTTPS with a CloudFlare issued private certicate, or HTTPS using publicly trusted certs from the Web PKI.

If you choose either of the latter two options, bad guys can't MITM you, the middle option has the benefit that they can't even MITM you by subverting a public CA (since only CloudFlare's own certs are trusted) the latter option has the benefit that you can "just" switch off CloudFlare and your site now works as an ordinary HTTPS site with no changes, if you ever want to do that.

0 comments

auslander7y ago

In all those options, CF still terminates (strips) SSL from user traffic to plaintext, on their platform, hence MITM by Cloudflare.

detaro7y ago

And other large parts of the internet are "MITMed" by AWS, Heroku, Microsoft Azure or other hosting companies then. For some reason people don't make the same argument in every thread about AWS though.

auslander7y ago

Well, AWS does not mess with html code, like this:

https://stackoverflow.com/questions/22775065/cloudflare-add-...

It's just my gut feeling, that CF might abuse its unique position, having access to large part of internet traffic in plaintext. What other CDN gives free services? Hint, why Google Analytics is free?

gsich7y ago

Is Cloudflare a hosting company?

1 more reply

j / k navigate · click thread line to collapse

0 pointstialaramex7y ago0 comments

0 comments

auslander7y ago

In all those options, CF still terminates (strips) SSL from user traffic to plaintext, on their platform, hence MITM by Cloudflare.

detaro7y ago

auslander7y ago

Well, AWS does not mess with html code, like this:

https://stackoverflow.com/questions/22775065/cloudflare-add-...

gsich7y ago

Is Cloudflare a hosting company?

1 more reply

j / k navigate · click thread line to collapse