undefined | Better HN

0 pointsthephyber2y ago0 comments

This seems like a useless warning.

The owner of the domain has to choose to integrate a CDN. They implicitly trust the vendor who runs the CDN just like they implicitly trust the cloud provider that asserts their VPC between their server that terminates TLS and any API servers behind that which don’t use encryption for data in transit.

0 comments

edandersen2y ago

That's fine but the user has no way of knowing if a third party is party to the communications or not. Surely they should know?

thephyberOP2y ago

Again - that seems like a useless warning.

3rd party could mean a DBA, IT consultant, AWS support tech, CDN support tech, MSSP employee, cloud platform, etc. those all come with different levels of risk, different contract terms, etc.

I’m trying to say that just saying the TLS connection is terminated by a vendor, who then creates another to the origin server doesn’t tell you anything valuable from a security / risk standpoint. The CDN-fronted connection that shows the warning may be highly secure while a self-managed reverse proxy that terminates the TLS connection to another serve owned+managed by the same person/org might be completely insecure. The warning is not a useful signal.

j / k navigate · click thread line to collapse