Comment by soheil
8 years ago
What's the rationale behind sending user PII through a CDN? Presumably that is useful to that one user only, so a CDN wouldn't be super useful in distributing the load across its edges. Also, doesn't CDN caching kinda defeat the purpose of having SSL?
Cloudflare terminates SSL and then forwards the request to your servers as one of their services. This isn't about the CDN, but about them terminating SSL, then leaking the plaintext data back through other requests.
What are the benefits of terminating SSL early at the CDN level? It seems to me the risks associated with not having SSL still remain; they're just shifted to between the CDN and the backend. Is it much more than just giving lip service to SSL and getting away with things like browser restrictions, etc.?
DDoS protection and general ease of use. There are several options for the extent of encryption between CF's edge and the origin server, but the onus is on the site owner to configure it properly.
Sure, it defeats the ideals about TLS and the internet in general, à la "every connection should be point-to-point", but we've been ruining that with firewalls and NATs for a long time, and having some degree of TLS is still better than nothing at all.
> It seems to me the risks associated with not having SSL still remain they're just shifted to between the CDN and the backend
Exactly, it's a really bad idea for anyone who cares about their users' privacy. It's essentially an opt-in MITM attack... one that, apparently, leaks data everywhere.