Comment by homakov

8 years ago

Chrome marking Cloudflare HTTPS as "Secure" must be turned into something different, like "Not So Secure" or whatever. Secure = end to end.

Cloudflare is MitM by design. Chrome and others must not tolerate it. This vulnerability is just another reason to do it ASAP.

That's because HTTPS allows that. Whether it's Cloudflare, or your own servers and load balancers, it's all legal. So it would be unfair to single Cloudflare out. You could take some measures to identify their flexible-SSL traffic, and that's a grey area, but their regular SSL is fine. If it weren't for them, you would roll your own solution, which wouldn't be very different.

  • Ultimately I believe CF is sustaining its business by filling a gap in the Internet, namely DDoS protection. Until somehow the gap is closed we will see CF-like services continue to be popular even after this incident.

So is any CDN.

  • Forgot about that, thanks. However, we can use the "integrity" attribute.

    • Yeah, that's for the traditional CDN setup, where you upload files to a CDN that serves these files from their own domain — they don't MitM the entire site! The HTML page still comes from your servers. With that setup you can use Subresource Integrity, yes.