Comment by encom

1 day ago

I don't see what the big deal is. SSL MITM is CloudFlare's whole business model.

Care to elaborate? How do they make money?

  • While OP is a bit hyperbolic here, CloudFlare essentially is a Man In The Middle. They serve your content via a CDN and cache it around the globe. If you use cloudflare, the SSL terminates at their servers, meaning that (theoretically) they could read all contents sent via their network. While yes, you can put on your tinfoil hat and say that this is a central intelligence's dream to have such a global man in the middle proxy, there are no fact based reports that undermine cloudflare abusing their position.

    They mostly make their money by selling you better services on their CDN such as image scaling etc.

    • There was a guy, Snowden or something, who got some first party reports. They stated that no magical quantum crypto breaking happened at global scale, keys were simply stolen, or backdoors were used to access clear text on sender or receiver.

      Ephemeral keys (not stored for possible future leakage) quickly became the default, and assumptions about global data gathering changed. Then, all of a sudden, a “free” service appears that makes all of the TLS improvements, big and small, practical and theoretical, useless. What a coincidence!

      For some reason, you assume that people who have been stealing everything they can (because doing crime for the Big Guy is not a crime) consider this specific company untouchable. This is impossible. Every country in the world wants to have its spying capacity at maximum (following the shameless example), and to flex muscles at American services doing the same. The reason we only read about clashes over movie piracy and other petty stuff is because more serious matters have been discussed and dealt with.

      Facebook offers “free” hosting and other services for individuals (social networks are poor walled versions of the Web). Cloudflare offers “free” CDN and other services for website owners. The actual business model is the same, lies are still lies.

    • Hyperbole is my middle name, but I just find it repulsive that CloudFlare breaks the chain of trust, and somehow everybody is just okay with that. I'm not saying it makes HTTPS pointless, but we've moved from end-to-end encryption to trust-me-bro. Is CloudFlare malicious? Probably not - at least not right now. But I think my browser should warn me that my connection is not E2E secure, because it's not.

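Added example (not part of the thread, and not Cloudflare's code): the two topologies the comments above contrast, built with Go's standard library so it runs offline. A terminating edge (the CDN model: TLS ends at the proxy, which decrypts and re-encrypts toward the origin) is run beside a plain TCP relay that holds no key, and an observer records what each proxy position can see of a constructed request body. The origin, edge and relay all listen on loopback; `httptest`'s built-in test certificate is used for both TLS servers, and `origin.Client()` trusts it. Names like `newTerminatingEdge`, `newPassthroughEdge` and `Demo` are this example's own.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Constructed sample body; the demo checks which proxy position can see it.
const secret = "card=4111-0000-constructed-sample"

// observer records every byte that flows through a proxy position.
type observer struct {
	mu   sync.Mutex
	seen []byte
}

func (o *observer) Write(p []byte) (int, error) {
	o.mu.Lock()
	defer o.mu.Unlock()
	o.seen = append(o.seen, p...)
	return len(p), nil
}

// SawPlaintext reports whether the request body appeared in the clear.
func (o *observer) SawPlaintext() bool {
	o.mu.Lock()
	defer o.mu.Unlock()
	return bytes.Contains(o.seen, []byte(secret))
}

// newOrigin is the site owner's server; it only reports the body length.
func newOrigin() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		fmt.Fprintf(w, "origin got %d bytes", len(body))
	}))
}

// newTerminatingEdge models the CDN: the client's TLS session ends here, the
// edge reads the decrypted body, then opens its own TLS session to the origin.
func newTerminatingEdge(origin *httptest.Server, obs *observer) *httptest.Server {
	upstream := origin.Client()
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		obs.Write(body) // plaintext is available at this position
		resp, err := upstream.Post(origin.URL+r.URL.Path, r.Header.Get("Content-Type"), bytes.NewReader(body))
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		io.Copy(w, resp.Body)
	}))
}

// newPassthroughEdge is a TCP relay with no key material: it forwards the TLS
// records untouched, so the observer only ever sees ciphertext.
func newPassthroughEdge(origin *httptest.Server, obs *observer) net.Listener {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				up, err := net.Dial("tcp", origin.Listener.Addr().String())
				if err != nil {
					return
				}
				defer up.Close()
				done := make(chan struct{}, 2)
				go func() { io.Copy(up, io.TeeReader(c, obs)); done <- struct{}{} }()
				go func() { io.Copy(c, up); done <- struct{}{} }()
				<-done
			}(c)
		}
	}()
	return ln
}

func post(client *http.Client, url string) (string, error) {
	resp, err := client.Post(url, "text/plain", strings.NewReader(secret))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// Demo sends the same body through both topologies and reports whether each
// proxy position saw it in the clear.
func Demo() (terminatingSaw, passthroughSaw bool, err error) {
	origin := newOrigin()
	defer origin.Close()
	client := origin.Client() // trusts the httptest certificate used by both TLS servers

	var termObs observer
	edge := newTerminatingEdge(origin, &termObs)
	defer edge.Close()
	if _, err = post(client, edge.URL); err != nil {
		return
	}

	var passObs observer
	relay := newPassthroughEdge(origin, &passObs)
	defer relay.Close()
	if _, err = post(client, "https://"+relay.Addr().String()); err != nil {
		return
	}
	return termObs.SawPlaintext(), passObs.SawPlaintext(), nil
}

func main() {
	term, pass, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("terminating edge saw plaintext: %v\npassthrough relay saw plaintext: %v\n", term, pass)
}
```

Both edges present a certificate the browser accepts, which is the point made in the comments: nothing in the handshake tells the client whether the peer is the origin or a proxy that will decrypt and forward. The relay variant is what an end-to-end deployment looks like from the edge's position.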

Is CloudFlare datamining that traffic to build intelligence profiles on its users and for anti-competitive business practices?

Is CloudFlare hiding that they are a terminating proxy and pretending to be a VPN for the purposes of spying on users?

The big deal isn't the technical aspect, it's what it was used for and how it was used.