Comment by sph

10 hours ago

That’s been my pet theory from day 1, and not because of DDoS. Simply because they are the SSL terminator for most of the internet and can see anything going on in cleartext (and I’ve seen them protecting some shady stuff).

I recall a PRISM slide showing the diagram of Google and the public internet, with a big arrow on GFE saying, quote, “SSL added and removed here! :-)”

If NSA aren’t installed at Cloudflare, I wonder what they are even doing.

> I’ve seen them protecting some shady stuff

Hmm, do we want them to decide what stuff is shady and what isn't?

We're already allowing payment processors to do that and it's not good.

That slide was about the NSA sitting inside Google data centers without Google's knowledge.

That doesn't mean collusion.

  • That's the thing though: We can't know that.

    • Well, we kind of can, given that "SSL added and removed here :-)" was a pretty explicit workaround to the issue of encrypted communications in Google's infrastructure, just not between sites (IIRC).

      Either way, if they were directly colluding with Google, they would have had a much simpler time siphoning off that data.

It's within the realm of possibility that NSA is collecting data with Cloudflare's consent. It seems unlikely that Cloudflare would jeopardize their entire business model over it. Unlike other companies in the leaked NSA slides that participated in PRISM, Cloudflare would face a near-total loss of customers. Their entire value proposition is being an unobtrusive traffic intermediary.

  • Within the realm of possibility? Let's be honest, if you are a top NSA executive and you couldn't find a way to get your hands on Cloudflare's private keys (bribing or threatening the right person), you are not getting your Christmas bonus.

• It is of course inconceivable that the NSA do not have the private keys for dozens of browser-trusted certificate authorities.

      That nonetheless doesn't help them unless they are doing active MITM. In order to do that they'd have to have at least some physical presence at Cloudflare or on the path to Cloudflare.

    • Is this information derived from Enemy of the State starring Will Smith and Gene Hackman? It was a great movie and the first DVD I ever bought.

  • > Unlike other companies in the leaked NSA slides that participated in PRISM, Cloudflare would face a near-total loss of customers

    People didn’t care when they learned about PRISM, why would they care now when it’s a known fact? The sane stance would be to assume Cloudflare is in cahoots with NSA.

    • All the companies involved in PRISM made public statements saying they ceased participation. Google undertook a costly initiative to add encrypted connections over their datacenter circuits. The NSA leaks were a forcing function that led to a massive uptake of encryption. Up until that point it was common for websites to support only HTTP.

      The NSA leaks dominated news cycles for the entirety of 2013.

• > Cloudflare would face a near-total loss of customers

I think more people than you would expect would be happy to accept that as the price for protection against malicious actors.