Not an attack but certainly a person in the middle.
IAAL and advise on data protection and privacy.
Anecdotally I can tell you that the MitM aspect of Cloudflare and other similar providers is not well understood.
My impression is that a lot of people use these services without really understanding the implications.
For example, when you look at some of the risks that privacy laws are trying to protect against, especially access to data by foreign actors (including government agencies) without due process, use of these types of services changes the game.
Sometimes the benefits might outweigh the risks, but the decision to use these types of services should not be taken trivially.
That said, I routinely use Cloudflare for my personal projects.
And AWS has control of all of your servers and everything stored on them. If it's part of your systems architecture and how it's intended to work, it isn't being attacked.
>They literally decrypt all the traffic to your website, do some stuff, then re-encrypt and send it on to your server.
That doesn't mean they are an attack. That is just how a CDN works.
You're being needlessly pedantic. It might not be an attack in the usual sense, but it's a MITM "access point" and agencies like CIA/NSA/FBI would definitely have that kind of access. This access transforms Cloudflare's role into a de facto MITM "attack" on their customers and end users who didn't intend to share unencrypted data with 3-letter agencies.
james_in_the_uk|2 years ago
charcircuit|2 years ago
powersnail|2 years ago
dns_snek|2 years ago
cassianoleal|2 years ago