The re-encrypted part isn't necessarily true, though, and you have no way of knowing. Users are misled because they see a nice secure lock icon in the browser, but that only protects the connection to the local Cloudflare POP; the rest of the way to the origin is all vulnerable to MITM.
As a security company, anything less than "Full (Strict)" should not exist.
Cloudflare publishes a certificate pair you can pin to your origin servers.
telgareith|1 year ago
They also offer cloudflared (Tunnels, formerly Argo), which connects the origin directly to their network, so there is no chance of interception or of bypassing their services.
So, as long as it's set up correctly, there's no opportunity to MitM between the origin and Cloudflare.
Do people set it up correctly? I doubt it. I've seen several companies think they were using CF's WAF product, when all they really set up was DNS.
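The last point in the thread, that a zone can be "on Cloudflare" for DNS while its records still hand out the origin address directly, is easy to check from the outside. The script below is an added example, not code from the thread or from Cloudflare: it classifies each hostname's A records as proxied (all addresses fall inside Cloudflare's published proxy ranges), DNS-only (none do, so the origin is exposed and the WAF is bypassed), or mixed. The range list is a snapshot of Cloudflare's published IPv4 ranges and is assumed to be current; verify it against https://www.cloudflare.com/ips-v4 before relying on it. The sample records are constructed.

```python
"""Spot DNS-only ("grey-cloud") records that expose an origin behind Cloudflare.

Added example; assumes the Cloudflare IPv4 range snapshot below is current.
"""
from __future__ import annotations

import ipaddress
import socket

# Snapshot of Cloudflare's published proxy ranges (assumption: still current;
# refresh from https://www.cloudflare.com/ips-v4 before use).
CLOUDFLARE_IPV4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address belongs to one of Cloudflare's proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def classify_records(records: dict[str, list[str]]) -> dict[str, str]:
    """Map hostname -> 'proxied' | 'dns-only' | 'mixed'.

    'proxied'  : every A record is a Cloudflare edge address (traffic hits the WAF).
    'dns-only' : no A record is Cloudflare's; the origin is reachable directly.
    'mixed'    : some resolvers will get the origin address, bypassing Cloudflare.
    """
    result: dict[str, str] = {}
    for host, ips in records.items():
        flags = [is_cloudflare_ip(ip) for ip in ips]
        if all(flags):
            result[host] = "proxied"
        elif not any(flags):
            result[host] = "dns-only"
        else:
            result[host] = "mixed"
    return result


def exposed_origins(records: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return the non-Cloudflare addresses leaked by each DNS-only or mixed record.

    These are the addresses an attacker would hit to skip the WAF entirely.
    """
    leaks: dict[str, list[str]] = {}
    for host, ips in records.items():
        direct = [ip for ip in ips if not is_cloudflare_ip(ip)]
        if direct:
            leaks[host] = direct
    return leaks


def resolve_a_records(hostnames: list[str]) -> dict[str, list[str]]:
    """Live helper: resolve A records with the system resolver (network required)."""
    out: dict[str, list[str]] = {}
    for host in hostnames:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
        out[host] = sorted({info[4][0] for info in infos})
    return out


# Constructed sample: one properly proxied host, one grey-clouded API host,
# and one host with a stray direct record (203.0.113.0/24 is TEST-NET-3).
SAMPLE_RECORDS = {
    "www.example.com": ["104.16.1.1", "104.16.2.2"],
    "api.example.com": ["203.0.113.10"],
    "mail.example.com": ["104.16.3.3", "203.0.113.10"],
}

if __name__ == "__main__":
    for host, verdict in classify_records(SAMPLE_RECORDS).items():
        print(f"{host:20s} {verdict}")
    for host, ips in exposed_origins(SAMPLE_RECORDS).items():
        print(f"origin exposed via {host}: {', '.join(ips)}")
```

Run it against your own zone by replacing `SAMPLE_RECORDS` with `resolve_a_records([...])`. A `dns-only` verdict on a host that is supposed to be behind the WAF means exactly the situation the comment describes: Cloudflare is serving DNS and nothing else. Note that a `proxied` verdict says nothing about the SSL mode or about origin pulls; it only confirms that clients are being sent to the edge.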