top | item 43961083

ZoneZealot | 9 months ago

Cloudflare have only ever been able to do their job (on the reverse proxy CDN/WAF side), by doing full TLS interception. They see the session in plaintext.

The customer grants Cloudflare a TLS certificate for their site either by uploading a cert manually, or letting Cloudflare issue a cert via the ACME protocol. They use that to present the site to the world. Cloudflare connects back to the origin site, and the origin either uses HTTP (bad! but possible), HTTPS with a self-signed cert, HTTPS with another publicly trusted cert, or a cert that Cloudflare issues with their own (not publicly trusted) CA called Origin CA.

As the visitor, there's no big sign saying 'Cloudflare can read this content as well as the origin website'. They're trusted to not be malicious, sure, but there's a massive risk with using any sort of service like this that you don't control.

One of those massive risks turned reality with Cloudbleed in 2016/2017: https://en.wikipedia.org/wiki/Cloudbleed

https://project-zero.issues.chromium.org/issues/42450151

https://blog.cloudflare.com/incident-report-on-memory-leak-c...

https://blog.cloudflare.com/quantifying-the-impact-of-cloudb...

yubblegum|9 months ago

> As the visitor, there's no big sign saying 'Cloudflare can read this content as well as the origin website'. They're trusted to not be malicious, sure, but there's a massive risk with using any sort of service like this that you don't control.

In that case there is no way that company is not hooked into the intelligence services. I am certain they do go through the ceremony of legality for many actions but it is unreasonable to think no intelligence service has attempted to critically penetrate it. Add the mix of ideology du jour of the SV "VC intelligentsia" and software youth brigades.

You are entirely correct to point out that it is our "trust" that is taken for granted. And granted to Cloudflare by SV, YCombinator, and of course HackerNews itself that dumps on any voices raising concerns over these obvious "massive risks" so that the unauthorized delegation of trust is done behind our backs by capital and other interested parties. DDoS prevention is kind of like kiddie porn prevention, a perfect pretext for opening the door to equally serious violations, of our trust and rights.