
Certificate Transparency makes this significantly harder to do stealthily. I’m not convinced that Cloudflare is a deep state operation either, but Cloudflare's ability to secretly MITM is a position afforded to a select few, and certainly not every CA.



But unless they have the private key for CloudFlare certs, they can't snoop in so it doesn't matter if there are intermediaries in between.

Right, but if someone can snoop the connection between Cloudflare and your server, chances are they are in control of some intermediate machine and can MITM, injecting their own self-signed cert.

Nearly everything in this post is FUD.

The only accurate part is that Cloudflare is indeed a MitM no matter what SSL mode you have enabled. An intelligence agency that thoroughly compromises Cloudflare's interception points would be able to ignore SSL for a lot of large websites.

That's just a trade-off you have to decide is worth it or not before signing up.


Assumption: End-to-end encryption to the name on the certificate.

Reality: Someone else (Cloudflare) claims to be the name on the certificate, whereas in reality they’re not.

That’s the textbook definition of MITM attack, whether you like it or not.

Of course all CDNs work like that. No one's claiming otherwise. Cloudflare is just bringing all the ways the internet is fundamentally broken to the forefront. Their unapologetic and extensive abuse of those design flaws (captcha pages) is a constant reminder of just how hopeless a mess the internet is.


Yes. I have said it before and I say it again: Cloudflare (and any other large CDN) is a perfect setup for a MITM or a perfect target for a nation-state's secret service.

I get what you’re saying, but Cloudflare isn’t trying to keep their methods a secret. They’ve openly written before about the key takeaway: how phishing-resistant MFA (particularly security keys) have saved them in the past. Everything else is just product documentation that’s online to read.

It's worse. You can't just start MITMing regular encrypted internet traffic without compromised infrastructure. With Cloudflare everything is already in place.

I think there were some rumors that they are - or are planning - to offer certificates signed by a private Cloudflare CA exactly for the purpose of encrypting the traffic to the backend.

"With CloudFlare being in control of the DNS and having a wildcard certificate without the domain owner's knowledge would give CloudFlare the possibility to run a MITM on many, many domains without anybody noticing as the certificates are valid and issued by a trusted CA"

This is how the system works when it comes to domain-validated SSL certs. Anybody who controls the domain's DNS can get a trusted SSL certificate for the domain from a certificate vendor. As long as the DNS is controlled by a third party, revoking the existing certs does not make a big difference, since if they want to do MITM, they can just get new certificates at any point.


Attestation lumped in with their MITM attacks does make Cloudflare a large threat to user freedom.

Cloudflare is MITM. It is unacceptable for any website that respects its users' privacy.

It can be less conspiratorial than that. It is a legal and diplomatic challenge for the US to get permission or to install infrastructure to monitor traffic in foreign countries. It is much easier for Cloudflare to drop an ingress server there, and they decrypt all TLS traffic that lands on their systems before possibly re-encrypting it and forwarding it over their private network.

Cloudflare is a US company and subject to US coercion. It would be trivial for the US to force Cloudflare to give them access to that data, and with Cloudflare currently decrypting ~10% of all Internet traffic, why wouldn't they?

How about the fact that Cloudflare-issued certificates are for dozens of domains? If the US wants to snoop on foreign domain X, a US order for US domain Y, also on the same cert, would give them the private key.

It's not possible to detect abuse in this system. It requires that we trust the state to not abuse their power, and we've seen them lie about that already.

The mere fact that the Cloudflare system _can_ be abused is, in my opinion, enough reason to go nowhere near it for anything.
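The comments above about shared edge certificates (one certificate covering dozens of customer domains, so one private key serves all of them) are easy to see in practice. The following is an added example, not code from the thread or from Cloudflare: it builds a self-signed multi-SAN certificate with openssl using made-up hostnames, lists every name the certificate is valid for, and confirms that a single private key file matches all of them. Domain names and file paths are assumptions for illustration only.

```shell
#!/bin/sh
# Added example (not from the thread): a self-signed certificate whose
# subjectAltName lists several unrelated domains, the way a shared multi-SAN
# edge certificate does, so that one private key covers all of them.
# Hostnames and paths below are constructed for illustration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/shared.key"
CRT="$WORK/shared.crt"

# One private key, one certificate, many hostnames (constructed sample SANs).
# -addext needs OpenSSL 1.1.1 or newer.
make_shared_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$KEY" -out "$CRT" \
        -subj "/CN=sni-shared.example" \
        -addext "subjectAltName=DNS:site-a.example,DNS:site-b.example,DNS:site-c.example" \
        >/dev/null 2>&1
}

# Print every DNS name the certificate is valid for, one per line.
list_sans() {
    openssl x509 -in "$CRT" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Number of hostnames that share the same TLS private key.
count_names_sharing_key() {
    list_sans | wc -l | tr -d ' '
}

# Verify that the private key really is the one behind the certificate:
# compare the SubjectPublicKeyInfo derived from the key with the one in the
# cert. Whoever obtains this key (by order or by compromise) can impersonate
# every SAN listed above, not just the one name a request was about.
key_matches_cert() {
    k=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$CRT" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

make_shared_cert
list_sans
```

Run it as-is to see the three constructed names printed; `count_names_sharing_key` and `key_matches_cert` are the checks a practitioner would point at a real edge certificate (swap the file paths for a certificate fetched with `openssl s_client`) to see how many other domains are coupled to its key.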


It's not like that'd be anything new... The NSA has been known to do this with other major tech companies (google/msft), wouldn't be a stretch to assume they did it at the CDN level.

Either way if you have full SSL (not flexible) on cloudflare, cloudflare receives encrypted data from your server anyway, which wouldn't let the gov't see your data. They'd only be able to decrypt Flexible SSL.


Cloudflare is not a MitM attack. By that same logic AWS would be an even bigger MitM attack.

Keep in mind that Cloudflare is a US company. The US government is infamous for secret subpoenas and gag orders toward US companies. Also the US government is infamous for serious and illegal spying. They are also withholding known vulnerability information from the public for the greater good (for them).

Practically, no trust.


Cloudflare aren't a Certificate Authority, they use Comodo certificates.

As I already said in the very comment you're replying to, and as vertex-four pointed out again, it is cross-referenced.

And several CAs are known to have signed fraudulent SSL certificates. I suspect all of them actually have, but not all have been publicized. If you think this makes CloudFlare less trustworthy than them, I really don't know what to say other than you're crazy.


I've intentionally avoided using Cloudflare's services when I can get away with it. I am afraid of what we are giving away to entities like this in the region of security. One gaping MITM vector.

CloudFlare now has the most sophisticated MITM attack in the world, where they tell you what they are doing and make you sign up for it.

Does CloudFlare have a direct pipe to the NSA already, or is that only going to happen next week?

