by lllorddino 3622 days ago
I use Cloudflare because I host my static website on GitHub. The flexible SSL mode is good enough because there's no user data being passed around, only articles of mine.

I've used the full SSL mode on self-hosted servers and can't see what the dilemma is besides you being paranoid that Cloudflare will tamper with data passing through them. Evidence?

3 comments

> there's no user data being passed around, only articles of mine

That's not quite true. The sensitive data that is getting passed around in this case isn't your articles, but who is reading them.

> besides you being paranoid that Cloudflare will tamper with data passing through them. Evidence?

Why would this require evidence? It's a threat, plain and simple. Threat modeling isn't based on evidence, it's based on assuming the worst-case realistic scenario, because overestimating is less harmful than underestimating.

GitHub Pages does support SSL now, so you can use "Full" SSL mode (not "Full (strict)") with GitHub Pages now. We do this for glowing-bear.org, which is just a bunch of static files too.

Then why would you use CloudFlare at all? You already have TLS.

We want to use a custom domain, but TLS with custom domains isn't possible with GitHub Pages. https://glowing-bear.github.io/glowing-bear/ isn't exactly nice to type.

> and can't see what the dilemma is besides you being paranoid that Cloudflare will tamper with data passing through them. Evidence?

Why would you sit and wait for something to go wrong, when you could close a potential security problem now?