by apeace 3627 days ago
Title is clickbait.

The only important/interesting quote from the article:

> That particular customer had set up their configuration in such a way that the connection from Cloudflare back to the customer's origin was not passed over an encrypted link. Cloudflare has the ability to pass that over an encrypted link. We don't have any idea why this particular customer chose to do that, but that's the customer's decision.


And it's Cloudflare's decision to expose the endpoint as HTTPS, suggesting to visitors that it's a secure endpoint when Cloudflare knows that it is not.
It's each website's decision to use (or not use) Cloudflare. It's thus also by extension each website's decision to expose the site over HTTPS.
For sure. From the perspective of a visitor to the site, if you see the padlock, it should be secure. Cloudflare makes it extremely easy to disguise an insecure endpoint as a secure one. In fact, Cloudflare does this for free! It harms visitors.
... And it's the customer's decision to leave the cloudflare->upstream link in the clear. Just like it was Google's decision to add and remove SSL between the frontend server and the backends.

Cloudflare is part of the customer's website, it's not some random third-party that happens to be there on the path to the HTTP client.

Not really. He did agree to their traffic being intercepted as a plausible reason as to how this can be explained.

> MediaNama: So the only way they can understand what to block via this route is by sniffing every packet?

> Matthew Prince, Cloudflare: That is what I’m concerned about, but we don’t have a satisfactory answer at this point. But you are correct, that is what I infer.

Not at all.

The background to this is that when a security researcher discovered that CloudFlare's upstream connections were being tampered with, Airtel issued a denial. Matthew Prince's answers here contradict Airtel's statement.
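The thread turns on a point a visitor cannot check from the browser: the padlock only attests the visitor-to-proxy hop, and the proxy-to-origin hop can be plaintext with nothing visible changing on the client. The one party that can observe both hops is the origin, which sees the scheme of its own listener plus whatever the proxy reports about the visitor's hop. The following is an added example, not code from the thread, from Cloudflare or from any of the commenters; it is a small WSGI classifier and middleware that labels each request by hop combination and refuses to serve the "padlock in front, plaintext behind" case. It assumes the proxy forwards the visitor's scheme in the standard X-Forwarded-Proto header or in a CF-Visitor JSON header of the form {"scheme":"https"}; the request records are constructed, not captured traffic.

```python
import json

# Constructed WSGI-style request records (not captured traffic). Each models one
# hop combination: what the visitor used to reach the proxy versus what the proxy
# used to reach this origin. wsgi.url_scheme is the scheme of the listener that
# actually accepted the connection, so the origin can trust it; the forwarded
# headers are an assumption about what the proxy sets and are only as trustworthy
# as the network path that delivers them.
SAMPLES = {
    "end_to_end":      {"wsgi.url_scheme": "https", "HTTP_X_FORWARDED_PROTO": "https"},
    "half_encrypted":  {"wsgi.url_scheme": "http",  "HTTP_CF_VISITOR": '{"scheme":"https"}'},
    "plaintext":       {"wsgi.url_scheme": "http",  "HTTP_X_FORWARDED_PROTO": "http"},
    "direct_no_proxy": {"wsgi.url_scheme": "http"},
}


def visitor_scheme(environ):
    """Scheme the visitor used on the first hop, as reported by the proxy.

    Checks X-Forwarded-Proto first (first value if it is a comma list), then the
    assumed CF-Visitor JSON header. Returns None when neither is present or
    parseable, i.e. when nothing upstream told us what the visitor saw.
    """
    xfp = environ.get("HTTP_X_FORWARDED_PROTO")
    if xfp:
        return xfp.split(",")[0].strip().lower()
    cfv = environ.get("HTTP_CF_VISITOR")
    if cfv:
        try:
            scheme = json.loads(cfv).get("scheme")
        except (ValueError, AttributeError):
            return None
        return scheme.lower() if isinstance(scheme, str) else None
    return None


def hop_status(environ):
    """Classify the two hops from the origin's point of view.

    end_to_end         visitor -> proxy and proxy -> origin both over TLS
    half_encrypted     visitor saw a padlock, but the proxy reached us in the clear
    plaintext          no TLS on either hop
    visitor_plaintext  TLS to the origin, but the visitor's own hop was plain HTTP
    direct_<scheme>    no usable proxy header: only this hop's scheme is known
    """
    origin_hop = environ.get("wsgi.url_scheme", "http").lower()
    visitor = visitor_scheme(environ)
    if visitor is None:
        return "direct_" + origin_hop
    if origin_hop == "https":
        return "end_to_end" if visitor == "https" else "visitor_plaintext"
    return "half_encrypted" if visitor == "https" else "plaintext"


def require_encrypted_hop(app):
    """WSGI middleware: refuse a request whose visitor-facing hop was HTTPS while
    the proxy-to-origin hop was plaintext. This is the origin operator's side of
    the choice: the half-encrypted configuration fails loudly instead of
    silently presenting a padlock it cannot back up."""
    def wrapped(environ, start_response):
        if hop_status(environ) == "half_encrypted":
            body = b"origin refuses plaintext backhaul for an HTTPS visitor\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped


def hello_app(environ, start_response):
    body = b"hello\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


guarded_app = require_encrypted_hop(hello_app)


def call(app, environ):
    """Invoke a WSGI app without a server; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(f"{name:16} -> {hop_status(env):16} {call(guarded_app, env)[0]}")
```

Two caveats a practitioner would apply before relying on this. The forwarded headers are only meaningful if the origin listener accepts connections solely from the proxy's address ranges (or authenticates the proxy with a client certificate); on an open listener anyone can send X-Forwarded-Proto: https, so the only field the origin can trust unconditionally is its own wsgi.url_scheme. And the middleware runs after the request has already crossed the plaintext hop, so it does not retroactively protect that request; its value is that a misconfiguration of the kind quoted above surfaces as a hard error to the site operator rather than as a padlock to the visitor.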