by apecat 3627 days ago
The headline provided is hardly a fair description of the content of the article. Matthew Prince, CEO of Cloudflare, just states the technical facts of how a https->http proxy works in the context of present day surveillance.

One might argue that Cloudflare’s UI should be a bit more forthcoming and warn customers against blindly turning on what they call "Flexible SSL", which is the issue here. I’m of the opinion that this behavior creates a false sense of security for end users.

A few days ago, I made this humble argument as a reply to John Graham-Cumming, @jgrahamc, an industry rockstar who works at Cloudflare. https://news.ycombinator.com/item?id=12094057

Flexible SSL is Cloudflare’s term for enabling SSL from the proxy servers to the client, when no encryption is present in the connection back to the origin server. This can protect against things like ISP level snooping, or code insertion and curious local network admins. But it undermines the perceived benefits of https, without the end user knowing.

I personally choose to never activate Cloudflare's SSL without origin SSL, for the reason I stated above: regular people trust that "green lock" in their browser.

But then, there are those who argue that any SSL use through something like Cloudflare muddies the water, as a service like this acts as a Man in the Middle out of necessity. Furthermore, CDN providers like Cloudflare are by their very nature entrusted with a lot of data which they could mine for nefarious purposes, or leak to local authorities. Another black box to trust, sadly.

This matters for a lot more people than one might assume. One of the central points of CDNs is of course that they try to find the closest/fastest Point of Presence/data center. And now, unfortunately, my residential ISP here in Helsinki, Finland (TeliaSonera) routes me to Cloudflare’s new Moscow PoP/data center most of the time.

Previously, my Cloudflare traffic got routed to their Stockholm PoP, as is still the case with other local ISPs I use at work, on mobile etc. For TeliaSonera, Moscow just happens to be the best route at the moment.

This, in turn, causes me to feel slightly more creeped out about potential Russian mass surveillance targeting than I did previously about the Swedes, Germans and other Western actors. Just my personal preference. Also, one would have to ask how Cloudflare will handle Russia’s new, totally batshit anti-crypto legislation (https://www.theguardian.com/world/2016/jun/26/russia-passes-...).

In this case, I’m in luck, because CEO Matthew Prince recently said that Helsinki, Finland will get its own PoP "very soon" (https://blog.cloudflare.com/brussels/).

But all of this is of course something to keep in mind for internet users: their traffic might take unexpected routes, through areas with totally batshit laws. You can check which Cloudflare PoP you are currently served by through the URL below. "Colo" marks the data center, named after the closest airport. https://www.cloudflare.com/cdn-cgi/trace

With all this said, I’m still a loyal user and customer of Cloudflare’s, despite the inherent problems and the ongoing issues Tor users face.

I would go as far as to say that Cloudflare is something of a dream machine for someone like me who supports a bunch of websites, varying from small to quite heavy on traffic, while still having other work to attend to.

Combining Cloudflare and basic disk based caching found in CMSs, you really can do things like viral web content very cost efficiently. And you get a little help against automated CMS vulnerabilities without paying for their full DDoS protection.
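The PoP check the post describes, turned into a small monitoring script, as an added example that is not part of the post and not Cloudflare's own code. It parses the plain-text `key=value` output of `/cdn-cgi/trace` and reports whether the serving `colo` is one the operator expects. The sample trace is constructed, the "expected" PoP set and the airport codes it uses (HEL for Helsinki, ARN for Stockholm, DME for Moscow) are assumptions chosen to match the post, and the `tls` field only describes the client-to-edge leg, so it says nothing about whether the edge-to-origin hop is encrypted (the Flexible SSL issue the post raises).

```python
"""Parse Cloudflare's /cdn-cgi/trace output and flag an unexpected PoP.

Added example, not from the Hacker News post or from Cloudflare. The trace
endpoint returns plain-text key=value lines; `colo` names the serving data
center by its nearest airport code.
"""
from typing import Dict, Set
import urllib.request

TRACE_URL = "https://www.cloudflare.com/cdn-cgi/trace"

# Constructed sample in the endpoint's key=value format. Values are made up;
# field names other than colo/loc/tls/visit_scheme are only illustrative.
SAMPLE_TRACE = """\
fl=0f000
h=www.cloudflare.com
ip=203.0.113.7
ts=1469000000.123
visit_scheme=https
uag=example-agent/1.0
colo=DME
http=http/2
loc=FI
tls=TLSv1.2
sni=plaintext
"""

# Assumed airport codes for the PoPs named in the post.
HELSINKI, STOCKHOLM, MOSCOW = "HEL", "ARN", "DME"


def parse_trace(text: str) -> Dict[str, str]:
    """Turn key=value lines into a dict, skipping blank or malformed lines."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip()
    return result


def check_pop(trace: Dict[str, str], expected_colos: Set[str]) -> Dict[str, object]:
    """Report which colo served the request and whether it is an expected one.

    `client_leg_tls` reflects only the browser-to-edge connection; the trace
    cannot tell you whether the edge talks to the origin over TLS.
    """
    colo = trace.get("colo", "")
    return {
        "colo": colo,
        "expected": colo in expected_colos,
        "client_country": trace.get("loc", ""),
        "client_leg_tls": trace.get("tls", "") or None,
    }


def fetch_trace(url: str = TRACE_URL, timeout: float = 5.0) -> str:
    """Fetch the live trace (needs network); the offline sample is used below."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Expected set mirrors the post: Helsinki or Stockholm fine, Moscow not.
    report = check_pop(parse_trace(SAMPLE_TRACE), {HELSINKI, STOCKHOLM})
    print(report)
```

Run it periodically from each network you care about (home ISP, office, mobile) and alert when `expected` turns false; swapping `SAMPLE_TRACE` for `fetch_trace()` gives the live answer.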