by zaroth
3188 days ago
I assume that's the point. With Anycast I don't think you have the choice of not georeplicating the STEK. And latency is one of their biggest selling points. So you could say they are trying to make the best of a bad situation. It is absolutely bizarre that the STEK-encrypted session key is not itself sent inside the session encrypted channel.
This is a choice Cloudflare is making in favor of performance, and it seems sort of risky with respect to a well-funded global adversary. This makes persistent access to any single endpoint server incredibly valuable.

But maybe regional STEKs are impractical from a performance perspective. I assume Cloudflare has performance measurements to justify this choice. I'd be interested to read a blog post about it.