by neuland 3023 days ago
Genuinely asking: isn't it true that Cloudflare gets to see the plaintext traffic of sites that it proxies?

Even if Cloudflare is a big champion of better encryption and is currently not doing anything shady with this ability, it's a concerning power for one organization to have.

(Of course, if Cloudflare doesn't see the plaintext, then disregard)

2 comments

Isn't that true of essentially any IaaS provider? Heroku or AWS could access anything running on your machine just by instrumenting their virtualization system if they cared to.

Part of the move to the cloud was the decision that well-organized companies with large security teams can do a better job protecting internet resources than the vast majority of individuals. Cloudflare is just that, for cache/firewall/etc. appliances; I don't see the difference.

That's a really good point. Unless you're using plain VMs, you're either giving your SSL keys to the provider or having them set up SSL for you.

Didn't really think about how many services do this: AWS' ELB, any serverless service, Heroku and other PaaS services, etc.

>Unless you're using plain VM

Even a plain VM is easily observable for whoever is hosting it. At the end of the day you have to either trust your service providers or do it yourself, whether that's securing your network infrastructure or emptying the trash can next to your desk.

That's absolutely true. Just not something I think of regularly, because I'm on all private infrastructure.

I hope this doesn't sound rude, but the number of people who mention Cloudflare as some kind of MITM threat and then also use a cloud provider with elastic load balancer and god knows what else at the same time is staggering - and just plain frustrating.

I'm personally not offended. All my stuff is on a private, on-prem OpenStack. So, I'm not very hip to the public offerings and what trust they entail.

It does with its free offering. It has a paid version that does not MITM the connection, IIRC.
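The distinction the thread keeps circling, a provider that terminates TLS on your behalf ("giving your SSL keys to the provider") versus one that only relays TCP, can be made concrete on a loopback network. The following is an added example written for this page; it is not code from any commenter, from Cloudflare or from AWS. It generates a throwaway self-signed certificate for the hypothetical name origin.example, runs an origin that echoes what it receives, and pushes a constructed sample payload through two proxies built from the same relay routine. The proxy that holds the certificate's private key (the terminating model) records the request in the clear; the proxy with no key (the passthrough model) records only TLS records, yet still learns the hostname, because SNI travels unencrypted in the ClientHello. The hostname, the payload and the loopback port layout are all assumptions of the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Constructed sample payload; the question is who can read it between the client and the origin.
const secret = "card=4111111111111111&cvv=123"

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert makes a throwaway self-signed certificate for the hypothetical name origin.example and
// returns a server config holding its private key plus a client config that trusts only that cert.
func newCert() (srv, cli *tls.Config) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"origin.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	srv = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	return srv, &tls.Config{RootCAs: pool, ServerName: "origin.example"}
}

// relay starts a proxy on a fresh loopback port. With cfg it terminates TLS (it holds the site's
// key); with nil it is a plain TCP relay. Per client it dials upstream, copies bytes both ways
// and, once the client hangs up, reports everything the client side delivered on seen.
func relay(cfg *tls.Config, dial func() (net.Conn, error), seen chan<- []byte) string {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	if cfg != nil {
		ln = tls.NewListener(ln, cfg)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			up, err := dial()
			check(err)
			go func() { io.Copy(c, up); c.Close() }() // upstream -> client
			go func() {                                 // client -> upstream, recorded as this proxy sees it
				var saw bytes.Buffer
				io.Copy(io.MultiWriter(&saw, up), c)
				up.Close()
				if seen != nil {
					seen <- saw.Bytes()
				}
			}()
		}
	}()
	return ln.Addr().String()
}

// send opens a TLS session to addr as the end user would, writes the secret and waits for the echo.
func send(cli *tls.Config, addr string) {
	c, err := tls.Dial("tcp", addr, cli)
	check(err)
	defer c.Close()
	fmt.Fprint(c, secret)
	c.Read(make([]byte, 4096)) // one record back is enough to know the request went through
}

// Run pushes the same secret through a terminating proxy and a passthrough proxy and returns the
// bytes each proxy observed on its client-facing side.
func Run() (terminatingSaw, passthroughSaw []byte) {
	srv, cli := newCert()
	origin := relay(srv, func() (net.Conn, error) { // the site's own server: terminates TLS, echoes via a pipe
		a, b := net.Pipe()
		go func() { io.Copy(b, b); b.Close() }()
		return a, nil
	}, nil)
	termCh, passCh := make(chan []byte, 1), make(chan []byte, 1)
	// Terminating proxy (CDN/ELB model): holds the site's key, so it decrypts, reads and re-encrypts.
	send(cli, relay(srv, func() (net.Conn, error) { return tls.Dial("tcp", origin, cli) }, termCh))
	// Passthrough proxy (layer-4 model): has no key, so it forwards TLS records it cannot decrypt.
	send(cli, relay(nil, func() (net.Conn, error) { return net.Dial("tcp", origin) }, passCh))
	return <-termCh, <-passCh
}

func main() {
	term, pass := Run()
	fmt.Printf("terminating proxy read the secret: %t; passthrough proxy read the secret: %t, saw the SNI name: %t\n",
		bytes.Contains(term, []byte(secret)), bytes.Contains(pass, []byte(secret)), bytes.Contains(pass, []byte("origin.example")))
}
```

`go run` on the file prints true, false, true: the terminating relay has the plaintext form data, the passthrough relay has only ciphertext but still knows the client asked for origin.example. That is the whole trade-off in one place: a terminating CDN or load balancer can read (and alter) everything because it owns a key the client trusts; a layer-4 pass-through cannot, but it still sees metadata such as SNI, and, as the VM comments above point out, whoever runs the box the origin lives on can read the plaintext there anyway.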