by neuland 3023 days ago
That's a really good point. Unless you're using plain VMs, you're either giving your SSL keys to the provider or having them set up SSL for you.

Didn't really think about how many services do this: AWS' ELB, any serverless service, Heroku and other PaaS services, etc.

2 comments

>Unless you're using plain VM

Even a plain VM is easily observable for whoever is hosting it. At the end of the day you have to either trust your service providers or do it yourself, whether that's securing your network infrastructure or emptying the trash can next to your desk.

That's absolutely true. Just not something I think of regularly, because I'm on all private infrastructure.

I hope this doesn’t sound rude, but the number of people who mention Cloudflare as some kind of MITM threat and then also use a cloud provider with elastic load balancer and god knows what else at the same time is staggering - and just plain frustrating.

I'm personally not offended. All my stuff is on a private, on-prem OpenStack. So, I'm not very hip to the public offerings and what trust they entail.