Hacker News
by auslander 2868 days ago
> doing exactly what the company that's using them asked them to do

But how can I, a website user, know it? Given how many sites are served by CF, my private, decrypted data can be aggregated and I would have no clue.

For ISPs, use a VPN. And I doubt (seriously) AWS (Azure) has means to do MITM, reading private keys from virtual machines? cmon.

Banking is a real bitch, agree :)

5 comments

Personally I trust that GDPR and its potentially enormous fines provide sufficient economic incentive for these big cloud companies to do the right thing.

That is to say I now believe that not only are Google, Cloudflare, Amazon not proactively sniffing traffic, but also that they'll have invested a massive amount of money making sure it's really hard to do undetected.

Of course I also fully expect that any one of them would give me up to law enforcement iff compelled by a court.

> And I doubt (seriously) AWS (Azure) has means to do MITM, reading private keys from virtual machines? cmon.

That's only if the website(s) are only using their IaaS offerings (which I doubt because they're crazy expensive compared to DO or Vultr) and not their PaaS offerings. With PaaS (think Heroku), they terminate the SSL and control the software for the HTTP server, not you.

Today, data is the new oil. If you have a legal tap to people's data - you're valued hundreds of billions.

Google and Facebook have legal taps, users willingly provide their chats, emails, links, likes, photos, connections, locations, because it's a great service and it's free. Both are Ad companies by main revenue, and it's vital for them to use people's data.

AWS, Azure, Apple are not Ad companies, their main revenue is paid infrastructure, paid software and paid hardware. Their customers are not users, but companies. Reputation risks of openly using the data tap themselves will ruin existing revenue. What companies are doing with users' data is not their concern. Apple is an exception, with a closed ecosystem, strong privacy and security and main income from hardware.

Cloudflare is something in between. They provide reverse proxy services, where your little site sits behind a huge wall, for free. Income comes from paid WAF security features and the ability to upload your own SSL certs to CF. In any case, you have to allow MITM of people's data.

Incentive for CF to use users' decrypted data is huge - it may shoot it up to the ranks of Google and Facebook, to $100x Billions. So I have my doubts if that data is not being harvested.

I think I've said too much already, shutting up :)

We've told you several times how to know it as a user. You just conveniently are skipping over it.

You posted the link to the source for Claire after making this comment. I said thanks above.

How many people using AWS, GCP or Azure are terminating TLS on their instances, instead of on the offered load-balancing services? How many services run (partially) not in VMs, but on PaaS (e.g. App Engine), load data directly from storage services (e.g. Firebase or S3), ...