[auslander]

> Cloudflare proxies about 10% of the Internet

... and strips SSL off on their side, so 10% of internet is, in fact, MITMed.

[ownagefool]

Be fair, this is configurable. So only 9.9% of the internet is probably MITMable.

(:

[auslander]

What is configurable, apart from not using CF?

[tialaramex]

CloudFlare's customers can choose whether the backhaul, between CloudFlare and their own web servers, is HTTP, HTTPS with a CloudFlare issued private certicate, or HTTPS using publicly trusted certs from the Web PKI.

If you choose either of the latter two options, bad guys can't MITM you, the middle option has the benefit that they can't even MITM you by subverting a public CA (since only CloudFlare's own certs are trusted) the latter option has the benefit that you can "just" switch off CloudFlare and your site now works as an ordinary HTTPS site with no changes, if you ever want to do that.

[auslander]

In all those options, CF still terminates (strips) SSL from user traffic to plaintext, on their platform, hence MITM by Cloudflare.

[detaro]

And other large parts of the internet are "MITMed" by AWS, Heroku, Microsoft Azure or other hosting companies then. For some reason people don't make the same argument in every thread about AWS though.

[auslander]

Well, AWS does not mess with html code, like this:

https://stackoverflow.com/questions/22775065/cloudflare-add-...

It's just my gut feeling, that CF might abuse its unique position, having access to large part of internet traffic in plaintext. What other CDN gives free services? Hint, why Google Analytics is free?

[gsich]

Is Cloudflare a hosting company?

[gsich]

Defaults matter. So you are probably right.

[seabee]

The majority of the Internet is MITMed nowadays.