[nullc]

> that's a pretty over the top accusation

I don't think the poster needed to allege that cloudflare offers free reverse-proxy services for diabolocal ends. The fact remains that they are a vulnerability so perfectly constructed that you couldn't do better intentionally.

Any major intelligence agency that isn't (/hasn't been) investing heavily in infiltrating cloudflare is incompetent.

[snowwrestler]

How is Cloudflare any different from a cloud service provider like AWS, Azure, Google Cloud, Linode, Digital Ocean, etc?

Those are also 3rd party companies who terminate TLS sessions on your behalf and thus have access to your private keys. Seems like they could secretly decrypt and copy your traffic at least as easily as Cloudflare could. Even leased managed hardware requires you to trust the company running the hardware for you.

You have to go all the way to installing and running your own hardware in a locked cage at a data center to even theoretically exclude all 3rd party access to your private TLS keys.

[bradknowles]

In this regard, don't compare them to AWS, Azure, Google Cloud, etc....

Cloudflare is a CDN, so compare them to Fastly, Akamai, and all the various other CDNs listed at https://en.wikipedia.org/wiki/Content_delivery_network

And yes, intelligence agencies would be incompetent if they haven't already implemented methods of penetrating CDN providers, or working on doing so. All of them, not just CloudFlare.

[snowwrestler]

Why would penetrating a CDN company be worse than penetrating a cloud hosting provider, when it comes to decrypting TLS traffic?

[nullc]

Among other things, it's much harder to get caught in interception on an MITM box. The user never has any kind of real visibility into system. One can also easily force users onto CDN/mitigation services with a simple DOS attack, it's a lot harder to get a target onto particular hosting.