| you're talking about "piecewise end-to-end". the "end"s are the _browser_ and the _origin_, and if there isn't a single secure channel that goes all the way between them, that's not "end to end". I mean take the "piecewise" argument to its natural conclusion. If the reason it's okay for you to be in the middle is that you're going to ensure that your request to origin is also encrypted, why should you be the only party in between that can decrypt the contents of the connection? Why not let the ISP also decrypt the contents? What about the layer 3 interconnect providers? How about your cable modem and your router (they're _probably_ patched 'enough' that it's safe to let them see your plaintext). I'm harping because misuse of the term "end to end" is _actually dangerous_ to real people. All of this is to say nothing of the fact that when you allow "middle-boxes", the client no longer has control over the ciphers that are used for the end-to-end connection, so they lose control over perfect forward secrecy. |
> but this is what cloudflare does!
yes, and it already caused one of the worst breaches in the short history of the internet https://news.ycombinator.com/item?id=13718752