by edandersen 1053 days ago
Chrome should start warning users if Cloudflare is used to protect a website, due to the risk of MITM.
3 comments

The biggest MITMer should complain about another service being an MITM? How much has Google now routed to go through themselves or be checked by them prior to serving your destination?

Bear in mind Google doesn't have a warrant canary because it is served literally hundreds or thousands of warrants per year, to the tune it's just called a transparency report to count them.

Okay, Firefox should start warning users.
How do you think any CDN works?
By MITMing traffic between you and the host. Maybe Firefox should display a warning when it detects intermediaries that could have decrypted the traffic between the host and you?
This seems like a useless warning.

The owner of the domain has to choose to integrate a CDN. They implicitly trust the vendor who runs the CDN just like they implicitly trust the cloud provider that asserts their VPC between their server that terminates TLS and any API servers behind that which don’t use encryption for data in transit.

That's fine but the user has no way of knowing if a third party is party to the communications or not. Surely they should know?
Again - that seems like a useless warning.

A third party could mean a DBA, IT consultant, AWS support tech, CDN support tech, MSSP employee, cloud platform, etc. Those all come with different levels of risk, different contract terms, etc.

I’m trying to say that just saying the TLS connection is terminated by a vendor, who then creates another to the origin server, doesn’t tell you anything valuable from a security / risk standpoint. The CDN-fronted connection that shows the warning may be highly secure while a self-managed reverse proxy that terminates the TLS connection to another server owned and managed by the same person/org might be completely insecure. The warning is not a useful signal.

I guess you like those cookie warnings that pollute the Internet these days? Because this would be cookie warnings all over again. Any site that's reasonably popular uses a CDN to increase scalability, improve performance, and add reliability. Half the Internet would need a new pop-up warning that a CDN is in use. The last thing we need is yet another pop-up when a page loads....
It doesn't need to be a pop up. Just behave like an HTTP site ("not secure" warning) when you could be MITM'd between yourself and the entity you think you are communicating with.

If it turned out "End to end" encrypted chat went through a third party that even transiently had access to the plaintext version of the chat (like how Cloudflare works) you'd be apoplectic.

It's impossible to know if a third party had access to the plain text. Hell, even Cloudflare can be set up with actual end to end encryption where they can never see the contents of the traffic. Most users don't want that as they want CDN features that require decoding the data.
Do you want a similar warning on every site that the server might be compromised? Because I don't think that risk is smaller than the CloudFlare MITM risk.
I want a similar warning on any provider that is known to routinely MITM and send data unencrypted across the Internet. As far as I know that would only be sites hosted by Cloudflare and sites using certificates issued by the government of Kazakhstan. There's a difference between screwing up (and I wouldn't be against holding companies liable for that) and wilfully setting up a https:// URL that sends your requests unencrypted over the public Internet.
That's fair. It would be good for CloudFlare to force backend encryption.
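The last two comments turn on Cloudflare's origin ("backend") TLS setting, which the browser cannot observe but the zone owner can audit and enforce. The script below is an added example, not code from anyone in this thread or from Cloudflare. It assumes the Cloudflare v4 API zone setting `ssl` with the documented values off / flexible / full / strict; ZONE_ID and API_TOKEN are placeholders, and SAMPLE_RESPONSE is a constructed response body in the documented shape, so the audit part runs offline.

```python
"""Audit a Cloudflare zone's origin TLS mode and build the request that forces "strict".

Added example for the discussion above; not the commenters' or Cloudflare's own code.
Assumption: Cloudflare v4 API, GET/PATCH /zones/{zone_id}/settings/ssl, where
"value" is one of off / flexible / full / strict (as documented by Cloudflare).
"""
import json
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"

# Modes in which the edge-to-origin hop is plaintext or unauthenticated.
# Only "strict" encrypts the origin hop AND validates the origin certificate.
INSECURE_MODES = {
    "off": "TLS disabled at the edge; everything is plain HTTP",
    "flexible": "browser<->edge is HTTPS, but edge<->origin is plain HTTP over the public Internet",
    "full": "edge<->origin is TLS, but the origin certificate is not validated (MITM-able)",
}


def classify_ssl_mode(settings_response: dict) -> tuple[str, str]:
    """Return (mode, verdict) for a GET /zones/{id}/settings/ssl response body.

    verdict is "ok" for strict, otherwise a short explanation of the weakness.
    """
    if not settings_response.get("success", False):
        raise ValueError(f"API call failed: {settings_response.get('errors')}")
    mode = settings_response["result"]["value"]
    if mode == "strict":
        return mode, "ok"
    if mode in INSECURE_MODES:
        return mode, INSECURE_MODES[mode]
    raise ValueError(f"unknown ssl mode {mode!r}")


def build_enforce_request(zone_id: str, api_token: str) -> urllib.request.Request:
    """Build (but do not send) the PATCH that sets the zone's ssl mode to strict."""
    body = json.dumps({"value": "strict"}).encode()
    req = urllib.request.Request(
        f"{API_BASE}/zones/{zone_id}/settings/ssl",
        data=body,
        method="PATCH",
    )
    req.add_header("Authorization", f"Bearer {api_token}")
    req.add_header("Content-Type", "application/json")
    return req


def enforce_strict(zone_id: str, api_token: str) -> dict:
    """Send the PATCH (network call; only used when run as a script)."""
    with urllib.request.urlopen(build_enforce_request(zone_id, api_token)) as resp:
        return json.load(resp)


# Constructed sample of a GET .../settings/ssl response for a zone left on "flexible".
SAMPLE_RESPONSE = {
    "success": True,
    "errors": [],
    "messages": [],
    "result": {"id": "ssl", "value": "flexible", "editable": True},
}

if __name__ == "__main__":
    mode, verdict = classify_ssl_mode(SAMPLE_RESPONSE)
    print(f"zone ssl mode: {mode} -> {verdict}")
    if verdict != "ok":
        # Placeholders; replace with a real zone id and an API token scoped to Zone:Settings:Edit.
        ZONE_ID, API_TOKEN = "ZONE_ID", "API_TOKEN"
        req = build_enforce_request(ZONE_ID, API_TOKEN)
        print(f"would send {req.get_method()} {req.full_url} {req.data.decode()}")
        # enforce_strict(ZONE_ID, API_TOKEN)  # uncomment to actually apply it
```

"strict" requires the origin to present a certificate the edge will validate (a publicly trusted one or a Cloudflare origin CA certificate); switching a zone whose origin has no valid certificate will break it rather than silently downgrade, which is the point.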