[judge2020]

Same for Akamai, Cloudfront, Fastly, etc. Pretty much every business that wants to offload DDOS protection, caching,and some level of frontline security uses a proxying CDN.

An alternative is to keep all of your CDN assets on a CDN bucket on its own hostname, with your main secret-containing business apps on your own servers, but it costs a lot to manage this level of separation and the payoff is only protection against the theoretical attack of "NSA can't attack our users/spy on them". If the NSA ever did do this on a large enough scale or to target a particularly notable person, it's very unlikely it would be kept a secret for long, and the end-business that used Cloudflare et al. wouldn't be implicated whatsoever since every business uses one of the big CDN providers.

[bomewish]

They kept the other spying secret for a long time and it was only due to pretty heroic actions by one person that it got exposed. So I duno.

[bejk22]

That makes using https instead of http a lot less relevant.

[judge2020]

https is important for preventing spying by anyone else in between you and the server. ISPs, coffee shop owners, schools, etc used to spy on http traffic to see what people were doing/searching for, and ISPs like xFinity injected code into non-https pages to show "important messages" to users, e.g. going over your bandwidth limit[0].

The only weak link now is Cloudflare, which is still "less secure than a direct connection" (with respect to government spying, bugs[0], hackers, etc) but the threat level is drastically reduced.

0: https://blog.ryankearney.com/2013/01/comcast-caught-intercep...

1: https://news.ycombinator.com/item?id=13766339

[xk_id]

Is there a way to know when the encrypted content i send to a site is also being provided to Cloudflare?

[tcmb]

Isn't the SSL certificate being issued by Cloudflare a giveaway?

I'm guessing it's a sufficient condition, bit not a necessary one. I.e, a could be using Cloudflare's WAF with a SSL cert issued by somebody else.

[judge2020]

Cloudflare can issue from Google Trust Services/Digicert with ACM[0] and often does even without ACM (although maybe only for Business/Enterprise domains).

0: https://developers.cloudflare.com/ssl/edge-certificates/adva...

[viraptor]

Check the whois entry for the IPs that domain resolves to. If they belong to CloudFlare, they can see the plaintext traffic. Same for Akamai, Cloudfront and others.

[judge2020]

https://judge.sh/cdn-cgi/trace

https://news.ycombinator.com/cdn-cgi/trace

Every Cloudflare site will respond to this URI.

[tick_tock_tick]

No, just like there is no way to know if a site not fronted by cloudflare decided to send all traffic their after.

[EasyMark]

I too inject porn images, inverted images, backwards texst, etc in http back in the day for people piggybacking (without permission) off my wifi.

[cheekibreeki2]

All of the modern http performabce optimizations require https.

[anonym29]

Hardly! Nobody is forcing you to consent to MITM, you freely choose it every time you voluntarily use a website that utilizes one.

[anonym29]

To downvoters: please don't shoot the messenger. I'm not happy about the existence of Cloudflare (or their competitors who do the same thing) either.

That said, the choice is yours whether or not to use sites that utilize such untrustworthy MITM providers, like Cloudflare. There are even browser plugins that can automatically block connections to such untrustworthy entities.

This isn't an endorsement, and you should always review the source code of any browser extensions you're utilizing due to the risks extensions themselves can pose, but I personally use one called Cloud Firewall and it works great. (https://addons.mozilla.org/en-US/firefox/addon/cloud-firewal...)

[Dylan16807]

An extension that tries to to block cloudflare is getting closer to making your original statement true, but it's still not true.

There aren't obvious signs up front that a site is using cloudflare. Failure to spend time investigating is not "freely choosing it".

[anonym29]

>There aren't obvious signs up front that a site is using cloudflare.

You're joking, right?

It takes 2 seconds to click the padlock in your browser, click through once more, and see "Verified by: Cloudflare, Inc". You don't even need to view the certificate.

If 2 seconds and 2 clicks is too much time and effort, it's obviously not actually that important to the user in question.

[Dylan16807]

https://www.cloudflare.com/ssl/keyless-ssl/

https://developers.cloudflare.com/ssl/edge-certificates/cust...

It's not always that simple.