by judge2020 884 days ago
https is important for preventing spying by anyone else in between you and the server. ISPs, coffee shop owners, schools, etc used to spy on http traffic to see what people were doing/searching for, and ISPs like xFinity injected code into non-https pages to show "important messages" to users, e.g. going over your bandwidth limit[0].

The only weak link now is Cloudflare, which is still "less secure than a direct connection" (with respect to government spying, bugs[0], hackers, etc) but the threat level is drastically reduced.

0: https://blog.ryankearney.com/2013/01/comcast-caught-intercep...

1: https://news.ycombinator.com/item?id=13766339

2 comments

Is there a way to know when the encrypted content I send to a site is also being provided to Cloudflare?
Isn't the SSL certificate being issued by Cloudflare a giveaway?

I'm guessing it's a sufficient condition, but not a necessary one. I.e., a could be using Cloudflare's WAF with an SSL cert issued by somebody else.

Cloudflare can issue from Google Trust Services/Digicert with ACM[0] and often does even without ACM (although maybe only for Business/Enterprise domains).

0: https://developers.cloudflare.com/ssl/edge-certificates/adva...

Check the whois entry for the IPs that domain resolves to. If they belong to Cloudflare, they can see the plaintext traffic. Same for Akamai, Cloudfront and others.
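The check from the comment above, as an added example (not code from the thread): it tests resolved addresses against a snapshot of the ranges Cloudflare publishes at https://www.cloudflare.com/ips/, used here in place of a whois lookup so that it runs offline. The function names and sample addresses are constructed, and the range list is an assumption that can go stale and covers Cloudflare only.

```python
import ipaddress
import socket
import sys

# Snapshot of Cloudflare's published edge ranges (assumption: may be stale;
# refresh from https://www.cloudflare.com/ips/ before relying on it).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in """
173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13
104.24.0.0/14 172.64.0.0/13 131.0.72.0/22
2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32
2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32
""".split()]


def fronting_networks(addresses, ranges=CLOUDFLARE_RANGES):
    """Map each address to the published range containing it, or None."""
    result = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        result[addr] = next(
            (str(n) for n in ranges if n.version == ip.version and ip in n),
            None,
        )
    return result


def verdict(addresses):
    """'all', 'some' or 'none' of the addresses sit in the listed ranges."""
    hits = [net for net in fronting_networks(addresses).values() if net]
    if not hits:
        return "none"
    return "all" if len(hits) == len(addresses) else "some"


def resolve(hostname):
    """Return the sorted A/AAAA addresses for hostname (needs network)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Constructed sample addresses, used when no hostname is given.
    sample = ["104.16.1.1", "2606:4700::1111", "192.0.2.10"]
    addrs = resolve(sys.argv[1]) if len(sys.argv) > 1 else sample
    for addr, net in fronting_networks(addrs).items():
        print(f"{addr:40} {net or 'not in listed ranges'}")
    print("verdict:", verdict(addrs))
```

A "none" verdict only says the addresses are outside this list; it does not show that no third party handles the traffic.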
No, just like there is no way to know if a site not fronted by Cloudflare decided to send all traffic there after.
I too injected porn images, inverted images, backwards text, etc. in http back in the day for people piggybacking (without permission) off my wifi.