Hacker News new | ask | show | jobs
by xk_id 893 days ago
Is there a way to know when the encrypted content i send to a site is also being provided to Cloudflare?
4 comments
tcmb 893 days ago
Isn't the SSL certificate being issued by Cloudflare a giveaway?

I'm guessing it's a sufficient condition, bit not a necessary one. I.e, a could be using Cloudflare's WAF with a SSL cert issued by somebody else.

link
judge2020 892 days ago
Cloudflare can issue from Google Trust Services/Digicert with ACM[0] and often does even without ACM (although maybe only for Business/Enterprise domains).

0: https://developers.cloudflare.com/ssl/edge-certificates/adva...

link
viraptor 893 days ago
Check the whois entry for the IPs that domain resolves to. If they belong to CloudFlare, they can see the plaintext traffic. Same for Akamai, Cloudfront and others.
link
judge2020 893 days ago
https://judge.sh/cdn-cgi/trace

https://news.ycombinator.com/cdn-cgi/trace

Every Cloudflare site will respond to this URI.

link
tick_tock_tick 893 days ago
No, just like there is no way to know if a site not fronted by cloudflare decided to send all traffic their after.
link