[LoganDark]

They don't see the traffic unless they analyze the memory of your running server, because the SSL termination happens inside the server. Encrypted traffic passes through their network, which they don't have the keys for. Cloudflare, on the other paw, literally offers to do the SSL termination for you, as in they hold the private keys and perform the decryption on their servers that they control. Then they pass the decrypted traffic through their network in order to do things like "optimize" your images, or inject JavaScript into your pages. Website owners consent to this, but I guess the question here is whether users should need to consent to this website's traffic being handled in decrypted form by Cloudflare before that is actually done.

[viraptor]

They can see the traffic if you're using one of their load balancers. And even if not, snooping on VMs is pretty trivial. For example this project https://github.com/KVM-VMI/kvm-vmi makes it easy to look at memory / processes on a VM.

[LoganDark]

> They can see the traffic if you're using one of their load balancers.

Only if you let them manage the SSL connection. Load balancers can easily relay individual TCP connections that are encrypted - load balancing doesn't require decryption.

> And even if not, snooping on VMs is pretty trivial.

They'd have to go out of their way to do this, and this would probably be the end of them if it were ever found out. So it's safe to assume any provider who wants to continue existing will not be doing this.

[viraptor]

It's not that hard for VMI and harder than you think for network.

I did work for a public cloud and we did think of VMI for diagnostics and malware checks. Once deployed and automated, it would be trivial to reuse for other purposes. I don't expect public cloud to use that daily, but I'd be surprised if they didn't have the process ready.

On the other hand, you want to process the LB traffic as fast as you can and any monitoring/reporting delay would have bad effects. Reconfiguring the filters / sinks at runtime takes effort too.

With experience in both areas, I can tell you they're comparable overall. You have to go out of your way to do it, but it's not too far.