
What am I missing? They literally decrypt all the traffic to your website, do some stuff, then re-encrypt and send it on to your server.


Not an attack but certainly a person in the middle.

IAAL and advise on data protection and privacy.

Anecdotally I can tell you that the MitM aspect of Cloudflare and other similar providers is not well understood.

My impression is that a lot of people use these services without really understanding the implications.

For example, when you look at some of the risks that privacy laws are trying to protect against, especially access to data by foreign actors (including government agencies) without due process, use of these types of services changes the game.

Sometimes the benefits might outweigh the risks, but the decision to use these types of services should not be taken trivially.

That said, I routinely use Cloudflare for my personal projects.


And AWS has control of all of your servers and everything stored on them. If it's part of your systems architecture and how it's intended to work it isn't being attacked.

>They literally decrypt all the traffic to your website, do some stuff, then re-encrypt and send it on to your server.

That doesn't mean they are an attack. That is just how a CDN works.


Does CloudFlare proxy your website without your permission?


You're being needlessly pedantic. It might not be an attack in the usual sense, but it's a MITM "access point" and agencies like CIA/NSA/FBI would definitely have that kind of access. This access transforms Cloudflare's role into a de facto MITM "attack" on their customers and end users who didn't intend to share unencrypted data with 3-letter agencies.


I don’t think I’m being pedantic. In practice, the parent comment’s description is not that of a MITM attack, but how a proxy works. Proxies are everywhere, useful, and voluntary.

I just don’t understand how voluntary use of a proxy can be called a MITM attack.

I’m not saying I like the fact that CF is part of so much of the Internet, or that CF isn’t on some level a security risk. But that has nothing to do with being an MITM attack.


It doesn't, but it does proxy my connections to several websites without me having a chance to say no - in fact, without even telling me.


It’s always the website’s choice what infrastructure is used to serve the website, including whether a proxy is used. You don’t have a chance to say no if the website owner wants a proxy in front of their site. The web owner has a say in how they want their server to be connected.

In the same way, you can use a proxy to access sites, and the server cannot bypass that, either.


I know. I understand the tech and the business decisions behind all of this. I understand the value of a CDN.

It's still a MitM. It's a centralised entity that sees a huge share of the global Internet's traffic, unencrypted. I doubt most people are aware of that.

Someone in another comment mentioned AWS is one as well, and they're right. AWS, GCP and Azure all have TLS-terminating gateways of some kind.

Take Cloudflare, AWS, GCP and Azure, all USA companies bound by the CLOUD Act, and nearly all Internet traffic is immediately accessible by US authorities, unencrypted.

Makes the whole "think of the children" rhetoric being spun to pass anti-E2EE laws tame in comparison.



