Same for Akamai, Cloudfront, Fastly, etc. Pretty much every business that wants to offload DDoS protection, caching, and some level of frontline security uses a proxying CDN.
An alternative is to keep all of your CDN assets on a CDN bucket on its own hostname, with your main secret-containing business apps on your own servers, but it costs a lot to manage this level of separation and the payoff is only protection against the theoretical attack of "NSA can't attack our users/spy on them". If the NSA ever did do this on a large enough scale or to target a particularly notable person, it's very unlikely it would be kept a secret for long, and the end-business that used Cloudflare et al. wouldn't be implicated whatsoever since every business uses one of the big CDN providers.
https is important for preventing spying by anyone else in between you and the server. ISPs, coffee shop owners, schools, etc. used to spy on http traffic to see what people were doing/searching for, and ISPs like xFinity injected code into non-https pages to show "important messages" to users, e.g. going over your bandwidth limit[0].
The only weak link now is Cloudflare, which is still "less secure than a direct connection" (with respect to government spying, bugs[0], hackers, etc) but the threat level is drastically reduced.
Cloudflare can issue from Google Trust Services/Digicert with ACM[0] and often does even without ACM (although maybe only for Business/Enterprise domains).
Check the whois entry for the IPs that domain resolves to. If they belong to Cloudflare, they can see the plaintext traffic. Same for Akamai, Cloudfront and others.
To downvoters: please don't shoot the messenger. I'm not happy about the existence of Cloudflare (or their competitors who do the same thing) either.
That said, the choice is yours whether or not to use sites that utilize such untrustworthy MITM providers, like Cloudflare. There are even browser plugins that can automatically block connections to such untrustworthy entities.
This isn't an endorsement, and you should always review the source code of any browser extensions you're utilizing due to the risks extensions themselves can pose, but I personally use one called Cloud Firewall and it works great. (https://addons.mozilla.org/en-US/firefox/addon/cloud-firewal...)
>There aren't obvious signs up front that a site is using cloudflare.
You're joking, right?
It takes 2 seconds to click the padlock in your browser, click through once more, and see "Verified by: Cloudflare, Inc". You don't even need to view the certificate.
If 2 seconds and 2 clicks is too much time and effort, it's obviously not actually that important to the user in question.
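The two checks suggested in this thread (which network the site's IPs belong to, and who issued the certificate the browser's padlock shows) can be scripted. The following is an added example, not code from any commenter; the CDN address ranges in it are constructed placeholders (a real check would substitute the CDN's published address blocks, e.g. Cloudflare's list at https://www.cloudflare.com/ips-v4), and the functions that touch the network need an internet connection.

```python
"""Added example: does a hostname resolve into a proxying CDN's address
space, and which CA issued the leaf certificate the browser would see?"""
import ipaddress
import socket
import ssl

# Constructed placeholder ranges for the example (RFC 5737 / RFC 3849
# documentation space). Substitute a CDN's published address blocks here.
CDN_RANGES = {
    "ExampleCDN": [
        ipaddress.ip_network("203.0.113.0/24"),
        ipaddress.ip_network("2001:db8:c0::/48"),
    ],
}


def cdn_for_ip(ip, ranges=CDN_RANGES):
    """Name of the CDN whose address block contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ranges.items():
        if any(addr in net for net in nets):
            return name
    return None


def classify_addresses(addresses, ranges=CDN_RANGES):
    """Set of CDN names that any of the given addresses fall into."""
    found = {cdn_for_ip(a, ranges) for a in addresses}
    found.discard(None)
    return found


def issuer_fields(peercert):
    """Flatten the 'issuer' entry of an ssl.getpeercert() dict into a plain
    mapping, e.g. {'organizationName': 'Cloudflare, Inc', ...}."""
    return {key: value for rdn in peercert["issuer"] for key, value in rdn}


def resolve(hostname):
    """All A/AAAA addresses the hostname currently resolves to (network)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def leaf_issuer(hostname, port=443, timeout=5.0):
    """Connect with TLS and return the issuer of the presented leaf
    certificate (network). The default context verifies the chain, so an
    untrusted cert raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return issuer_fields(tls.getpeercert())


def report(hostname):
    """Human-readable summary combining both checks (network)."""
    addrs = resolve(hostname)
    cdns = classify_addresses(addrs)
    issuer = leaf_issuer(hostname)
    lines = [f"{hostname} resolves to: {', '.join(addrs)}"]
    if cdns:
        lines.append(f"  addresses belong to: {', '.join(sorted(cdns))} "
                     "(a proxying CDN terminates TLS, so it sees plaintext)")
    else:
        lines.append("  addresses not in any known CDN range")
    lines.append(f"  certificate issued by: "
                 f"{issuer.get('organizationName', '?')}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    print(report(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

An IP falling inside a CDN's range is the stronger signal: the issuer shown in the padlock only tells you who signed the certificate the edge presents, and a site fronted by a CDN can still carry a certificate from an unrelated CA (as another comment in this thread notes about Google Trust Services and DigiCert).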
It’s a CDN that caches content and it’s able to inject “are you human?” verification pages, it can rewrite content on demand (e.g. serve optimized images / html / JavaScript). It seems obvious to me that they have access and ability to modify all cleartext content in-flight.
It's a TLS termination proxy that decrypts and re-encrypts your TLS packets. Technically Cloudflare can read anything unless you add your own crypto layer on top of TLS.
Yes, that's how Cloudflare works. The TLS certificate for basically any website using Cloudflare "ends" at Cloudflare's servers. It's then either forwarded on to the actual servers in cleartext or re-encrypted with an internal company certificate (maybe signed internally as well) to pass the connection on to the actual servers. It was the easy way many companies who didn't have the expertise to do their own certificate management moved from the http world to the https world. They just handed it off to Cloudflare and kept their servers running http.
F5 Networks, my former employer, sells something similar, but it's a box (or virtual appliance) you put in your own data centers somewhere that dead-ends the connection instead.
It's entirely possible to have a proper SSL connection to a bogus hostname, that is showing the correct website and even interacts correctly.
Bogus MITM decrypts the traffic, logs it, then forwards the traffic once again encrypted to the destination server. Then does the reverse for the response.
"Look for the padlock" is only useful if the actual hostname is correct in the browser.
If I hosted news.ycombnator.com using this and you didn't notice that I could be proxying just like that. It's possible cloudflare has protections against this in place but doesn't every website on earth?
If Cloudflare have the certificate's private key and are advertising the A record, they have access to everything you send, from emails to credit card numbers.
Can you explain what you mean a bit more? My connection to eg my bank isn't decryptable by anybody but me and my bank (and their CDN which is serving their certificate). That is, eg, Verisign has root CA keys to sign the cert, and they could give me a cert that says they're my bank and I could make a new connection that they could decrypt, but the original connection to my bank can't be decrypted by their keys.