Cloudflare don’t host sites, but they do end up being a ‘man in the middle’ attack on any site they proxy for, regardless of where that site is nominally hosted. That ends up exposing all traffic on those sites to a US corporation, and ultimately the US government. Considering that Cloudflare proxy somewhere between 19% and 40% of all websites, I think that’s pretty alarming.
I don’t get the ‘man in the middle’ part. Is the ssl key for the encrypted https connection not from LW, but from cloudflare?
It’s still problematic that they have metadata of the connections.
But for https, isn’t the traffic supposed to be e2e encrypted between the client web browser and the server hosting the web page with the same cert? Does cloudflare decrypt and then re-encrypt the traffic data?
Thank you. So that’s why you ‘see’ a US IP address while the physical server may be located anywhere, e.g. in Germany.
By looking at their Wikipedia, I’ve already found out that Cloudflare doesn’t do hosting.
It’s not an attack if you pay for it.
For cloudflare to encrypt the traffic they need the key.