I was accessing a website today and checking the #SSL/#TLS certificate; it turns out it's from Amazon! That was a #FOSS project using a certificate from the #GAFAM family.

We know that #cloudflare, because it terminates TLS at its own edge before forwarding to the origin, sees everything the user does on a website, #unencrypted. [https://serverfault.com/a/662951]

TLS/SSL can be #MITM attacked by any organization powerful enough to obtain, or coerce, a certificate for the site from a certificate authority the client already trusts, exposing the plaintext, including user passwords. [https://wiki.openrightsgroup.org/wiki/TLS_interception , https://www.makeuseof.com/tag/what-is-root-certificate/ , https://security.stackexchange.com/a/71261]

Do you want to use your own self-signed certificate, pinned by the client instead of trusting the CA store, to protect against it? Too bad.

Popular software is gradually breaking, or dropping support for, this functionality in the name of security, or complaining that it is too complex to maintain. This includes free and open source projects.

Those projects suggest using #letsencrypt instead, which, being a Western organization, is not immune to coercion. So we are back to square one.

If we can't trust cloudflare, how can we trust HTTPS? And if we can't trust HTTPS, maybe it's time we started using something else, such as .onion or .i2p services, where the address itself is derived from the service's key and no CA is involved?

#hiddenservices #tor #i2p #i2pd #eepsites
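As an added example, not part of the original post: the protection an operator-controlled (for instance self-signed) certificate gives against a coerced CA is pinning. The client compares the public key the server presents with a value it already knows and ignores who signed the certificate. The script below is not from any of the projects mentioned; it assumes openssl and base64 are on PATH and generates throwaway certificates in a temporary directory. It computes the SPKI pin (the form curl --pinnedpubkey and HPKP use) for the operator's certificate, and shows that a second certificate for the same name but a different key, which is exactly what a coerced or compromised CA could issue, fails the check.

```shell
#!/bin/sh
# Added example: SPKI pinning with openssl. Assumes openssl and base64 exist;
# example.internal is a made-up hostname and both certificates are generated here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# spki_pin CERT.pem -> base64(SHA-256(SubjectPublicKeyInfo in DER)),
# the same value curl --pinnedpubkey "sha256//..." expects.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | base64
}

# cert_issuer CERT.pem -> who signed it (the check from the top of the post).
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253
}

# make_self_signed OUT.pem CN : throwaway self-signed certificate with a fresh key.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# check_pin CERT.pem EXPECTED_PIN : exit 0 if the presented key matches the pin,
# 1 otherwise. Note it never looks at the issuer or the chain.
check_pin() {
    [ "$(spki_pin "$1")" = "$2" ]
}

# The operator's own certificate: the one the real site serves.
make_self_signed "$WORK/site.pem" example.internal
PIN=$(spki_pin "$WORK/site.pem")
echo "issuer: $(cert_issuer "$WORK/site.pem")"
echo "pinned SPKI sha256: $PIN"

# Same subject name, different key: what an interception proxy backed by a
# coerced CA would present. The name matches; the pin does not.
make_self_signed "$WORK/rogue.pem" example.internal

if check_pin "$WORK/site.pem" "$PIN"; then echo "site.pem: pin OK"; fi
if ! check_pin "$WORK/rogue.pem" "$PIN"; then echo "rogue.pem: PIN MISMATCH, refuse to connect"; fi
```

Against a live server the same pin is applied with `curl --pinnedpubkey "sha256//$PIN" https://example.internal/`: curl still performs normal chain validation unless told otherwise, but a certificate that validates through any CA yet carries a different key is rejected, which is the property the post is asking for. The cost is the one the projects cite: the pin has to be distributed out of band and rotated whenever the key changes.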