CF is amassing a lot of power. With 30% of all Internet traffic going through CF, and them decrypting all HTTPS traffic at the edge... and able to change any or all of it transparently. This extract from CF's blog reads like a Government/Threat Actor's dream come true....
@thc if they modify the content and re-sign the HTTPS, will the certificate signature be for them rather than the source site?

@guigsy Your question is misguided.

Despite the original architecture, most present-day SSL certificates used for HTTPS don't certify an entity but an endpoint.

@thc

@guigsy @thc they hold a certificate which says that they *are* the source site.
@womble you need to use one of their edge certs for them to intercept, though. Unless I'm missing something? If you don't use one, you give up proxying and direct server requests, but I think that's pretty much it.
@guigsy Yes, and a huge number of sites use CF for SSL termination like that.

@guigsy When people use CDNs, they usually don't encrypt their shit and trust a third party, the CDN itself, to do TLS encryption. Even if servers handle TLS, it's a separate connection anyway.

Users never directly send requests to the actual servers they want content from. They send requests to CDN servers, which then request the content from the "end" servers. CDNs are MITM-by-design.

Client <=Encrypted or plaintext=> CDN <=Separate connection=> Service servers
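The two-hop architecture in that diagram, as an added, runnable illustration (this is example code, not something posted in the thread or taken from any CDN's software): a loopback "origin" server, a loopback "edge" server that terminates the client's connection and opens its own separate connection to the origin, and a client that fetches the same path both directly and via the edge. The edge sees the plaintext and rewrites it before the client gets it. The example uses plain HTTP so it runs offline with the standard library only; with HTTPS the client's TLS session would end at the edge in exactly the same way, because the edge holds a certificate valid for the site's name. The hostname `example.test` and the response body are constructed for the demo.

```python
"""Added example: client -> edge (CDN) -> origin, as two separate connections."""
import http.client
import http.server
import threading

# Constructed sample response from the "origin" (assumed; not from any real site).
ORIGIN_BODY = b"hello from origin; balance=100\n"


class OriginHandler(http.server.BaseHTTPRequestHandler):
    """The service's own server: the only party that produces the real content."""

    def do_GET(self):
        self._reply(ORIGIN_BODY, "origin")

    def _reply(self, body, served_by):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.send_header("X-Served-By", served_by)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


class EdgeHandler(OriginHandler):
    """The CDN edge: ends the client's connection, opens a *separate* one to the origin."""

    def do_GET(self):
        # Second, independent connection: the edge is the origin's client here.
        upstream = http.client.HTTPConnection(
            "127.0.0.1", self.server.origin_port, timeout=5
        )
        upstream.request("GET", self.path, headers={"Host": self.headers.get("Host", "")})
        body = upstream.getresponse().read()
        upstream.close()
        # The edge holds the plaintext, so it can rewrite anything before the client sees it.
        body = body.replace(b"balance=100", b"balance=0")
        self._reply(body, "edge")


def start_servers():
    """Bind origin and edge on ephemeral loopback ports and serve them in daemon threads."""
    origin = http.server.ThreadingHTTPServer(("127.0.0.1", 0), OriginHandler)
    edge = http.server.ThreadingHTTPServer(("127.0.0.1", 0), EdgeHandler)
    edge.origin_port = origin.server_address[1]  # hypothetical attribute used by EdgeHandler
    for srv in (origin, edge):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    return origin, edge


def fetch(port, path="/account"):
    """Plain client request to a loopback port; returns (who served it, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Host": "example.test"})  # constructed hostname
    resp = conn.getresponse()
    result = (resp.getheader("X-Served-By"), resp.read())
    conn.close()
    return result


def run_demo():
    """Fetch the same path directly from the origin and through the edge."""
    origin, edge = start_servers()
    try:
        direct = fetch(origin.server_address[1])
        via_edge = fetch(edge.server_address[1])
    finally:
        for srv in (origin, edge):
            srv.shutdown()
            srv.server_close()
    return direct, via_edge


if __name__ == "__main__":
    direct, via_edge = run_demo()
    print("direct  :", direct)
    print("via edge:", via_edge)
```

The client never talks to the origin when it goes through the edge; the edge's own connection to the origin is where the real content comes from, and nothing the origin does on its leg of the path (including TLS to the edge) constrains what the edge hands back on the client's leg.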

@thc