@pojntfx My memory is that this diagram was to show that TLS was not used internally within Google's environment, so even something like a SPAN port could be used to hoover plaintext. This is still an issue for many companies who deploy systems behind a load balancer/reverse proxy. Cloudflare's vulnerability is usually a tad different because the endpoint that people run should be protected with TLS, so the Cloudflare reverse proxy would itself have to be popped. I don't know their architecture, and whether the plaintext crosses an internal network or the decryption and re-encryption happen on the same device.