Cloudflare would need https keys so they could read all the content you worked so hard to encrypt. If I wanted to do bad shit I would apply at Cloudflare.
Comment on Why are anime catgirls blocking my access to the Linux kernel?
mobotsar@sh.itjust.works 2 weeks agoIs there a reason other than avoiding infrastructure centralization not to put a web server behind cloudflare?
bjoern_tantau@swg-empire.de 2 weeks ago
mobotsar@sh.itjust.works 2 weeks ago
Maybe I’m misunderstanding what “behind cloudflare” means in this context, but I have a couple of my sites proxied through cloudflare to prevent scrapers, and they definitely don’t have my keys.
starkzarn@infosec.pub 2 weeks ago
That’s because they just terminate TLS at their end. Your DNS record is “poisoned” by the orange cloud and their infrastructure answers for you. They happen to have a trusted root CA so they just present one of their own certificates with a SAN that matches your domain and your browser trusts it. Bingo, TLS termination at CF servers. They have it in cleartext then and just re-encrypt it with your origin server if you enforce TLS, but at that point it’s meaningless.
mobotsar@sh.itjust.works 2 weeks ago
Oh, I didn’t think about the fact that they’re a CA. That’s a good point; thanks for the info.
bjoern_tantau@swg-empire.de 2 weeks ago
Hmm, I should look up how that works.
poVoq@slrpnk.net 2 weeks ago
Yes, because Cloudflare routinely blocks entire IP ranges and puts people into endless captcha loops. And it snoops on all traffic and collects a lot of metadata about all your site visitors. And if you let them terminate TLS they will even analyse the passwords that people use to log into the services you run. It’s basically a huge survelliance dragnet and probably a front for the NSA.