Comment on Why are anime catgirls blocking my access to the Linux kernel?
bjoern_tantau@swg-empire.de 10 hours ago
Cloudflare would need https keys so they could read all the content you worked so hard to encrypt. If I wanted to do bad shit I would apply at Cloudflare.
mobotsar@sh.itjust.works 10 hours ago
Maybe I’m misunderstanding what “behind cloudflare” means in this context, but I have a couple of my sites proxied through cloudflare to prevent scrapers, and they definitely don’t have my keys.
starkzarn@infosec.pub 8 hours ago
That’s because they just terminate TLS at their end. Your DNS record is “poisoned” by the orange cloud and their infrastructure answers for you. They happen to have a trusted root CA so they just present one of their own certificates with a SAN that matches your domain and your browser trusts it. Bingo, TLS termination at CF servers. They have it in cleartext then and just re-encrypt it with your origin server if you enforce TLS, but at that point it’s meaningless.
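The mechanism described in the comment above, as an added Go example that is not part of this thread (the "Proxy Root CA" / "Origin Root CA" names and the example.com hostname are constructed): a CA the browser already trusts issues a leaf whose SAN matches your domain without ever holding your origin key, so a browser accepts it, while a client that pins the origin's own CA is the check that notices the termination.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a self-signed root CA when parent is nil, otherwise a server certificate for cn signed by parentKey.
func newCert(cn string, serial int64, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed
	} else {
		tmpl.DNSNames = []string{cn} // browsers match the SAN, not the CommonName
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Accepts reports whether a client that trusts only root would accept leaf when connecting to host.
func Accepts(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// Scenario models the thread: the proxy's browser-trusted CA issues its own leaf for host without ever touching the origin's key.
func Scenario(host string) (browserAccepts, pinnedClientAccepts bool) {
	proxyCA, proxyKey := newCert("Proxy Root CA", 1, nil, nil) // constructed stand-in for the CDN's public root
	originCA, _ := newCert("Origin Root CA", 2, nil, nil)      // constructed stand-in for the CA your origin uses
	proxyLeaf, _ := newCert(host, 3, proxyCA, proxyKey)        // SAN matches your domain, issued by the proxy
	return Accepts(proxyLeaf, proxyCA, host), Accepts(proxyLeaf, originCA, host)
}
```

Scenario returns (true, false): the browser-side check passes because the proxy CA is in its trust store, and only a client that compares the presented chain against the origin's expected issuer sees that someone else terminated the session.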
mobotsar@sh.itjust.works 5 hours ago
Oh, I didn’t think about the fact that they’re a CA. That’s a good point; thanks for the info.
bjoern_tantau@swg-empire.de 9 hours ago
Hmm, I should look up how that works.