Hmm, I should look up how that works.
Comment on Why are anime catgirls blocking my access to the Linux kernel?
mobotsar@sh.itjust.works 5 hours agoMaybe I’m misunderstanding what “behind cloudflare” means in this context, but I have a couple of my sites proxied through cloudflare to prevent scrapers, and they definitely don’t have my keys.
bjoern_tantau@swg-empire.de 5 hours ago
starkzarn@infosec.pub 4 hours ago
That’s because they just terminate TLS at their end. Your DNS record is “poisoned” by the orange cloud and their infrastructure answers for you. They happen to have a trusted root CA so they just present one of their own certificates with a SAN that matches your domain and your browser trusts it. Bingo, TLS termination at CF servers. They have it in cleartext then and just re-encrypt it with your origin server if you enforce TLS, but at that point it’s meaningless.
mobotsar@sh.itjust.works 1 hour ago
Oh, I didn’t think about the fact that they’re a CA. That’s a good point; thanks for the info.