I understand the point of they being able to issue the certificate, but's not the main point. For DNS entries that are proxied to Cloudflare, you should see a Cloudflare certificate on your browser. When you ping your site using the domain, you should see the requests passing through Cloudflare, as it is a man-in-the-middle by definition, and should encrypt the browser connection to cloudflare, and the encrypt the connection from cloudflare to your server and back again, making them the only tool capable of mass breaking SSL encryption on the internet
If it’s issued by the DNS level that’s actually a bigger problem because DNSSEC adoption is worse than SSL adoption before free SSL.
Okay, I'm totally unfamiliar with it. I'm surprised you're not getting a Cloudflare certificate on your browser when accessing a DNS entry that is proxied through them
Let it sink that Cloudflare has access to unencrypted data from 10% of the internet, and that it was created after an acquisition by the Department of Homeland Security, making it the only tool capable of mass breaking SSL communications for the data acquired through traffic-sniffing such as NSA
All good. There we actually do use Full (strict) - I explicitly chose to use CloudFlare for that SSL as it’s more or less purely presentational and the data is not sensitive.
I’d rather not give public details about the nature of all our security measures, etc. but that is not the case for all our domains.
I’ll agree with you now that CloudFlare has the ability, for the most part, to break SSL on many websites. But even without them specifically, I believe there would still be that risk with services or organizations such as Let’s Encrypt so I think if this is something that matters to you, you should really consider your suppliers.
I don’t know how much of that is useful data - e.g. I don’t at all use CloudFlare or third party SSL for API domains for example.
Finally, I don’t believe there is enough evidence to suggest that CloudFlare was created or is/was owned by the DHS.
I understand the DHS claim might be weak, but the founder of Cloudflare, Matthew Prince, said to a BBC reporter that Cloudflare started after DHS got really interested in the data he had built up with the Honeypot project, and DHS acquired it for the price that Matthew asked: 20k.
Five years later Mr Prince was doing a Master of Business Administration (MBA) at Harvard Business School, and the project was far from his mind, when he got an unexpected phone call from the US Department of Homeland Security asking him about the information he had gathered on attacks.
Mr Prince recalls: "They said 'do you have any idea how valuable the data you have is? Is there any way you would sell us that data?'.
"I added up the cost of running it, multiplied it by ten, and said 'how about $20,000 (£15,000)?'.
"It felt like a lot of money. That cheque showed up so fast."
Fast forward 1 and a half year from that call, and Cloudflare was a fully-fledged application integrated with tech giants such as Hostgator. They were tremendously efficient to develop the tool and commercialize it so fast. I think they got help.
All of those claims isolated don't tell much, but when you put everything together, a very clear picture appears. It's a picture that makes sense, based on observable facts, but yes, I'm fully aware it's a theory, that's one of the reasons why I asked those questions, to validate crucial aspects of this theory, such as the decryption power of Cloudflare.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
If it’s issued by the DNS level that’s actually a bigger problem because DNSSEC adoption is worse than SSL adoption before free SSL.
I understand the point of they being able to issue the certificate, but's not the main point. For DNS entries that are proxied to Cloudflare, you should see a Cloudflare certificate on your browser. When you ping your site using the domain, you should see the requests passing through Cloudflare, as it is a man-in-the-middle by definition, and should encrypt the browser connection to cloudflare, and the encrypt the connection from cloudflare to your server and back again, making them the only tool capable of mass breaking SSL encryption on the internet
Okay, I'm totally unfamiliar with it. I'm surprised you're not getting a Cloudflare certificate on your browser when accessing a DNS entry that is proxied through them
Take your company website for instance
dev-to-uploads.s3.amazonaws.com/up...
Sorry, I peeked your profile looking for this information
Let it sink that Cloudflare has access to unencrypted data from 10% of the internet, and that it was created after an acquisition by the Department of Homeland Security, making it the only tool capable of mass breaking SSL communications for the data acquired through traffic-sniffing such as NSA
All good. There we actually do use Full (strict) - I explicitly chose to use CloudFlare for that SSL as it’s more or less purely presentational and the data is not sensitive.
I’d rather not give public details about the nature of all our security measures, etc. but that is not the case for all our domains.
How did they got 10% of the internet? By making it free. Well, at this point just re-read the thread VERY carefully if you agree with my claim above
Actually putting this aside for a second - let’s consider Let’s Encrypt, who no doubt have far more control
So, what do you think, after all?
I’ll agree with you now that CloudFlare has the ability, for the most part, to break SSL on many websites. But even without them specifically, I believe there would still be that risk with services or organizations such as Let’s Encrypt so I think if this is something that matters to you, you should really consider your suppliers.
I don’t know how much of that is useful data - e.g. I don’t at all use CloudFlare or third party SSL for API domains for example.
Finally, I don’t believe there is enough evidence to suggest that CloudFlare was created or is/was owned by the DHS.
I understand the DHS claim might be weak, but the founder of Cloudflare, Matthew Prince, said to a BBC reporter that Cloudflare started after DHS got really interested in the data he had built up with the Honeypot project, and DHS acquired it for the price that Matthew asked: 20k.
Fast forward 1 and a half year from that call, and Cloudflare was a fully-fledged application integrated with tech giants such as Hostgator. They were tremendously efficient to develop the tool and commercialize it so fast. I think they got help.
All of those claims isolated don't tell much, but when you put everything together, a very clear picture appears. It's a picture that makes sense, based on observable facts, but yes, I'm fully aware it's a theory, that's one of the reasons why I asked those questions, to validate crucial aspects of this theory, such as the decryption power of Cloudflare.