undefined | Better HN

0 pointseli7y ago0 comments

It works perfectly well if your threat model is someone sniffing your wifi but not someone sniffing the backbone.

0 comments

Right. Doesn’t protect against the NSA but it protects against e.g. hackers snooping on unsecured WiFi or malicious actors creating a mitm WiFi access point to snoop on your traffic.

pbreit7y ago

Is there an attack vector on the Cloudflare to Server leg?

profmonocle7y ago

Sure. The intermediate network(s) could sniff the traffic (or the lines could physically be tapped). There could be a BGP hijack on the origin IP, or a DNS hijack if using a hostname as the origin.

But these types of attacks are a lot more advanced than a guy with a packet sniffer in a Starbucks, and will target different types of victims. I.E. if you run a small web forum, it's unlikely someone is going to perform a BGP attack to steal your users' passwords. And the types of ISPs between Cloudflare and AWS usually won't inject ads into HTTP traffic.

roywiggins7y ago

The NSA's MUSCULAR project was running physical taps on the fiber links that BigCorps were running between their own physical infrastructure. I'm sure they could find a way to get between CloudFlare the sites it terminates HTTPS for, if they really want to.

https://www.washingtonpost.com/world/national-security/nsa-i...

tyingq7y ago

Most likely would be a VPS or VLAN bug at a place like Digital Ocean, Linode, etc, that let you spy on neighbor VPS traffic. Not that it happens often, but there are historical bugs to escape VMs and/or containers. Once out, you could sniff traffic for the whole physical box.

Or a router/switch exploit. Create a monitor port and dump the traffic wherever you want.

j / k navigate · click thread line to collapse