undefined | Better HN

0 pointscharcircuit2y ago0 comments

Cloudflare is not a MitM attack. By that same logic AWS would be an even bigger MitM attack.

0 comments

What am I missing? They literally decrypt all the traffic to your website, do some stuff, then re-encrypt and send it on to your server.

james_in_the_uk2y ago

Not an attack but certainly a person in the middle.

IAAL and advise on data protection and privacy.

Anecdotally I can tell you that the MitM aspect of Cloudflare and other similar providers is not well understood.

My impression is that a lot of people use these services without really understanding the implications.

For example, when you look at some of the risks that privacy laws are trying to protect against, especially access to data by foreign actors (including government agencies) without due process, use of these types of services changes the game.

Sometimes the benefits might outweigh the risks, but the decision to use these types of services should not be taken trivially.

That said, I routinely use Cloudflare for my personal projects.

charcircuitOP2y ago

And AWS has control of all of your servers and everything stored on them. If it's part of your systems architecture and how it's intended to work it isn't being attacked.

>They literally decrypt all the traffic to your website, do some stuff, then re-encrypt and send it on to your server.

That doesn't mean they are an attack. That is just how a CDN works.

powersnail2y ago

Does CloudFlare proxy your website without your permission?

dns_snek2y ago

You're being needlessly pedantic. It might not be an attack in the usual sense, but it's a MITM "access point" and agencies like CIA/NSA/FBI would definitely have that kind of access. This access transforms Cloudflare's role into a de facto MITM "attack" on their customers and end users who didn't intend to share unencrypted data with 3-letter agencies.

1 more reply

cassianoleal2y ago

It doesn't, but it does proxy my connections to several websites without my me having a chance to say no - in fact, without even telling me.

1 more reply

udev40962y ago

That's a lie. Cloudflare decrypts HTTPS connections

hamandcheese2y ago

By that same logic, it would not be surprising to discover AWS working with the feds either.

adamgamble2y ago

You're right. That definitely wouldn't be surprising!

byndlimitsfy2y ago

This might be anticipated, it won't be a surprise.

Lammy2y ago

> By that same logic AWS would be an even bigger MitM attack.

Amazon HQ2, Arlington Virginia: https://en.wikipedia.org/wiki/Amazon_HQ2

pieter_mj2y ago

It's worse. You can't just start Mitm'ing regular encrypted internet traffic without compromised infrastructure. With Cloudflare everything is already in place.

j / k navigate · click thread line to collapse

0 comments

adamgamble2y ago

What am I missing? They literally decrypt all the traffic to your website, do some stuff, then re-encrypt and send it on to your server.

james_in_the_uk2y ago

Not an attack but certainly a person in the middle.

IAAL and advise on data protection and privacy.

Anecdotally I can tell you that the MitM aspect of Cloudflare and other similar providers is not well understood.

My impression is that a lot of people use these services without really understanding the implications.

Sometimes the benefits might outweigh the risks, but the decision to use these types of services should not be taken trivially.

That said, I routinely use Cloudflare for my personal projects.

charcircuitOP2y ago

And AWS has control of all of your servers and everything stored on them. If it's part of your systems architecture and how it's intended to work it isn't being attacked.

>They literally decrypt all the traffic to your website, do some stuff, then re-encrypt and send it on to your server.

That doesn't mean they are an attack. That is just how a CDN works.

powersnail2y ago

Does CloudFlare proxy your website without your permission?

dns_snek2y ago

1 more reply

cassianoleal2y ago

It doesn't, but it does proxy my connections to several websites without my me having a chance to say no - in fact, without even telling me.

1 more reply

udev40962y ago

That's a lie. Cloudflare decrypts HTTPS connections

hamandcheese2y ago

By that same logic, it would not be surprising to discover AWS working with the feds either.

adamgamble2y ago

You're right. That definitely wouldn't be surprising!

byndlimitsfy2y ago

This might be anticipated, it won't be a surprise.

Lammy2y ago

> By that same logic AWS would be an even bigger MitM attack.

Amazon HQ2, Arlington Virginia: https://en.wikipedia.org/wiki/Amazon_HQ2

pieter_mj2y ago

It's worse. You can't just start Mitm'ing regular encrypted internet traffic without compromised infrastructure. With Cloudflare everything is already in place.

j / k navigate · click thread line to collapse