Reminder: Cloudflare is a man in the middle, and decrypts all traffic and re-encrypts it using its own certificate.
Sometimes this is ok, for example Nostr events are effectively public, and relays can prevent DDOS. However it’s important to understand that the green certificate saying valid cert and encrypted in browsers does not mean private or 100% secure or true end-to-end without eavesdropping.
Their ‘malware detection’ capability is more likely there for dual-purpose surveillance. If you mature and roll out systems that mass spy on your population, flipping the switch from passive to active is easy.
If I was the government, I’d pay for a few (secret) contracts.
Replies (5)
This is one key reason why I consider self signed certificates superior to browsers with baked in trusts. There's literally no way that anyone can verify SSL certificates with their bank, online stores, etc.
Best to avoid Cloudflare. They are subverting the Internet under the guise of simplifying services for lazy devs.
If you pay enough you get keyless encryption with them, so they never see the inside. As much as I appreciate people bringing this important information to public scrutiny, it’s also important to be balanced and disclose it fully! 🐶🐾🫡
And I am not affiliated with them in any way, just a happy customer of some of their products.
https://www.cloudflare.com/ssl/keyless-ssl/
And of course I was wrong in one assertion, edge can and does see the traffic unencrypted. 🐶🐾🤦♂️🤦♂️🤦♂️
My main concern overall is really the white washing of what security you are actually getting, and what you are not as a user. When people can’t understand easily, they may think they have privacy and live in a sane world… when…
End to end used to mean best possible outcome (assuming the keys used were a sound curve) - and sadly today it’s entirely possible for ‘end to end’ to be something else entirely.
The extent of the scam used to be (and often still is) SSL certificate providers attaching ‘$500,000 encryption insurance’ as part of their sold certificates. A bogus, un-claimable feature used for marketing and to trick non-technical users into thinking they were highly secure and safe to use their credit card online (this is largely before the HTTPS push).
Cloudflare are certainly innovators - but in a very centralising way. Their business moat is tied to protecting and growing their centralised empire. Just like any other company, they can be coerced as a business to do a government’s bidding.
I’d almost go as far as marking websites or services that use Cloudflare as not a green lock or add a yellow spy glass - but really, browsers are too broken now, best to instead focus on their replacement.