• Neshura@bookwormstory.social
    link
    fedilink
    English
    arrow-up
    31
    ·
    4 months ago

    I’m sure this is definitely going to go how the regulator thinks it will go. What with Cloudflare being one of the driving factors behind e2e encrypting more and more of the HTTP stack, making it ever harder for ISPs and other 3rd parties to see inside the HTTP traffic.

    • 𝕸𝖔𝖘𝖘@infosec.pub
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      1
      ·
      edit-2
      4 months ago

      While true, to accomplish this, cf becomes a MitM, effectively making seeing encrypted traffic obsolete, as all traffic goes through cf unencrypted, before being re-encapsulated by cf again.

      Edit, maybe I wasn’t clear. It isn’t a MitM attack, but it is a MitM (by design, it must be). In the wrong hands or the wrong management or under the wrong government, it could be the attacker, as it’s in the perfect position to do so, but I highly doubt it will be in the current environment.

      • Neshura@bookwormstory.social
        link
        fedilink
        English
        arrow-up
        6
        ·
        4 months ago

        I think you have the wrong idea about what I was referencing. I’m not talking about Cloudflare Tunnels but their Encrypted Client Hello. While Cloudflare could intercept the inital ClientHello the rest of the HTTP traffic still is encrypted between Client and Server not between Client and Cloudflare. In that sense they have not turned into more of a MitM than they (or any other DNS Nameserver) were already anyway. So unless governments decide to completely dismantle the trust chain the internet works on they won’t be forced to fuck with ECH for anti-piracy either.

        But ultimately anything going over a public DNS Server is susceptible to being compromised. We simply trust that the providers don’t.

      • Natanael@slrpnk.net
        link
        fedilink
        English
        arrow-up
        5
        ·
        4 months ago

        CF has multiple options, you can use them as just a load balancer/firewall while handling your own TLS cert. I think most let them hold the cert so they can get CF caching services though