Is it? I have never used Cloudflare so I don’t know their exact feature set, but most of Cloudflares useful features require them to be able to act as your website (to display a 5xx error when your server is down, the “checking your browser” message, caching, compression, etc.). Most people use Cloudflare for those features (and they use it for easy https, which is kinda stupid since client<->cloudflare will be encrypted, but cloudflare<->server likely still goes through the internet over plain http).
Meta analysis of encrypted traffic is more powerful than you think. By analyzing things like the length and timing of requests and responses, researchers have been able to determine what search term a user typed (through the auto-completion suggestions being sent back), what images and videos are being viewed, which threads on a forum they accessed, among other things, without ever decrypting the HTTPS data.
Just wanna add that it’s impossible for them to have your encrypted messages if you use an HTTPS certificate from another CA.
Is it? I have never used Cloudflare so I don’t know their exact feature set, but most of Cloudflares useful features require them to be able to act as your website (to display a 5xx error when your server is down, the “checking your browser” message, caching, compression, etc.). Most people use Cloudflare for those features (and they use it for easy https, which is kinda stupid since client<->cloudflare will be encrypted, but cloudflare<->server likely still goes through the internet over plain http).
Meta analysis of encrypted traffic is more powerful than you think. By analyzing things like the length and timing of requests and responses, researchers have been able to determine what search term a user typed (through the auto-completion suggestions being sent back), what images and videos are being viewed, which threads on a forum they accessed, among other things, without ever decrypting the HTTPS data.