How so? If I'm hosting a server somewhere and clients directly connect to my server to establish a TLS connection, failing any vulnerabilities in the implementation, there's no MITM happening and the provider can't see the plaintext traffic. (Of course, since the server needs the certificate, the provider could in theory extract that certificate and establish a MITM proxy, but this isn't by design.)
Any VPS or virtual server cloud provider can potentially see the plaintext traffic - it's in plain text of the memory of their hardware and they could be looking at it. They technically could be scraping your SSL keys from memory, or scraping your SSL private key from disk (if unencrypted storage) and then decrypting a mirror of the network traffic elsewhere. That wouldn't be MITM but you are only protected from it if you are hosting your own physical server somewhere.
"End to end security" mentioned above is limited security when "your" endpoint is owned by and controlled by someone else.
Here’s an example of MITM by interception of automated certificate renewal downstream of a VPS hosted at Hetzner. The presumption is that it was a lawful intercept installed within Hetzner or one of their internet providers. https://news.ycombinator.com/item?id=37955264
How so? If I'm hosting a server somewhere and clients directly connect to my server to establish a TLS connection, failing any vulnerabilities in the implementation, there's no MITM happening and the provider can't see the plaintext traffic. (Of course, since the server needs the certificate, the provider could in theory extract that certificate and establish a MITM proxy, but this isn't by design.)
Any VPS or virtual server cloud provider can potentially see the plaintext traffic - it's in plain text of the memory of their hardware and they could be looking at it. They technically could be scraping your SSL keys from memory, or scraping your SSL private key from disk (if unencrypted storage) and then decrypting a mirror of the network traffic elsewhere. That wouldn't be MITM but you are only protected from it if you are hosting your own physical server somewhere.
"End to end security" mentioned above is limited security when "your" endpoint is owned by and controlled by someone else.
Here’s an example of MITM by interception of automated certificate renewal downstream of a VPS hosted at Hetzner. The presumption is that it was a lawful intercept installed within Hetzner or one of their internet providers. https://news.ycombinator.com/item?id=37955264