While OP is a bit hyperbolic here CloudFlare essentially is a Man In The Mittle. They serve your content via a CDN and cache it around the globe. If you use cloudflare, the SSL terminates at their servers, meaning that (theoretically) they could read al contents send via their network. While yes, you can put on you tinfoil hat and say that this is an central intelligences dream to have such a global man in the middle proxy there are no fact based reports that undermine cloudflare abusing their position.
They mostly make their money by selling you better services on their CDN such as image scaling etc.
There was a guy, Snowden or something, who got some first party reports. They stated that no magical quantum crypto breaking happened at global scale, keys were simply stolen, or backdoors were used to access clear text on sender or receiver.
Ephemeral keys (not stored for possible future leakage) quickly became the default, and assumptions about global data gathering changed. Then, all of a sudden, “free” service appears that makes all of TLS improvements, bug and small, practical and theoretical, useless. What a coincidence!
For some reason, you assume that people who have been stealing everything they can (because doing crime for the Big Guy is not a crime) consider this specific company untouchable. This is impossible. Every country in the world wants to have its spying capacity at maximum (following the shameless example), and to flex muscles at American services doing the same. The reason we only read about clashes over movie piracy and other petty stuff is because more serious matters have been discussed and dealt with.
Facebook offers “free” hosting and other services for individuals (social networks are poor walled versions of the Web). Cloudflare offers “free” CDN and other services for website owners. Actual business model is the same, lies are still lies.
Hyperbole is my middle name, but I just find it repulsive that CloudFlare breaks the chain of trust, and somehow everybody is just okay with that. I'm not saying it makes HTTPS pointless, but we've moved from end-to-end encryption to trust-me-bro. Is CloudFlare malicious? Probably not - at least not right now. But I think my browser should warn me that my connection is not E2E secure, because it's not.
All cloud services are in a similar position; they hold the private TLS keys and could reveal them in response to legal process, allowing active MITM (perfect forward secrecy prevents passive data theft without more intrusive realtime access to VM RAM).
Only a very specific configuration of "Confidential Computing" (based on AMD SEV or Intel TDX) where boot attestation is checked remotely before private keys are sent from an on-premise store (or a fully trusted hosted HSM) to the remote VM could prevent a cloud provider from intercepting private key material, and only then as far as boot attestation and SEV/TDX is trusted.
While OP is a bit hyperbolic here CloudFlare essentially is a Man In The Mittle. They serve your content via a CDN and cache it around the globe. If you use cloudflare, the SSL terminates at their servers, meaning that (theoretically) they could read al contents send via their network. While yes, you can put on you tinfoil hat and say that this is an central intelligences dream to have such a global man in the middle proxy there are no fact based reports that undermine cloudflare abusing their position.
They mostly make their money by selling you better services on their CDN such as image scaling etc.
There was a guy, Snowden or something, who got some first party reports. They stated that no magical quantum crypto breaking happened at global scale, keys were simply stolen, or backdoors were used to access clear text on sender or receiver.
Ephemeral keys (not stored for possible future leakage) quickly became the default, and assumptions about global data gathering changed. Then, all of a sudden, “free” service appears that makes all of TLS improvements, bug and small, practical and theoretical, useless. What a coincidence!
For some reason, you assume that people who have been stealing everything they can (because doing crime for the Big Guy is not a crime) consider this specific company untouchable. This is impossible. Every country in the world wants to have its spying capacity at maximum (following the shameless example), and to flex muscles at American services doing the same. The reason we only read about clashes over movie piracy and other petty stuff is because more serious matters have been discussed and dealt with.
Facebook offers “free” hosting and other services for individuals (social networks are poor walled versions of the Web). Cloudflare offers “free” CDN and other services for website owners. Actual business model is the same, lies are still lies.
Hyperbole is my middle name, but I just find it repulsive that CloudFlare breaks the chain of trust, and somehow everybody is just okay with that. I'm not saying it makes HTTPS pointless, but we've moved from end-to-end encryption to trust-me-bro. Is CloudFlare malicious? Probably not - at least not right now. But I think my browser should warn me that my connection is not E2E secure, because it's not.
All cloud services are in a similar position; they hold the private TLS keys and could reveal them in response to legal process, allowing active MITM (perfect forward secrecy prevents passive data theft without more intrusive realtime access to VM RAM).
Only a very specific configuration of "Confidential Computing" (based on AMD SEV or Intel TDX) where boot attestation is checked remotely before private keys are sent from an on-premise store (or a fully trusted hosted HSM) to the remote VM could prevent a cloud provider from intercepting private key material, and only then as far as boot attestation and SEV/TDX is trusted.
The one advantage for the little guy is that Cloudflare is a single surface attack vector.
If it comes to light they've been doing something actionable with your data, you have a target for revenge. (As in a lawsuit, not violence)