• @markstos
    link
    136 months ago

    One of the services they provide is free SSL certificates. As part of that, they have the private key to decrypt the traffic. They aren’t trying to hide that— this is true of any service that hosts the SSL cert for your site.

    • @[email protected]
      link
      fedilink
      26 months ago

      Does that mean it wouldn’t be an issue if you bring an SSL cert from say ZeroSSL but use Cloudflare for DNS, caching, DDoS protection etc?

      • @SirQuackTheDuck
        link
        46 months ago

        For DNS and DDoS protection that wouldn’t directly be an issue.

        For caching it would be breaking. You cannot cache what you cannot read (encrypted traffic can only be cached by the decrypting party).

      • @markstos
        link
        36 months ago

        It’s not who issues the cert that matters, it is who hosts it. Hosting it includes having the private key. You always have to trust your website host, full stop.

      • @markstos
        link
        36 months ago

        With what? HTTPS has to terminate the encryption somewhere and that place has to have the private key to do so.

        CloudFlare is providing the same service here as all other hosts of HTTPS websites do.

        • @[email protected]
          link
          fedilink
          0
          edit-2
          6 months ago

          Well, depends. If it’s hosted on AWS and HTTPS terminates there like it’s supposed to, Amazon could look inside, but a human being would have to personally hack your container and extract the data, so that’s a bit better. If it’s something more like Wix, though, sure. (Is Wix still a thing?)

          • @markstos
            link
            36 months ago

            If you use the AWS load balancer product or their certificates, they have access to the private key, regardless of whether you forward traffic from the LB to the container over HTTPS or not.

            If you terminate the SSL with your own certificate yourself, Amazon still installs the SSM agent by default on Linux boxes. That runs as root and they control it.

            If you disable the SSM agent and terminate SSL within Linux boxes you control at AWS, then I don’t think they can access inside your host as long as you are using encrypted EBS volumes encrypted with your key.

            • @[email protected]
              link
              fedilink
              16 months ago

              Obviously, I’ve never actually done this. Good to know.

              I’m starting to worry that HTTPS is entirely fake - in the sense that it’s purely decorative encryption that protects an insignificant part of the transaction. Like, maybe by design. The NSA’s been doing something all these years.

              • @markstos
                link
                16 months ago

                HTTPS is real and tested.

                • @[email protected]
                  link
                  fedilink
                  16 months ago

                  When used as intended, yes. What I mean is that in practice it may have been weakened, by promotion of services that use it in ways far from best security practices.