Cloudflare is a “potential” MITM: they claim not to read the traffic… but as a TLS terminator, they get the ability to read it without anyone’s knowledge.
Yes, and this is also true for AWS ALBs and any other hosted reverse-proxies that do SSL offloading/termination. Hell, it’s even worse for AWS in general, since they also have potential access to your databases and instances, never mind SecretsManager info that you just directly give them. It’s just such a weird thing to specifically only harp on Cloudflare like that site is.
Besides, the only real threat actor I can see them being worried about with CF is the USFG, since they’re the only ones I could see being able to compel CF to break their customer contracts like this. And if the USFG is your presumed threat actor, and you’re in the US, you’re not going to “out-security” them by avoiding Cloudflare.