Probably similar issues with other reverse proxy services. It gives users the impression that the connection to the site is secure when only the first hop is secure.
It's part of their business model for sites to use it for TLS without actually setting up TLS on their servers.
Conversation
One more reason why browsers moving to marking insecure connections as insecure rather than marking seemingly secure connections as secure is a nice change. Especially now that TLS *for the first hop* is the norm (not convinced the situation is as good as it appears due to this).
1
I get what you're saying, but nope! "the first hop" would be between your device & the local network router.
Encryption exists between your device & the IP address of the destination as resolved by DNS. How the "internal" network is configured from that point on is out of scope.
1
I'm clearly not talking about packet routing but rather load balancers / reverse proxies terminating TLS connections. I'm not talking about it as the first hop in a packet routing context. I also don't need someone to repeat what I wrote to me as if they're explaining something.
1
> Encryption exists between your device & the IP address of the destination as resolved by DNS.
TLS is an application layer protocol. The encryption is between an application and a server terminating the connection. It doesn't have to terminate at the initial resolved host.
1
Cloudflare terminates the TLS connection so that they can cache and modify headers / data as it passes through.
The whole point of my tweets was that this TLS connection is often only a first hop to a load balancer / reverse proxy sending the traffic over the internet again.
1
And the point of my tweet was to highlight that as a sweeping generalisation with virtually zero basis in fact - just having a pop at cloudflare because that seems to be what people do these days.
1
It's completely based in fact, is not a generalization and you went out of the way to misinterpret what I said and then explain what I wrote (incorrectly) to me.
TLS is an application layer protocol. I'm not talking about TCP/IP routing. Is your intent just to cause disruption?
2
I'm not talking about routing ether & you know it. You're just highlighting it to try and draw focus away from your veiled attempt at cloudflare bashing.
If you're not spreading FUD & it's all based in facts, then why are you "curious about statistics"?
1
I replied to this thread to add another caveat about TLS termination at reverse proxies / load balancers. What I wrote is relevant the initial tweet and accurate.
I think multiple people reading this would be similarly curious about configuration of CF origin server connections.
1
twitter.com/DanielMicay/st
As someone that is passionate about privacy/security and works on it full-time including auditing/hardening TLS implementations and configurations... why wouldn't I be curious about that? I really don't understand how what I said offended you so much.
Quote Tweet
Replying to @shanselman and @estark37
It also only covers the first hop of the connection. For example, many sites use Cloudflare without authenticated encryption from Cloudflare to their origin server. I'm curious about the statics on origin server encryption. How many sites use their Strict SSL configuration?
Yep. The first reply was fine. They would indeed be interesting stats.
It was the rest of the thread where you decended into FUD by implying that it's an almost universal setup and that most people are doing it the insecure way - without actually having those stats.
1
I didn't spread any FUD.
The default Cloudflare TLS mode is Full. Full does not provide authenticated encryption. It's insecure. I think that's a misleading name and a bad default.
No stats required to know that it's insecure by default and has to be configured to be secure.
1
1
Show replies