I get what you're saying, but nope! "the first hop" would be between your device & the local network router.
Encryption exists between your device & the IP address of the destination as resolved by DNS. How the "internal" network is configured from that point on is out of scope.
Conversation
I'm clearly not talking about packet routing but rather load balancers / reverse proxies terminating TLS connections. I'm not talking about it as the first hop in a packet routing context. I also don't need someone to repeat what I wrote to me as if they're explaining something.
1
> Encryption exists between your device & the IP address of the destination as resolved by DNS.
TLS is an application layer protocol. The encryption is between an application and a server terminating the connection. It doesn't have to terminate at the initial resolved host.
1
Cloudflare terminates the TLS connection so that they can cache and modify headers / data as it passes through.
The whole point of my tweets was that this TLS connection is often only a first hop to a load balancer / reverse proxy sending the traffic over the internet again.
1
And the point of my tweet was to highlight that as a sweeping generalisation with virtually zero basis in fact - just having a pop at cloudflare because that seems to be what people do these days.
1
It's completely based in fact, is not a generalization and you went out of the way to misinterpret what I said and then explain what I wrote (incorrectly) to me.
TLS is an application layer protocol. I'm not talking about TCP/IP routing. Is your intent just to cause disruption?
2
I'm not talking about routing ether & you know it. You're just highlighting it to try and draw focus away from your veiled attempt at cloudflare bashing.
If you're not spreading FUD & it's all based in facts, then why are you "curious about statistics"?
1
I replied to this thread to add another caveat about TLS termination at reverse proxies / load balancers. What I wrote is relevant the initial tweet and accurate.
I think multiple people reading this would be similarly curious about configuration of CF origin server connections.
1
twitter.com/DanielMicay/st
As someone that is passionate about privacy/security and works on it full-time including auditing/hardening TLS implementations and configurations... why wouldn't I be curious about that? I really don't understand how what I said offended you so much.
Quote Tweet
Replying to @shanselman and @estark37
It also only covers the first hop of the connection. For example, many sites use Cloudflare without authenticated encryption from Cloudflare to their origin server. I'm curious about the statics on origin server encryption. How many sites use their Strict SSL configuration?
1
Yep. The first reply was fine. They would indeed be interesting stats.
It was the rest of the thread where you decended into FUD by implying that it's an almost universal setup and that most people are doing it the insecure way - without actually having those stats.
1
I didn't spread any FUD.
The default Cloudflare TLS mode is Full. Full does not provide authenticated encryption. It's insecure. I think that's a misleading name and a bad default.
No stats required to know that it's insecure by default and has to be configured to be secure.
Cloudflare marks Flexible and above as secure. Flexible and Full are not secure. Only Full (strict) is secure. They could surface this via a header, but they don't. They don't convey the importance of using Full (strict), and it has to be explicitly configured. Not the default.
1
1
I brought up Cloudflare as an example because it's an extremely broadly used reverse proxy sending traffic over the internet to the origin server. It's not simply sending traffic over a 'trusted' internal network - which is a bad idea, but is a topic for another time and thread.
1