You see the problem. Yes, cloudflare decrypt the request from the browser, inspect it, then reencrypt it and send it to the host server. Then they take the response, decrypt that, inspect it, reencrypt it and send it to the browser.
Basically there are two TLS flows, one from the browser to cloudflare, and one from clourflare to the host server. Between those, on the cloudflare system, both the traffic and response are in plain text. That includes usernames, passwords (for HTTP basic auth anyway) and any sensitive data you send or receive.
Given that they front sonewhere between 19 and 40% of all websites, d£pending on whose stats you trust, that should be pretty alarming.
You see the problem. Yes, cloudflare decrypt the request from the browser, inspect it, then reencrypt it and send it to the host server. Then they take the response, decrypt that, inspect it, reencrypt it and send it to the browser.
Basically there are two TLS flows, one from the browser to cloudflare, and one from clourflare to the host server. Between those, on the cloudflare system, both the traffic and response are in plain text. That includes usernames, passwords (for HTTP basic auth anyway) and any sensitive data you send or receive.
Given that they front sonewhere between 19 and 40% of all websites, d£pending on whose stats you trust, that should be pretty alarming.
Thank you. I didn’t know that.