[concept question] proxied host vs. 3rd party content #15
Comments
Sure, waiting for @nym-zone. For the 3rd option I would reckon that any 3rd party content would be fetched by the browser through the initial non-proxied (true) TLS connection, but then my understanding might be wrong.
To clear up some confusion, first I must clarify the term “MITM”. Here is an ordinary TLS session, with everything working properly:

A “Man-in-the-Middle” (MITM) interposes himself and forms two different encryption sessions: one to you, and one to

There exist ready-made hacker tools such as

There are some ignorant people who set up TLS with self-signed certificates, claiming that any encryption is none at all. This is not true. When you have an encrypted TLS session, you know that you have a secure connection to somebody. But who is that somebody? Is it the server with which you believe you are communicating? Or is it a MITM, pretending to be that server? Certificates do stop amateur MITM attacks. But Cloudflare are the MITM professionals; they interpose themselves into a connection using a proper, “legitimate”

Now, examine one of Cloudflare’s own diagrams of how their system works. Look carefully at the boxes which say “Session key”, because that’s what you care about as a user: who has the session key.

For their enterprise customers, Cloudflare also has an option they call “Keyless SSL” in marketspeak. But that name is a lie, or rather, a half-truth. With “Keyless SSL”, Cloudflare does not get the server’s long-term asymmetric private key; the endpoint holds the private key, and provides in real time the digital signatures “authenticating” Cloudflare’s impersonation of them. However, Cloudflare still gets each and every session key, and that’s the part used for actual encryption and decryption of your session! Look again at who holds the “Session key”:

To better understand this, think in terms of connections and endpoints. TLS by design provides end-to-end encryption of a connection between one endpoint (you) and another endpoint (

Transport Layer Security (TLS) is a pseudo-transport-layer protocol (although technically, it operates on the application layer of the network stack, below the actual application). Whether you are connecting to a “first-party” or “third-party” server is a higher-level application-layer matter, irrelevant to TLS. If

This means that Cloudflare will be able to see what first-party site and pages you are visiting, via the HTTP

“Mixed content” with plain-HTTP embeds in an HTTPS site is bad for the same reasons, and it thus provides an instructive analogy here. In both cases, you are relying on a “secure” connection to the “first-party” site while that security can be partly or totally compromised by the insecure “third-party” content.

I hope this answers your questions.
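Added illustration for the first-party vs. third-party point made above (not part of the thread, nor of the extension's own code): a small Python script that lists the separate connections a page's embeds will cause the browser to open and labels each by origin. The sample page, hostnames and function names are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Tag/attribute pairs whose values make the browser open a connection of its own.
_URL_ATTRS = {"script": "src", "img": "src", "link": "href", "iframe": "src"}

class _ResourceCollector(HTMLParser):
    """Collects every URL the markup asks the browser to fetch."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = _URL_ATTRS.get(tag)
        self.urls += [v for k, v in attrs if k == wanted and v]

def origin_of(url):
    """(scheme, host, port) of a URL: each distinct origin is a separate TLS endpoint."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)

def classify_embeds(page_url, html):
    """Label each embedded resource 'first-party', 'third-party' or 'mixed-content'
    (plain HTTP inside an HTTPS page). A third-party embed never rides inside the
    first-party TLS session; the browser opens a new connection per distinct origin."""
    collector = _ResourceCollector()
    collector.feed(html)
    page_origin = origin_of(page_url)
    labels = {}
    for raw in collector.urls:
        absolute = urljoin(page_url, raw)  # resolves relative and "//host" refs
        origin = origin_of(absolute)
        if page_origin[0] == "https" and origin[0] == "http":
            labels[absolute] = "mixed-content"
        elif origin == page_origin:
            labels[absolute] = "first-party"
        else:
            labels[absolute] = "third-party"
    return labels

# Constructed sample page, not taken from the thread.
SAMPLE_PAGE_URL = "https://example.org/index.html"
SAMPLE_HTML = ('<link rel="stylesheet" href="/style.css">'
               '<script src="//cdn.example.net/lib.js"></script>'
               '<img src="http://example.org/banner.png">'
               '<iframe src="https://widgets.example.com/embed"></iframe>')

if __name__ == "__main__":
    for url, label in classify_embeds(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        print(f"{label:14s} {url}")
```

Each label marks a distinct TLS connection whose far endpoint (and any reverse proxy in front of it) is chosen by that resource's host, not by the first-party site.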
Not sure whether I fully grasp the concept of the extension and thus the question. To my humble understanding there could be the following scenarios, and please correct me where I am wrong:
Does this extension make a distinction between the three, considering the 3rd option may not constitute a MitM, at least to my understanding? Or is there no such distinction and either way such sites are flagged regardless as MitM?