Cloudflare pours cold water on ‘BGP weirdness preceded US attack on Venezuela’ theory

Cloudflare has poured cold water on a theory that the USA’s incursion into Venezuela coincided with a cyberattack on telecoms infrastructure. The theory came from red team engineer Graham Helton who, on his personal blog, noted that President Trump said the USA used “certain expertise” to turn off lights in the Venezuelan city …

  1. Anonymous Coward

    tinfoil hat time

    Worth considering that when using CF to proxy your service, SSL is not end to end, even using their strict SSL / TLS mode - data is encrypted using their cert - routed to CF -> DECRYPTED -> re-encrypted using origin server cert - routed to origin server.

    You may well have your own thoughts about what happens with the decrypted data on Cloudflare's servers.

    Anonymous coward because reasons.

    1. Anonymous Coward

      Re: tinfoil hat time

      You can take off your tinfoil hat. Every cloud DDoS service does exactly the same thing: Zscaler, Netskope, Cisco, Fortinet, Palo Alto Networks, Check Point, Imperva, etc.

      If you know of a way to examine the contents of a https connection without terminating the tls connection, examining it, and re-encrypting it, I'm sure any or all of those companies would pay to license your process.

      1. Furious Reg reader John

        Re: tinfoil hat time

        If there is a way to do it, you won't be able to buy a licence to use it from the NSA - that will be one they keep all for themselves.

      2. Anonymous Coward

        Re: tinfoil hat time

        The fact that their functionality is impossible to achieve any other way does not invalidate the potential for mischief by these providers, especially given the fact that they are subject to what is left of US laws.

        That doesn't mean they actually do this, that's why it's called potential :).

      3. Jellied Eel Silver badge

        Re: tinfoil hat time

        If you know of a way to examine the contents of a https connection without terminating the tls connection, examining it, and re-encrypting it, I'm sure any or all of those companies would pay to license your process

        Or put it back on. So El Reg is 104.18.4.143 which is-

        route: 104.18.0.0/20

        descr: Cloudflare, Inc.

        descr: 101 Townsend Street, San Francisco, California 94107, US

        origin: AS13335

        mnt-by: MNT-CLOUD14

        So https & tls connections are between you and Cloudflare, who terminate the connection and can thus inspect the packets.

    2. Doctor Syntax Silver badge
      Big Brother

      Re: tinfoil hat time

      "Anonymous coward because reasons."

      Why bother? They know who you are anyway.

      1. Anonymous Coward

        Re: tinfoil hat time

        TBH, I have no problem with the concept of being anonymous but still accountable. It's exactly the unaccountable part that is causing all the problems.

  2. Anonymous Coward

    BGP OTC (RFC 9234) is a nice feature, but I've had no traction when asking the major non-Chinese vendors if they plan to support it anytime soon; it's either "Not currently on the roadmap" or "We'll see if there's more customer requests for it before we do anything". The one that I really want to see prioritized, though - and it's also mentioned pretty prominently in the Cloudflare blog post - is ASPA, AS_PATH Authorization; which is like "RPKI but for AS_PATHs". Push your vendors for this one whenever you can. And check this presentation if you're interested in learning more: https://ripe91.ripe.net/programme/meeting-plan/sessions/30/VZNKWV/

    Anonymous so as not to dox my nick here to my colleagues. :-)
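
What the BGP OTC attribute (RFC 9234) named in the comment above does on each session, as an added example that is not part of the thread or any vendor's code. It follows the RFC's ingress and egress procedures; the function names, role strings and AS numbers (documentation range, constructed topology) are assumptions for illustration.

```python
"""RFC 9234 Only-to-Customer (OTC) checks, sketched for illustration.
Roles name the NEIGHBOUR's role on the session; ASNs are documentation values."""
from typing import Optional, Tuple

CUSTOMER, PROVIDER, PEER, RS, RS_CLIENT = "customer", "provider", "peer", "rs", "rs-client"

def otc_ingress(neighbor_role: str, neighbor_as: int,
                otc: Optional[int]) -> Tuple[bool, Optional[int]]:
    """Return (eligible, otc_after) for a route received from a neighbour."""
    if otc is not None:
        # OTC set means the route already travelled "down" or "sideways" once.
        if neighbor_role in (CUSTOMER, RS_CLIENT):
            return False, otc          # came back up from below: route leak
        if neighbor_role == PEER and otc != neighbor_as:
            return False, otc          # peer relaying someone else's route: leak
        return True, otc
    if neighbor_role in (PROVIDER, PEER, RS):
        return True, neighbor_as       # mark it on the way down/sideways
    return True, None                  # customer route, no marking needed

def otc_egress(neighbor_role: str, local_as: int,
               otc: Optional[int]) -> Tuple[bool, Optional[int]]:
    """Return (may_advertise, otc_sent) for a route about to be advertised."""
    if otc is not None:
        # Marked routes may only continue towards customers / RS-clients.
        return neighbor_role not in (PROVIDER, PEER, RS), otc
    if neighbor_role in (CUSTOMER, PEER, RS_CLIENT):
        return True, local_as
    return True, None

def simulate_leak() -> dict:
    """Constructed topology: AS64501 buys transit from AS64500 and AS64502."""
    # AS64501 learns a route from provider AS64500; ingress stamps OTC=64500.
    _, otc = otc_ingress(PROVIDER, 64500, None)
    # Compliant AS64501 tries to export it to its other provider AS64502.
    export_ok, _ = otc_egress(PROVIDER, 64501, otc)
    # If AS64501 leaks anyway, AS64502 sees OTC on a route from a customer.
    accepted, _ = otc_ingress(CUSTOMER, 64501, otc)
    return {"otc": otc, "export_ok": export_ok, "accepted_upstream": accepted}

if __name__ == "__main__":
    print(simulate_leak())
```

The leak is stopped twice: a compliant sender refuses the export, and a compliant receiver rejects it even if the sender does not.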

  3. TimMaher Silver badge
    Devil

    But… but..!

    Will no one think of the DNS?

  4. nobody who matters Silver badge

    Conspiracy theorists will always see a conspiracy.

  5. DS999 Silver badge

    Given how insecure SCADA implementations are

    The simplest solution is that their power companies were on the internet, and enough generation or grid resources were knocked offline to cause a domino effect taking everything down.

  6. Brl4n

    Majority of citizens are anti-Maduro so I would bet they just paid a mid level employee to cut the power.

  7. EnviableOne Silver badge

    Apply Occam's and Hanlon's razors to the situation, and someone done F*$k3d up a BGP update, and cyber command was a little sneakier or not actually involved...
