Hello, I am no security expert, but I fail to see how encrypting traffic between one's browser and CDN servers could possibly decrease security. A website using a CDN already trusts it, no matter what protocol is used. HTTPS can't make the situation any worse than it already is.
Best regards,
Maxim Nazarenko

On 4 December 2014 at 23:29, John Nagle <[email protected]> wrote:
> "HTTPS Everywhere" forces some changes in the way the Web works that
> reduce security. It creates the illusion of security, not the reality.
> While it seems a good concept, there's a dark side.
>
> Here's the problem. If everything is encrypted end to end, caching
> by ISPs and content delivery networks won't work. Those services
> are needed to make high-traffic sites work effectively.
> For those services to continue to work, they have to break the security,
> act as a man-in-the-middle, decrypt the content, cache it, and use
> deceptive SSL certificates to re-encrypt it. That's what they're doing.
>
> The largest content delivery networks which act as a
> man-in-the-middle are Cloudflare, Incapsula, and Edgecast. Security
> from browser to site ends at the CDN's servers. Data is in
> the clear at the CDN, and may be in the clear between the CDN
> and the host server, even if the connection from user to CDN
> is encrypted. Cloudflare calls this "Flexible SSL".
>
> We have a white paper on this, "Who am I Talking To?
> Ambiguities in secure certificates for web commerce":
>
> http://john-nagle.github.io/certscan/whoamitalkingto04.pdf
>
> This has names and numbers for MITM sites, obtained from a scan
> of all SSL certificates on the Web.
>
> Cloudflare alone has over 36,000 domains for which Cloudflare
> holds the SSL keys. This centralizes interception and makes it
> easier. Cloudflare, Inc. is fighting Government gag orders, and
> their CEO is angry about it.
> (http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/12/cloudflare-ceo-says-insane-nsa-gag-order-is-costing-u-s-tech-firms-customers/)
> So we have to assume they're being forced to help with interception.
>
> As with most security theater, overdoing security leads to
> workarounds which, in the end, result in less security.
>
> John Nagle
> SiteTruth
>
> _______________________________________________
> HTTPS-Everywhere mailing list
> [email protected]
> https://lists.eff.org/mailman/listinfo/https-everywhere
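The quoted mail's point, that "security from browser to site ends at the CDN's servers", is something a site owner or auditor can check for the browser-facing hop: if the certificate a host presents carries subjectAltName entries for many unrelated domains, TLS is being terminated on a shared edge rather than by the site itself. The script below is an added example written for this thread, not code from the thread or from any CDN; it inspects a certificate in the dictionary shape that Python's `ssl` module returns from `getpeercert()` and reports whether the cert covers the requested host and which SAN entries belong to other tenants. The sample certificates, host names and the "registrable part" heuristic (last two labels) are constructed assumptions for illustration. Note the caveat the thread itself raises: this only tells you where the client-facing TLS ends; whether the CDN-to-origin hop is encrypted ("Flexible SSL" or not) is invisible from the browser and must be verified on the origin side.

```python
import socket
import ssl
from typing import Any, Dict, List


def san_dnsnames(cert: Dict[str, Any]) -> List[str]:
    """DNS names from the subjectAltName field of a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(san_name: str, host: str) -> bool:
    """Minimal RFC 6125-style match: '*.example.com' covers one label only."""
    san_name, host = san_name.lower(), host.lower()
    if san_name.startswith("*."):
        return host.endswith(san_name[1:]) and host.count(".") == san_name.count(".")
    return san_name == host


def registrable_part(name: str) -> str:
    """Crude 'owning domain' heuristic (constructed assumption: last two labels).
    A real tool would consult the public suffix list."""
    return ".".join(name.lower().lstrip("*.").split(".")[-2:])


def classify_peercert(cert: Dict[str, Any], host: str) -> Dict[str, Any]:
    """Report whether `cert` covers `host` and whether it is shared with other tenants.
    'shared' is True when any SAN entry belongs to a different registrable domain,
    which is the signature of TLS terminating on a multi-tenant edge."""
    names = san_dnsnames(cert)
    own = registrable_part(host)
    foreign = sorted({n for n in names if registrable_part(n) != own})
    # issuer is a tuple of RDNs, each a tuple of (attribute, value) pairs
    issuer = {attr: val for rdn in cert.get("issuer", ()) for attr, val in rdn}
    return {
        "covers_host": any(name_matches(n, host) for n in names),
        "san_count": len(names),
        "foreign_names": foreign,
        "shared": bool(foreign),
        "issuer_org": issuer.get("organizationName", ""),
    }


def fetch_peercert(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, Any]:
    """Live lookup (not exercised offline): validated handshake, then the peer cert
    in the same dict shape the samples below use."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: a multi-tenant edge certificate (all names are placeholders).
SAMPLE_SHARED_CERT = {
    "subject": ((("commonName", "shared-edge-placeholder.invalid"),),),
    "issuer": ((("countryName", "XX"),), (("organizationName", "Example CA (constructed)"),)),
    "subjectAltName": (
        ("DNS", "*.example.com"),
        ("DNS", "example.com"),
        ("DNS", "*.cdn-edge-placeholder.invalid"),
        ("DNS", "shop.another-tenant.invalid"),
        ("DNS", "blog.third-tenant.invalid"),
    ),
}

# Constructed sample: a certificate issued only for the site's own names.
SAMPLE_DEDICATED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}


if __name__ == "__main__":
    for label, cert in (("shared", SAMPLE_SHARED_CERT), ("dedicated", SAMPLE_DEDICATED_CERT)):
        print(label, classify_peercert(cert, "www.example.com"))
```

Run as-is, the script only evaluates the two constructed certificates; `fetch_peercert("your.host")` plugs a live result into the same `classify_peercert` call. A "shared" verdict is not by itself a vulnerability, it is the fact the thread is arguing about: the party holding that certificate's private key, not the site, is the one decrypting the user's traffic.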
