Cloudflare’s “Keyless SSL” Feature violates trust and privacy.

SSL exists to ensure Privacy and Trust

SSL serves two purposes. Privacy and Trust. Both purposes are equal. Privacy means it encrypts your traffic, this ensures that packet sniffers on a public network can’t view your credit card number when you purchase something on Amazon. Trust means when you visit Amazon.com, you know that the responding server is actually Amazon.com

Without both Privacy and Trust, SSL is useless.

If you compromise either privacy or trust, the SSL certificate becomes completely worthless. Now your activities are at risk of being compromised, which is precisely what SSL exists to protect against.

KeyLess SSL violates both Privacy and Trust.

Cloudflare’s new feature “Keyless SSL” violates both privacy and trust. This dubious service operates by decrypting 100% of your web traffic between the server and Cloudflare’s network. That means Cloudflare can view your credit card numbers. All that is required is a Cloudflare employee to hide malicious code in their traffic inspection function and they could steal thousands or millions of credit card numbers in an hour.

Browsers should Declare all Cloudflare traffic “Insecure”.

The solution is simple. If SSL traffic comes from Cloudflare, one must assume that it has been decrypted and inspected during transit. This means it is not secure. Web Browsers need to declare this to the user. Traffic that comes from Cloudflare websites should be flagged as insecure, regardless of the SSL status.

Please share!

There are no comments

Your email address will not be published. Required fields are marked *