CloudFlare, SSL and unhealthy security absolutism

Let’s start with a quick quiz:
Take a look at haveibeenpwned.com (HIBP) and tell me where the traffic is encrypted between:

You see HTTPS, which is good, so you know it’s doing crypto things in your browser, but where’s the other end of the encryption? I mean, at what point is the traffic decrypted? Many people would say it’s at the web server, but it’s not; it’s upstream of there, at Microsoft’s appliances that sit in front of the web application PaaS offering. You might see a padlock, but your traffic is not encrypted all the way to the server.
But it’s not just HIBP and it’s not just Microsoft either; many of the websites you visit every day will show you a padlock and not encrypt every segment of the network. For example, there may be unencrypted segments where caching appliances are involved or where security devices are inspecting traffic. That may


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/xxP-1HFXUYs/
