On superfish and cloudflare - xai3luGi
http://dustri.org/b/on-superfish-and-cloudflare.html

======
ceejayoz
> advertising SSL MITM as a service, for free

A service you can choose to use. Lenovo was installing malware without the
knowledge of their users.

> doing MITM on a much larger scale than superfish will ever do

Again, optional, and for reasons beneficial to those utilizing the service.

> managed by people whose previous business was the project honeypot

This is oddly presented as a negative.

> monitoring and modifying traffic of websites it protects

As requested by the owner of the website. Adding the site's GA code without
having to install it on the site itself is hardly the same as serving malware.

> apparently hosting several ISIS websites, while being a US-based company.
> How many other ones could afford that?

Fundamentalist propaganda shows up on plenty of sites like YouTube.
CloudFlare's pro-free-speech attitude is pretty clear and results in things
akin to KKK marches being allowed in the US despite the ugliness of their
beliefs.

> controlling several high-profile foreign websites

/me clutches pearls

~~~
jrs235
> A service you can choose to use. Lenovo was installing malware without the
> knowledge of their users.

As a site owner true. As a site visitor it gets a little more complicated and
murky.

~~~
rakoo
As a site visitor Cloudflare's certificate is the certificate you want,
because that's the certificate the site owner has chosen to give you.

Cloudflare is _not_ in the middle, it is _part_ of the server. We just have
to adjust the notion that a server, from the protocol POV, is not a single
machine with a single-process httpd daemon anymore.

------
Tobani
Except cloudflare doesn't give away a private key that can allow any arbitrary
person to do this for any arbitrary site with little effort on affected
machines.

~~~
geoah
Exactly what I came here to say.

------
bauer
This article is terrible. Just a bunch of ranting with no citations to the
points the author brings up.

------
bradleyland
This article misses the point entirely. Anyone running a load balancer in
their production environment is "MITM" their SSL. The difference between
CloudFlare and Superfish is that A) as the site operator, I'm electing (opt-in)
to use CloudFlare's service, and B) configuring CloudFlare to use SSL is
something that is very apparent during the setup process. There's a huge green
button.

In the case of Superfish, the software is opt-_out_. It comes pre-installed,
and there's no giant green button that says "enable SSL through this service".

The two couldn't be more different.

------
pXMzR2A
Too superficial of an analysis to be taken seriously. There is a reason
children are taught how to write an article with a proper introduction
(introduce the problem and provide a map of the article body), body (explain
the problem, provide proof and/or proof of concept plus examples, and propose
solution if possible), and conclusion (summarize arguments) sections.

------
scosman
Link to the tech they are complaining about, since the article doesn't even
include it. [https://www.cloudflare.com/keyless-ssl](https://www.cloudflare.com/keyless-ssl)

------
natvert
What was the CA thinking when they said, "Sure we'll give you a wildcard cert
for any domain!"

I've un-trusted their cert...
[http://nathan.vertile.com/blog/2015/02/20/untrust-cloudflare...](http://nathan.vertile.com/blog/2015/02/20/untrust-cloudflare-mitm/)

~~~
ceejayoz
CloudFlare doesn't have the ability to provision a certificate for any domain.
They'd have to demonstrate control - usually with a
webmaster/hostmaster@example.com style email address or a DNS record. Easy
for them to do for domains they host, not something they can do for
Google.com.

------
ikeboy
To everyone complaining about the writing; yes, they need writing lessons, but
it's not like you don't know what they mean. I'd like to see responses to the
points they raise, rather than criticism of the style. It's a rant, with some
value in it.