
Three layers of encryption keeps you safe when SSL/TLS fails - marksamman
https://blog.agilebits.com/2017/02/23/three-layers-of-encryption-keeps-you-safe-when-ssltls-fails/
======
hlandau
This is simply not true. If TLS fails, the vehicle used for code delivery has
been compromised and can be used to deliver compromised code. Everything
written in the article is only true if you assume that the code is delivered
with its integrity intact, which on the web is a property that can only be
guaranteed by TLS.

~~~
ubernostrum
The article wasn't about delivering software updates. 1Password provides
syncing of password vaults and online access, and this article explains how
they do not rely solely on SSL/TLS to secure that data in-flight, and thus the
Cloudflare issue could not have exposed such data in a usable way to third
parties.

------
dmytrish
The takeaway from the Cloudflare story seems to be: don't rely on TLS
encryption for critical data, since it may be compromised by third-party
actions and may be completely compromised in the future.

~~~
tialaramex
Huh?

Cloudflare's screw-up had no impact on third parties. What it did was cause
havoc for Cloudflare's own _customers_ who had agreed Cloudflare could
purposefully MITM them.

For it to function at all, Cloudflare undoes all the TLS encryption; signing
up for Cloudflare means saying "Yeah, Cloudflare now has total control of my
web site, I don't care, I'm sure these people I've never met are competent and
will protect my site and its users". I guess that's OK if you're running a
blog about your cat? But millions of people decided it sounded pretty good
for their business or private data. -shrug-

