
> On the other side (first mile), the CDN then connects via a second SSL certificate (say, origin-www.destination.com) to the origin's datacenter(s) to retrieve the necessary data.

Perhaps. Not all CDNs require TLS to be used to connect to backends when the frontend is encrypted. This is completely obscured from the requesting client, and is a breach of user trust in my opinion.

> PS, most origin-www.destination.com origins are extremely vulnerable to DDoS since, at that hostname, there is no CDN to protect them.

This is a big problem that is rarely addressed until it bites you. When you're accustomed to a >90% hit rate and all of the nastiness of the Internet being handled upstream, you aren't going to be prepared for even a slight uptick in origin traffic.

I saw one place whose site was served via Akamai DSA (http acceleration service), and routinely served >5Gbps. The origin consisted of two machines behind a Cisco ASA with a 100Mbit Ethernet port.
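An added example, not code from the comment above or from any CDN vendor: an admission check that sits in front of the origin application and refuses anything that did not arrive over TLS from the CDN's egress ranges carrying the expected origin-pull header. The CIDRs, the header name `X-Origin-Pull` and the secret are constructed placeholders, not any provider's real values.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field

# Constructed placeholder ranges; in practice load your CDN's published
# egress ranges (these documentation-prefix addresses belong to no provider).
CDN_EGRESS_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]
# Constructed shared secret the CDN is configured to send on every origin pull.
ORIGIN_PULL_SECRET = b"constructed-example-secret"


@dataclass
class OriginRequest:
    src_ip: str                 # peer address as seen by the origin
    tls: bool                   # True if the pull arrived over TLS
    headers: dict[str, str] = field(default_factory=dict)


def admit(req: OriginRequest) -> tuple[bool, str]:
    """Decide whether the origin should serve this request.

    Order matters: cheap checks (transport, source range) run before the
    header comparison, so junk traffic is dropped with minimal work.
    """
    if not req.tls:
        return False, "plaintext origin pull refused"
    src = ipaddress.ip_address(req.src_ip)
    if not any(src in net for net in CDN_EGRESS_RANGES):
        return False, "source not in CDN egress ranges"
    presented = req.headers.get("X-Origin-Pull", "").encode("utf-8")
    # Constant-time compare so the secret cannot be guessed byte by byte.
    if not hmac.compare_digest(presented, ORIGIN_PULL_SECRET):
        return False, "missing or wrong origin-pull secret"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample pulls: one legitimate, two that bypass the CDN.
    samples = [
        OriginRequest("203.0.113.7", True, {"X-Origin-Pull": "constructed-example-secret"}),
        OriginRequest("198.51.100.9", True, {"X-Origin-Pull": "constructed-example-secret"}),
        OriginRequest("203.0.113.7", False, {"X-Origin-Pull": "constructed-example-secret"}),
    ]
    for s in samples:
        print(s.src_ip, admit(s))
```

The same policy is usually also enforced at the network edge (firewall allowlist of CDN ranges), so that traffic never reaches the application layer at all; the in-app check is the second line.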
