Understanding TLS, MITM and Privacy Policies

The Premise

TLS uses public-key cryptography to securely share a symmetric key, which is then used to encrypt data from end to end. For example, when you visit a website and see the secure https/lock, you can be certain that you are only communicating with said website.

The Reality

The truth is, many websites use decrypting reverse proxy solutions. Yes, you read that right - even with end-to-end encryption, your data may not be as private as you think. For example, Cloudflare's default setup decrypts all encrypted data when it reaches Cloudflare and then re-encrypts it before reaching the target server, even in an 'end to end encrypted' topology.

What Does This Mean

This means that companies, like Cloudflare, must be trusted not to look at sensitive and, perhaps quite often, confidential data.

Cloudflare has been reported to have 3682 employees, with 2090 international according to Statista. Do you actually know any of these people, and further, trust them with some of your most important secrets?

For example, although most websites and services are wise to store hashes of passwords rather than the passwords themselves, they likely still receive the password in plaintext before hashing it. This password is also visible, in plaintext, to Cloudflare before it makes it to the end server.

Does This Matter to Me?

We've noticed sites like 4chan and OkCupid using Cloudflare without mentioning it in their privacy policies, making their privacy policies quite misleading to say the least. We even noticed the most popular "privacy" service, NordVPN, uses Cloudflare.

It's clear that some companies don't prioritize privacy when it comes to data security.

But the Employees of these Companies Operate at Higher Standards... right?

We reviewed some of the comments on a Hacker News post. To our dismay, it appears that many engineers don't actually care about the security of data but instead are worried about making sure they aren't liable when the data leaks.

I wouldn't trust any of these people with anything that mattered to me.

Doesn't IPv6rs Provide a Reverse Proxy?

IPv6rs provides a reverse proxy, but it is quite different from Cloudflare or any other reverse proxy provider. IPv6rs takes advantage of Server Name Indication (SNI) wherein the target destination hostname is cleartext and, thus, is able to forward the TLS traffic to its intended destination without any decryption of any kind. Even when traffic passes through our reverse proxy, it remains encrypted until it reaches the target destination. We can't decrypt the traffic even if we wanted to.

Stay safe out there, and always self host when there's an option! You can start self hosting easily with an externally reachable IP using our service, IPv6rs. 😀