> advertising SSL MITM as a service, for free<p>A service you can choose to use. Lenovo was installing malware without the knowledge of their users.<p>> doing MITM on a much larger scale than superfish will ever do<p>Again, optional, and for reasons beneficial to those utilizing the service.<p>> managed by people whose previous business was the project honeypot<p>This is oddly presented as a negative.<p>> monitoring and modifying traffic of websites it protects<p>As requested by the owner of the website. Adding the site's GA code without having to install it on the site itself is hardly the same as serving malware.<p>> apparently hosting several ISIS websites, while being a US-based company. How many other ones could afford that?<p>Fundamentalist propaganda shows up on plenty of sites like YouTube. CloudFlare's pro-free-speech attitude is pretty clear and results in things akin to KKK marches being allowed in the US despite the ugliness of their beliefs.<p>> controlling several high-profile foreign websites<p>/me clutches pearls
Except CloudFlare doesn't give away a private key that can allow any arbitrary person to do this for any arbitrary site with little effort on affected machines.
This article misses the point entirely. Anyone running a load balancer in their production environment is "MITM"ing their SSL. The difference between CloudFlare and Superfish is that A) as the site operator, I'm electing (opt-in) to use CloudFlare's service, and B) configuring CloudFlare to use SSL is something that is very apparent during the setup process. There's a huge green button.<p>In the case of Superfish, the software is opt-<i>out</i>. It comes pre-installed, and there's no giant green button that says "enable SSL through this service".<p>The two couldn't be more different.
Too superficial of an analysis to be taken seriously. There is a reason children are taught how to write an article with a proper introduction (introduce the problem and provide a map of the article body), body (explain the problem, provide proof and/or proof of concept plus examples, and propose solution if possible), and conclusion (summarize arguments) sections.
Link to the tech they are complaining about, since the article doesn't even include it. <a href="https://www.cloudflare.com/keyless-ssl" rel="nofollow">https://www.cloudflare.com/keyless-ssl</a>
What was the CA thinking when they said, "Sure we'll give you a wildcard cert for any domain!"<p>I've un-trusted their cert... <a href="http://nathan.vertile.com/blog/2015/02/20/untrust-cloudflare-mitm/" rel="nofollow">http://nathan.vertile.com/blog/2015/02/20/untrust-cloudflare...</a>
To everyone complaining about the writing; yes, they need writing lessons, but it's not like you don't know what they mean. I'd like to see responses to the points they raise, rather than criticism of the style. It's a rant, with some value in it.