I’ve been reading this about Cloudflare and realized they require any site using their services to install their certificate to then proceed to fully sniff and analyze, and sometimes even modify https traffic. This is something I didn’t realize before. Here are the relevant screenshots:
Yes indeed.
Ever try visiting an overloaded HTTPS site and get an HTTP 524 error page? Cloudflare’s ability to insert those pages in place of the expected response makes it clear that your “secure” connection only reaches as far as Cloudflare, who can read and modify everything you send to and receive from the site you’re visiting.
Given how much of the web runs behind Cloudflare, along with their position as the early default DNS-over-HTTPS provider in browsers, they are a massive man-in-the-middle constantly watching and capable of modifying much of our web activity.