A service you can choose to use. Lenovo was installing malware without the knowledge of their users.
> doing MITM on a much larger scale than Superfish will ever do
Again, optional, and for reasons beneficial to those utilizing the service.
> managed by people whose previous business was the project honeypot
This is oddly presented as a negative.
> monitoring and modifying traffic of websites it protects
As requested by the owner of the website. Adding the site's GA code without having to install it on the site itself is hardly the same as serving malware.
> apparently hosting several ISIS websites, while being a US-based company. How many other ones could afford that?
Fundamentalist propaganda shows up on plenty of sites like YouTube. CloudFlare's pro-free-speech attitude is pretty clear and results in things akin to KKK marches being allowed in the US despite the ugliness of their beliefs.
> controlling several high-profile foreign websites
As a site visitor Cloudflare's certificate is the certificate you want, because that's the certificate the site owner has chosen to give you.
Cloudflare is not in the middle, it is part of the server. We just have to adjust the notion that a server, from the protocol POV, is not a single machine with a single process httpd daemon anymore.
As a site visitor it was already murky - the site's probably passing off all sorts of data to Google, Facebook, etc., my ISP might be monitoring my DNS requests...
Except Cloudflare doesn't give away a private key that can allow any arbitrary person to do this for any arbitrary site with little effort on affected machines.
This article misses the point entirely. Anyone running a load balancer in their production environment is "MITM" their SSL. The difference between CloudFlare and Superfish is that A) as the site operator, I'm electing (opt-in) to use CloudFlare's service, and B) configuring CloudFlare to use SSL is something that is very apparent during the setup process. There's a huge green button.
In the case of Superfish, the software is opt-out. It comes pre-installed, and there's no giant green button that says "enable SSL through this service".
Too superficial an analysis to be taken seriously. There is a reason children are taught how to write an article with a proper introduction (introduce the problem and provide a map of the article body), body (explain the problem, provide proof and/or proof of concept plus examples, and propose a solution if possible), and conclusion (summarize arguments) sections.
CloudFlare doesn't have the ability to provision a certificate for any domain. They'd have to demonstrate control - usually with a webmaster/hostmaster@example.com style email address or a DNS record. Easy for them to do for domains they host, not something they can do for Google.com.
To everyone complaining about the writing: yes, they need writing lessons, but it's not like you don't know what they mean. I'd like to see responses to the points they raise, rather than criticism of the style. It's a rant, with some value in it.
/me clutches pearls