@fribbledom and that's a conservative estimate based on what they can prove
@fribbledom Are they including themselves in that statistic?
@fribbledom In general?
@fribbledom I didn't know CF's marketshare was 18%...
@fribbledom makes me worry about protonvpn again..
Hmm `protonvpn-cli` tool wgets stuff from api.protonvpn.ch if that is middlemanned, probably they can subsequently middleman the VPN...
Made a git log the state of the files that tool gets to track it.. Not really useful in hindsight. Still feel there should be a gpg public key you can get off-channel, to check the certificates are right. Perhaps also a second https server using different certificates..
18% of the connections is via cloudflare
@fribbledom It's nice to see people starting to openly admit that https is broken.
@tfb @fribbledom That's what happens when the system is fed with CAs by snake oil and even on customer request. I had a customer that wanted me to install such a CA to work with their internal API. I refused and fiddled around with the project until I got it to run with custom bundle that was not used by the rest of the system. All the other people on the project simply did this - and used their VPN "software" on top. It's the way people "wave off" cert warnings or installations.
By whom, and for what?
@fribbledom isn’t that cloudflare’s business model?
They worked good for the first couple of months we used them, but started noticing intermittent and hard to diagnose problems with our API and web services. As soon as we turned the interception off, things magically improved.
@fribbledom A couple of weeks ago at work, I was on a conference call with our firewall vendor, where they bragged about how good a TLS MITM they could sell us (for our protection, of course). When I asked what they did for sites that implement MITM defences, such as HPKP, TLSA or CAA, I got the phone equivalent of a blank stare.
I wonder if the honest answer would have been "no server implements it", "no client implements it", or "the users will ignore the warnings".
How exactly do you intercept a secure connection tho?
I guess I should read the article.
Server run by the main developers of the project It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!