The reporting about the Cloudflare leak had me puzzled. Apparently reliable reports said that its parser bug had leaked customer sites’ HTTPS data, including passwords. My immediate reaction was to wonder how this was even possible. You can’t pull data out of someone else’s HTTPS transactions without their private key. I asked about this in a comment on a Dreamwidth post that raised the matter, and was told I was being “belligerent” by asking. Hmm … At least one IT person doesn’t want me asking. Something interesting must be going on.
After some inquiries with more helpful people, I’ve figured it out, and it shows there’s a bigger weakness than the one that’s been publicized. Cloudflare acknowledges it quite casually: “While most customers are comfortable with Cloudflare managing their private keys…” The same is presumably true of other content delivery networks.
Yes, it should have been obvious all along. CDNs can’t provide much value to their customers if they can’t handle HTTPS requests for them, and they can’t terminate those requests unless they hold the customers’ private keys. No doubt their security is excellent, probably better than most customers’; if a CDN were even slightly sloppy, its customers would flee. Cloudflare’s glitch was unusual, and it got the company a lot of adverse publicity.
But there’s one kind of security breach that happens silently, where the CDN can’t tell the customer even though it knows about it. That’s called a National Security Letter. This infamous provision of the PATRIOT Act lets the government demand information from a person or organization and forbids the target from telling anyone anything about the demand. In the original version of the law, victims couldn’t even talk to their own lawyers.
When the government went after Lavabit to get Edward Snowden, it demanded access to hundreds of thousands of email accounts. That wasn’t even an NSL case, as far as the reports indicate. Cloudflare has received NSLs; we don’t know how many or how much information they grabbed.
Casual spying increases the chance that some government agency will decide you’re dangerous, even if you live a boring life. Children get put on terrorist watch lists without explanation. Any keyword or joke might turn into a reason to investigate you.
It’s likely that the government has grabbed the private keys of many major websites and can snoop traffic on them without even needing to go to the site owners. The only fix for this weakness is to use sites based in countries that don’t spy on their citizens (though the FBI snoops in other countries too), and to make sure those sites don’t rely on services based in other countries.
Short of that, using a low-profile host that doesn’t rely on big companies may reduce the chances that the government is casually spying on you.