Security of Web Connections used for Banking

How is this shrewd?

White wine with natural effervescence from fermentation is variously labelled as champagne, Spumante etc.

A ‘shrewd’ wine seller might try to pass off cheap white wine carbonated in a soda stream as being the same, because it will bring attention to the fake product. Others would suggest it’s also fraudulent.

Yes, but if I told you that when you go into a physical branch and you use the services of a teller and that teller is themself still using the same Cloudflare (or MitM’d) website to control your funds, we have a bigger problem. It’s not just manifesting as an issue when you are using the internet, it manifests even when you are not.

The Amazon Ring doorbell is another. When you visit someone with an Amazon Ring camera, were you informed that your likeness and facial data may be sent offshore before entering the premises? So it’s not just the internet, it’s abusing our physical interactions and experiences too.

Often there are hidden domain names and services that you can only find by being given the address or making the address yourself.

Now we are getting into semantics?

Your communications and interactions with a Cloudflare’d site are unencrypted by Cloudflare. Cloudflare is the end-point for your interaction. Everything that you see and do on a website passes through the eyes of Cloudflare first, who send it to your bank. Your bank sees the information second (if that!).

The reverse is true: all the bank’s information to you passes through Cloudflare servers, who then apply the “encryption padlock” that you see.

You think you are talking to your bank, you’re actually talking to Cloudflare.

Banks are known to not have ever even seen a login attempt by particular persons.

Think about that. What does it mean?

This, exactly. (And exactly like a MitM attack.)

So the virtue of the “padlock” is not quite what it seems when this network architecture is employed.

“Cloudflare” knows your password. “Cloudflare” knows your bank balance.

In some cases, “Cloudflare” could generate transactions on your behalf. (To clarify that comment, if a bank uses 2FA always and only at login then it is open slather for bogus transactions once you have logged in. However my bank does not use 2FA that way. I am not sure what the Australian banking sector most commonly does regarding when 2FA is performed.)

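The post above describes Cloudflare terminating the TLS session in front of the bank. The following script, an added example not written by any participant in this thread, checks who actually terminated a TLS connection by reading the leaf certificate's issuer and the response headers; the Cloudflare markers it looks for (the issuer organisation on Cloudflare-issued certificates, the `cf-ray` header and `server: cloudflare`) are publicly observable behaviours of that service, and the sample inputs in the comments are constructed.

```python
"""Report whether a hostname's TLS session is terminated by a Cloudflare edge.

Defender's check: if the markers below are present, the plaintext of the
session is visible at the edge, exactly as the thread describes.
"""
import ssl
from http.client import HTTPSConnection

# Issuer organisation used on Cloudflare-issued edge certificates, and response
# headers that only a Cloudflare edge adds.
CF_ISSUER_ORG = "Cloudflare, Inc."
CF_HEADERS = {"cf-ray", "cf-cache-status"}


def classify_termination(issuer_org: str, headers: dict) -> str:
    """Return 'cloudflare' if any edge marker is present, else
    'no_cloudflare_markers'. Header names are matched case-insensitively.
    Constructed sample: ("Let's Encrypt", {"CF-RAY": "x"}) -> 'cloudflare'.
    """
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    if (issuer_org == CF_ISSUER_ORG
            or CF_HEADERS & lowered.keys()
            or lowered.get("server") == "cloudflare"):
        return "cloudflare"
    return "no_cloudflare_markers"


def issuer_org_from_cert(cert: dict) -> str:
    """Pull organizationName out of the issuer RDN tuples that
    ssl.SSLSocket.getpeercert() returns (tuple of tuples of (key, value))."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def inspect(host: str, timeout: float = 5.0) -> dict:
    """Live check: open a verified TLS session, send HEAD /, and classify."""
    conn = HTTPSConnection(host, 443, timeout=timeout,
                           context=ssl.create_default_context())
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    cert = conn.sock.getpeercert()          # leaf certificate as a dict
    headers = dict(resp.getheaders())
    conn.close()
    org = issuer_org_from_cert(cert)
    return {"host": host, "issuer_org": org,
            "termination": classify_termination(org, headers)}


if __name__ == "__main__":
    import sys
    for hostname in sys.argv[1:]:
        print(inspect(hostname))
```

Absence of the markers is not proof the bank's own server terminated the session; many CDNs and proxies add no distinguishing headers and use certificates from ordinary public CAs.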

There are concerns for privacy and security but the technical inner workings, or failures of same, transcend the consumer scope of this forum.

Thanks to the participants for highlighting some concerns. I’ll note some of the issues raised are, as was opined, partly a response to (esp the US) government mandates re money laundering and tax evasion, and the costs of doing so.

I am therefore closing this topic. Those interested in the issues are advised to join one or more of the numerous security forums where it is more likely practitioners are active and engaged.
