Why bother? They can just visit Cloudflare HQ, who already proxy 19.3%[1] of the internet. AFAICT, all https traffic proxied by them is accessible to them in plaintext. Of course, Cloudflare are disallowed by law from letting us know if the UK government were surveilling all of their proxied traffic.[2]
It surprises me I don't hear more about this in tech circles to be honest because it's something that concerns me greatly.
I like Cloudflare as a product, but it seems to me they've effectively made privacy from state actors online impossible.
Of course, if you cared enough you don't have to use services that use Cloudflare or other reverse proxy services, but most of the web is behind a reverse proxy these days making that difficult.
It's also understandable why services opt to use a Cloudflare proxy, what with the growing threat that is DDoS attacks from large botnets.
I feel we should build an extension to HTTPS to allow Cloudflare / other reverse proxy services to proxy web requests without circumventing the SSL guarantees between the user and the host. It should be trivially possible.
That said, the cynical side of me worries that it works this way by design.
