Ask HN: Are you concerned by TLS-terminating proxies like Cloudflare Tunnels?

2•thom-gtdp•1h ago

I believe many services rely on Cloudflare Tunnels or similar products that lets you proxy web requests from the public internet to your server without opening any port.

This kind of proxy handles TLS (HTTPS), it's not possible to use Cloudflare Tunnels for raw TCP/UDP passthrough. This is convenient because it makes it more simple to use, but may be concerning because Cloudflare technically has access to all the plain-text traffic, even though seen from the end user the connection is HTTPS and looks perfectly normal

This is even more concerning to me given it's now public that most of internet traffic is automatically stored (see Wikipedia article "Room 641A for a good start)

What are your opinions about this? Are this kind of proxy a no-go for any serious web service?

Comments

zhouzhao•1h ago

For European web services it should be a no-go.

I understand the easiness of that approach, but companies should realize that relying on a giant American company for stuff like that, is going to bite them in the ass, eventually.

andy_pl•1h ago

Same trust assumption as any reverse-proxied or CDN-fronted service. CF terminates TLS for Tunnels, Workers, the regular proxy, and Pages alike — if CF is in your threat model, the issue isn't Tunnels specifically, it's the entire CF surface you've accepted by being on their network. The honest framing isn't "no-go for serious services" but "what does your data residency / DPA / SCC posture look like."

thom-gtdp•35m ago

Yup Workers has similar risks as Tunnels. Cloudflare Pages isn't the same threat as Tunnels, as Pages only gives CF public data access. On Pages you trust Cloudflare for not altering the data served, while on Tunnels you trust CF for handling secret data. I actually don't really have a data residency / DPA / SCC policy because I was considering using Tunnels for my homelab only

andy_pl•42s ago

Right, the Pages vs Tunnels split is real — different threat surfaces. For a homelab the GDPR/SCC scaffolding doesn't apply; the practical question becomes "do I trust CF more than my own ISP for opportunistic snooping," and on that axis CF's incentive structure is reasonably well-aligned.

TidesDB – Fast, persistent, scalable key-value storage for modern systems

Show HN: Implit – A CLI that catches AI-hallucinated NPM packages

Shellora: SSH terminal, AI help, and server tools

Can We Vibe Code a Smart Home Device with Matter?

Samsung Galaxy S24 and S25: April update causes battery problems

Show HN: Agent Context – let your AI coding tools see your reference projects

Ask HN: Should HN have a new top category – Prompt HN?

A hallucination engine. Typed pseudorandom data via LLM

Oracle cutting thousands in latest layoff round, continues to ramp AI spending

Ask HN: What domain have you been sitting on for a while?

Healthcare Price Transparency

Moleskine's AI Lord of the Rings collection can only mock

Trump turns the WHCD shooting into a pitch for the White House ballroom

Show HN: Building a SQL analyst agent from scratch

Ubuntu 26.10 could drop btrfs, ZFS and LUKS support from GRUB

BSI (Germany) defines when a cloud is sovereign

Queen

An attempt at explaining bipolar disorder and psychosis

Quarkdown – Markdown with Superpowers

Show HN: Defeating AI by making knowledge accessible to Humans

China Blocks Meta's $2B Acquisition of AI Firm Manus

China blocks Meta's $2B purchase of AI startup Manus

Notes on Serial Experiments Lain

Open Source Mintlify Alternative

Open CoDesign: Open-source, local-first alternative to Claude Design and v0

Tell HN: Ebay.com Is Down

Enhancing Server Availability and Security Through Failure-Oblivious Computing [pdf]

The "Connectivome Theory": A New Model to Understand Autism Spectrum Disorders

Recursive Acronym

Soulful Sites