Couldn’t this same argument be made that anyone hosting their servers on AWS or any other cloud provider is also suspect? They own the hosts, so they could extract any TLS private keys they want from the guest OS. Or even worse if you are using an ELB and having that terminate your TLS.
Very few companies run their own servers in their own datacenters these days. They trust their vendors, which you have to do. Even then, they most likely use certs granted by a third party, who could easily grant the cert to someone else, too, and allow your traffic to be snooped.
Why do you single out Cloudflare and not those other service providers?