
my techbro shit reaction:

what's the point of TLS if some CAs/DNS operators somewhere own all the keys to kick folks off the network, impersonate them, etc?

Obviously cloudflare is worse because it's impossible to tell how much they are processing/recording your traffic, while bona-fide attacks against TLS/x.509 are harder to hide..

at any rate, trying to make my own mini cloudflare service where the user exclusively owns the keys, and maybe has automated monitoring to spot the x.509 authority attacks if/when they happen 😬
