How does 2FA and https help, when site forwards all traffic from cloudfront to their actual servers in plain http?

  • 2
    Now you're thinking with portals
  • 6
    It depends, they might use a vpn to protect it, or a dedicated line.

    We run our own load balancers that terminated https but everything else was in internal network.

    And then you have sites that never used https but got it in the package when using a cloud front.

    They never bothered with security but the front helps their google standing.
  • 3
    2FA helps against insufficient protection from passwords, not against sniffing.

    Also the following is not unlikely:
    User -- HTTPS -> Cloudflare w TLS termination -- HTTPS -> Site
  • 0
    When your site resides on Amazon servers it might be acceptable as it is not a closed network and you trust AWS not to snoop (else you would not let them cache/decrypt your resources) if your site resides elsewhere you really should use https on your site and let CF use that to fetch ( as @sbiewald described)
  • 0
    Inho having a secure frontend and a non-secure backend connection over an unsecure link is a cheap way to score points on google and a way to trick users that the service is secure. I would ban such sites/services from the internet as users' data gets exposed.
Add Comment