I feel like we’ve just had our wires crossed here. In my mind there is a colloquial understanding of what it means when someone says “Cloudflare is a MITM”: It means that Cloudflare offers products which intercept traffic in the name of performance, at the expense of an increased attack surface and potential privacy concerns with having your data managed by multiple parties.
This website (and any other Privacy Guides site where we expect to handle public authentication) does not use any of these products.
We do use Cloudflare Registrar and Cloudflare DNS though, and if you want to focus on the literal/technical definition of “MITM,” it is certainly within their power to hijack the domain/records and MITM the site, yes.
All of this being said, we did use Cloudflare’s hosting service to redirect the base privacyguides.net domain to privacyguides.org, and as a result Universal SSL was enabled on the zone, which causes Cloudflare to obtain a wildcard certificate for the domain.
We stopped using that service, had Cloudflare delete the private keys to those certificates, and disabled Universal SSL on the zone before this reply was posted here, but yes it was issued, and we’ll have no iron-clad guarantee of it being gone until its expiry date.
Do I think this is a big deal? No, because the main point I was trying to get across anyways is that a product like Cloudflare CDN which “MITM’s” your traffic inherently is a completely different situation than a rogue platform maliciously inserting themselves as a MITM.
Anyways… none of the mitigations you’ve noted here would be adequate protection against this threat in particular, so while we do subscribe to CT logs already and we do (now) have a CAA record which prevents Cloudflare Universal SSL from loading, it will simply always be the case that the registries, registrars, nameserver hosts, and IP space owners will have the capability of hijacking your website on a whim.
I don’t expect that will ever change, but anyone who is concerned about that is welcome to use our .onion website/forum instead, and maybe other networks in the future.
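The post above leans on two mitigations, CT log monitoring and a CAA record, and notes that Universal SSL in particular obtains a wildcard certificate. The following is an added example, not code from the post or from Privacy Guides, showing how a CA is required to evaluate CAA records under RFC 8659: the relevant RRset is found by climbing from the requested name towards the root, `issue` governs ordinary names, `issuewild` governs wildcard names (falling back to `issue` when absent), an empty issuer (`";"`) forbids issuance, and an unknown tag flagged critical forces refusal. The zone data and the issuer domains (`ca-a.example`, `ca-b.example`) are constructed placeholders, not real CAA records or real CA identifiers.

```python
"""RFC 8659 CAA evaluation over a constructed zone (added example).

Not code from the original post. ZONE and the CA issuer domains are
placeholders made up for illustration.
"""
from dataclasses import dataclass

CRITICAL = 128  # RFC 8659 "issuer critical" flag bit


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone: FQDN -> CAA RRset. Names absent from the dict have no CAA records.
ZONE = {
    # Ordinary issuance limited to one CA; wildcard issuance forbidden outright (";").
    "example.net": [CAA(0, "issue", "ca-a.example"), CAA(0, "issuewild", ";")],
    # issue-only: a wildcard request falls back to the issue records.
    "example.org": [CAA(0, "issue", "ca-a.example")],
    # Unknown tag marked critical: a CA must refuse to issue.
    "strict.example": [CAA(CRITICAL, "futuretag", "whatever")],
}

# Property tags defined by RFC 8659 itself; the IANA registry may list more.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn: str) -> list[CAA]:
    """Climb from fqdn towards the root; the first non-empty CAA RRset governs."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """'<domain>; param=...' -> domain, lower-cased. '' means no CA may issue."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Return True if a CA identified by ca_domain may issue for fqdn."""
    rrset = relevant_rrset(fqdn)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False  # critical property the CA does not understand
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    applicable = [r for r in rrset if r.tag.lower() == tag]
    if not applicable:
        return True  # the governing property is absent: no restriction applies
    return any(issuer_domain(r.value) == ca_domain.lower() for r in applicable)


if __name__ == "__main__":
    for name, ca, wild in [
        ("example.net", "ca-a.example", False),
        ("example.net", "ca-a.example", True),
        ("www.example.net", "ca-b.example", False),
        ("example.org", "ca-a.example", True),
        ("strict.example", "ca-a.example", False),
    ]:
        kind = "wildcard" if wild else "ordinary"
        print(f"{kind:8} {name:18} {ca:14} -> {caa_permits(name, ca, wild)}")
```

The `example.net` entry is the shape that matters for the situation in the post: an `issue` record alone does nothing to stop a wildcard request if the listed CA is the one being used, so a zone that wants to block wildcard certificates specifically needs an `issuewild` record, with `";"` if no CA at all should issue them. CAA is checked only at issuance time, so it does nothing about a certificate that already exists, which is why the CT log subscription is the complementary control.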