Comment by yupyupyups

Load Balancing && WAF or CDN enablement usually suggests at least a decrypt step or two in the HTTP(s) chain. WAF for layer7 payload inspection, or the default wildcard cert'ing your Cloudflare site for instance.

There's also significant aggregation of traffic at handfuls of service providers amongst service categories, all generally HTTP(s) type services too ... Mail, CDN, Video, Voice, Chat, Social, etc. Each of these are still likely to employ Load Balancing & WAF.

Most WAF/Load Balancing providers have documentation about when/where to perform decrypt in your architecture.

How many Cloudflare sites are just using the Cloudflare wildcard cert?

From there, plenty of 3 letter agency space to start whiteboarding how they might continue to evolve their attack chain.

Often the connection between the load balancer and app backend also uses TLS. I've operated a large / complex service on AWS and all internal communications at each level were encrypted.

Of course, in principle, a cloud provider could tap in anywhere you're using their services – ELB (load balancer), S3, etc. I presume they could even provide backdoors into EC2 instances if they were willing to take the reputational risk. But even if you assume the NSA or whoever is able to tap into internal network links within a data center, that alone wouldn't necessarily accomplish much (depending on the target).

It is MITM, but is it an attack? Literally the website owner hires Cloudflare explicity to decrypt and filter the traffic. Attack implies that it's unwanted behavior, yet the reality seems to imply that its wanted behavior by the site owner at a minimum, although continued use of the site by visitors also suggests that they want that behavior (or they'd go elsewhere).

Worse is how most email providers require SMS confirmation or a secondary email.