
Why can’t we encrypt twice instead of having Cloudflare MITM half the internet?

Çağlar Arlı


First of all, I want to address a thought I had, which is that they might market their ability to read the encrypted code being sent so they can spot "bots" and such, and that this is why they need to be able to decrypt the communication. This is valid, but I think I would prefer this to be a program like fail2ban instead, where you can anonymize certain information before it is sent (for example, if it has to be processed on a remote server).

But it seems that it's not even that. Cloudflare's stated benefit for keyless SSL:

Companies are able to get all of the benefits of the cloud (DDoS attack mitigation, load balancing, WAN optimization), [...] (source)

These functions don't seem to rely on them having to read the decrypted communications.

So it is as I thought.

The simple act of having a load balancer as a service requires them to be in a position where they can intercept SSL communication.

I guess this is because if you have SSL between an IP (let's say 127.0.0.1) and Cloudflare, and they then add a domain and reverse proxy for this, they can't send two certificates, so they must remove the previous encryption first.

Is it so? And if it is so, why?
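Added example (editor's illustration, not part of the question above and not Cloudflare's code): it shows concretely what a reverse proxy can and cannot see in a TLS session without holding any key. The ClientHello is cleartext and carries the server name (SNI), so a layer-4 proxy can pick a backend and pass the TCP bytes through untouched; once the handshake completes, application-data records are ciphertext, so anything that needs the HTTP Host header, path, cookies or body (WAF rules, bot scoring, caching, path-based routing) requires terminating TLS at the proxy. The host names and the `backends` pool mapping are constructed for the example; the ClientHello is built in-script rather than captured.

```python
import os
import struct

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension.
    Constructed test input for this example, not a real capture."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + os.urandom(32)            # client random
        + b"\x00"                   # session_id length: 0
        + b"\x00\x02\xc0\x2f"       # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"               # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes):
    """Return the SNI host name from a ClientHello record, or None.
    Only cleartext handshake bytes are read; no private key is involved."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:          # not a ClientHello
        return None
    p = 4 + 2 + 32                             # skip handshake header, version, random
    sid_len = hs[p]
    p += 1 + sid_len
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + cs_len
    cm_len = hs[p]
    p += 1 + cm_len
    if p + 2 > len(hs):
        return None                            # no extensions block at all
    ext_total = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_total
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + ext_len]
        p += ext_len
        if ext_type == EXT_SERVER_NAME:
            q = 2                              # skip server_name_list length
            while q + 3 <= len(data):
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return data[q:q + nlen].decode("ascii")
                q += nlen
    return None


def route_record(record: bytes, backends: dict) -> str:
    """What a key-less proxy can do with one TLS record.
    ClientHello: route by SNI (layer-4 passthrough, no decryption).
    Application data: opaque ciphertext, so no HTTP-level decision is possible."""
    if not record:
        return "unknown"
    if record[0] == TLS_HANDSHAKE:
        return backends.get(parse_sni(record), "default-backend")
    if record[0] == TLS_APPLICATION_DATA:
        return "opaque"
    return "unknown"


if __name__ == "__main__":
    pools = {"app.example.com": "pool-a", "api.example.com": "pool-b"}   # hypothetical mapping
    hello = build_client_hello("api.example.com")
    print("SNI:", parse_sni(hello), "->", route_record(hello, pools))
    # An application-data record after the handshake: 16 bytes of ciphertext stand-in.
    app_data = b"\x17\x03\x03\x00\x10" + os.urandom(16)
    print("application data ->", route_record(app_data, pools))
```

The split the script shows is the practical answer to "why must they decrypt": routing on SNI alone needs no key and leaves end-to-end encryption intact, but every feature that inspects the request itself lives inside the encrypted records. Keyless SSL changes only where the private-key operation runs; the session keys, and with them the plaintext, are still held by the proxy.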