Padlock icon appears on MitMd Firefox connections
Whenever a CloudFlare site is accessed, Firefox shows the user a padlock. This is a false signal, misleading users to believe they have established an end-to-end tunnel. All CloudFlare sites are inherently MitMd by design:
A majority of the public unwittingly shares sensitive information with a single corporation that’s unknown to most users. This is a severe security problem, and it is rampant. Money is literally on the line. To illustrate the gravity of the problem, consider these bitcoin services that expose all Tails users’ web traffic to CloudFlare without their knowledge or consent:
* First Global Credit
This bug report should be treated with very high priority. In addition to money loss, all usernames and passwords are being exposed to CloudFlare without users’ knowledge or consent.
The browser should examine the HTTP headers and replace the padlock with a caution triangle if “cf-ray” matches any of the headers.
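
The header check proposed above, sketched as an added example (not code from this report or from Firefox). The input shape follows the `{name, value}` objects of the WebExtensions `webRequest` `responseHeaders` array; the function names, indicator strings, exact-name matching rule and sample responses are assumptions made for illustration.

```javascript
// Header name taken from the report. HTTP header names are case-insensitive,
// so the comparison is done on a lowercased, trimmed name.
const CF_HEADER = "cf-ray";

// Decide which indicator to show for one response.
// responseHeaders: array of {name, value}, as delivered to a
// webRequest.onHeadersReceived listener registered with "responseHeaders".
function indicatorFor(responseHeaders, isHttps) {
  if (!isHttps) return "insecure"; // no padlock to replace on plain HTTP
  const headers = Array.isArray(responseHeaders) ? responseHeaders : [];
  const flagged = headers.some(
    (h) =>
      h && typeof h.name === "string" &&
      h.name.trim().toLowerCase() === CF_HEADER // exact name match (assumption)
  );
  return flagged ? "caution" : "padlock";
}

// Constructed sample responses (not captured traffic).
const SAMPLES = [
  { url: "https://a.example/", https: true,
    headers: [{ name: "Content-Type", value: "text/html" },
              { name: "CF-RAY", value: "constructed-ray-id" }] },
  { url: "https://b.example/", https: true,
    headers: [{ name: "Content-Type", value: "text/html" },
              { name: "X-Note", value: "value mentions cf-ray only" }] },
  { url: "https://c.example/", https: true,
    headers: [{ name: "x-cf-ray-debug", value: "1" }] },
  { url: "http://d.example/", https: false,
    headers: [{ name: "cf-ray", value: "constructed-ray-id" }] },
  { url: "https://e.example/", https: true, headers: undefined },
];

// Map each sample URL to the indicator the check would select.
function classifyAll(samples) {
  const out = {};
  for (const s of samples) out[s.url] = indicatorFor(s.headers, s.https);
  return out;
}

console.log(classifyAll(SAMPLES));
```

The check sees only what the response declares, so a missing `cf-ray` header does not establish that TLS terminates at the origin server.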