Self Signed SSL certificate provider is now available!

If one of the many internet routers between IF and CF is compromised and someone can MITM, they can also inject any self-signed certificate and capture/modify all the content between IF and CF, which would then be equivalent to the “Flexible” security level, which already allows any of these routers to listen to/modify the traffic between IF and CF. I think without certificate pinning on the CF side, calling this mode “Full” is a bit misleading and gives a false sense of security, but this is Cloudflare’s problem.

Cloudflare has gotten a lot of flak for this too. But it should be said that a single WiFi network getting intercepted is a lot more likely than someone hijacking the connection between Cloudflare and the backend server.

And at least the connection between Cloudflare and the backend server is encrypted, even if the identity verification is lacking.

Full Strict mode is better, but just not that easy to set up right now. But you can do it if you are willing to manually renew the backend certificate every 2-3 months.

4 Likes
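
The three policies discussed in this thread (encryption without identity verification, verification against a trusted chain, and the pinning mentioned in the first post), sketched as client-side TLS settings in Python. This is an added example, not part of either post and not Cloudflare's implementation; the mode names and the functions `origin_context`, `pin_matches` and `check_origin` are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Optional


def origin_context(mode: str) -> ssl.SSLContext:
    """Client-side TLS policy for a proxy-to-origin connection.

    Mode names are this example's own: "encrypt-only", "verified", "pinned".
    """
    ctx = ssl.create_default_context()  # default: CERT_REQUIRED + hostname check
    if mode in ("encrypt-only", "pinned"):
        # Any certificate is accepted, self-signed included. The traffic is
        # encrypted, but the TLS layer itself authenticates no one.
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    elif mode != "verified":
        raise ValueError(f"unknown mode: {mode}")
    return ctx


def pin_matches(cert_der: bytes, pinned_sha256_hex: str) -> bool:
    """Compare the SHA-256 of the presented DER certificate with the stored pin."""
    presented = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(presented, pinned_sha256_hex.lower())


def check_origin(host: str, port: int, mode: str, pin: Optional[str] = None) -> str:
    """Handshake with the origin; return the TLS version or raise on failure."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with origin_context(mode).wrap_socket(raw, server_hostname=host) as tls:
            if mode == "pinned":
                # With CERT_NONE the pin is the only identity check, so a
                # missing or mismatching pin must abort the connection.
                der = tls.getpeercert(binary_form=True)
                if pin is None or der is None or not pin_matches(der, pin):
                    raise ssl.SSLError("origin certificate does not match the pin")
            return tls.version()


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate.
    sample = b"constructed-der-bytes"
    print(pin_matches(sample, hashlib.sha256(sample).hexdigest()))
```

In "pinned" mode a self-signed backend certificate is acceptable because the stored fingerprint, not a CA chain, establishes identity; the pin has to be updated whenever the backend certificate is renewed.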