AFAICT, CF’s role is mostly useless if the SSL keys are held by the site owner.
It seems like a lot of your points hinges on this being true, but it simply isn’t. There is a massive benefit to preventing DDoS attacks, and that does not require keys. There is no indication that banks are handing over client ctedentials to CF.
Well, it seems people are prepared to pay quite a bit for cloudflare DDoS protection. Maybe you are right, and they are all wrong. But it does not really matter, because they cmearly have convinced people that it is worth paying for it, even if you disagree.
Without TLS termination Cloudflare is still useful for e.g. DDoS protection, and serving content that do not contain client information.
Caching client data globally using Cloudflare would be pretty pointless and help very little and probably even be harmful to performance, so them having the TLS key for it would absolutely not be worth it.
I’m well aware that Cloudflare holds the TLS keys. I’m also well aware that that does not equal having access to credentials.
Banks certainly can not outsource willy nilly. Or well, I suppose they may in some jurisdictions, but the context here is Europe, where the banks actually are regulated.
Surely you are not suggesting that Cloudflare has access to end user credentials? Why would you say thay? Do uou have any hint of proof that that is the case? It would be a massive no-no, and heads would roll. If you hate electronic banking, here is your chance to take them down.
Be the change you want to see. The API is there. Go build that FOSS phone app.
I don’t know much about Belgian banks, but the first one I found is Ing, and here is their documentation: https://developer.ing.com/openbanking/home. I’m sure searching for " bankname PSD2" will give you results for other banks.
Thanks to PSD2 most european banks have APIs, so there isn’t actually any requireent to use the bank’s apps anymore.
But it does restrict making use of the program in specific fields of endeavor. That’s the entire point of the license. I would e.g. not be able to use it in a business that sells hate speech literature.
How many websites can handle the amount of traffic that CF can handle? It’s not just about configuring your firewall, it’s about having the bandwidth. Otherwise it’s not much of a DDoS protection.
As I don’t have an account there I can’t see which requests containing credentials use which cert.
And also, just because the cert is verified by cloudflare does not mean they have the private key.