Hacker News

> ... Cloudflare’s anti-DDoS protection for government services, which is fine since it can be done securely with end-to-end encryption in a zero-trust model.

Unless it's below L7/HTTP, the possibility of doing it securely is very questionable.

Up until very recently it was very trivial to conduct "domain fronting" of sorts but with colocations in hostile locations. So Chinese or Russian servers decrypting your TLS traffic no questions asked, and that was with their premium (DLS) offerings.

I suspect that if you're in a hostile country where CF announces their prefixes locally, it's still doable. Unfortunately that's a bit more difficult to test than it was before.


