It would be a conspiracy theory to say they were created by a three-letter government agency, but if I was running one of those three-letter agencies, this is exactly the kind of company I'd set up and control. People just give them their TLS keys lol
If you use a VPN or just like browsing in privacy mode, it will make your life as difficult as possible by having you fill out multiple captchas. And even then, it will sometimes not let you through.
If you're running a website, please stop using Cloudflare.
Even if you run your own proxy and caching, you can’t trust your cloud provider not to DMA your keys unless you’re using trusted computing[0] (which ironically requires remote attestation if a company wants to verify it’s active on their CPU), and then chances are a dedicated three-letter agency has exploits at the ready if they really need to extract information.
If a company isn’t running their own bare metal, nothing is safe.
0: https://aws.amazon.com/blogs/security/confidential-computing...
The normal way to do this is to run your static content through CDNs and allow your dynamic content to hit origin.
You're not saved from DDoS of course, but you'd be surprised at how much cookies for static content can cost you in CDN costs; usually people use a separate domain.