4-10% of encrypted web connections are man-in-the-middled and intercepted

The classic definition of mitm is the type of mitm that cloudflare does; that is how most mitm attacks are pulled off in the wild as well. Most mitm attacks use legitimately signed certificates and do not install a new certificate into one’s browser. Malicious mitm typically hijacks the dns, gets a legit certificate, then acts as a mitm for traffic to the original server. That is the exact same thing a cdn does minus the “hijack the dns” step; instead the dns owner repoints it. Other than that they are identical textbook mitm attacks.

A good percentage of mitm attacks use legitimately signed certificates, explained above.

That doesn’t really mean anything. The AV mitm is done with the full consent of the software provider.
BOTH do so without the consent of the end user, which is what is important and crucial, as that is who SSL protects.

With BOTH the user thinks their communication between the server they are accessing is encrypted between them and the server, aka a private connection. In BOTH cases the communication is actually intercepted by a “man in the middle” who has full and nonconsensual access to all their internet traffic content.

In the case of CDNs it is done for the benefit of the site provider: it reduces their server load and gives them wider geographical serving distribution. In the case of the AV software it is done for the benefit of the end user, to be able to scan content before it is delivered to the browser to make sure it is malware free and safe. BOTH fundamentally break the idea behind SSL/TLS being a secure communication endpoint to endpoint, and BOTH execute mitm attacks; the AV companies at least ask for end user consent before installing their browser protection. Most people never know they are hitting a CDN rather than the real server and are unaware that their private encrypted communication is actually being intercepted by a third party.

CDNs are far worse than what we are talking about above. Most CDNs allow SSL from the client to them and then turn around and do unsecured traffic from them to the server, passing the previously secure information over an insecure pipe without the end user ever knowing that their secure traffic is being passed insecurely over the open internet. DAMN that is LAME. This is far far worse than what the AV companies are doing. With CloudFlare the “TotalSecure” or “VerifiedSecure” levels are when both sides of the CDN are secured; they’ve been called out for years for doing the one-leg secure connections, which are their “FlexibleSecure” or “UniversalSecure” options I believe. As an end user, really one doesn’t know they are hitting a CDN, let alone an open-leg CDN connection. SO BAD. smdh.

As CDNs are by far the WORST mitm SSL offenders on the net, and are called out for it repeatedly, it is a bit hypocritical of them to point the finger at anyone else. They are pulling the classic magician stunt of redirecting attention away from the real action. Squirrel!!!
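As an added example, not taken from the thread or from any CDN’s own configuration, here is what the “one leg secure” pattern described above looks like in an nginx reverse proxy, placed beside the two-leg form that re-encrypts to the origin and verifies its certificate. The hostnames and certificate paths are placeholders, and the two server blocks are alternatives, not meant to be loaded together.

```nginx
# Alternative A: one-leg ("flexible") termination.
# The browser sees a valid TLS connection to the edge, but the proxy forwards
# the decrypted request to the origin over plaintext HTTP.
server {
    listen 443 ssl;
    server_name flexible.example.com;            # placeholder hostname
    ssl_certificate     /etc/ssl/edge.crt;       # placeholder paths
    ssl_certificate_key /etc/ssl/edge.key;

    location / {
        proxy_pass http://origin.example.internal;   # plaintext second leg
    }
}

# Alternative B: two-leg ("full, verified") termination.
# The proxy re-encrypts to the origin and checks the origin certificate
# against a pinned CA bundle, so the proxy-to-origin leg is also protected
# against interception on the open internet.
server {
    listen 443 ssl;
    server_name full.example.com;                # placeholder hostname
    ssl_certificate     /etc/ssl/edge.crt;
    ssl_certificate_key /etc/ssl/edge.key;

    location / {
        proxy_pass https://origin.example.internal;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_verify on;                     # refuse an unverifiable origin
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/origin-ca.crt;  # placeholder
        proxy_ssl_server_name on;                # send SNI to the origin
        proxy_ssl_name origin.example.internal;  # name the origin cert must match
    }
}
```

A browser connecting to either server sees the same valid edge certificate, which is exactly the point made above: from the client side the two cannot be told apart, so the second-leg protection has to be enforced and audited at the proxy.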

Negligible, but still a cool thing to have rolled together yourself. :+1: How does your interceptor decrypt and resign communication? Is it secure on both legs for HTTPS communications?
