See this page fetch itself, byte by byte, over TLS (bytebybyte.dev)
57 points by goranmoomin on March 10, 2024 | hide | past | favorite | 8 comments


> See this page fetch itself... Raw TCP traffic is carried via a serverless WebSocket proxy.

To be pedantic, we're watching the webpage asking a Cloudflare "serverless" server to fetch the webpage and then send the results to the webpage.

I was confused as to how they were able to get a raw TCP connection in a webpage since I thought that was blocked by normal browsers.


Random thought:

TLS is broken if the random numbers used for key generation aren't actually random.

Lots of malware/state agencies are known to patch random number generators to make sure they aren't random, and rumours swirl about exactly how random hardware random number generators are.

So why not simply log random numbers used for TLS handshakes? My machine probably only does 10k HTTPS handshakes per day, so keeping a log of all of them for a few years would allow me to later check them to see if they were impacted by any attack. By logging the data from the server side of the connection I can likewise see if a server was affected.

Why doesn't any software even have a --log-tls-random option allowing paranoid sysadmins to do this?


Because logging actually opens a security hole, by allowing anyone who gets access to your hard drive to retroactively decrypt your internet traffic.


Okay - log a hash/fingerprint then.


Then how would you know if the original random numbers were affected?


Once the hash function is inevitably broken in a few years you can find out.


Chrome/Firefox/curl do allow exporting this by setting the `SSLKEYLOGFILE` environment variable, but as another poster points out this would let anyone with access to your hard drive decrypt your historical traffic.
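As an added illustration of the "log a hash/fingerprint" idea raised above (example code, not from the thread or from any of the tools named): this parses the NSS key log format that `SSLKEYLOGFILE` produces, retains only a SHA-256 of each client_random, discards the secret, and flags a client_random that recurs across handshakes. The sample log content is constructed for the example.

```python
import hashlib
import re
from collections import Counter

# NSS Key Log Format: "<LABEL> <32-byte client_random hex> <secret hex>".
KEYLOG_LINE = re.compile(
    r"^(?P<label>[A-Z0-9_]+) (?P<client_random>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)$"
)

# Constructed sample key log (all values made up); the third line reuses the
# first line's client_random, which is what a broken RNG would produce.
SAMPLE_KEYLOG = """\
# SSL/TLS secrets log file, generated by NSS
CLIENT_RANDOM 0f1e2d3c4b5a69788796a5b4c3d2e1f0112233445566778899aabbccddeeff00 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
CLIENT_RANDOM ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100 aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899
CLIENT_RANDOM 0f1e2d3c4b5a69788796a5b4c3d2e1f0112233445566778899aabbccddeeff00 99887766554433221100ffeeddccbbaa99887766554433221100ffeeddccbbaa
CLIENT_HANDSHAKE_TRAFFIC_SECRET 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
this line is malformed and must be skipped
"""

def fingerprint_random(client_random_hex: str) -> str:
    """SHA-256 of the raw 32-byte client_random, hex-encoded (64 chars)."""
    return hashlib.sha256(bytes.fromhex(client_random_hex)).hexdigest()

def redact_keylog(text: str) -> list[dict]:
    """Keep label + fingerprint per handshake line; the secret is never retained."""
    records = []
    for line in text.splitlines():
        m = KEYLOG_LINE.match(line)
        if m is None:
            continue  # comments and malformed lines are skipped, not guessed at
        records.append({"label": m.group("label"),
                        "client_random_sha256": fingerprint_random(m.group("client_random"))})
    return records

def repeated_randoms(records: list[dict]) -> list[tuple[str, str]]:
    """(label, fingerprint) pairs seen more than once: the same label with the same
    client_random means two handshakes shared a random, a classic sign of RNG failure."""
    counts = Counter((r["label"], r["client_random_sha256"]) for r in records)
    return sorted(key for key, n in counts.items() if n > 1)

def leaks_secret(records: list[dict], keylog_text: str) -> bool:
    """True if any secret from the source log survives in the redacted output."""
    secrets = {m.group("secret").lower()
               for m in map(KEYLOG_LINE.match, keylog_text.splitlines()) if m}
    dumped = repr(records).lower()
    return any(s in dumped for s in secrets)
```

Reusing a random within one TLS 1.3 handshake across its several labels is normal; only the same label recurring with the same random is flagged here.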


Big thread from some months ago: https://news.ycombinator.com/item?id=35884437



