> For this to be possible, wouldn’t they need to have a valid DV cert impersonating Google?
For it to be possible without Google's cooperation, they would. But Google does cooperate: their Web servers listen on two sets of IP addresses. The real DNS entries for www.google.com point to the first set, and for forcesafesearch.google.com to the second set. Cloudflare is spoofing DNS responses for www.google.com to point at forcesafesearch.google.com instead. When you connect to Google via the latter, it forces SafeSearch on for all traffic over that connection. Google documents this at https://support.google.com/websearch/answer/186669?hl=en
> For this to be possible, wouldn’t they need to have a valid DV cert impersonating Google?
For it to be possible without Google's cooperation, they would. But Google does cooperate: their Web servers listen on two sets of IP addresses. The real DNS entries for www.google.com point to the first set, and for forcesafesearch.google.com to the second set. Cloudflare is spoofing DNS responses for www.google.com to point at forcesafesearch.google.com instead. When you connect to Google via the latter, it forces SafeSearch on for all traffic over that connection. Google documents this at https://support.google.com/websearch/answer/186669?hl=en