Are there any disadvantages to Cloudflare’s “Flexible SSL”?
Cloudflare lets you serve your site over SSL without having to purchase and install a security certificate, a product they call “Flexible SSL”. (They act as a proxy and serve your site over SSL from their servers, while the connection from your server to theirs remains unencrypted.)
They currently offer Flexible SSL for free.
With Google's announcement that HTTPS is now a ranking signal, I'm considering switching several sites to Cloudflare, buying a Pro account, and turning on their “Flexible SSL” option, because it seems like the easiest way to serve several sites over HTTPS without having to purchase and manage multiple certificates.
Is there any downside to Cloudflare's Flexible SSL?
I'm comfortable using Cloudflare as a proxy – I'm more interested in two factors:
The experience for end-users. (e.g. Will visitors see security warnings?)
The level of security offered. (Enough for a simple blog, but not for an online shop because they'd pass credit card data from their server to yours unencrypted?)
More posts by @Jessie594
3 Comments
There's one big SEO disadvantage. Google said that it favors SSL sites, but the certificate should be 2048 bit. CloudFlare's "flexible SSL" is not 2048 bit.
This link explains what the CloudFlare SSL options are.
Flexible SSL, at least at this time, does not fully encrypt to your server. The issue being discussed on the blog by Matthew ("Actually, we'll be providing a free certificate that's pinned to the domain that you can install on your server for end-to-end crypto.... for free") isn't available just yet.
We'll most certainly update the content to reflect any changes when we roll out the free SSL option.
Flexible SSL is NOT fully secure
CloudFlare's Flexible SSL provides encryption from the user to CloudFlare's servers, but not from their servers to the website server. This avoids the hassle of installing (and renewing) a certificate on your web server, but does mean traffic gets sent plain text over the 2nd half of the journey.
The benefits of this setup are:
Easy to get started, no need to install certificates on your web server and deal with the periodic renewals
Provides protection from eavesdropping on insecure WiFi connections (internet cafes) and others on your local network or at the ISP level.
Users will see a green padlock in their browser and should not receive any security warnings
The inherent problems are:
Traffic from CloudFlare to your server is not encrypted, meaning wholesale ISPs, trunk providers, and the NSA can still read all requests in plain-text
The traffic is subject to man-in-the-middle (MITM) attacks where another server can impersonate your server and receive its traffic (although this issue also applies to the "Full" SSL setting; you'll need "Strict" mode to avoid this).
Because of the above, it provides a misleading and false sense of security to your web site visitors (but that's a rant not appropriate for this venue)
Comparison of the SSL settings
Not encrypting traffic between a proxy and backend server is common when the traffic is sent over a private, secured network. But in this case, you are routing traffic over the public internet.
CloudFlare recommends that you also install a certificate on your web server for true end-to-end encryption, and even provide free certificates via their dashboard for doing so (if you don't want to install a self-signed certificate). From the discussion on the CloudFlare Blog:
Actually, we'll be providing a free certificate that's pinned to the domain that you can install on your server for end-to-end crypto.
Whether "Full" or "Flexible" SSL is used, your users should not see a pop-up or other warnings.
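The point made in this answer, that under Flexible SSL the second hop is plaintext while the browser still shows a padlock, has a practical consequence for the origin: it cannot tell from the proxy's headers alone whether the request body travelled encrypted all the way. The following is an added illustration, not code from the question or any of the answers. It assumes a WSGI application on the origin server (the `RequireEndToEndTLS` middleware, the `/checkout` and `/account/password` paths and the `simulate` helper are all constructed for this example). It refuses sensitive POSTs unless the origin's own socket is TLS, which is only the case once a certificate is installed on the origin and the "Full" or "Full (Strict)" setting is in use; the `X-Forwarded-Proto` header, which describes only the browser-to-proxy leg, is deliberately not trusted for that decision.

```python
"""
Origin-side guard for a site behind a TLS-terminating proxy.

Added illustration; assumes a WSGI application on the origin. Under
Flexible SSL every request reaches the origin as plain HTTP, so
``wsgi.url_scheme`` is ``"http"`` even though the browser shows a padlock.
The proxy's ``X-Forwarded-Proto: https`` header only describes the
browser-to-proxy leg, so the guard ignores it for security decisions.
"""
from wsgiref.util import setup_testing_defaults

# Paths whose request bodies must never cross the proxy-to-origin leg in
# clear text (constructed list for the example; a real site sets its own).
SENSITIVE_PREFIXES = ("/checkout", "/account/password")


def origin_leg_is_tls(environ):
    """True only when the connection that reached *this* server is TLS.

    ``wsgi.url_scheme`` is set by the origin's own HTTP server from the
    socket it accepted, so a proxy cannot spoof it. ``X-Forwarded-Proto``
    is an unauthenticated header set by whoever sits in front of the origin
    and, under Flexible SSL, says "https" while the second hop is plaintext.
    """
    return environ.get("wsgi.url_scheme") == "https"


def describe_hops(environ):
    """Summarise both legs of the connection, e.g. for a diagnostics page."""
    browser_leg = environ.get("HTTP_X_FORWARDED_PROTO",
                              environ.get("wsgi.url_scheme"))
    origin_leg = "https" if origin_leg_is_tls(environ) else "http"
    return {"browser_to_proxy": browser_leg, "proxy_to_origin": origin_leg}


class RequireEndToEndTLS:
    """WSGI middleware: block sensitive POSTs that arrived over plaintext."""

    def __init__(self, app, prefixes=SENSITIVE_PREFIXES):
        self.app = app
        self.prefixes = prefixes

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        method = environ.get("REQUEST_METHOD", "GET")
        sensitive = method == "POST" and path.startswith(self.prefixes)
        if sensitive and not origin_leg_is_tls(environ):
            body = b"Refused: this endpoint requires TLS on the origin connection.\n"
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def _blog_app(environ, start_response):
    """Stand-in for the real application (constructed for the example)."""
    body = b"ok\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def simulate(method, path, proxy_claims_https, origin_socket_is_tls):
    """Run one constructed request through the guard; return the status line."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    environ["PATH_INFO"] = path
    environ["wsgi.url_scheme"] = "https" if origin_socket_is_tls else "http"
    if proxy_claims_https:
        environ["HTTP_X_FORWARDED_PROTO"] = "https"
    status = {}

    def start_response(status_line, headers):
        status["value"] = status_line

    list(RequireEndToEndTLS(_blog_app)(environ, start_response))
    return status["value"]


if __name__ == "__main__":
    # Flexible SSL: browser sees https, origin socket is plain http.
    print("blog page, Flexible:", simulate("GET", "/posts/1", True, False))   # 200 OK
    print("checkout, Flexible:", simulate("POST", "/checkout", True, False))  # 403 Forbidden
    # Full / Full (Strict): origin has a certificate, second hop is TLS.
    print("checkout, Full:", simulate("POST", "/checkout", True, True))       # 200 OK
```

The blog pages keep working under Flexible SSL, which matches the "enough for a simple blog" case in the question, while the checkout form is refused until the origin itself terminates TLS. Note that this guard only tells you the second hop is encrypted; whether the proxy also verified the origin's certificate (the "Full" versus "Strict" distinction in the answer) is configured on the proxy side and is not visible to the origin.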