-
09-29-2014, 05:29 PM #1 Retired Moderator
- Join Date
- Oct 2010
- Posts
- 5,079
CloudFlare's "Free SSL for all" - inherently insecure?
I'm sure many have seen CloudFlare's announcement today that all their customers (free or paying) who signed up directly with them will have SSL certificates (domain, and first-level wildcard) installed on their CloudFlare account. By default, it will use "Flexible SSL" (SSL protection from the browser to CloudFlare's POP, but not from CloudFlare's network to the origin server), although people are being encouraged to install certificates on their actual website so that the whole process is encrypted.
Here's my question: Assuming lots of people don't bother to install a certificate on their webserver, Flexible will be the common option.
That means your web browser will show green-bar reassurance that everything is encrypted, safe for e-commerce, etc. In fact, though, that traffic is all travelling unencrypted between Cloud Flare and the origin web server, so is prone to sniffing etc.
I'm sure they've thought of that, and it can't be as insecure (whilst looking secure) as that. What have I missed?
Not as active on WHT as I used to be, but still drop in and receive email notifications from here.
My personal blog site: https://www.oakleys.org.uk/blog
-
09-29-2014, 06:01 PM #2 WHT Addict
- Join Date
- May 2006
- Posts
- 109
I think the point is that it's secure from sniffing from the user's location, and that's all. I don't think they can do green bar assurance w/o a backend ssl cert that identifies the entity.
Sounds like a problem to me if users are creating secure connections for login sessions on cloudflare but passed as unencrypted from cloudflare to origin server. Bypasses the end-user expectation that they are encrypted end to end (if they have one).
Last edited by avibodha; 09-29-2014 at 06:05 PM.
-
09-29-2014, 06:10 PM #3 WHT Addict
- Join Date
- May 2006
- Posts
- 109
Wonder what happens for self-signed certificates? If they bypass the browser warning, that's a problem too I think.
-
09-29-2014, 06:21 PM #4 Disabled
- Join Date
- Jul 2009
- Posts
- 2,195
Because 99% of sniffing happens below the ISP level.
-
09-29-2014, 09:29 PM #5 Web Hosting Evangelist
- Join Date
- Dec 2013
- Posts
- 522
Are we going to see more e-commerce sites?
I will bet you there will be some owners who will just use Cloudflare Flexible SSL and not install SSL on their site.
Can you trust e-commerce sites who use Cloudflare SSL from now on?
-
09-29-2014, 09:36 PM #6 Aspiring Evangelist
- Join Date
- Jun 2014
- Posts
- 384
So it's not pure SSL?
-
09-29-2014, 09:42 PM #7 CISSP-ISSMP, CISA
- Join Date
- Aug 2002
- Location
- Seattle
- Posts
- 5,525
-
09-29-2014, 10:31 PM #8 CISSP-ISSMP, CISA
- Join Date
- Aug 2002
- Location
- Seattle
- Posts
- 5,525
-
09-29-2014, 11:06 PM #9 Web Hosting Master
- Join Date
- Nov 2006
- Location
- USA
- Posts
- 1,274
-
09-29-2014, 11:19 PM #10 Retired Moderator
- Join Date
- Oct 2010
- Posts
- 5,079
Who will be the certifying authority, and what root certificate?
I find it worrying that the browser will say the session is more secure than it really is. Shouldn't everyone, to the point of revoking in their browsers the top of the chain for all these new certificates?
-
09-29-2014, 11:23 PM #11 ~~~~
- Join Date
- May 2008
- Posts
- 3,424
I believe this is a very valid concern raised in this thread and I think the fair thing would be for CloudFlare to warn somehow the users on a website which uses only Flexible SSL that the connection is not fully encrypted from one end to the other.
They can't simply leave this up to the site owners to have a conscience and install at least a self-signed cert on the server side, because most of them won't bother and their users' info could be exposed.
Uptime Monitor - Minimize your downtime by being the first to know about it!
Blacklist Monitor - Are any of your IPs or Domains blacklisted? Find out before it gets to affect you or your clients.
-
09-29-2014, 11:44 PM #12 Web Hosting Evangelist
- Join Date
- Dec 2013
- Posts
- 522
-
09-30-2014, 01:47 AM #13 Retired Moderator
- Join Date
- Oct 2010
- Posts
- 5,079
As Wikipedia would put it: Citation needed.
In particular, I'm not sure Ed Snowden would agree.
In fact, even when the site owner implements SSL on the web server, the traffic would be encrypted between the webserver and CloudFlare. At this point it would be decrypted, before being encrypted again with a different key to go to the browser. So even if all the transit is encrypted, there's one key point in the middle at which everything is decrypted.
That's too tempting, as a single point of wire-tap.
Sure, the site owner could do that. As has been said, many won't bother. More to the point, the site's visitor has no way to know whether this has been done.
It's now the case that whether the browser says a session is secure bears no relation at all to whether it actually is.
All of this makes the internet a much less secure place, not more so (as is being trumpeted).
Yes. We all know that CloudFlare can enable apps that insert a message onto a webpage. It's easy to do, although I'm still troubled even when there is backend encryption. Really, if I'm browsing a secure site, I want to know that I'm decrypting the data that has been unaltered since the issuing server encrypted it.
Bottom line: When I opened this thread, I said that CloudFlare have surely thought of this, so I asked "What have I missed?" That wasn't just being sarcastically charitable; I genuinely knew that my knowledge of encryption has many holes, and therefore someone would come along and say: "Ah, yes, but there's this thing which means it's actually all OK".
So far, nobody's done that. I hope someone still will.
In the meantime, anyone care to give instructions on asking Firefox or Chrome not to trust any certificate that has a CloudFlare certificate in its chain?
-
09-30-2014, 11:06 AM #14 Web Hosting Master
- Join Date
- Mar 2013
- Posts
- 565
Cloudflare has been doing this with the paid sites for a while. I use it but I do have an ssl on my server as well.
I do agree cloudflare needs to have something that lets the client know both ends are not secure.
As for non ecommerce or login customers I'm going to take full advantage of the free ssl because Google is using it in their algorithm for ranking.
WordPress Hosting
Shared / White Label Reseller WHM | SSD Cloud | CloudLinux
www.LarisMedia.com Wordpress & Magento Website Design
-
09-30-2014, 03:23 PM #15 Web Hosting Master
- Join Date
- Nov 2010
- Location
- San Francisco, CA
- Posts
- 901
Hi,
You are correct that Flexible is not as secure as having SSL directly on the server (still safer than not having anything at all). We actually posted a good blog post last night about how people can get a free/cheap SSL option that they can use on their server, which would then allow us to do FULL or FULL strict SSL options that encrypt all the way to the origin.
CloudFlare Community Evangelist
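Post #13 notes that a visitor cannot see whether the CDN-to-origin leg is encrypted, and post #15 says Full and Full (strict) need a certificate on the origin. A site owner can at least verify their own side. The following is an added example, not CloudFlare's tooling or anything from the thread: it probes an origin directly (hostname, origin IP and port are assumed placeholders) and reports which of the three modes the origin can actually support, using only Python's standard library.

```python
"""Probe an origin server to see which CloudFlare SSL modes it can back.

Constructed example: 'origin.example' / 127.0.0.1 are placeholders; point
probe_origin() at your own origin's real IP (not the CDN edge) to use it.
"""
import socket
import ssl

NO_TLS = "none"            # origin answers only in the clear -> Flexible only
UNTRUSTED_TLS = "untrusted"  # TLS works but cert is self-signed/mismatched -> Full
TRUSTED_TLS = "trusted"    # cert chains to a public root and matches the name -> Full (strict)


def _handshake(hostname, origin_ip, port, timeout, verify):
    """Attempt one TLS handshake; return True if it completed."""
    ctx = ssl.create_default_context()
    if not verify:
        # Accept any certificate, so we only learn "does TLS work at all"
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        # SNI carries the public hostname even though we dial the origin IP
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        # Covers refused/timed-out connections, plain-HTTP on 443,
        # and certificate verification failures (SSLCertVerificationError)
        return False


def probe_origin(hostname, origin_ip, port=443, timeout=5.0):
    """Classify the origin as NO_TLS, UNTRUSTED_TLS or TRUSTED_TLS."""
    if _handshake(hostname, origin_ip, port, timeout, verify=True):
        return TRUSTED_TLS
    if _handshake(hostname, origin_ip, port, timeout, verify=False):
        return UNTRUSTED_TLS
    return NO_TLS


def supported_modes(origin_state):
    """Map a probe result onto the modes named in this thread, weakest first."""
    modes = ["Flexible"]
    if origin_state in (UNTRUSTED_TLS, TRUSTED_TLS):
        modes.append("Full")
    if origin_state == TRUSTED_TLS:
        modes.append("Full (strict)")
    return modes


if __name__ == "__main__":
    state = probe_origin("origin.example", "127.0.0.1")
    print(state, "->", supported_modes(state))
```

Anything short of TRUSTED_TLS means the CDN-to-origin hop is either plaintext or unauthenticated, which is exactly the gap the browser padlock does not reveal.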
-
09-30-2014, 03:26 PM #16 Web Hosting Master
- Join Date
- Nov 2010
- Location
- San Francisco, CA
- Posts
- 901
Hi,
"That means your web browser will show green-bar reassurance that everything is encrypted, safe for e-commerce"
Just to clarify...a green bar (EV) is not going to show with the certificate option.
-
09-30-2014, 03:35 PM #17 Retired Moderator
- Join Date
- Oct 2010
- Posts
- 5,079
Thanks Damon for stepping into this thread - I was hoping one of you guys would come by once the dust settled your end. Lots of new sign-ups I gather. Congratulations.
I understand that you're offering three solutions: Flexible, Full and Full Strict - with increasing measures of security.
My concern is from the perspective of the web browser, the person visiting a site that uses one of these technologies. The indicators that they see in their address bar do not distinguish which approach is being used for any given site.
I'd argue that has the potential to give someone a false sense of security. Picture the careful user, who only ever posts credit card data over SSL, so that their card details never cross the internet unencrypted. That user will think a CloudFlare Flexible SSL site is one of those trusted environments, and enter their card details, unaware that those card details will be crossing the internet unencrypted. (I know that the card details are encrypted for the first few hops, but that's not the point. If I'm browsing through a private-VPN tunnel, I still wouldn't enter card details into a non-https site).
Which means I'm not sure that is more secure. It would be more secure for a site that does not have end-to-end encryption to report itself as unencrypted, so that end users don't trust it with more data than they mean to.
-
09-30-2014, 03:57 PM #18 Hello World
- Join Date
- Nov 2009
- Location
- /etc/my.cnf
- Posts
- 10,657
-
09-30-2014, 04:11 PM #19 Retired Moderator
- Join Date
- Oct 2010
- Posts
- 5,079
Sorry - I just noticed this post that appeared while I was typing my last reply.
SSL without a green bar just means that EV has not been done. It still tells the end-user that everything is encrypted.
I'm still waiting for someone to tell me I'm wrong: What you've just done is give your free users the ability to reassure visitors to their websites that everything is encrypted, without end-to-end encryption. You're giving everyone the chance to lull their visitors into a false sense of security, thus devaluing the trustworthiness of the entire SSL / certificate system.
I'm glad you're in the thread responding. So far, you've just responded to minor details (like saying webmasters can secure things properly with your system if they wish). Please respond to this main concern.
-
09-30-2014, 06:25 PM #20 Web Hosting Master
- Join Date
- Feb 2006
- Posts
- 5,393
While I agree it would be a good idea for CF to require at least a self-signed certificate on the host machine, they aren't facilitating anything that isn't already being done. Many sites use proxy front-ends that pass data to back-end nodes, while you'd hope that front-end to back-end data was encrypted this is not always the case (creating the same scenario as the CF free certificates).
It's important to keep in mind that there is a much, much smaller risk of data sniffing between CF servers and host machines than there is between end-users and CF (just due to the nature of most MITM attacks). Overall, I can see this being a good option for sites that feature user logins but not sensitive data like CC numbers etc.
WHMEasyBackup.com - Take Control Of Your Backups!
Complete Backup Solution For WHM Reseller Accounts
-
09-30-2014, 06:43 PM #21 Hello World
- Join Date
- Nov 2009
- Location
- /etc/my.cnf
- Posts
- 10,657
I think a better approach would be to just give FULL support for SSL to the free users but limit the free plan to "CDN ONLY" and the security level to "LOW". That way it still gives users a way to check out CloudFlare for FREE and saves the resources used by them; however, just offering partial SSL is pretty naff..?