  1. #1
    Join Date
    Oct 2010
    Posts
    5,079

    CloudFlare's "Free SSL for all" - inherently insecure?

    I'm sure many have seen CloudFlare's announcement today that all their customers (free or paying) who signed up directly with them will have SSL certificates (domain, and first-level wildcard) installed on their CloudFlare account. By default, it will use "Flexible SSL" (SSL protection from the browser to CloudFlare's POP, but not from CloudFlare's network to the origin server), although people are being encouraged to install certificates on their actual website so that the whole process is encrypted.

    Here's my question: Assuming lots of people don't bother to install a certificate on their webserver, Flexible will be the common option.

    That means your web browser will show green-bar reassurance that everything is encrypted, safe for e-commerce, etc. In fact, though, that traffic is all travelling unencrypted between CloudFlare and the origin web server, so is prone to sniffing etc.

    I'm sure they've thought of that, and it can't be as insecure (whilst looking secure) as that. What have I missed?
    Not as active on WHT as I used to be, but still drop in and receive email notifications from here.
    My personal blog site: https://www.oakleys.org.uk/blog

  2. #2
    I think the point is that it's secure from sniffing from the user's location, and that's all. I don't think they can do green bar assurance w/o a backend ssl cert that identifies the entity.

    Sounds like a problem to me if users are creating secure connections for login sessions on cloudflare but passed as unencrypted from cloudflare to origin server. Bypasses the end-user expectation that they are encrypted end to end (if they have one).
    Last edited by avibodha; 09-29-2014 at 06:05 PM.

  3. #3
    Wonder what happens for self-signed certificates? If they bypass the browser warning, that's a problem too I think.

  4. #4
    Because 99% of sniffing happens below the ISP level.

  5. #5
    Join Date
    Dec 2013
    Posts
    522
    Are we going to see more e-commerce sites?
    I will bet you there will be some owners who will just use Cloudflare Flexible SSL and not install SSL on their site.
    Can you trust e-commerce sites who use Cloudflare SSL from now on?

  6. #6
    Join Date
    Jun 2014
    Posts
    384
    So it's not pure SSL?

  7. #7
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,525
    Quote Originally Posted by OakHosting_James View Post
    I'm sure they've thought of that, and it can't be as insecure (whilst looking secure) as that. What have I missed?
    It is not particularly secure, if that's what you're asking. This method gives the end user a false sense of security.

  8. #8
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,525
    Quote Originally Posted by avibodha View Post
    I think the point is that it's secure from sniffing from the user's location, and that's all. I don't think they can do green bar assurance w/o a backend ssl cert that identifies the entity.
    Yes, they can provide a "green bar" even if encryption is lacking on the origin interface.

  9. #9
    Join Date
    Nov 2006
    Location
    USA
    Posts
    1,274
    Quote Originally Posted by avibodha View Post
    Wonder what happens for self-signed certificates? If they bypass the browser warning, that's a problem too I think.
    You can do self-signed --> cloudflare --> user without any issues and the user doesn't see any "flags/warnings" when viewing the pages.

  10. #10
    Join Date
    Oct 2010
    Posts
    5,079
    Who will be the certifying authority, and what root certificate?

    I find it worrying that the browser will say the session is more secure than it really is. Shouldn't everyone, to the point of revoking in their browsers the top of the chain for all these new certificates?
    Not as active on WHT as I used to be, but still drop in and receive email notifications from here.
    My personal blog site: https://www.oakleys.org.uk/blog

  11. #11
    I believe this is a very valid concern raised in this thread and I think the fair thing would be for CloudFlare to warn somehow the users on a website which uses only Flexible SSL that the connection is not fully encrypted from one end to the other.

    They can't simply leave this up to the site owners to have a conscience and install at least a self-signed cert on the server side, because most of them won't bother and their users' info could be exposed.
    Uptime Monitor - Minimize your downtime by being the first to know about it!

    Blacklist Monitor - Are any of your IPs or Domains blacklisted? Find out before it gets to affect you or your clients.

  12. #12
    Join Date
    Dec 2013
    Posts
    522
    Quote Originally Posted by [HB]Andrei View Post
    I believe this is a very valid concern raised in this thread and I think the fair thing would be for CloudFlare to warn somehow the users on a website which uses only Flexible SSL that the connection is not fully encrypted from one end to the other.
    This is what I am worried about future shopping websites, they just use Flexible SSL and then you might enter your credit card into one of them sites...ready for someone during transit to take...

    We need someone to design a plugin to block Cloudflare SSL

  13. #13
    Join Date
    Oct 2010
    Posts
    5,079
    Quote Originally Posted by Squidix - SamBarrow View Post
    Because 99% of sniffing happens below the ISP level.
    As Wikipedia would put it: Citation needed.

    In particular, I'm not sure Ed Snowden would agree.

    In fact, even when the site owner implements SSL on the web server, the traffic would be encrypted between the webserver and CloudFlare. At this point it would be decrypted, before being encrypted again with a different key to go to the browser. So even if all the transit is encrypted, there's one key point in the middle at which everything is decrypted.

    That's too tempting, as a single point of wire-tap.

    Quote Originally Posted by leckley View Post
    You can do self-signed --> cloudflare --> user without any issues and the user doesn't see any "flags/warnings" when viewing the pages.
    Sure, the site owner could do that. As has been said, many won't bother. More to the point, the site's visitor has no way to know whether this has been done.

    It's now the case that whether the browser says a session is secure bears no relation at all to whether it actually is.

    All of this makes the internet a much less secure place, not more so (as is being trumpeted).

    Quote Originally Posted by [HB]Andrei View Post
    I think the fair thing would be for CloudFlare to warn somehow the users on a website which uses only Flexible SSL that the connection is not fully encrypted from one end to the other.
    Yes. We all know that CloudFlare can enable apps that insert a message onto a webpage. It's easy to do, although I'm still troubled even when there is backend encryption. Really, if I'm browsing a secure site, I want to know that I'm decrypting the data that has been unaltered since the issuing server encrypted it.

    Bottom line: When I opened this thread, I said that CloudFlare have surely thought of this, so I asked "What have I missed?" That wasn't just being sarcastically charitable; I genuinely knew that my knowledge of encryption has many holes, and therefore someone would come along and say: "Ah, yes, but there's this thing which means it's actually all OK".

    So far, nobody's done that. I hope someone still will.

    In the meantime, anyone care to give instructions on asking Firefox or Chrome not to trust any certificate that has a CloudFlare certificate in its chain?
    Not as active on WHT as I used to be, but still drop in and receive email notifications from here.
    My personal blog site: https://www.oakleys.org.uk/blog

  14. #14
    Cloudflare has been doing this with the paid sites for a while. I use it but I do have an ssl on my server as well.

    I do agree cloudflare needs to have something that lets the client know both ends are not secure.

    As for non ecommerce or login customers I'm going to take full advantage of the free ssl because Google is using it in their algorithm for ranking.
    WordPress Hosting
    Shared / White Label Reseller WHM | SSD Cloud | CloudLinux

    www.LarisMedia.com Wordpress & Magento Website Design

  15. #15
    Join Date
    Nov 2010
    Location
    San Francisco, CA
    Posts
    901

    Hi,

    Quote Originally Posted by OakHosting_James View Post
    I'm sure many have seen CloudFlare's announcement today that all their customers (free or paying) who signed up directly with them will have SSL certificates (domain, and first-level wildcard) installed on their CloudFlare account. By default, it will use "Flexible SSL" (SSL protection from the browser to CloudFlare's POP, but not from CloudFlare's network to the origin server), although people are being encouraged to install certificates on their actual website so that the whole process is encrypted.

    Here's my question: Assuming lots of people don't bother to install a certificate on their webserver, Flexible will be the common option.

    That means your web browser will show green-bar reassurance that everything is encrypted, safe for e-commerce, etc. In fact, though, that traffic is all travelling unencrypted between CloudFlare and the origin web server, so is prone to sniffing etc.

    I'm sure they've thought of that, and it can't be as insecure (whilst looking secure) as that. What have I missed?
    You are correct that Flexible is not as secure as having SSL directly on the server (still safer than not having anything at all). We actually posted a good blog post last night about how people can get a free/cheap SSL option that they can use on their server, which would then allow us to do FULL or FULL strict SSL options that encrypt all the way to the origin.
    CloudFlare Community Evangelist

  16. #16
    Join Date
    Nov 2010
    Location
    San Francisco, CA
    Posts
    901

    Hi,

    "That means your web browser will show green-bar reassurance that everything is encrypted, safe for e-commerce"

    Just to clarify...a green bar (EV) is not going to show with the certificate option.
    CloudFlare Community Evangelist

  17. #17
    Join Date
    Oct 2010
    Posts
    5,079
    Quote Originally Posted by damoncloudflare View Post
    You are correct that Flexible is not as secure as having SSL directly on the server (still safer than not having anything at all). We actually posted a good blog post last night about how people can get a free/cheap SSL option that they can use on their server, which would then allow us to do FULL or FULL strict SSL options that encrypt all the way to the origin.
    Thanks Damon for stepping into this thread - I was hoping one of you guys would come by once the dust settled your end. Lots of new sign-ups I gather. Congratulations.

    I understand that you're offering three solutions: Flexible, Full and Full Strict - with increasing measures of security.

    My concern is from the perspective of the web browser, the person visiting a site that uses one of these technologies. The indicators that they see in their address bar do not distinguish which approach is being used for any given site.

    I'd argue that has the potential to give someone a false sense of security. Picture the careful user, who only ever posts credit card data over SSL, so that their card details never cross the internet unencrypted. That user will think a CloudFlare Flexible SSL site is one of those trusted environments, and enter their card details, unaware that those card details will be crossing the internet unencrypted. (I know that the card details are encrypted for the first few hops, but that's not the point. If I'm browsing through a private-VPN tunnel, I still wouldn't enter card details into a non-https site).

    Which means I'm not sure that is more secure. It would be more secure for a site that does not have end-to-end encryption to report itself as unencrypted, so that end users don't trust it with more data than they mean to.
    Not as active on WHT as I used to be, but still drop in and receive email notifications from here.
    My personal blog site: https://www.oakleys.org.uk/blog
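
Added example (not part of any post in this thread, and not CloudFlare's code): a site owner's origin can at least tell when it is sitting behind a Flexible-style setup, by comparing the scheme the proxy reports for the visitor leg with the scheme of the connection that actually reached the origin. It assumes the proxy sets the `CF-Visitor` or `X-Forwarded-Proto` request header and that the origin only accepts connections from the proxy (otherwise a client can forge these headers); the class name and path prefixes are hypothetical.

```python
import json

SENSITIVE_PREFIXES = ("/login", "/checkout")  # hypothetical paths for this example


def visitor_scheme(environ):
    """Scheme the visitor used to reach the proxy, as reported by the proxy."""
    raw = environ.get("HTTP_CF_VISITOR")
    if raw:
        try:
            scheme = json.loads(raw).get("scheme")
            if scheme in ("http", "https"):
                return scheme
        except (ValueError, AttributeError):
            pass  # malformed header: fall through to X-Forwarded-Proto
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
    return proto if proto in ("http", "https") else None


def classify_hops(environ):
    """Compare the visitor leg with the leg that actually reached this origin."""
    origin_leg = environ.get("wsgi.url_scheme", "http")
    visitor_leg = visitor_scheme(environ) or origin_leg
    if visitor_leg == "https" and origin_leg == "http":
        return "flexible"  # padlock in the browser, plaintext to the origin
    if visitor_leg == "https" and origin_leg == "https":
        return "encrypted-both-legs"
    return "plaintext"


class RefusePlaintextOriginLeg:
    """WSGI middleware: sensitive paths are served only with TLS on both legs."""

    def __init__(self, app, prefixes=SENSITIVE_PREFIXES):
        self.app = app
        self.prefixes = tuple(prefixes)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        # Refuse every method, so the form is never served and never submitted.
        if path.startswith(self.prefixes) and classify_hops(environ) != "encrypted-both-legs":
            body = b"This endpoint requires TLS on the proxy-to-origin connection.\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)
```

This is a control for the site owner only; as the thread points out, the visitor's browser still has no way to see which mode is in use.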

  18. #18
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Quote Originally Posted by damoncloudflare View Post
    You are correct that Flexible is not as secure as having SSL directly on the server (still safer than not having anything at all). We actually posted a good blog post last night about how people can get a free/cheap SSL option that they can use on their server, which would then allow us to do FULL or FULL strict SSL options that encrypt all the way to the origin.
    But... To use FULL or FULL Strict options you ask those to upgrade to the paid plans but only offer "Flexible" to your free account holders?

  19. #19
    Join Date
    Oct 2010
    Posts
    5,079
    Quote Originally Posted by damoncloudflare View Post
    "That means your web browser will show green-bar reassurance that everything is encrypted, safe for e-commerce"

    Just to clarify...a green bar (EV) is not going to show with the certificate option.
    Sorry - I just noticed this post that appeared while I was typing my last reply.

    SSL without a green bar just means that EV has not been done. It still tells the end-user that everything is encrypted.

    I'm still waiting for someone to tell me I'm wrong: What you've just done is give your free users the ability to reassure visitors to their websites that everything is encrypted, without end-to-end encryption. You're giving everyone the chance to lull their visitors into a false sense of security, thus devaluing the trustworthiness of the entire SSL / certificate system.

    I'm glad you're in the thread responding. So far, you've just responded to minor details (like saying webmasters can secure things properly with your system if they wish). Please respond to this main concern.
    Not as active on WHT as I used to be, but still drop in and receive email notifications from here.
    My personal blog site: https://www.oakleys.org.uk/blog

  20. #20
    Join Date
    Feb 2006
    Posts
    5,393
    Quote Originally Posted by OakHosting_James View Post
    I'm still waiting for someone to tell me I'm wrong: What you've just done is give your free users the ability to reassure visitors to their websites that everything is encrypted, without end-to-end encryption. You're giving everyone the chance to lull their visitors into a false sense of security, thus devaluing the trustworthiness of the entire SSL / certificate system.
    While I agree it would be a good idea for CF to require at least a self-signed certificate on the host machine, they aren't facilitating anything that isn't already being done. Many sites use proxy front-ends that pass data to back-end nodes; while you'd hope that front-end to back-end data was encrypted, this is not always the case (creating the same scenario as the CF free certificates).

    It's important to keep in mind that there is a much, much smaller risk of data sniffing between CF servers and host machines than there is between end-users and CF (just due to the nature of most MITM attacks). Overall, I can see this being a good option for sites that feature user logins but not sensitive data like CC numbers etc.
    WHMEasyBackup.com - Take Control Of Your Backups!
    Complete Backup Solution For WHM Reseller Accounts

  21. #21
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Quote Originally Posted by OakHosting_James View Post
    I'm still waiting for someone to tell me I'm wrong: What you've just done is give your free users the ability to reassure visitors to their websites that everything is encrypted, without end-to-end encryption. You're giving everyone the chance to lull their visitors into a false sense of security, thus devaluing the trustworthiness of the entire SSL / certificate system.
    I think a better approach would be to just give FULL support for SSL to the free users but limit the free plan to "CDN ONLY" and the security level to "LOW" that way it still gives users a way to check out CloudFlare for FREE and saves the resources used by them however just offering partial SSL is pretty naff..?
