CloudFlare enabling free SSL by mid-October (opens in new tab)

(blog.cloudflare.com)

154 pointsmoonboots11y ago61 comments

61 comments

Please note that using Cloudflare, even with free SSL, is not an increase to the security and privacy of your users. On the contrary, Cloudflare records information about your users (this cannot be disabled) and, by default, blocks users who attempt to view your site through privacy-enhancing software. I would suggest that people looking to install SSL on their website (this should be everybody) instead get their free SSL certificate from gandi.net or StartSSL, who do not spy on or block your users.

rdl11y ago

I assume you are referring to Tor? We love Tor and the specific things we block by default are resource consumption bots. If people enable. "I Am Under Attack" mode , I think there is some incidental interstitial challenge for Tor, but not blocked.

We don't comment on our customers unless they authorize us to, but based on the list of public ones, I would be pretty comfortable, even if I didn't work there.

ChrisAntaki11y ago

Anyone here can test nilved's claim easily enough. Just visit Hacker News using Tor or a VPN, since the site uses Cloudflare.

Side note: Your announcement is really exciting.

1 more reply

monokrome11y ago

So, you're saying that using HTTP instead of HTTPS doesn't increase the privacy of users? I'd say that it does "increase" the privacy, although nobody is saying that it fixes every hole in the boat...

nilved11y ago

Speaking strictly, you're right, but when you consider (a) Cloudflare's connection to your server is insecure (b) Cloudflare is listening in on every request (c) Cloudflare blocks VPN and Tor users, it doesn't seem like such an obvious decision. But that's a false dichotomy, since everybody should use HTTPS, nobody should use HTTP, and, most importantly, nobody should be okay with third-parties snooping on your users.

3 more replies

spindritf11y ago

Yes, it worries me that Cloudflare is proxying an ever larger number of websites I visit. It is not so easy to dump Cloudflare when you need it though. They mitigate DDoS attacks, handle large volume traffic. I think moot even said that he'd have to close 4chan if it wasn't for Cloudflare.

stevenh11y ago

Cloudflare hosts and defends the sites of numerous DDoS-for-pay services and they refuse to take them down.

http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gb...

"[The DDoS-for-pay] industry probably would destroy itself without Cloudflare’s protection, and furthermore ... some might perceive a credibility issue with a company that sells DDoS protection services providing safe haven to an entire cottage industry of DDoS-for-hire services."

1 more reply

namidark11y ago

Gandi is free for a year and then expensive after - Namecheap may not be free but renewals and initial costs are much lower. StartSSL is free but revoke-ing costs money.

nly11y ago

Revoking StartSSL is only $25. If you go 3 years without needing revocation then you're ahead of paying Namecheap or anyone else for basic domain validation.

tuneladora11y ago

Namecheap vs Gandi is like 6.5 vs 12 EUR. Yes is almost double, but I don't know if I would consider them as cheap and "expensive".

Ecio7811y ago

just checked now, Gandi is 40€/yr, not that expensive compared to big names like Verisign & co. I have used in the past RapidSSL, but it is same price, 50$/yr. I've just checked Namecheap and it's reselling other SSL like Comodo or Geotrust, but it looks less expensive, so yes, probably it's the best price.

1 more reply

user311y ago

Most of the websites wont encrypt the link from Cloudflare to the server, ultimately defeating the purpose of SSL aside from a better search ranking.

igul22211y ago

It's not a problem if those connections use self-signed certificates, right? If that's the case, then setting up SSL from CloudFlare to your servers should be pretty easy.

agwa11y ago

It would be free, but not necessarily easy, as it would still entail configuring your web server to use SSL, and that might not even be an option if you're using shared hosting.

(Aside: self signed certs don't protect the connection from active attacks unless CloudFlare pins the cert. I'm mainly concerned with passive eavesdropping though.)

1 more reply

guyht11y ago

Could you elaborate on this. My impression was that connections between data centres (e.g. in the case of using an EC2 instance with Cloudflare) were already very secure and therefore do not require SSL.

eli11y ago

Depends what you're trying to protect against. Those links are notably very insecure against the NSA.

3 more replies

mmohebbi11y ago

Agree with others that it depends on what you are trying to protect against. It's also worth reading through the options that Cloudflare supports for origin server communication:

http://blog.cloudflare.com/introducing-strict-ssl-protecting...

ihsw11y ago

What's the difference between this and using AWS ELB for HTTPS termination?

simpleigh11y ago

Communication from CloudFlare to your server is over the open Internet, whereas that from an ELB to an EC2 instance is within Amazon's datacentre.

donavanm11y ago

Are there more actual implementation details somewhere? Sounds like selecting the ssl context based on the clients SNI request. This (obviously) would predicate client SNI support, as opposed to anycast IPs or similar.

moonbootsOP11y ago

CloudFlare's CEO says that free SSL will use SNI with ipv4 [1] and possibly non-SNI with ipv6 [2]. A CloudFlare engineer has discussed splitting the SSL handshake between servers so their many edge nodes don't need to keep customer secret keys in memory [3]. However, this sounds slightly different than the lazy loading behavior in the blog post.

[1] https://news.ycombinator.com/item?id=7910849

[2] https://twitter.com/eastdakota/status/478369486643658754

[3] http://www.slideshare.net/cloudflare/running-secure-server-s...

asdfaoeu11y ago

Non-SNI over ipv6 seems pretty pointless since anything supporting ipv6 is going to have sni anyway.

2 more replies

indutny11y ago

I believe you could use node.js or https://github.com/indutny/bud for asynchronously selecting SNI context per request. This is very fast and flexible.

alanbyrne11y ago

Does it bother anyone else that when you try to visit the Google post explaining that they are using HTTPs as a ranking signal via https it redirects to http?

http://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-...

curiousjorge11y ago

what I just paid 20/month for the SSL....

Update: I have another concern I just found out.

For example, I do a lot of web scraping through my domain and I see that I was automatically opted in to use https://www.cloudflare.com/apps/scrapeshield, something that is supposed to block scraping.

There's a huge conflict of interest if it turns out that the cloudflare network actively aims to help block scraping.

I know you guys said you will be on the neutral side but if the cloudflare is helping Scrapeshield become more intelligent about scraping by monitoring my scraping actions, I really don't know if it's wise to stay with cloudflare, as much as I love it.

eastdakota11y ago

Scrapeshield is a CloudFlare feature. If you don't want it, turn it off. Here's the announcement from when we launched the feature:

http://blog.cloudflare.com/introducing-scrapeshield-discover...

eastdakota11y ago

We'll be adding some cool new features to our paid plans at the same time, so I hope you'll decide to continue paying us the $20.

thoughtpolice11y ago

Good to hear - I just signed up and put in the $20 myself (not a very large barrier), and I'm glad features like custom certificates (& other things) will be available as mentioned elsewhere in this thread. CloudFlare seems like a great product so far.

icebraining11y ago

I don't get it. A domain is just an address, how can you scrape through your domain? Do you mean server? But scrapping is an outbound connection, how could they monitor it?

general_failure11y ago

Do not announce things until done. This is just shameless marketing stunt.

junto11y ago

I presume that customer private keys need to be stored on Cloudflare servers to implement this. Has that just made Cloudflare servers a legitimate prime NSA target?

I.e. all your keys belong to us

rdl11y ago

We have a product, "keyless ssl", which is used by some customers to retain on premise custody of their asymmetric key material, actually.

taksintik11y ago

Cloudflare throwing it down with authority...well played. In the end the consumer really doesn't give a hoot. They want simple.

tanglesome11y ago

Why are people up-voting an ad?

willu11y ago

Are EV certs going to remain Business/Enterprise-only?

eastdakota11y ago

No.

daveslash11y ago

I would have guessed EV certs to remain business only. Well, perhaps not business only, but still requiring additional validation. How do you believe EV will be handled? Thanks!

EDIT: I didn't realize you represented cloud-flare. I'm genuinely curious how EV certs will work. Thanks!

1 more reply

tuananh11y ago

CloudFlare is the coolest free CDN out there.

j / k navigate · click thread line to collapse

61 comments

nilved11y ago

rdl11y ago

We don't comment on our customers unless they authorize us to, but based on the list of public ones, I would be pretty comfortable, even if I didn't work there.

ChrisAntaki11y ago

Anyone here can test nilved's claim easily enough. Just visit Hacker News using Tor or a VPN, since the site uses Cloudflare.

Side note: Your announcement is really exciting.

1 more reply

monokrome11y ago

nilved11y ago

3 more replies

spindritf11y ago

stevenh11y ago

Cloudflare hosts and defends the sites of numerous DDoS-for-pay services and they refuse to take them down.

http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gb...

1 more reply

namidark11y ago

Gandi is free for a year and then expensive after - Namecheap may not be free but renewals and initial costs are much lower. StartSSL is free but revoke-ing costs money.

nly11y ago

Revoking StartSSL is only $25. If you go 3 years without needing revocation then you're ahead of paying Namecheap or anyone else for basic domain validation.

tuneladora11y ago

Namecheap vs Gandi is like 6.5 vs 12 EUR. Yes is almost double, but I don't know if I would consider them as cheap and "expensive".

Ecio7811y ago

1 more reply

user311y ago

Most of the websites wont encrypt the link from Cloudflare to the server, ultimately defeating the purpose of SSL aside from a better search ranking.

igul22211y ago

It's not a problem if those connections use self-signed certificates, right? If that's the case, then setting up SSL from CloudFlare to your servers should be pretty easy.

agwa11y ago

It would be free, but not necessarily easy, as it would still entail configuring your web server to use SSL, and that might not even be an option if you're using shared hosting.

(Aside: self signed certs don't protect the connection from active attacks unless CloudFlare pins the cert. I'm mainly concerned with passive eavesdropping though.)

1 more reply

guyht11y ago

eli11y ago

Depends what you're trying to protect against. Those links are notably very insecure against the NSA.

3 more replies

mmohebbi11y ago

Agree with others that it depends on what you are trying to protect against. It's also worth reading through the options that Cloudflare supports for origin server communication:

http://blog.cloudflare.com/introducing-strict-ssl-protecting...

ihsw11y ago

What's the difference between this and using AWS ELB for HTTPS termination?

simpleigh11y ago

Communication from CloudFlare to your server is over the open Internet, whereas that from an ELB to an EC2 instance is within Amazon's datacentre.

donavanm11y ago

moonbootsOP11y ago

[1] https://news.ycombinator.com/item?id=7910849

[2] https://twitter.com/eastdakota/status/478369486643658754

[3] http://www.slideshare.net/cloudflare/running-secure-server-s...

asdfaoeu11y ago

Non-SNI over ipv6 seems pretty pointless since anything supporting ipv6 is going to have sni anyway.

2 more replies

indutny11y ago

I believe you could use node.js or https://github.com/indutny/bud for asynchronously selecting SNI context per request. This is very fast and flexible.

alanbyrne11y ago

Does it bother anyone else that when you try to visit the Google post explaining that they are using HTTPs as a ranking signal via https it redirects to http?

http://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-...

curiousjorge11y ago

what I just paid 20/month for the SSL....

Update: I have another concern I just found out.

There's a huge conflict of interest if it turns out that the cloudflare network actively aims to help block scraping.

eastdakota11y ago

Scrapeshield is a CloudFlare feature. If you don't want it, turn it off. Here's the announcement from when we launched the feature:

http://blog.cloudflare.com/introducing-scrapeshield-discover...

eastdakota11y ago

We'll be adding some cool new features to our paid plans at the same time, so I hope you'll decide to continue paying us the $20.

thoughtpolice11y ago

icebraining11y ago

I don't get it. A domain is just an address, how can you scrape through your domain? Do you mean server? But scrapping is an outbound connection, how could they monitor it?

general_failure11y ago

Do not announce things until done. This is just shameless marketing stunt.

junto11y ago

I presume that customer private keys need to be stored on Cloudflare servers to implement this. Has that just made Cloudflare servers a legitimate prime NSA target?

I.e. all your keys belong to us

rdl11y ago

We have a product, "keyless ssl", which is used by some customers to retain on premise custody of their asymmetric key material, actually.

taksintik11y ago

Cloudflare throwing it down with authority...well played. In the end the consumer really doesn't give a hoot. They want simple.

tanglesome11y ago

Why are people up-voting an ad?

willu11y ago

Are EV certs going to remain Business/Enterprise-only?

eastdakota11y ago

No.

daveslash11y ago

I would have guessed EV certs to remain business only. Well, perhaps not business only, but still requiring additional validation. How do you believe EV will be handled? Thanks!

EDIT: I didn't realize you represented cloud-flare. I'm genuinely curious how EV certs will work. Thanks!

1 more reply

tuananh11y ago

CloudFlare is the coolest free CDN out there.

j / k navigate · click thread line to collapse