Please note that using Cloudflare, even with free SSL, is not an increase to the security and privacy of your users. On the contrary, Cloudflare records information about your users (this cannot be disabled) and, by default, blocks users who attempt to view your site through privacy-enhancing software. I would suggest that people looking to install SSL on their website (this should be everybody) instead get their free SSL certificate from gandi.net or StartSSL, who do not spy on or block your users.
I assume you are referring to Tor? We love Tor and the specific things we block by default are resource consumption bots. If people enable. "I Am Under Attack" mode , I think there is some incidental interstitial challenge for Tor, but not blocked.
We don't comment on our customers unless they authorize us to, but based on the list of public ones, I would be pretty comfortable, even if I didn't work there.
No, (a) not all exit nodes and VPN IPs are effected (b) not all servers have that option enabled. I use Tor and am very frequently blocked from using reddit, imgur and other sites because of it.
Honestly the bot detection stuff in production today isn't the most awesome version of that feature possible, and improving it (especially to work with tor and vpns) is a priority, but not the highest. Cloudflare is paying for me to be at DefCon right now to launch an open source firewall / evasion tool (plug able transports to the next level) in 2 days, with the grugq, so it isn't like we are opposed to tor or anything.
So, you're saying that using HTTP instead of HTTPS doesn't increase the privacy of users? I'd say that it does "increase" the privacy, although nobody is saying that it fixes every hole in the boat...
Speaking strictly, you're right, but when you consider (a) Cloudflare's connection to your server is insecure (b) Cloudflare is listening in on every request (c) Cloudflare blocks VPN and Tor users, it doesn't seem like such an obvious decision. But that's a false dichotomy, since everybody should use HTTPS, nobody should use HTTP, and, most importantly, nobody should be okay with third-parties snooping on your users.
Yeah, it can even be cert pinned, which is probably better than a non pinned end to end tls unless your attacker is local to you, due to the wonders of anycast. Also, like Google, we are constantly looking for malicious stuff like this on our IPs.
I had the same initial thought about (a), but the comments mentioned that CloudFlare issues a certificate you can install on your origin servers which will allow secure connections with CloudFlare.
Yes, it worries me that Cloudflare is proxying an ever larger number of websites I visit. It is not so easy to dump Cloudflare when you need it though. They mitigate DDoS attacks, handle large volume traffic. I think moot even said that he'd have to close 4chan if it wasn't for Cloudflare.
"[The DDoS-for-pay] industry probably would destroy itself without Cloudflare’s protection, and furthermore ... some might perceive a credibility issue with a company that sells DDoS protection services providing safe haven to an entire cottage industry of DDoS-for-hire services."
Gandi is free for a year and then expensive after - Namecheap may not be free but renewals and initial costs are much lower. StartSSL is free but revoke-ing costs money.
Revoking StartSSL is only $25. If you go 3 years without needing revocation then you're ahead of paying Namecheap or anyone else for basic domain validation.
just checked now, Gandi is 40€/yr, not that expensive compared to big names like Verisign & co.
I have used in the past RapidSSL, but it is same price, 50$/yr.
I've just checked Namecheap and it's reselling other SSL like Comodo or Geotrust, but it looks less expensive, so yes, probably it's the best price.
It's not a problem if those connections use self-signed certificates, right? If that's the case, then setting up SSL from CloudFlare to your servers should be pretty easy.
It would be free, but not necessarily easy, as it would still entail configuring your web server to use SSL, and that might not even be an option if you're using shared hosting.
(Aside: self signed certs don't protect the connection from active attacks unless CloudFlare pins the cert. I'm mainly concerned with passive eavesdropping though.)
That's what we're going to do: issue certs that our customers can use on their origins, that will be trusted by our network, and that will be pinned to a particular site. That will allow end-to-end cryptographic connections. There are other groups working on making installing and setting up SSL on origin servers easier, that's not something we're likely to tackle, but agree it's important.
Could you elaborate on this. My impression was that connections between data centres (e.g. in the case of using an EC2 instance with Cloudflare) were already very secure and therefore do not require SSL.
Right. If there were a diagram of this architecture, the NSA would scribble "SSL added and removed here" with a smiley face[1]. It's arguably even worse, since the traffic between CloudFlare and the origin server would be traveling in the clear on the public Internet, as opposed to in the clear within Google's private network.
There is also the practical concern for NSA that cloudflare is a well resourced, highly motivated company who has publicly committed to protecting customer data. It would be a lot easier to push around a small company or non profit, especially a company which didn't have the resources or freedom to defend itself. It would certainly be possible to try to get a company like CloudFlare, Twitter, etc to bend to the NSA's will , but they know they are basically guaranteed a fight. Much safer to go to a smaller hosting provider or the end user organization or personnel themselves.
It's reasonable to suppose that the NSA have a whole bunch of private signing keys for a whole bunch of CAs, and will just MITM anyone they please regardless of our puny efforts.
I'm not sure that's a safe assumption and, regardless, an active MITM attack is a much bigger deal than passively collecting traffic as it flows past you in the clear.
Agree with others that it depends on what you are trying to protect against. It's also worth reading through the options that Cloudflare supports for origin server communication:
Are there more actual implementation details somewhere? Sounds like selecting the ssl context based on the clients SNI request. This (obviously) would predicate client SNI support, as opposed to anycast IPs or similar.
CloudFlare's CEO says that free SSL will use SNI with ipv4 [1] and possibly non-SNI with ipv6 [2]. A CloudFlare engineer has discussed splitting the SSL handshake between servers so their many edge nodes don't need to keep customer secret keys in memory [3]. However, this sounds slightly different than the lazy loading behavior in the blog post.
Not sure why otterley was down voted. XP is going to exist for a while.
Old android/mobile clients are another case. Mobile operators are moving towards transparent "4 in 6" NAT/encap on their edges. The server would see a layer 3 IPv6 client, while the actual layer 7 client is an old Android/java stack.
I believe you could use node.js or https://github.com/indutny/bud for asynchronously selecting SNI context per request. This is very fast and flexible.
Does it bother anyone else that when you try to visit the Google post explaining that they are using HTTPs as a ranking signal via https it redirects to http?
I presume that customer private keys need to be stored on Cloudflare servers to implement this. Has that just made Cloudflare servers a legitimate prime NSA target?
I would have guessed EV certs to remain business only. Well, perhaps not business only, but still requiring additional validation. How do you believe EV will be handled? Thanks!
EDIT: I didn't realize you represented cloud-flare. I'm genuinely curious how EV certs will work. Thanks!
For example, I do a lot of web scraping through my domain and I see that I was automatically opted in to use https://www.cloudflare.com/apps/scrapeshield, something that is supposed to block scraping.
There's a huge conflict of interest if it turns out that the cloudflare network actively aims to help block scraping.
I know you guys said you will be on the neutral side but if the cloudflare is helping Scrapeshield become more intelligent about scraping by monitoring my scraping actions, I really don't know if it's wise to stay with cloudflare, as much as I love it.
Good to hear - I just signed up and put in the $20 myself (not a very large barrier), and I'm glad features like custom certificates (& other things) will be available as mentioned elsewhere in this thread. CloudFlare seems like a great product so far.
I don't get it. A domain is just an address, how can you scrape through your domain? Do you mean server? But scrapping is an outbound connection, how could they monitor it?
