Slashdot Mirror


CloudFlare Announces Free SSL Support For All Customers

Z80xxc! writes: CloudFlare, a cloud service that sits between websites and the internet to provide a CDN, DDoS and other attack prevention, speed optimization, and other services announced today that SSL will now be supported for all customers, including free customers. This will add SSL support to approximately 2 million previously unprotected websites. Previously SSL was only available to customers paying at least $20/month for a "Pro" plan or higher.

Browsers connect to CloudFlare's servers and receive a certificate provided by CloudFlare. CloudFlare then connects to the website's server to retrieve the content, serving as a sort of reverse proxy. Different security levels allow CloudFlare to connect to the website host using no encryption, a self-signed certificate, or a verified certificate, depending on the administrator's preferences. CloudFlare's servers will use SNI for free accounts, which is unsupported for IE on Windows XP and older, and Android Browser on Android 2.2 and older.

67 comments

  1. In the Market by pubwvj · · Score: 0

    Interesting... I'm in the market for a new web host... Got my attention.

    1. Re:In the Market by Z80xxc! · · Score: 5, Informative

      CloudFlare isn't a host, it's a sort of advanced CDN with extra features. You still need to have the website hosted on another server somewhere. Their website explains how it works better than I can, so you might as well read it there: https://www.cloudflare.com/ove...

    2. Re:In the Market by tepples · · Score: 3, Informative

      But if your site is behind a CDN proxy and highly cacheable, then you can probably get away with cheap hosting like WebFaction or something.

    3. Re:In the Market by pubwvj · · Score: 1

      Checking it out as we 'speak'...

    4. Re:In the Market by Anonymous Coward · · Score: 0

      Most Effective Advertising Campaign Ever.

    5. Re:In the Market by Z80xxc! · · Score: 3, Informative

      Indeed. I run a couple websites that see a decent amount of traffic. CloudFlare up front, Webfaction on the backend. Works quite well overall. Very speedy load times and easy to set up. I'm looking forward to enabling SSL for all my sites. I have had some troubles getting the right IP addresses into logs and applications though... WebFaction's nginx reverse proxy adds an X-FORWARDED-FOR header, which replaces that sent by CloudFlare with the CloudFlare IP... so you end up not getting the right IP returned.
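The X-Forwarded-For problem in this comment is worth seeing in code, because the same decision (which hops in the chain to believe) also determines whether a header spoofed by a client is accepted. The following is an added example, not code from the thread, CloudFlare or WebFaction; the address ranges and hosts are constructed placeholders, and the "replace" versus "append" behaviour of the second proxy is modelled rather than taken from a real nginx config.

```python
import ipaddress

# Constructed placeholder prefixes standing in for the CDN's edge range and the
# hosting provider's own proxy range (not CloudFlare's or WebFaction's real ones).
CDN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
HOST_PROXY_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED = CDN_RANGES + HOST_PROXY_RANGES

CDN_EDGE = "198.51.100.20"   # constructed: the CDN node that fetched the page
HOST_PROXY = "10.7.7.7"      # constructed: the hosting provider's nginx
REAL_CLIENT = "203.0.113.7"  # constructed: the browser's real address


def is_trusted(addr, trusted):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted):
    """Pick the client address from X-Forwarded-For without trusting the client.

    remote_addr is the TCP peer the application actually sees.  The header is
    the chain "client, proxy1, proxy2".  Walking it from the right, each hop is
    only believed if the hop that wrote it is trusted; the first untrusted
    address is the best evidence of the real client.  A header sent by an
    untrusted peer is ignored entirely, so a spoofed value cannot get in.
    """
    if not is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr          # malformed entry: fall back to the peer
        if not is_trusted(hop, trusted):
            return hop
    # Every hop was one of our proxies: the leftmost is the outermost one we saw.
    return hops[0] if hops else remote_addr


def hosting_proxy_header(peer, incoming_xff, append):
    """Model the second proxy's rewrite of X-Forwarded-For.

    append=False is the behaviour the comment describes: the header is set to
    the proxy's own peer (here the CDN node) and the chain the CDN sent is lost.
    append=True is the usual fix, equivalent to nginx's
    $proxy_add_x_forwarded_for, which keeps the chain and adds the peer.
    """
    if append and incoming_xff:
        return f"{incoming_xff}, {peer}"
    return peer


def scenario(append):
    """What the application ends up logging for the real client."""
    xff_from_cdn = REAL_CLIENT                      # the CDN adds the browser's IP
    xff_at_app = hosting_proxy_header(CDN_EDGE, xff_from_cdn, append)
    return client_ip(HOST_PROXY, xff_at_app, TRUSTED)


if __name__ == "__main__":
    print("proxy replaces header ->", scenario(False))   # CDN edge, not the client
    print("proxy appends header  ->", scenario(True))    # real client
```

CloudFlare also passes the client address in its own CF-Connecting-IP header, which is simpler to consume as long as the application only honours it on connections that arrive from CloudFlare's address ranges.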

    6. Re:In the Market by lucm · · Score: 3, Interesting

      Amazon CloudFront is a lot better than CloudFlare and has supported SSL for years. Plus it's possible to store a website in a S3 bucket, there is no need for a web server. For pennies a month you get an insanely fast website, there is nothing close to it performance-wise. Pricing is around $0.12 per GB of transfer. S3 is about $0.03 per GB of storage per month.

      The only complicated thing with a CDN is that since it puts the website in cache, it's more tricky to push updates. Either you wait until the cache expires or pay a small fee to "invalidate" content.

      --
      lucm, indeed.

    7. Re:In the Market by Anonymous Coward · · Score: 0

      It's a one to many cache, would you expect the IP to be anything but the IP of the caching host? You don't see every client requesting your page, because the cache sees it.

      Cookies and ETags are probably better ways to track people than IPs. If you offer a few non-cached logo images you can still track each client without having to serve up everything directly.

  2. Now how about the third party ad networks by tepples · · Score: 2

    CloudFlare's servers will use SNI for free accounts, which is unsupported for IE on Windows XP and older, and Android Browser on Android 2.2 and older.

    Lack of support for EOL'd web browsers is one roadblock for affordable HTTPS hosting. The other is that many major ad networks lack support for HTTPS, leading web browsers to block the ads as "mixed content." (AdSense added HTTPS support only a year ago.) And this is why Slashdot is among sites that redirect non-subscribers from HTTPS to HTTP because they subcontract advertising.

    1. Re:Now how about the third party ad networks by Anonymous Coward · · Score: 1

      The ads that various sites are now serving me are coded in such a way that they turn the Back button on my browser into a "load me a different ad on the same page" button instead. So I kill JavaScript and plugins before visiting these sites, Slashdot included. That, along with blackholing the name resolution for the less scrupulous networks, improves my experience considerably.

      And I wouldn't do this if the sites wouldn't make douchy choices for what ads they serve. But they do, so I have to take measures to keep my browser working correctly.

    2. Re:Now how about the third party ad networks by SpzToid · · Score: 4, Interesting

      Google announced in August (I believe) that page rank will now include SSL scoring. So if those ad networks want to remain relevant, by not breaking all the pages they want to get published on, then those web devs and admins better step up their game. Let me rephrase that, the ad networks need to budget for, and pay for web devs and admins, or train the ones they have already.

      --
      You can't be ahead of the curve, if you're stuck in a loop.

    3. Re:Now how about the third party ad networks by Anonymous Coward · · Score: 0

      EOL browsers can go to hell. Seriously? If you're still using MSIE 6 you should just be cut off from the Internet anyway.

    4. Re:Now how about the third party ad networks by Anonymous Coward · · Score: 0

      But Yahoo! Mail doesn't look right in newer browsers! Seriously, I like the look in IE6.

    5. Re:Now how about the third party ad networks by AmiMoJo · · Score: 2

      Old browsers can still use the non-HTTPS site. I think covering 90% of users with HTTPS is a worthwhile improvement.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    6. Re:Now how about the third party ad networks by squiggleslash · · Score: 1

      Looking at the Wikipedia page, the two EOL'd environments that stand out are:

      - Android browser on Gingerbread (and older) - hopefully this'll be solved soon, Gingerbread is finally disappearing but it's taken a while.
      - Internet Explorer on Windows XP.

      Everything else seems to be the kind of environment where if you're still using a browser that cannot support SNI then you're probably running into all kinds of problems anyway.

      (I would like to think that Windows XP users are using Firefox these days, but...)

      Question: aren't there privacy issues associated with SNI? http://tools.ietf.org/html/rfc... shows no attempt to munge the server name. So even though a third party might not be able to determine what content you're trying to access, they probably can intercept - albeit with the victim experiencing an interruption in service - the hostname and determine whose content you're trying to view.

      --
      You are not alone. This is not normal. None of this is normal.

    7. Re:Now how about the third party ad networks by tepples · · Score: 1

      IE on Windows Server 2003 has the same lack of SNI support as IE 8 on Windows XP, and Windows Server 2003 isn't even EOL yet.

    8. Re:Now how about the third party ad networks by tepples · · Score: 1

      Gingerbread is finally disappearing but it's taken a while.

      I still haven't seen an iPod touch counterpart (that is, a 4"-class tablet without a cellular radio) that runs recent Android. Both the Archos 43 Internet Tablet and the Samsung Galaxy Player are stuck on 2.x without rooting and CMing the thing because they lack the RAM for 4.x.

      aren't there privacy issues associated with SNI? [describes outline of attack]

      Someone monitoring your DNS requests can see the same hostname that you're sending to the SNI server. Besides, pre-DNS, someone monitoring your TLS requests could see the IP address to which you connect and the certificate that the server returns.

    9. Re:Now how about the third party ad networks by Anonymous Coward · · Score: 0

      Question: aren't there privacy issues associated with SNI? http://tools.ietf.org/html/rfc... [ietf.org] shows no attempt to munge the server name. So even though a third party might not be able to determine what content you're trying to access, they probably can intercept - albeit with the victim experiencing an interruption in service - the hostname and determine whose content you're trying to view.

      That's not really avoidable with HTTPS. The host you are connecting to is already visible to anyone packet sniffing for non-SNI HTTPS because the "attacker" can see what IP address you are making HTTPS requests to, which can be easily converted to a hostname. SNI has the same security properties in that sense.
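The point squiggleslash asks about and tepples and the Anonymous Coward answer is that the SNI hostname is sent in cleartext before any key exchange, so it is visible to anyone on the path, just as the destination IP and the server's certificate already were. As an added example (not code from the thread or from CloudFlare), the block below constructs a minimal TLS 1.2 ClientHello and reads the server_name back out of it the way a firewall or IDS log would; the random bytes and cipher suite are fixed placeholders, and `with_sni=False` models an older client that sends no extensions at all.

```python
import struct

SNI_EXTENSION = 0x0000          # server_name extension type (RFC 6066)
HOST_NAME = 0                   # name_type for host_name


def build_client_hello(hostname, with_sni=True):
    """Constructed minimal TLS 1.2 ClientHello record (random and cipher suite
    are fixed placeholders).  with_sni=False models a pre-SNI client."""
    name = hostname.encode("ascii")
    entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", SNI_EXTENSION, len(name_list)) + name_list
    body = (b"\x03\x03"                          # client_version
            + b"\x11" * 32                        # random (placeholder)
            + b"\x00"                             # session_id: empty
            + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
            + b"\x01\x00")                        # compression: null only
    if with_sni:
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in a ClientHello's SNI extension, or None.

    Everything read here precedes any key exchange, which is exactly why a
    passive observer (or your own firewall log) can see it."""
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                       # version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # compression_methods
    if len(body) < pos + 2:                            # no extensions block at all
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != SNI_EXTENSION or len(data) < 2:
            continue
        list_end = min(len(data), 2 + struct.unpack("!H", data[:2])[0])
        lpos = 2
        while lpos + 3 <= list_end:
            ntype = data[lpos]
            nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            name = data[lpos + 3:lpos + 3 + nlen]
            lpos += 3 + nlen
            if ntype == HOST_NAME and len(name) == nlen:
                return name.decode("ascii", errors="replace")
    return None


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    print("hostname visible on the wire:", extract_sni(hello))   # example.com
    print("pre-SNI client:", extract_sni(build_client_hello("example.com", False)))
```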

  3. Re:beta.slashdot.org sucks! by jones_supa · · Score: 4, Insightful

    Could Slashdot start offering free SSL support for all readers?

  4. Ad networks that support HTTPS by tepples · · Score: 3, Insightful

    That would require Slashdot to switch to an ad network that supports HTTPS, such as Google AdSense. Which others do?

    1. Re:Ad networks that support HTTPS by Anonymous Coward · · Score: 1

      The ad-networks could use something like CloudFlare as an SSL-proxy. I hear that it now is free.

  5. Re:beta.slashdot.org sucks! by c0d3g33k · · Score: 1

    Mod parent up. /. needs to support SSL yesterday.

  6. Do they support tor? by NotInHere · · Score: 2

    SSL is already a great step, but they should also try to find ways to work over tor:

    https://blog.torproject.org/bl...

  7. Secure. Unicode. SoylentNews is people. by tepples · · Score: 1

    SoylentNews is people. Like Slashdot, SoylentNews runs Slash software. But unlike Slashdot, SoylentNews is secure and Unicode-capable.

    1. Re: Secure. Unicode. SoylentNews is people. by Anonymous Coward · · Score: 0

      With no mobile friendly site.

      Why is that?

    2. Re: Secure. Unicode. SoylentNews is people. by Anonymous Coward · · Score: 0

      I read Soylent and /. both (no special loyalty to either) on my iPhone. Safari does a good enough job that I don't really need a special mobile site. What mobile device are you using that's so backward that it needs a special site? A flip phone?

    3. Re: Secure. Unicode. SoylentNews is people. by Anonymous Coward · · Score: 0

      Let us compare slashdot's mobile site to soylentnews.org's.

      Oh, I can't since one doesn't exist. I don't want to have to zoom in and out, scroll side to side or jump through hoops to read comments.

    4. Re: Secure. Unicode. SoylentNews is people. by tepples · · Score: 1

      I read Slashdot's non-mobile site without problems on my first-generation Nexus 7 tablet. Chrome and Firefox both do a good job of blowing up the text so that it's readable without having to scroll sideways. I have Slashdot set never to use the mobile site because the mobile site didn't support the Preview button when I checked.

  8. ... and other services by Anonymous Coward · · Score: 0

    Like assisting cyber criminals: http://www.spamhaus.org/sbl/li...

  9. UTF-8 by Anonymous Coward · · Score: 0

    Could Slashdot start offering free SSL support for all readers?

    Would this before or after UTF-8 in the comments?

  10. Free as in beer? by Anonymous Coward · · Score: 1

    Or free as in pay me now or pay me later?

    Yours,
    Fram

  11. Re:... and other services by SpzToid · · Score: 0

    +5 informative

    --
    You can't be ahead of the curve, if you're stuck in a loop.

  12. Puts the hurt on StartSSL. Good on 'em! by Anonymous Coward · · Score: 2, Informative

    StartSSL has a business model of free non-commercial certificates, and their profit seems to stem from an archaic, non-user-friendly website with poor to no documentation, while revocation fees do in fact cost real money for errors made. Real SSL Security I suppose, but at the cost of obfuscation, which ain't exactly free. And seriously, how long do they keep the passport scan, etc. you had to send them to get the free certificate on file? GeoTrust/RapidSSL or Comodo never asked me for a passport scan, etc.

    StartSSL wants a pile of documentation first though, and once they reject your certificate request, for example by deeming your purpose to be of a commercial nature, you're (seemingly) banned for life, (while they don't tell you how long they'll retain the documents you had to submit). Here's a guy that wrote a web page with his experience using StartSSL: http://danconnor.com/post/50f6... When I first read this, I was considering myself to be a normal customer trying to use free StartSSL certs. There's probably several more. After much time and effort, I have come to agree with the person who was so motivated to create that web page, (not that I'd go so far as to publish such a doc, but yeah, I gotta agree with 'em).

    Anyway, I'm just one of many it seems StartSSL has chosen not to do business with, although after all this pain, they do sell a cheap wildcard certificate. I just wish I'd purchased it cheap from the beginning, instead of all the %$#@! hoops to learn their bullshit model so well, that I got accused of abusing their system by requesting too many free certs, (when I should have just bought a wildcard certificate, saving me a TON of time, tedium, and in the end money too) banned for life from doing business with StartSSL again, with all my documents retained in their files for an inexplicable time, (care to reply StartSSL folks?). How'd you like to be me?

    Thank goodness Cloudflare is open for business with what looks like a solid product. I think I'll walk across the street and take a closer look at Cloudflare now. StartSSL closed the door on me, so I can't do business with them if I wanted to.

    1. Re:Puts the hurt on StartSSL. Good on 'em! by Anonymous Coward · · Score: 0

      So, are you feeling lucky, punk? I'll keep it and maybe I'll pastebin it. And I know exactly who you are, punk. And no, it wasn't six shots, if you gots to know.

    2. Re:Puts the hurt on StartSSL. Good on 'em! by stoborrobots · · Score: 1

      Passport scan to get a free certificate?

      I've been using StartSSL for years, for a number of certificates - all they verify for the free cert is that I can click on a link sent to the postmaster address for the relevant domain...

      If you want anything other than basic class-1 certificates for a single hostname there's a cost, and a more involved process; but that process is similar regardless of who does your identity verification.

      If you want free class-1 certificates, there is no additional cost, and no super-secret documentation to send around.

      I have no experience with StartCom's organisation verification process. However, for domain-verified class-1 certificates for individual hosts, they offer a free, immediate, trouble-free process which involves no more than clicking a link in my email.

  13. Re:... and other services by Guspaz · · Score: 3, Interesting

    Have some irony:

    C:\Users\Guspaz>tracert www.spamhaus.org

    Tracing route to cdn-cf.spamhaus.eu [190.93.243.93]
    over a maximum of 30 hops:

        1 <1 ms <1 ms 1 ms 192.168.1.1
        2 10 ms 39 ms 14 ms 10.245.x.x
        3 11 ms 13 ms 10 ms 10.170.x.x
        4 10 ms 8 ms 17 ms xe-0-1-1_0-bdr01-mtl.teksavvy.com [206.248.155.109]
        5 16 ms 15 ms 16 ms xe-1-1-0_2210-bdr04-tor.teksavvy.com [192.171.63.161]
        6 22 ms 17 ms 23 ms gw-cloudflare.torontointernetxchange.net [206.108.34.208]
        7 17 ms 16 ms 15 ms cf-190-93-243-93.cloudflare.com [190.93.243.93]

    Trace complete.

  14. The illusion of security by Animats · · Score: 2

    OK, so now you're encrypted from user to Cloudflare, in plaintext within Cloudflare, and possibly in plaintext from Cloudflare to the destination site. That's more an illusion of security than real security. Even worse, if they have an SSL cert for your domain, they can impersonate you. Worst case, they have some cheezy cert with a huge number of unrelated domains, all of which can now impersonate each other.

    1. Re:The illusion of security by Anonymous Coward · · Score: 1

      Worst case, they have some cheezy cert with a huge number of unrelated domains, all of which can now impersonate each other.

      From TFS: CloudFlare's servers will use SNI

      Rest may be valid.

    2. Re:The illusion of security by Gerald · · Score: 3, Informative

      They discuss origin server encryption (the plaintext issue) in a follow-on blog post: https://blog.cloudflare.com/or...

  15. Re:beta.slashdot.org sucks! by rubycodez · · Score: 1

    for what purpose?

  16. CloudFlare is a f.ing nightmare for anonymity by Rosco+P.+Coltrane · · Score: 5, Interesting

    A surprising number of sites use CloudFlare. The trouble with CloudFlare is, if you want to stay anonymous on the internet using Tor, you're SOL, as they serve you captchas every 3 pages when they see a connection coming from a Tor exit node.

    So essentially, if you're a Tor user, CloudFlare:

    - Renders a sizeable portion of the internet unusable for you
    - Makes money on your back by making you solve captcha, and turning you into a human OCR.

    CloudFlare and Google (which also serve captchas to Tor users, only fewer exit nodes are concerned) are quickly making Tor unusable, which must make the NSA wet their pants.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash

    1. Re:CloudFlare is a f.ing nightmare for anonymity by PhrostyMcByte · · Score: 2

      The trouble with CloudFlare is, if you want to stay anonymous on the internet using Tor, you're SOL, as they serve you captchas every 3 pages when they see a connection coming from a Tor exit node.

      This feature can be easily turned off in their settings. It is part of their security features.

    2. Re:CloudFlare is a f.ing nightmare for anonymity by Anonymous Coward · · Score: 2, Interesting

      CloudFlare *is* the NSA. They're the biggest MITM service in the world.

    3. Re:CloudFlare is a f.ing nightmare for anonymity by Anonymous Coward · · Score: 0

      Then why are they the first (and only, as far as I know) to implement a "keyless SSL" system to ensure you don't have to send them your keys at all?

      You're free to keep looking for reasons to hate Cloudflare for incidentally hurting Tor, but the vast majority of what they do for the internet is good.

      https://www.cloudflare.com/keyless-ssl

    4. Re:CloudFlare is a f.ing nightmare for anonymity by IamTheRealMike · · Score: 1

      Occam's Razor says ...... networks like Tor which are incapable of handling abuse by design ...... get a lot of abuse! So not surprisingly networks that have advanced anti-abuse controls in place throttle it a lot. Otherwise you're just asking to get crawled by SQL injector searchers and so on. This is not CloudFlare's problem, it's inherent in how Tor works and what it's trying to achieve. Solving it means finding a way to trade off anonymity against accountability using user reputation systems or the like, but the Tor project has shown little interest in implementing such a thing, so all Tor users get treated as a whole.

    5. Re:CloudFlare is a f.ing nightmare for anonymity by nmb3000 · · Score: 2

      CloudFlare is a f.ing nightmare for anonymity

      Not only anonymity, but privacy as well.

      Try browsing around with your browser's Referer header disabled (or spoofed to be empty/google/etc). You'll run into sites that either (1) won't load at all, only showing a "CloudFlare security page" that totally blocks access, or (2) have content that won't load due to CloudFlare's default referrer blocking settings. I assume (2) is to prevent "hotlinking" (aka - "using the Web"), but it prevents scripts, styles, etc from loading. However the first behavior (blocking anyone without a Referer header) is complete bullshit.

      Using NoScript on a CloudFlare site can also be a nightmare. They have their own absolutely batshit absurd scripting thing called Rocket Loader. The only impression I've gotten from it so far is that it makes script whitelisting difficult and user-scripts even worse.

      I can appreciate the primary selling points of CloudFlare (CDN, DDoS protection), but they do a lot more to interfere with site web traffic. The default settings for a site are also probably too aggressive.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)

    6. Re:CloudFlare is a f.ing nightmare for anonymity by Slashdot+Parent · · Score: 1

      I wouldn't even care about solving captchas if CloudFlare's captcha worked without JavaScript. But you need JavaScript to solve the captcha, and enabling it goes against Tor best practices, so that kinda blows.

      --
      They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock

    7. Re:CloudFlare is a f.ing nightmare for anonymity by Anonymous Coward · · Score: 0

      Hotlink prevention is a feature that defaults to "off" when you set up a site with Cloudflare.

  17. Friendly Sites Don't Use CloudFlare by Anonymous Coward · · Score: 1

    Cloudflare chases your customers away.

      End user here, not overly tech-literate. Three sites that I used to read regularly have lost me. Each time I try going to their URLs I get re-directed to some stupid captcha from CloudFlare. I'm not trying to comment, only to read. Why intercept and re-direct me unless it's because you're trying to track/market or otherwise control me? Buh-bye

  18. How do they sign the certificate? by Gollum · · Score: 3, Interesting

    Am I the only one wondering how they get a CA to sign the certificate? Seems like an interesting opportunity for someone within CloudFlare to get their own SSL certs signed, and MITM to their heart's content.

    1. Re: How do they sign the certificate? by Anonymous Coward · · Score: 0

      CloudFlare only does this if you're coming from a subnet they've seen malicious traffic from lately. This is perfectly acceptable behavior in my opinion.

      Go yell at your ISP and make this world a better place

  19. A middleman equipped for MITM attack. by Anonymous Coward · · Score: 1

    How appropriate. When will the Internet (industry in general) get over this outsource-everything fad?

    1. Re: A middleman equipped for MITM attack. by Anonymous Coward · · Score: 0

      As soon as they get over the 100% uptime fad

  20. Re:beta.slashdot.org sucks! by Anonymous Coward · · Score: 1

    for what purpose?

    To stop malicious content injection by third parties (which has happened) such as the NSA and GCHQ (which has happened).

  21. False Sense of Security by Anonymous Coward · · Score: 0

    First, cloudflare is a CDN.
    The SSL they are offering is between the Browser and the CDN.
    The link between the CDN and the webserver could be unsecured/no SSL/clear text.
    If the link between the CDN and webserver is cleartext, the user will see the green padlock, making the users believe they are using a secure link.
    Cloudflare is a US company subject to the Patriot Act and legally must cooperate with the NSA.

    Rather no security than bad/misleading.

  22. Doesn't CloudFlare Scare Anyone? by _bug_ · · Score: 4, Insightful

    You've got a single company who is encouraging web site operators to direct all traffic through CloudFlare's network. Now we don't need things like 'web bugs' to track you as you browse the internet, CloudFlare has your IP and can watch you as you go from one CloudFlare site to the next. Even if the site uses SSL, it's being decrypted now inside CloudFlare's network where they can watch everything you do.

    And the NSA/CIA/etc must love that too. They don't have to subpoena many different web sites, they just subpoena CloudFlare or even work with CloudFlare like they do with AT&T and Verizon, stick an NSA black box on the network just after the connection has been decrypted, and watch everything you're doing while you think you're protected with an SSL connection to the web site you're visiting.

  23. Re:... and other services by Anonymous Coward · · Score: 0

    If you offer online services, there's a good chance cyber criminals will also use your services. Just how much effort are online services expected to put into investigating their own clients?

    I could see the answer reasonably being "zero effort" for any service that values privacy, and only kick off clients that have been shown to be abusing the service.

  24. BUY NOW!!!! by neurovish · · Score: 1

    Shouldn't this be over to the side with the rest of the advertisements?

    1. Re:BUY NOW!!!! by Z80xxc! · · Score: 1

      Considering that it used to cost $20/month to use SSL on CloudFlare and the whole point of this announcement was that now it costs $0/month to use SSL on CloudFlare... no. I'm a happy CloudFlare "customer" but I've never paid them a cent in my life.

  25. That's not exactly true by nefus · · Score: 1

    CloudFlare doesn't require a fee to invalidate content. You just set your site to Development Mode. Then turn it off or wait 3 hours for it to auto-turn off. This feature is available even to free accounts. Seems presumptuous to say Amazon CloudFront is better when you don't know the whole feature set.

    1. Re:That's not exactly true by Anonymous Coward · · Score: 1

      CloudFlare doesn't require a fee to invalidate content. You just set your site to Development Mode. Then turn it off or wait 3 hours for it to auto-turn off

      With Amazon CloudFront the first 1000 invalidations each month are free. Subsequent invalidations cost a half cent each. http://aws.amazon.com/cloudfront/pricing/

      Re: "turn it off or wait 3 hours for it to auto-turn off": sounds like an extreme measure for replacing a single piece of content.

    2. Re:That's not exactly true by localhost8080 · · Score: 1

      There is a button to nuke the whole cache or you can give it a URL to nuke only the cached content from that URL. It doesn't cost anything and takes about 2 seconds...

  26. Re:beta.slashdot.org sucks! by Anonymous Coward · · Score: 0

    I'm sure the NSA or GCHQ could never, ever lean on or compromise a trusted CA to keep the little lock icon green while injecting content.

  27. Shared links would produce certificate errors by tepples · · Score: 1

    Old browsers can still use the non-HTTPS site.

    Here's how that breaks: Somebody uses the new browser to share a link to a page on the HTTPS site with somebody else, and somebody else uses an old browser to view that page. Certificate error.

  28. Re:beta.slashdot.org sucks! by rubycodez · · Score: 1

    You are silly; it is much more likely you will get malicious content intentionally brought in by a page regardless of whether it is loaded by HTTP or HTTPS. It would be easier for the NSA and GCHQ to have their wares loaded by a popular web site's page without the need for injection.