Slashdot Mirror
CloudFlare Announces Free SSL Support For All Customers
Z80xxc! writes: CloudFlare, a cloud service that sits between websites and the internet to provide a CDN, DDOS and other attack prevention, speed optimization, and other services announced today that SSL will now be supported for all customers, including free customers. This will add SSL support to approximately 2 million previously unprotected websites. Previously SSL was only available to customers paying at least $20/month for a "Pro" plan or higher.
Browsers connect to CloudFlare's servers and receive a certificate provided by CloudFlare. CloudFlare then connects to the website's server to retrieve the content, serving as a sort of reverse proxy. Different security levels allow CloudFlare to connect to the website host using no encryption, a self-signed certificate, or a verified certificate, depending on the administrator's preferences. CloudFlare's servers will use SNI for free accounts, which is unsupported for IE on Windows XP and older, and Android Browser on Android 2.2 and older.
Browsers connect to CloudFlare's servers and receive a certificate provided by CloudFlare. CloudFlare then connects to the website's server to retrieve the content, serving as a sort of reverse proxy. Different security levels allow CloudFlare to connect to the website host using no encryption, a self-signed certificate, or a verified certificate, depending on the administrator's preferences. CloudFlare's servers will use SNI for free accounts, which is unsupported for IE on Windows XP and older, and Android Browser on Android 2.2 and older.
CloudFlare isn't a host, it's a sort of advanced CDN with extra features. You still need to have the website hosted on another server somewhere. Their website explains how it works better than I can, so you might as well read it there: https://www.cloudflare.com/ove...
CloudFlare's servers will use SNI for free accounts, which is unsupported for IE on Windows XP and older, and Android Browser on Android 2.2 and older.
Lack of support for EOL'd web browsers is one roadblock for affordable HTTPS hosting. The other is that many major ad networks lack support for HTTPS, leading web browsers to block the ads as "mixed content." (AdSense added HTTPS support only a year ago.) And this is why Slashdot is among sites that redirect non-subscribers from HTTPS to HTTP because they subcontract advertising.
Could Slashdot start offering free SSL support for all readers?
But if your site is behind a CDN proxy and highly cacheable, then you can probably get away with cheap hosting like WebFaction or something.
That would require Slashdot to switch to an ad network that supports HTTPS, such as Google AdSense. Which others do?
SSL is already a great step, but they should also try to find ways to work over tor:
https://blog.torproject.org/bl...
StartSSL has a business model of free non-commercial certificates, and their profit seems to stem from an archaic, non-user-friendly website with poor to no documentation, while revocation fees do in-fact cost real money for errors made. Real SSL Security I suppose, but at the cost of obfuscation, which ain't exactly free. And seriously, how long do they keep the passport scan, etc. you had to send them to get the free certificate on file? GeoTrust/RapidSSL or Comodo never asked me for a passport scan, etc.
StartSSL wants a pile of documentation first though, and once they reject your certificate request, for example by deeming your purpose to be of a commercial nature, you're (seemingly) banned for life, (while they don't tell you how long they'll retain the documents you had to submit). Here's a guy that wrote a web page with his experience using StartSSL: http://danconnor.com/post/50f6... When I first read this, I was considering myself to be a normal customer trying to use free StartSSL certs. There's probably several more. After much time and effort, I have come to agree with the person who was so motivated to create that web page, (not that I'd go so far as to publish such a doc, but yeah, I gotta agree with 'em).
Anyway, I'm just one of many it seems StartSSL has chosen not to business with, although after all this pain, they do sell a cheap wildcard certificate. I just wish I'd have purchased it cheap from the beginning, instead of all the %$#@! hoops to learn their bullshit model model so well, that I got accused of abusing their system by requesting too many free certs, (when I should have just bought a wildcard certificate, saving me a TON of time, tedium, and in the end money too) banned for life from doing business with StartSSL again, with all my documents retained in their files for an inexplicable time, (care to reply StartSSL folks?). How'd you like to be me?
Thank goodness Cloudflare is open for business with what looks like a solid product. I think I'll walk across the street and look a closer at Cloudflare now. StartSSL closed the door on me, so I can't do business with them if I wanted to.
Have some irony:
C:\Users\Guspaz>tracert www.spamhaus.org
Tracing route to cdn-cf.spamhaus.eu [190.93.243.93]
over a maximum of 30 hops:
1 <1 ms <1 ms 1 ms 192.168.1.1
2 10 ms 39 ms 14 ms 10.245.x.x
3 11 ms 13 ms 10 ms 10.170.x.x
4 10 ms 8 ms 17 ms xe-0-1-1_0-bdr01-mtl.teksavvy.com [206.248.155.109]
5 16 ms 15 ms 16 ms xe-1-1-0_2210-bdr04-tor.teksavvy.com [192.171.63.161]
6 22 ms 17 ms 23 ms gw-cloudflare.torontointernetxchange.net [206.108.34.208]
7 17 ms 16 ms 15 ms cf-190-93-243-93.cloudflare.com [190.93.243.93]
Trace complete.
OK, so now you're encrypted from user to Cloudflare, in plaintext within Clouflare, and possibly in plaintext from Cloudflare to the destination site. That's more an illusion of security than real security. Even worse, if they have an SSL cert for your domain, they can impersonate you. Worst case, they have some cheezy cert with a huge number of unrelated domains, all of which can now impersonate each other.
A surprising number of sites use CloudFlare. The trouble with CloudFlare is, if you want to stay anonymous on the internet using Tor, you're SOL, as they serve you captchas every 3 pages when they see a connection coming from a Tor exit node.
So essentially, if you're a Tor user, CloudFlare:
- Renders a sizeable portion of the internet unusuable for you
- Makes money on your back by making you solve captcha, and turning you into a human OCR.
CloudFlare and Google (which also serve captchas to Tor users, only fewer exit nodes are concerned) are quickly making Tor unusable, which must make the NSA wet their pants.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Indeed. I run a couple websites that see a decent amount of traffic. CloudFlare up front, Webfaction on the backend. Works quite well overall. Very speedy load times and easy to set up. I'm looking forward to enabling SSL for all my sites. I have had some troubles getting the right IP addresses into logs and applications though... WebFaction's nginx reverse proxy adds an X-FORWARDED-FOR header, which replaces that sent by CloudFlare with the CloudFlare IP... so you end up not getting the right IP returned.
Am I the only one wondering how they get a CA to sign the certificate? Seems like an interesting opportunity for someone within CloudFlare to get their own SSL certs signed, and MITM to their hearts content.
Amazon CloudFront is a lot better than CloudFlare and has supported SSL for years. Plus it's possible to store a website in a S3 bucket, there is no need for a web server. For pennies a month you get an insanely fast website, there is nothing close to it performance-wise. Pricing is around $0.12 per GB of transfer. S3 is about $0.03 per GB of storage per month.
The only complicated thing with a CDN is that since it puts the website in cache, it's more tricky to push updates. Either you wait until the cache expires or pay a small fee to "invalidate" content.
lucm, indeed.
You've got a single company who is encouraging web site operators to direct all traffic through CloudFlare's network. Now we don't need things like 'web bugs' to track you as you browse the internet, CloudFlare has your IP and can watch you as you go from one CloudFlare site to the next. Even if the site uses SSL, it's being decrypted now inside CloudFlare's network where they can watch everything you do.
And the NSA/CIA/etc must love that too. They don't have to subpoena many different web sites, they just subpoena CloudFlare or even work with CloudFlare like they do with AT&T and Verizon, stick an NSA black box on the network just after the connection has been decrypted, and watch everything you're doing while you think you're protected with an SSL connection to the web site you're visiting.