since 1999


3 minutes estimated reading time.

Free, Universal SSL with Cloudflare

Cloudflare, the web application security forward proxy and transparent CDN service, has announced on their blog universal SSL even on their free accounts.

This is a very welcome development for the public interest on the internet.

Their post states that:

This morning we began rolling out the Universal SSL across all our current customers. We expect this process to be complete for all current customers before the end of the day. Yesterday, there were about 2 million sites active on the Internet that supported encrypted connections. By the end of the day today, we’ll have doubled that.

A trusted man in the middle

The approach that CloudFlare takes for this service, which is different from the enterprise keyless SSL offering, is having wildcard SSL certificates issued in their name for a bunch of customer domains. This Cloudflare certificate is presented to the user. The service acts as a decrypting endpoint, performs the contracted security filtering and scanning for the website, and then retransmits the request to the final web server.

The final leg may be transmitted between Cloudflare’s servers and the final web server as plaintext (that is not encrypted) if the customer’s web server is not configured for SSL itself or it may be sent as proper ciphertext stream (that is strongly encrypted). This will depend upon the final web server having been configured SSL certificate itself, which may be self-signed, and the Cloudflare customer selecting to use the Full SSL mode.

What a user would see

If a user were to click on the Green lock icon in his or her web browser on a Cloudflare-protected website, this is an example of what would be seen: Cloudflare’s Wildcard SSL Certificate as Reported for a Pro account website, which was the least expensive way to get SSL support prior to today

It’s not a verification that the website is operated by your company, but rather a form of domain control validation that certifies that the website owner has knowingly engaged Cloudflare’s services and thus this utility certificate is valid. It will show up as a green lock icon without an error message in all modern browsers.

Governments seeking information

One should not expect this to keep out warrant wielding agencies, though the Cloudflare Transparency Report sheds some light on how they deal with questions of governmental information requests and legal process.

A good thing on balance

This service is worth taking a look at and to elect to use for many classes of websites and web applications.

There are industries where off-premises key management is not appropriate and certainly not a trusted man-in-the-middle by a third-party vendor. For these organizations, having any party be in the position to be able to intercept communications is a total no-go.

But for a lot of the internet community that is not the primary threat to model. Rather its inertia that prevents SSL from being set up in the first place because it is seen as either expensive, hard, or somehow unnecessary. For these circumstances, protecting users from criminal surveillance at the local coffee shop and from content manipulation by unscrupulous, unaccountable cable internet service providers is a very good thing for the Internet that is in the public interest.

I have clients who I will advise to pass on this based upon their threat model and others for whom this is a great option. For my own blog, this is perfect too. It’s about knowing your threat model and choosing the appropriate countermeasures accordingly.

This is a very good development for the people who use the internet.