CloudFlare Flexible SSL rating

Question asked by John Blackbourn on Sep 24, 2014
Latest reply on Dec 5, 2015 by smaug

I've recently been made aware of a CloudFlare product called "Flexible SSL". Here's the description from the SSL page on CloudFlare's knowledge base:

SSL between the visitor and CloudFlare -- visitor sees HTTPS on your site, but no SSL between CloudFlare and your web server. You don't need to have an SSL cert on your web server, but your visitors will still see the site as being HTTPS enabled.

This strikes me as a complete breach of trust, and a violation of the principles of an HTTPS connection. The connection from the client to CloudFlare is secure, but the connection from CloudFlare to the customer's web server is plain HTTP (invisible to the client of course).

There's nothing stopping any other HTTPS web server from making HTTP connections to third party servers and sending unencrypted data over the open internet, but this is part of the trust model and we have to trust that it's mostly not happening. For CloudFlare to offer a service which actively does this, and with no indication to the client that it happens, is unbelievable.

To get to my point, I think it would be interesting to investigate whether it's possible for the SSL Server Test to detect whether a site is using CloudFlare's Flexible SSL and slash its rating accordingly. Personally I think it should get a straight up "F", even though this behaviour is not technically related to the configuration of CloudFlare's SSL termination.

An example of a site which uses "Flexible SSL" is https://ghost.org/. The certificate presented by the site contains many separate domains in the SAN, although this isn't itself an indication of "Flexible SSL" in use. There are some CloudFlare-specific fields in the certificate such as the common name and one of the domains in the SAN, but I'm not sure if there's anything which makes it possible to determine whether "Flexible SSL" is in use, versus CloudFlare's "Full SSL".

Thoughts?
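From the origin server's side, unlike from the SSL Server Test, the Flexible SSL case is observable: the proxy reports that the visitor used HTTPS while the hop that actually reached the origin is plain HTTP. The following is an added illustration, not code from the original post or from CloudFlare: a small WSGI origin that classifies each request and refuses the Flexible SSL case. It assumes the proxy sets the X-Forwarded-Proto and/or CF-Visitor headers (CloudFlare sets both on proxied requests) and that the origin accepts connections only from the proxy, since a directly reachable origin could be handed forged headers.

```python
"""Origin-side detection of a CloudFlare-style "Flexible SSL" hop.

Added example; assumes a WSGI origin behind a proxy that sets
X-Forwarded-Proto and/or CF-Visitor, and that only the proxy can reach it.
"""
import json


def visitor_scheme(environ):
    """Scheme the visitor used towards the proxy, as the proxy reports it, or None."""
    xfp = environ.get("HTTP_X_FORWARDED_PROTO")
    if xfp:
        # Proxies may append to an existing list; the first entry is the visitor's.
        return xfp.split(",")[0].strip().lower() or None
    cf = environ.get("HTTP_CF_VISITOR")
    if cf:
        try:
            return json.loads(cf).get("scheme", "").lower() or None
        except (ValueError, AttributeError):
            return None
    return None


def classify(environ):
    """Classify how a request reached this origin.

    'flexible' - visitor spoke HTTPS to the proxy, proxy-to-origin hop is plain HTTP
    'full'     - HTTPS on the hop that reached the origin (and on the visitor's, if proxied)
    'plain'    - the visitor never used HTTPS at all
    """
    hop = environ.get("wsgi.url_scheme", "http").lower()
    # Without proxy headers, treat the connection as direct: visitor scheme == hop scheme.
    visitor = visitor_scheme(environ) or hop
    if visitor == "https" and hop != "https":
        return "flexible"
    if visitor == "https" and hop == "https":
        return "full"
    return "plain"


def app(environ, start_response):
    """Minimal WSGI app that refuses to serve traffic arriving over a Flexible SSL hop."""
    if classify(environ) == "flexible":
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Origin requires TLS on the proxy-to-origin hop.\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]
```

Run under any WSGI server (for example `wsgiref.simple_server`) with `app` as the application; the same classification can instead be logged to measure how much proxied HTTPS traffic is arriving over plaintext before enforcing the refusal.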