CloudFlare Announces Free SSL Support For All Customers
Z80xxc! writes: CloudFlare, a cloud service that sits between websites and the internet to provide a CDN, DDoS and other attack prevention, speed optimization, and other services, announced today that SSL will now be supported for all customers, including free customers. This will add SSL support to approximately 2 million previously unprotected websites. Previously SSL was only available to customers paying at least $20/month for a "Pro" plan or higher.
Browsers connect to CloudFlare's servers and receive a certificate provided by CloudFlare. CloudFlare then connects to the website's server to retrieve the content, serving as a sort of reverse proxy. Different security levels allow CloudFlare to connect to the website host using no encryption, a self-signed certificate, or a verified certificate, depending on the administrator's preferences. CloudFlare's servers will use SNI for free accounts, which is unsupported for IE on Windows XP and older, and Android Browser on Android 2.2 and older.
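The three proxy-to-origin modes the summary describes (no encryption, self-signed certificate, verified certificate) differ in what an attacker between CloudFlare and the origin can do. The following is an added illustration in Python, not CloudFlare's code: the mode names 'flexible', 'full' and 'strict', the use of the system trust store, and the wildcard hostname rule are this example's own assumptions.

```python
import ssl

# Added illustration of the three proxy-to-origin modes described in the summary.
# The mode names below are this example's own labels, not CloudFlare's.

def origin_tls_policy(mode):
    """Return the client-side TLS settings the proxy would use toward the origin.

    'flexible': None, i.e. the origin is fetched over plain HTTP; that hop is
                readable and modifiable by anyone on the path.
    'full':     TLS, but any certificate (self-signed included) is accepted, so
                the hop is encrypted yet not authenticated: an on-path attacker
                can present their own certificate and be accepted.
    'strict':   TLS with chain validation against the system trust store and a
                hostname check, the only mode that authenticates the origin.
    """
    if mode == "flexible":
        return None
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True by default
    if mode == "full":
        ctx.check_hostname = False          # must be cleared before dropping verify_mode
        ctx.verify_mode = ssl.CERT_NONE     # accept any certificate: no authentication
    elif mode != "strict":
        raise ValueError("unknown mode: %r" % mode)
    return ctx


def policy_summary(mode):
    """(encrypted, chain verified, hostname verified) for a mode."""
    ctx = origin_tls_policy(mode)
    if ctx is None:
        return (False, False, False)
    return (True, ctx.verify_mode == ssl.CERT_REQUIRED, bool(ctx.check_hostname))


def hostname_matches(san_names, hostname):
    """The hostname check 'strict' relies on: exact match, or a single-label
    wildcard in the leftmost position (RFC 6125 style). Case-insensitive;
    a trailing dot on the queried name is ignored."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[1:]:
            # '*.example.com' matches 'a.example.com', but neither
            # 'example.com' nor 'b.a.example.com'.
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
    return False


if __name__ == "__main__":
    for mode in ("flexible", "full", "strict"):
        print(mode, policy_summary(mode))
    print(hostname_matches(["*.example.com"], "www.example.com"))
```

The point the summary leaves implicit is that the middle mode buys confidentiality against a passive listener only: because the certificate is never checked, an active attacker on the CloudFlare-to-origin hop can terminate the connection with a certificate of their own, so the "encrypted" label on that hop does not mean "authenticated".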
In the Market (Score:1)
Interesting... I'm in the market for a new web host... Got my attention.
Re:In the Market (Score:4, Interesting)
Amazon CloudFront is a lot better than CloudFlare and has supported SSL for years. Plus it's possible to store a website in a S3 bucket, there is no need for a web server. For pennies a month you get an insanely fast website, there is nothing close to it performance-wise. Pricing is around $0.12 per GB of transfer. S3 is about $0.03 per GB of storage per month.
The only complicated thing with a CDN is that since it puts the website in cache, it's more tricky to push updates. Either you wait until the cache expires or pay a small fee to "invalidate" content.
That's not exactly true (Score:2)
Re: (Score:1)
CloudFlare doesn't require a fee to invalidate content. You just set your site to Development Mode. Then turn it off or wait 3 hours for it to auto-turn off.
With Amazon CloudFront the first 1000 invalidations each month are free. Subsequent invalidations cost a half cent each. http://aws.amazon.com/cloudfront/pricing/
Re: "turn it off or wait 3 hours for it to auto-turn off": sounds like an extreme measure for replacing a single piece of content.
Re: (Score:2)
Checking it out as we 'speak'...
Ad networks that support HTTPS (Score:4, Insightful)
Re: (Score:1)
The ad-networks could use something like CloudFlare as an SSL-proxy. I hear that it now is free.
Re: (Score:2)
Mod parent up. /. needs to support SSL yesterday.
Re: (Score:2)
for what purpose?
Re: (Score:1)
for what purpose?
To stop malicious content injection by third parties (which has happened) such as the NSA and GCHQ (which has happened) [arstechnica.com].
Re: (Score:2)
You are silly; it is much more likely you will get malicious content intentionally brought in by a page, regardless of whether it is loaded by HTTP or HTTPS. It would be easier for the NSA and GCHQ to get their wares loaded by a popular web site's page without the need for injection.
Now how about the third party ad networks (Score:3)
CloudFlare's servers will use SNI for free accounts, which is unsupported for IE on Windows XP and older, and Android Browser on Android 2.2 and older.
Lack of support for EOL'd web browsers is one roadblock for affordable HTTPS hosting. The other is that many major ad networks lack support for HTTPS, leading web browsers to block the ads as "mixed content." (AdSense added HTTPS support only a year ago [blogspot.com].) And this is why Slashdot is among sites that redirect non-subscribers from HTTPS to HTTP because they subcontract advertising.
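The "mixed content" problem described above, as an added example that is not part of any post: a small scanner that lists the http:// subresources a browser would complain about once a page is served over HTTPS. It splits them the way browsers do, "active" content (scripts, frames, stylesheets, plugins) that is blocked outright and so breaks the page, versus "passive" content (images, media) that only triggers a warning. The sample page and hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Added example, not from any poster: find subresources that a browser would
# treat as mixed content once a page moves to HTTPS.  Browsers block "active"
# mixed content (scripts, frames, stylesheets, plugins) outright and only
# warn on "passive" content (images, media), which is why an http:// ad
# script breaks the page while an http:// tracking pixel merely downgrades it.

ACTIVE_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE_TAGS = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class _MixedContentCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.active, self.passive = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            # only stylesheets run as part of the page; icons etc. are ignored here
            if "stylesheet" not in (a.get("rel") or "").lower().split():
                return
            url, bucket = a.get("href"), self.active
        elif tag in ACTIVE_TAGS:
            url, bucket = a.get(ACTIVE_TAGS[tag]), self.active
        elif tag in PASSIVE_TAGS:
            url, bucket = a.get(PASSIVE_TAGS[tag]), self.passive
        else:
            return
        if not url:
            return
        # relative and protocol-relative (//host/...) URLs inherit https from the page
        absolute = urljoin(self.page_url, url.strip())
        if urlsplit(absolute).scheme == "http":
            bucket.append((tag, absolute))


def scan_mixed_content(page_url, html):
    """Return {'active': [...], 'passive': [...]} of http:// subresources on an
    https:// page; an http:// page has no mixed content by definition."""
    if urlsplit(page_url).scheme != "https":
        return {"active": [], "passive": []}
    collector = _MixedContentCollector(page_url)
    collector.feed(html)
    return {"active": collector.active, "passive": collector.passive}


# Constructed sample page, not captured from any real site.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.ads.example/style.css">
<script src="//cdn.ads.example/tag.js"></script>
<script src="http://ads.example.net/banner.js"></script>
</head><body>
<img src="http://ads.example.net/pixel.gif">
<img src="/local.png">
<iframe src="https://ads.example.net/frame"></iframe>
</body></html>"""

if __name__ == "__main__":
    report = scan_mixed_content("https://news.example/story", SAMPLE_HTML)
    for kind in ("active", "passive"):
        for tag, url in report[kind]:
            print("%-7s <%s> %s" % (kind, tag, url))
```

Running it against the sample flags the stylesheet and the hard-coded http:// ad script as page-breaking, the tracking pixel as a warning only, and passes the protocol-relative script and the https:// frame, which is the shape of the fix the post is asking ad networks for: serve from protocol-relative or https:// URLs.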
Re: (Score:1)
The ads that various sites are now serving me are coded in such a way that they turn the Back button on my browser into a "load me a different ad on the same page" button instead. So I kill JavaScript and plugins before visiting these sites, Slashdot included. That, along with blackholing the name resolution for the less scrupulous networks, improves my experience considerably.
And I wouldn't do this if the sites wouldn't make douchy choices for what ads they serve. But they do, so I have to take measures
Re:Now how about the third party ad networks (Score:5, Interesting)
Google announced in August (I believe) that page rank will now include SSL scoring. So if those ad networks want to remain relevant, by not breaking all the pages they want to get published on, then those web devs and admins better step up their game. Let me rephrase that, the ad networks need to budget for, and pay for web devs and admins, or train the ones they have already.
Re: (Score:3)
Old browsers can still use the non-HTTPS site. I think covering 90% of users with HTTPS is a worthwhile improvement.
Shared links would produce certificate errors (Score:2)
Old browsers can still use the non-HTTPS site.
Here's how that breaks: Somebody uses the new browser to share a link to a page on the HTTPS site with somebody else, and somebody else uses an old browser to view that page. Certificate error.
Re: (Score:2)
Gingerbread is finally disappearing but it's taken a while.
I still haven't seen an iPod touch counterpart (that is, a 4"-class tablet without a cellular radio) that runs recent Android. Both the Archos 43 Internet Tablet and the Samsung Galaxy Player are stuck on 2.x without rooting and CMing the thing because they lack the RAM for 4.x.
aren't there privacy issues associated with SNI? [describes outline of attack]
Someone monitoring your DNS requests can see the same hostname that you're sending to the SNI server. Besides, pre-DNS, someone monitoring your TLS requests could see the IP address to which you connect and the certificate that the s
Do they support tor? (Score:3)
SSL is already a great step, but they should also try to find ways to work over tor:
https://blog.torproject.org/bl... [torproject.org]
Re: (Score:1)
+5 informative
Re:... and other services (Score:4, Interesting)
Have some irony:
C:\Users\Guspaz>tracert www.spamhaus.org
Tracing route to cdn-cf.spamhaus.eu [190.93.243.93]
over a maximum of 30 hops:
1 <1 ms <1 ms 1 ms 192.168.1.1
2 10 ms 39 ms 14 ms 10.245.x.x
3 11 ms 13 ms 10 ms 10.170.x.x
4 10 ms 8 ms 17 ms xe-0-1-1_0-bdr01-mtl.teksavvy.com [206.248.155.109]
5 16 ms 15 ms 16 ms xe-1-1-0_2210-bdr04-tor.teksavvy.com [192.171.63.161]
6 22 ms 17 ms 23 ms gw-cloudflare.torontointernetxchange.net [206.108.34.208]
7 17 ms 16 ms 15 ms cf-190-93-243-93.cloudflare.com [190.93.243.93]
Trace complete.
Free as in beer? (Score:1)
Or free as in pay me now or pay me later?
Yours,
Fram
Puts the hurt on StartSSL. Good on 'em! (Score:2, Informative)
StartSSL has a business model of free non-commercial certificates, and their profit seems to stem from an archaic, non-user-friendly website with poor to no documentation, while revocation fees do in fact cost real money for errors made. Real SSL security I suppose, but at the cost of obfuscation, which ain't exactly free. And seriously, how long do they keep the passport scan, etc. you had to send them to get the free certificate on file? GeoTrust/RapidSSL or Comodo never asked me for a passport scan, etc.
Re: (Score:2)
Passport scan to get a free certificate?
I've been using StartSSL for years, for a number of certificates - all they verify for the free cert is that I can click on a link sent to the postmaster address for the relevant domain...
If you want anything other than basic class-1 certificates for a single hostname there's a cost, and a more involved process; but that process is similar regardless of who does your identity verification.
If you want free class-1 certificates, there is no additional cost, and no super
The illusion of security (Score:3)
OK, so now you're encrypted from user to Cloudflare, in plaintext within Cloudflare, and possibly in plaintext from Cloudflare to the destination site. That's more an illusion of security than real security. Even worse, if they have an SSL cert for your domain, they can impersonate you. Worst case, they have some cheesy cert with a huge number of unrelated domains, all of which can now impersonate each other.
Re: (Score:1)
Worst case, they have some cheesy cert with a huge number of unrelated domains, all of which can now impersonate each other.
From TFS: CloudFlare's servers will use SNI
Rest may be valid.
Re:The illusion of security (Score:4, Informative)
They discuss origin server encryption (the plaintext issue) in a follow-on blog post: https://blog.cloudflare.com/or... [cloudflare.com]
CloudFlare is a f.ing nightmare for anonymity (Score:5, Interesting)
A surprising number of sites use CloudFlare. The trouble with CloudFlare is, if you want to stay anonymous on the internet using Tor, you're SOL, as they serve you captchas every 3 pages when they see a connection coming from a Tor exit node.
So essentially, if you're a Tor user, CloudFlare:
- Renders a sizeable portion of the internet unusable for you
- Makes money on your back by making you solve captcha, and turning you into a human OCR.
CloudFlare and Google (which also serve captchas to Tor users, only fewer exit nodes are concerned) are quickly making Tor unusable, which must make the NSA wet their pants.
Re: (Score:3)
This feature can be easily turned off in their settings. It is part of their security features.
Re: (Score:2, Interesting)
CloudFlare *is* the NSA. They're the biggest MITM service in the world.
Re: (Score:2)
Occam's Razor says ...... networks like Tor which are incapable of handling abuse by design ...... get a lot of abuse! So not surprisingly networks that have advanced anti-abuse controls in place throttle it a lot. Otherwise you're just asking to get crawled by SQL injector searchers and so on. This is not CloudFlare's problem, it's inherent in how Tor works and what it's trying to achieve. Solving it means finding a way to trade off anonymity against accountability using user reputation systems or the like,
Re: (Score:3)
CloudFlare is a f.ing nightmare for anonymity
Not only anonymity, but privacy as well.
Try browsing around with your browser's Referer header disabled (or spoofed to be empty/google/etc). You'll run into sites that either (1) won't load at all, only showing a "CloudFlare security page" that totally blocks access, or (2) have content that won't load due to CloudFlare's default referrer blocking settings. I assume (2) is to prevent "hotlinking" (aka - "using the Web"), but it prevents scripts, styles, etc from loading. However the first behavior (block
Re: (Score:2)
I wouldn't even care about solving captchas if CloudFlare's captcha worked without JavaScript. But you need JavaScript to solve the captcha, and enabling it goes against Tor best practices, so that kinda blows.
Friendly Sites Don't Use CloudFlare (Score:1)
Cloudflare chases your customers away.
End user here, not overly tech-literate. Three sites that I used to read regularly have lost me. Each time I try going to their URLs I get re-directed to some stupid captcha from CloudFlare. I'm not trying to comment, only to read. Why intercept and re-direct me unless it's because you're trying to track/market or otherwise control me? Buh-bye
How do they sign the certificate? (Score:4, Interesting)
Am I the only one wondering how they get a CA to sign the certificate? Seems like an interesting opportunity for someone within CloudFlare to get their own SSL certs signed, and MITM to their hearts content.
A middleman equipped for MITM attack. (Score:1)
How appropriate. When will the Internet (industry in general) get over this outsource-everything fad?
Doesn't CloudFlare Scare Anyone? (Score:4, Insightful)
You've got a single company who is encouraging web site operators to direct all traffic through CloudFlare's network. Now we don't need things like 'web bugs' to track you as you browse the internet, CloudFlare has your IP and can watch you as you go from one CloudFlare site to the next. Even if the site uses SSL, it's being decrypted now inside CloudFlare's network where they can watch everything you do.
And the NSA/CIA/etc must love that too. They don't have to subpoena many different web sites, they just subpoena CloudFlare or even work with CloudFlare like they do with AT&T and Verizon, stick an NSA black box on the network just after the connection has been decrypted, and watch everything you're doing while you think you're protected with an SSL connection to the web site you're visiting.
BUY NOW!!!! (Score:2)
Shouldn't this be over to the side with the rest of the advertisements?