
I recently read a somewhat funny article at crimeflair.net, questioning (read: murdering) the way CloudFlare provides SSL. In their words: "CloudFlare's half-baked SSL: suspicious sockets layer".

Note: The name crimeflair suggests some kind of propaganda against CloudFlare, and the text, design and images of the site almost make me feel like I am reading a conspiracy theory. Also, the article has quite a few unproven theories and assumptions. But...

(Image: CloudFlare SSL)

Local authorities could be sniffing the plaintext available at these data centers, and CloudFlare wouldn't have a clue.

This made me think about the current way CloudFlare works. CloudFlare is indeed a Man-in-the-Middle; encryption can never be end-to-end, because then the CloudFlare CDN/proxy won't work.

Using CloudFlare's SSL to add a "free" SSL layer to some simple website of the local bakery (half-baked, got it?) seems to me like little risk. But using this in enterprise solutions with confidential data might be a thing.

It will probably protect the end-user against local network sniffing and spoofing fine, since the connection from the end-user to CloudFlare is encrypted. But against a government or ISP that can just read the unencrypted connection behind the CloudFlare proxy towards the origin server? Probably not at all.

... it would make no difference whether the origin server has its own certificate.

Recap: CloudFlare might "secure" the availability by their great anti-DDoS features, but it might be a serious risk for the confidentiality and possibly even the integrity of the connection due to the SSL tricks they need to use.

Interesting additional whitepaper: "When HTTPS Meets CDN: A Case of Authentication in Delegated Service" or mirror at ieee.org.

While some of those problems are operational issues only, others are rooted in the fundamental semantic conflict between the end-to-end nature of HTTPS and the man-in-the-middle nature of CDN involving multiple parties in a delegated service.

Question: Is CloudFlare's SSL half-baked since they become the Man-in-the-Middle (MitM)? And so, should it be discouraged?

Bob Ortiz
  • It's a CDN right? That shouldn't have a lot of personal data flying around on it, more like static JS+CSS files for websites. Just use the `integrity` attribute on ` – dandavis Aug 09 '17 at 23:12
  • What does google have to do with it? They are one of the few enterprises large enough to run their own worldwide cloud that does _not_ use CF. – dave_thompson_085 Aug 10 '17 at 06:07
  • @dave_thompson_085 it's an image from their article. What they tried to show in the image is probably that the concept is basically the same with the Google Cloud. – Bob Ortiz Aug 10 '17 at 07:13
  • @dandavis No they are **not** just a CDN, they work as a proxy for the entire site, so they can access **all** the information (not just assets); that includes passwords, cookies, headers, 2FA codes, credit card codes, just everything. – eloyesp Apr 06 '21 at 01:33

1 Answer


CloudFlare isn't promising anything they're not delivering. Any service provider decrypts the data at the cloud end; they have to in order to perform their service. CloudFlare's architecture simply decrypts it at the point of entry, instead of at each and every service endpoint.

This offers a couple of advantages to their clients: they don't have to do anything to maintain their certificates, and they aren't paying any performance or CPU penalties to re-encrypt the internal traffic. Meanwhile, their customers see https locks, and are comforted.

Is the data from the CloudFlare server traveling in cleartext to the web service? Sure. Who can intercept it? Backbone providers, and other large entities. In some cases they're trustworthy, in others they aren't.

But if the NSA or other Three Letter Agency has a warrant, National Security Letter or other desire to view the data, they're going to find a way with or without this architecture. In a repressive regime like Iran, China, or other, they're going to demand this access anyway. No decision CloudFlare makes will change any of that, so they may as well use the cheapest architecture that provides the most benefit.

John Deters
  • If you want HTTPS (SSL/TLS) on the backend connection (to your origin server(s)) CF does support it -- although your data is still temporarily clear _within_ CF. – dave_thompson_085 Aug 10 '17 at 06:09