6

I was reading about the offerings of the Cloudflare and then I read about the working of Cloudflare. Based on my understanding, the domain name of my website(alice.com) is resolved to the IP address of Cloudflare Data Center which communicates with the user and deliver the static content. In the scenario where the dynamic content is required the Cloudflare Data Center communicates with my web server and delivers the content to Cloudflare Data Center which in turn delivers the content to the user. This makes my server invisible for the external world thus providing the overall security.

The thing triggering in my head is how the SSL handshake is happening when Cloudflare is used. As per my understanding there will be two handshakes happening

  1. User<->Cloudflare

  2. Cloudflare<->alice.com

If this is true then Cloudflare must be having access of all the traffic in the plain-text. As the initial handshake happens with Cloudflare which allows Cloudflare to decrypt the traffic. In this scenario, we are letting third party(Cloudflare) access to user's sensitive information such as user credentials, PII etc. Does this makes sense?

Also, if the aforementioned statements are true how is the hostname verification happening during initial SSL handshake?

Shiv Sahni
  • 921
  • 8
  • 16
  • 8
    This is correct. Cloudflare is able to see all traffic in plain and also to modify the traffic. This allows it also to add some additional protections. It is essentially a (friendly) man in the middle. – Steffen Ullrich May 27 '18 at 14:55
  • @SteffenUllrich Thanks for the revert. I missed one question in it and so I have updated the question. Can you please check the last statement of the above question? – Shiv Sahni May 27 '18 at 15:06
  • 4
    You are right in that Cloudflare is the responsible DNS server for this domain. There is no difference in how SSL validation (including hostname validation) works from the perspective of the client. See also [How can CloudFlare provide a valid SSL certificate for domains not under its control?](https://security.stackexchange.com/questions/101521/how-can-cloudflare-provide-a-valid-ssl-certificate-for-domains-not-under-its-con). – Steffen Ullrich May 27 '18 at 15:38

1 Answers1

2

You would need to provide your private key to Cloud Flare to have them create a valid SSL/TLS connection with your clients on your behalf. This gives them full plain text access to all content exchanged between your clients and you. This is one of the tradeoffs of using them.

MikeSchem
  • 2,266
  • 1
  • 13
  • 33
  • 1
    There is a new option where you don't need to give them your private key, but you still need to terminate the encryption on their servers, giving them full plaintext access to the traffic. The only difference is that you get to keep your private key. – forest Sep 10 '18 at 07:01