0

So I have an S3 static website. Domain, DNS and proxy are managed via Cloudflare. Cloudflare is set to communicate with browsers using SSL and it in fact enforces SSL for non-SSL requests. However, traffic between CF and S3 is HTTP only, as S3 buckets don't support SSL on their own and I assume I'd have to remedy that using CloudFront. Now, having Cloudflare AND CloudFront both involved is kinda dumb.

So, how bad is it to have Cloudflare talk to S3 sites directly, without SSL?

marko-36
  • 101
  • 1
  • Only you can answer that, because you haven't mentioned what data are stored in S3, and even then, we'd only be giving you an opinion. Aside from confidentiality, what is also missing from reverse-proxying that occurs without authenticated encryption is the integrity of the data. – brynk Apr 03 '21 at 10:11
  • S3 buckets don't support TLS with your own custom domain (used with DNS CNAME) but S3 supports TLS just fine when used with Amazon's domain. Why not do that? – Z.T. Apr 03 '21 at 12:44

2 Answers

3

Attackers with limited reach, like local hotspots or smaller ISPs, will not be able to read the data. The traffic they have access to is between the client and Cloudflare and thus protected by SSL. Government-level actors, though, might have ways to read and maybe even modify the unprotected traffic between Cloudflare and S3. This includes actors from multiple governments.

Whether this is "a big security issue" or not depends on the kind of data, i.e. how sensitive they are and what is at stake if they get accessed or even modified by others. Additionally, there might be explicit regulations on how well these specific data need to be protected.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
1

TLS is designed to provide three attributes: privacy, integrity, and authenticity. That is, the data is encrypted so others cannot read it (privacy), it is protected from tampering or modification (integrity), and it comes from the expected source (authenticity). Without TLS, you don't have those things.

It is true that between Cloudflare and the user, this data is protected. However, depending on the endpoints between a particular Cloudflare server and S3, the data may transit other networks, including those of companies known to intentionally tamper with data (e.g., Verizon) or those in countries that may have autocratic governments.

Whether not using TLS between Cloudflare and S3 is a problem depends on the consequences of losing these guarantees. For example, would it bother you if a third party injected malware or trackers into your site? (These kinds of things have been known to happen in the past when part of a connection is unsecured.) If so, then TLS is probably warranted.

I should point out that S3 buckets do support TLS just fine if you're using Amazon's domains, and if that's an option in your scenario, I strongly recommend it since it's already set up and available.

bk2204
  • 7,828
  • 16
  • 15
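Both Z.T.'s comment and bk2204's last paragraph turn on one fact: S3's certificate is issued for Amazon's own hostnames, so a TLS client verifying the server name accepts `bucket.s3.amazonaws.com` but not a custom domain that merely CNAMEs to it. The following is an added example, not code from the question or answers, that implements the single-label wildcard matching TLS clients use for subjectAltName entries; the SAN list is a constructed approximation of S3's certificate and the bucket names are made up.

```python
# Added example: why an S3 bucket has a valid certificate under Amazon's
# hostname but not under a custom CNAME. Implements RFC 6125-style matching
# of a hostname against certificate dNSName SANs. The SAN list is a
# constructed approximation of S3's public certificate, not copied from it.
from typing import Iterable


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; a bare '*' covers exactly one whole label."""
    if pattern == "*":
        return True
    return pattern.lower() == label.lower()


def san_covers(san: str, hostname: str) -> bool:
    """True if a single dNSName SAN entry is valid for hostname.

    A wildcard may only be the complete left-most label and matches exactly
    one label, so '*.s3.amazonaws.com' covers 'photos.s3.amazonaws.com' but
    neither 'my.photos.s3.amazonaws.com' nor 's3.amazonaws.com' itself.
    """
    san_labels = san.split(".")
    host_labels = hostname.rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if "*" in san_labels[1:]:
        return False  # wildcards are only permitted in the left-most label
    return all(_label_matches(p, h) for p, h in zip(san_labels, host_labels))


def cert_covers(hostname: str, sans: Iterable[str]) -> bool:
    """True if any SAN on the certificate is valid for hostname."""
    return any(san_covers(san, hostname) for san in sans)


# Constructed approximation of the names on S3's certificate.
S3_CERT_SANS = ("s3.amazonaws.com", "*.s3.amazonaws.com")


def tls_name_ok(origin_hostname: str, sans: Iterable[str] = S3_CERT_SANS) -> bool:
    """Would a verifying TLS client accept this server name against the cert?"""
    return cert_covers(origin_hostname, sans)


if __name__ == "__main__":
    for host in ("photos.s3.amazonaws.com", "my.photos.s3.amazonaws.com", "www.example.com"):
        print(f"{host}: {'valid certificate' if tls_name_ok(host) else 'no valid certificate'}")
```

A bucket name containing a dot fails for the same reason a custom domain does: the wildcard covers only one label, so such buckets need path-style access or a CloudFront distribution with its own certificate.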