
CloudFlare's basic SSL package provides SSL encryption for your site, but only between your customer's browser and the CloudFlare server where SSL is terminated. The connection between CloudFlare and your own server is not served over SSL.

How safe is this? And what information would you not want to send using this system? And how easy would it be for someone to snoop on your CloudFlare -> Server connection?

CloudFlare also offers a full SSL service which allows you to install your own cert and encrypt the entire route, but it's 10x the price.

mrwooster

1 Answer

Ultimately for clients the best security is to have end-to-end SSL. It does look like you can get 'Full-SSL' on just their Pro account, and you can do it with self-signed certificates on your own personal server if you'd like.

For an attacker to intercept traffic while using their 'Flexible-SSL' (SSL only between clients and Cloudflare), that attacker would need to be in the middle of Cloudflare and your server. The easiest place for this to take place is more likely than not on your local network by using a MITM technique like ARP poisoning or by sniffing the traffic right off the wire if they get access to a hub or switch with a monitor mode.

It's reasonable to expect that an attacker won't be able to MITM or sniff connections between your ISP and Cloudflare unless your attacker is either one of the ISPs or a larger state actor (such as the NSA).

At a minimum, if you're going to use any SSL you might as well throw on a self-signed certificate and open up port 443 on your webserver so that the information isn't going across the wire in plaintext. I don't know if Cloudflare watches for changes to the certificate, but it will at the very least prevent sniffing the traffic and force the attacker to use a noisier, more aggressive, and potentially easy-to-notice attack.

Edit: The only thing the Business and Enterprise levels of their service provide you in regards to SSL is the ability for you to upload your own custom SSL certificate that will be facing clients. For example, if you wanted an extended validation certificate.

TrueDuality
  • Thanks for the response. The issue though is that CloudFlare will only forward to port 80 unless you have a Business ($200/month) account. I could open up port 443 on my server and install my own cert, but that would defeat the point of using CloudFlare. – mrwooster May 06 '13 at 21:26
  • @mrwooster Ultimately only you can determine what the risk of a compromise between CloudFlare and your server is (and how serious a compromise would be), but as a potential end user of whatever it is you're selling I strongly urge you to fork over the cash for end-to-end SSL. Charging a bit more for your service (or running less of a profit) is better/easier than explaining to your users how their data got stolen because you cheaped out on security... – voretaq7 May 06 '13 at 22:03
  • @voretaq7 100% agree, though $200 for end to end vs $20 for std is quite a step up price wise. I am also surprised (given this discussion) that Cloudflare offer (and encourage) this practice. If end users see a site has SSL encryption they put a lot more trust in the site. This sounds like we are deceiving users by using CloudFlare SSL because it only goes half way to the server before it's no longer secure? – mrwooster May 06 '13 at 22:26
  • @mrwooster I'm using their Pro account with the Full-SSL without issue. If it's requesting you to upgrade I'd recommend contacting their support. – TrueDuality May 07 '13 at 18:43
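The answer's concrete advice is to stop the Cloudflare-to-origin hop from travelling in plaintext by serving TLS on port 443 with a self-signed certificate and switching the zone to 'Full-SSL'. The following origin-side nginx configuration is an added example illustrating that advice; it is not from the answer, the asker, or Cloudflare. The hostname, document root, certificate paths and the `openssl` invocation in the comments are assumptions chosen for the example. The first `server` block is the 'Flexible-SSL' situation the question describes (the origin listens only on 80), the following blocks are the hardened setup.

```nginx
# Added example (not part of the original answer). Origin nginx config showing
# the hop Cloudflare's "Flexible SSL" leaves in the clear, beside the
# "Full SSL" origin setup the answer recommends. Hostname, paths and the
# certificate generation command are placeholders/assumptions.

# --- Weak: origin listens on 80 only, so Cloudflare -> origin is plaintext ---
server {
    listen 80;
    server_name example.com;            # placeholder hostname
    root /var/www/example;              # placeholder document root
}

# --- Hardened: TLS on 443 with a self-signed certificate (Cloudflare "Full SSL") ---
# The certificate and key are generated once on the origin, e.g.:
#   openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
#       -subj "/CN=example.com" \
#       -keyout /etc/ssl/private/origin.key \
#       -out    /etc/ssl/certs/origin.crt
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/certs/origin.crt;     # self-signed is acceptable here
    ssl_certificate_key /etc/ssl/private/origin.key;
    ssl_protocols       TLSv1.2 TLSv1.3;               # drop legacy protocol versions

    root /var/www/example;
}

# Port 80 is kept only to bounce anything that still arrives unencrypted;
# with "Full SSL" enabled Cloudflare connects to 443 and never reaches this block.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

Cloudflare's non-strict 'Full' mode, which the answer relies on, does not validate the origin certificate, which is why a self-signed one works; it also means Cloudflare would not notice if that certificate were replaced, the caveat the answer raises with "I don't know if Cloudflare watches for changes to the certificate". The hop is still encrypted, so the passive sniffing the answer describes no longer yields plaintext.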