
CloudFlare provides ssl support. However, if a visitor visits a website protected by CloudFlare, is CloudFlare able to know the plain data transferred during this visit?

There are a few SSL options:

  • Flexible SSL
  • Full SSL
  • Full SSL (strict)

I know that for Flexible SSL, CloudFlare probably knows the plain data, as the data has been decrypted by CloudFlare and sent to the web server insecurely.

What about Full SSL and Full SSL (strict)? Does CloudFlare decrypt first then encrypt again to send to the web server?

xuhdev
  • Are you giving them a certificate for your domain? If you need to give them a certificate, assume they can see and modify everything being communicated. Without a certificate they can't see or modify what is being sent, but they also cannot cache anything. Without caching you only get some parts of the benefits offered by a CDN. – kasperd Jan 28 '15 at 08:47
  • No I didn't give them the certificate. If CloudFlare cannot cache anything, it acts like a proxy, is it correct? What I don't understand is that in the `Full SSL` case, why the web client still trusts the SSL certificate even when the server certificate is self signed (in my case the site is shown to be signed by COMODO), if CloudFlare acts like a proxy. – xuhdev Jan 28 '15 at 08:56
  • That's not making sense. Self signed isn't the same as signed by Comodo. – kasperd Jan 28 '15 at 09:08
  • @AD7six If it is two different SSL connections, then they need to have a certificate as well. In order for that SSL certificate to be issued, the domain owner has to approve it first. And xuhdev said that hasn't happened. – kasperd Jan 28 '15 at 09:25
  • @kasperd the connection from the visitor to cloudflare has a _cloudflare issued_ ssl cert - see answer below. – AD7six Jan 28 '15 at 09:27
  • @AD7six Nobody is supposed to issue a certificate for a domain without that being requested by the domain owner. It is technically possible for a CA to issue a certificate without involving the domain owner; that is generally seen as the most prominent problem with SSL. I would not expect Cloudflare to issue a certificate without due diligence, but of course it may happen that the domain owner grants permission without carefully reading what they are granting permission to. – kasperd Jan 28 '15 at 11:18
  • @kasperd perhaps ask cloudflare's about their due-diligence checks =)? Generally, cloudflare doesn't do anything except spit out errors unless the domain's nameservers point at cloudflare's and the domain is configured (which if nothing else implies consent of the owner). You also can't get a response from cloudflare over ssl unless the domain is configured for ssl. In the context of this question/general-use, cloudflare is an ssl-cert issuer (the user is asking cloudflare to provide an ssl cert by enabling ssl and selecting one of the 3 options they provide). – AD7six Jan 28 '15 at 12:11
  • @AD7six When CA and CDN are two separate entities, it is a bit more obvious that you are requesting a certificate from one entity and handing it to the other. When the two are one entity it can become less obvious to the domain owner what they are giving consent to. I'd say the onus is on Cloudflare to tell the domain owner what they are giving consent to. It appears that this wasn't made clear enough for xuhdev to realize, since he was apparently unaware of Cloudflare having a certificate. I don't know if this means Cloudflare did not explain clearly enough or if xuhdev did not pay attention. – kasperd Jan 28 '15 at 12:51

1 Answer

Refer to the documentation

Cloudflare's docs are fairly clear on this. Obviously (it should be obvious) Flexible ssl means the connection from cloudflare to the origin is unencrypted.

Cloudflare's ssl image

For full ssl (either permutation) the following applies:

Encrypts the connection between your site visitors and CloudFlare, and from CloudFlare to your server.

They are two different connections, so the answer to "Does cloudflare know the decrypted content?" is: "Yes".

Note that for EV or OV SSL certificates - you need to upload them to cloudflare for end-users to see them; it's still 2 connections - not end-to-end encryption.

Reasons to use SSL

Using ssl prevents MITM attacks; it doesn't mean the cdn you're using is oblivious to the content it's serving for you. You should maybe ask yourself why you want to encrypt the connection.

With no SSL, there are plenty of places a MITM attack can occur:

No ssl, lots of possible attack points

With Flexible SSL - that eliminates most, but not all of them:

Flexible ssl, only one attack point now

With Full SSL - there's still the possibility of a MITM attack:

Full ssl, one attack point but now harder

With Full SSL (Strict) - a MITM attack is now not possible without cloudflare itself being compromised:

Full SSL - no attack possible

If you are concerned that cloudflare can read your data - don't use cloudflare.

AD7six
  • It's important to note that even with strict SSL, you'll never know if CloudFlare is compromised unless somebody illegally leaks it. If they are compromised, they can read *everything*. – Oli Jan 28 '15 at 12:08
  • I really love their usage of "NSA" and the infamous NSA smiley. – ASA Jan 28 '15 at 14:29