0 Members and 1 Guest are viewing this topic.
Desktop BrowsersInternet Explorer 7 and laterFirefox 2Opera 8 with TLS 1.1 enabledGoogle Chrome: Supported on Windows XP on Chrome 6 and later Supported on Vista and later by default OS X 10.5.7 in Chrome Version 5.0.342.0 and laterSafari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later).Note: No versions of Internet Explorer on Windows XP support SNIMobile BrowsersMobile Safari for iOS 4.0Android 3.0 (Honeycomb) and laterWindows Phone 7
Ok thanks for the info. And I assume when you say it will just prompt you to accept the certificate that it will only do so when using an invalid browser? Otherwise that might get annoying >.< (unless it only happens once for everyone)
So Cloudflare effectively uses a man-in-the-middle attack to dip into the connection between client and target server, and only encrypts the first part of the route, but to the browser it will look like a valid SSL connection thanks to SNI. In reality, there is no end-to-end encryption whatsoever. It's just a smoke screen, really.
For a site that did not have SSL before, we will default to our Flexible SSL mode, which means traffic from browsers to CloudFlare will be encrypted, but traffic from CloudFlare to a site's origin server will not. We strongly recommend site owners install a certificate on their web servers so we can encrypt traffic to the origin. Later today we'll be publishing a blog with instructions on how to do that at no cost. Once you've installed a certificate on your web server, you can enable the Full or Strict SSL modes which encrypt origin traffic and provide a higher level of security.
... but you can secure the whole trip ...
Quote from: Eeems on October 02, 2014, 10:30:55 am... but you can secure the whole trip ...CloudFlare is still MITMing the connection and since they are based in the USA, several three letter agencies will probably have access to the traffic.Of course a bit encryption is better than no encryption, I just hope that nobody seriously thinks this is secure.
They will only release information if required by law, and even then they will only release the limited scope of the information without any of the keys that would make all of it accessible. They will also release transparency reports about requests by government agencies and if possible inform users on what of their information was requested by government agencies.