https://blog.cloudflare.com/introducing-universal-ssl/

Dubbed Cloudflare Universal SSL, they are now offering free SSL to everyone, including free plans!
This includes if you are running a non-secured (no HTTPS) website, in which they will still give you HTTPS, but warn you that their server to your website will be unencrypted. (Do NOT try to run a e-commerce website if this is the case!)

The catch? For free users, they are deprecating support for older browsers by enforcing newer security standards - ECDSA and SNI.
(ECDSA is a newer and more secure encryption algorithm, and SNI is just a way to emit different SSL certificates from one IP!)

SNI support:

Desktop Browsers

• Internet Explorer 7 and later
• Firefox 2
• Opera 8 with TLS 1.1 enabled
• Google Chrome:
   Supported on Windows XP on Chrome 6 and later
   Supported on Vista and later by default
   OS X 10.5.7 in Chrome Version 5.0.342.0 and later
• Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later).
• Note: No versions of Internet Explorer on Windows XP support SNI

Mobile Browsers

• Mobile Safari for iOS 4.0
• Android 3.0 (Honeycomb) and later
• Windows Phone 7

Source: https://www.digicert.com/ssl-support/apache-secure-multiple-sites-sni.htm

Warning: Technical jargon follows!

ECDSA support gets murky, though. According to Cloudflare, it is not available on Windows XP (and below), or anything older than Android 4.0 ICS.
To clarify, they're saying you MUST have Windows Vista (and newer), as well as Android 4.0 ICS (and newer).

...but wait! Does that mean everyone using Windows XP is screwed? Not quite.
According to https://github.com/client9/sslassert/wiki/IE-Supported-Cipher-Suites, SSL support for IE depends on the OS's SSL support. Running IE8 on XP means that the SSL support will suffer, since IE8 will use XP's SSL support, which doesn't have the new ECDSA. (Not totally sure about SNI, though.)

So what does Firefox and Chrome use? They use their own library called NSS, which is their own SSL stack that supports EVERYTHING - so as long as you're running a pretty recent version of Firefox/Chrome, you're fine! Safari/Opera support is still unknown though. Supposedly, Opera should be using NSS since they've moved to Chrome's core, but not too sure...

In Plain English
If you're on Windows XP and you use IE: regardless of version, you will NOT be able to access a Cloudflare SSL secured site.
If you're on Windows XP and you use the latest Firefox/Chrome: you WILL be able to access a Cloudflare SSL secured site.
If you're on Windows Vista and you use the latest browser: you WILL be able to access a Cloudflare SSL secured site.
If you're on Linux and you use the latest browser (with a recent OpenSSL): you WILL be able to access a Cloudflare SSL secured site.
If you're on Android and you use Android ICS 4.0 or later: you WILL be able to access a Cloudflare SSL secured site.
If you're on iOS/Mac OS X and/or using Safari/Opera: UNKNOWN. See the next section for more details.

Finding out if you have ECDSA/SNI:
A lot of websites run with Cloudflare (including Omnimaga) - however, many will probably wait to see whether SSL support is available yet for a good amount of platforms.

That said, if you're unsure (or wanna help us out), take our survey:
https://docs.google.com/forms/d/1tXP6uoqoZUQmvPV5tclc16Nlwuza2U60_xRCAJ4BL9g/viewform

In the survey, there is a website that will tell you everything - including whether you have ECDSA and SNI or not!

withgusto...
We're not too sure whether we want to adopt this yet or not - we'll probably make a decision once the migration is complete.

Sounds fun! I'd probably turn it on for my website, but make it optional (because they don't really need HTTPS).

https == http via an ssl connection.
To answer other questions about cloudflare these are good articles to read:

• https://blog.cloudflare.com/introducing-universal-ssl/
• https://blog.cloudflare.com/origin-server-connection-security-with-universal-ssl/
• https://blog.cloudflare.com/universal-ssl-be-just-a-bit-more-patient/

I'm not entirely sure if it will ask you to accept the cert or just error. I'd have to test since the articles don't really talk about that.
According to my testing you will just be prompted to accept the certificate.

Ok thanks for the info. And I assume when you say it will just prompt you to accept the certificate that it will only do so when using an invalid browser? Otherwise that might get annoying >.< (unless it only happens once for everyone)

https://blog.cloudflare.com/universal-ssl-be-just-a-bit-more-patient/#errorsyoumaysee
All browsers will show the error until they finish provisioning SLL certificates. After that only older browsers will show an error, on which you can just tell it to ignore that error forever. Not all browsers let you remember that choice though.

So Cloudflare effectively uses a man-in-the-middle attack to dip into the connection between client and target server, and only encrypts the first part of the route, but to the browser it will look like a valid SSL connection thanks to SNI. In reality, there is no end-to-end encryption whatsoever. It's just a smoke screen, really.

So Cloudflare effectively uses a man-in-the-middle attack to dip into the connection between client and target server, and only encrypts the first part of the route, but to the browser it will look like a valid SSL connection thanks to SNI. In reality, there is no end-to-end encryption whatsoever. It's just a smoke screen, really.

For just the unencrypted part, yeah. But that's just bad security in general, and I highly doubt that you can get PCI compliance with that kind of setup. (If you can, then we're going to see some interesting things soon...)

I'm not sure about the situation for HTTPS native, but I imagine using "Full SSL (Strict)" will make it so that you server will only be the one that can decrypt. (Possibly "Full SSL" as well, assuming your SSL certificate is secure.)

... but you can secure the whole trip ...

CloudFlare is still MITMing the connection and since they are based in the USA, several three letter agencies will probably have access to the traffic.
Of course a bit encryption is better than no encryption, I just hope that nobody seriously thinks this is secure.

They will only release information if required by law, and even then they will only release the limited scope of the information without any of the keys that would make all of it accessible. They will also release transparency reports about requests by government agencies and if possible inform users on what of their information was requested by government agencies.

But is it 100% guaranteed that all countries in the world will not try to force their way in to get the info without CloudFlare's permission? I know that CloudFlare will be transparent about it but the possibility that a government agency goes that far (eg China or North Korea, for example) is probably what compu is concerned about. Not that I have anything to hide, personally, although I am not too comfortable about the idea of my Paypal login/password falling into the hands of random strangers since we never know what people might be up to.