Author Topic: Cloudflare offers free SSL to everyone  (Read 17537 times)

0 Members and 1 Guest are viewing this topic.

Offline alberthrocks

  • Moderator
  • LV8 Addict (Next: 1000)
  • ********
  • Posts: 876
  • Rating: +103/-10
    • View Profile
Cloudflare offers free SSL to everyone
« on: September 29, 2014, 01:16:04 pm »
https://blog.cloudflare.com/introducing-universal-ssl/

Dubbed Cloudflare Universal SSL, they are now offering free SSL to everyone, including free plans!
This includes if you are running a non-secured (no HTTPS) website, in which they will still give you HTTPS, but warn you that their server to your website will be unencrypted. (Do NOT try to run a e-commerce website if this is the case!)

The catch? For free users, they are deprecating support for older browsers by enforcing newer security standards - ECDSA and SNI.
(ECDSA is a newer and more secure encryption algorithm, and SNI is just a way to emit different SSL certificates from one IP!)

SNI support:
Quote
Desktop Browsers
  • Internet Explorer 7 and later
  • Firefox 2
  • Opera 8 with TLS 1.1 enabled
  • Google Chrome:
     Supported on Windows XP on Chrome 6 and later
     Supported on Vista and later by default
     OS X 10.5.7 in Chrome Version 5.0.342.0 and later
  • Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later).
  • Note: No versions of Internet Explorer on Windows XP support SNI
Mobile Browsers
  • Mobile Safari for iOS 4.0
  • Android 3.0 (Honeycomb) and later
  • Windows Phone 7
Source: https://www.digicert.com/ssl-support/apache-secure-multiple-sites-sni.htm

Warning: Technical jargon follows!

ECDSA support gets murky, though. According to Cloudflare, it is not available on Windows XP (and below), or anything older than Android 4.0 ICS.
To clarify, they're saying you MUST have Windows Vista (and newer), as well as Android 4.0 ICS (and newer).

...but wait! Does that mean everyone using Windows XP is screwed? Not quite.
According to https://github.com/client9/sslassert/wiki/IE-Supported-Cipher-Suites, SSL support for IE depends on the OS's SSL support. Running IE8 on XP means that the SSL support will suffer, since IE8 will use XP's SSL support, which doesn't have the new ECDSA. (Not totally sure about SNI, though.)

So what does Firefox and Chrome use? They use their own library called NSS, which is their own SSL stack that supports EVERYTHING - so as long as you're running a pretty recent version of Firefox/Chrome, you're fine! Safari/Opera support is still unknown though. Supposedly, Opera should be using NSS since they've moved to Chrome's core, but not too sure...

In Plain English
If you're on Windows XP and you use IE: regardless of version, you will NOT be able to access a Cloudflare SSL secured site.
If you're on Windows XP and you use the latest Firefox/Chrome: you WILL be able to access a Cloudflare SSL secured site.
If you're on Windows Vista and you use the latest browser: you WILL be able to access a Cloudflare SSL secured site.
If you're on Linux and you use the latest browser (with a recent OpenSSL): you WILL be able to access a Cloudflare SSL secured site.
If you're on Android and you use Android ICS 4.0 or later: you WILL be able to access a Cloudflare SSL secured site.
If you're on iOS/Mac OS X and/or using Safari/Opera: UNKNOWN. See the next section for more details.

Finding out if you have ECDSA/SNI:
A lot of websites run with Cloudflare (including Omnimaga) - however, many will probably wait to see whether SSL support is available yet for a good amount of platforms.

That said, if you're unsure (or wanna help us out), take our survey:
https://docs.google.com/forms/d/1tXP6uoqoZUQmvPV5tclc16Nlwuza2U60_xRCAJ4BL9g/viewform

In the survey, there is a website that will tell you everything - including whether you have ECDSA and SNI or not!

withgusto...
We're not too sure whether we want to adopt this yet or not - we'll probably make a decision once the migration is complete.
« Last Edit: September 29, 2014, 01:23:34 pm by alberthrocks »
Withgusto Networks Founder and Administrator
Main Server Status: http://withg.org/status/
Backup Server Status: Not available
Backup 2/MC Server Status: http://mc.withg.org/status/


Proud member of ClrHome!

Miss my old signature? Here it is!
Spoiler For Signature:
Alternate "New" IRC post notification bot (Newy) down? Go here to reset it! http://withg.org/albert/cpuhero/

Withgusto Networks Founder and Administrator
Main Server Status: http://withg.org/status/
Backup Server Status: Not available
Backup 2/MC Server Status: http://mc.withg.org/status/

Activity remains limited due to busyness from school et al. Sorry! :( Feel free to PM, email, or if you know me well enough, FB me if you have a question/concern. :)

Don't expect me to be online 24/7 until summer. Contact me via FB if you feel it's urgent.


Proud member of ClrHome!

Spoiler For "My Projects! :D":
Projects:

Computer/Web/IRC Projects:
C______c: 0% done (Doing planning and trying to not forget it :P)
A_____m: 40% done (Need to develop a sophisticated process queue, and a pretty web GUI)
AtomBot v3.0: 0% done (Planning stage, may do a litmus test of developer wants in the future)
IdeaFrenzy: 0% done (Planning and trying to not forget it :P)
wxWabbitemu: 40% done (NEED MOAR FEATURES :P)

Calculator Projects:
M__ C_____ (an A____ _____ clone): 0% done (Need to figure out physics and Axe)
C2I: 0% done (planning, checking the demand for it, and dreaming :P)

Offline Eeems

  • Mr. Dictator
  • Administrator
  • LV13 Extreme Addict (Next: 9001)
  • *************
  • Posts: 6266
  • Rating: +318/-36
  • little oof
    • View Profile
    • Eeems
Re: Cloudflare offers free SSL to everyone
« Reply #1 on: September 29, 2014, 01:37:18 pm »
Still waiting on proper propagation for Omnimaga to make use of this.
/e

Offline Juju

  • Incredibly sexy mare
  • Coder Of Tomorrow
  • LV13 Extreme Addict (Next: 9001)
  • *************
  • Posts: 5730
  • Rating: +500/-19
  • Weird programmer
    • View Profile
    • juju2143's shed
Re: Cloudflare offers free SSL to everyone
« Reply #2 on: September 29, 2014, 03:01:31 pm »
Sounds fun! I'd probably turn it on for my website, but make it optional (because they don't really need HTTPS).

Remember the day the walrus started to fly...

I finally cleared my sig after 4 years you're happy now?
THEGAME
This signature is ridiculously large you've been warned.

The cute mare that used to be in my avatar is Yuki Kagayaki, you can follow her on Facebook and Tumblr.

Offline DJ Omnimaga

  • Clacualters are teh gr33t
  • CoT Emeritus
  • LV15 Omnimagician (Next: --)
  • *
  • Posts: 55943
  • Rating: +3154/-232
  • CodeWalrus founder & retired Omnimaga founder
    • View Profile
    • Dream of Omnimaga Music
Re: Cloudflare offers free SSL to everyone
« Reply #3 on: October 01, 2014, 11:16:37 am »
So basically this lets Omnimaga use the https that many people requested in the past without having to purchase an expensive certificate? Also, for unsupported browsers, would the site just error completely or just warns you that you have to accept the certificate? On TVA Nouvelles, for example, I get asked to accept some certificate thing when I browse the website via Android 2.2.2 browser or Opera 12.17 but not from any other browser.

Offline Eeems

  • Mr. Dictator
  • Administrator
  • LV13 Extreme Addict (Next: 9001)
  • *************
  • Posts: 6266
  • Rating: +318/-36
  • little oof
    • View Profile
    • Eeems
Re: Cloudflare offers free SSL to everyone
« Reply #4 on: October 01, 2014, 12:33:46 pm »
https == http via an ssl connection.
To answer other questions about cloudflare these are good articles to read:
I'm not entirely sure if it will ask you to accept the cert or just error. I'd have to test since the articles don't really talk about that.
According to my testing you will just be prompted to accept the certificate.
/e

Offline DJ Omnimaga

  • Clacualters are teh gr33t
  • CoT Emeritus
  • LV15 Omnimagician (Next: --)
  • *
  • Posts: 55943
  • Rating: +3154/-232
  • CodeWalrus founder & retired Omnimaga founder
    • View Profile
    • Dream of Omnimaga Music
Re: Cloudflare offers free SSL to everyone
« Reply #5 on: October 01, 2014, 03:28:19 pm »
Ok thanks for the info. And I assume when you say it will just prompt you to accept the certificate that it will only do so when using an invalid browser? Otherwise that might get annoying >.< (unless it only happens once for everyone)

Offline Eeems

  • Mr. Dictator
  • Administrator
  • LV13 Extreme Addict (Next: 9001)
  • *************
  • Posts: 6266
  • Rating: +318/-36
  • little oof
    • View Profile
    • Eeems
Re: Cloudflare offers free SSL to everyone
« Reply #6 on: October 01, 2014, 04:41:16 pm »
Ok thanks for the info. And I assume when you say it will just prompt you to accept the certificate that it will only do so when using an invalid browser? Otherwise that might get annoying >.< (unless it only happens once for everyone)
https://blog.cloudflare.com/universal-ssl-be-just-a-bit-more-patient/#errorsyoumaysee
All browsers will show the error until they finish provisioning SLL certificates. After that only older browsers will show an error, on which you can just tell it to ignore that error forever. Not all browsers let you remember that choice though.
/e

Offline DJ Omnimaga

  • Clacualters are teh gr33t
  • CoT Emeritus
  • LV15 Omnimagician (Next: --)
  • *
  • Posts: 55943
  • Rating: +3154/-232
  • CodeWalrus founder & retired Omnimaga founder
    • View Profile
    • Dream of Omnimaga Music
Re: Cloudflare offers free SSL to everyone
« Reply #7 on: October 01, 2014, 06:29:44 pm »
Ok good. I was a bit worried lol :P

On TVA Nouvelles in Opera 12.17 it only shows the warning about every 4 page load (I think it might be due to some of the ads but I could be wrong) and on the Android 2.2.2 stock browser it happens around 80% of the time. Neither the browsers remember the choice.

Offline utz

  • LV4 Regular (Next: 200)
  • ****
  • Posts: 161
  • Rating: +28/-0
    • View Profile
    • official hp - music, demos, and more
Re: Cloudflare offers free SSL to everyone
« Reply #8 on: October 01, 2014, 07:52:21 pm »
So Cloudflare effectively uses a man-in-the-middle attack to dip into the connection between client and target server, and only encrypts the first part of the route, but to the browser it will look like a valid SSL connection thanks to SNI. In reality, there is no end-to-end encryption whatsoever. It's just a smoke screen, really.

Offline Juju

  • Incredibly sexy mare
  • Coder Of Tomorrow
  • LV13 Extreme Addict (Next: 9001)
  • *************
  • Posts: 5730
  • Rating: +500/-19
  • Weird programmer
    • View Profile
    • juju2143's shed
Re: Cloudflare offers free SSL to everyone
« Reply #9 on: October 01, 2014, 08:03:28 pm »
Well yeah, I guess it's just there so HTTPS works if it's not critical to your website to have it. If you really want full HTTPS you have to opt for a paid plan.

Remember the day the walrus started to fly...

I finally cleared my sig after 4 years you're happy now?
THEGAME
This signature is ridiculously large you've been warned.

The cute mare that used to be in my avatar is Yuki Kagayaki, you can follow her on Facebook and Tumblr.

Offline alberthrocks

  • Moderator
  • LV8 Addict (Next: 1000)
  • ********
  • Posts: 876
  • Rating: +103/-10
    • View Profile
Re: Cloudflare offers free SSL to everyone
« Reply #10 on: October 01, 2014, 08:08:14 pm »
So Cloudflare effectively uses a man-in-the-middle attack to dip into the connection between client and target server, and only encrypts the first part of the route, but to the browser it will look like a valid SSL connection thanks to SNI. In reality, there is no end-to-end encryption whatsoever. It's just a smoke screen, really.
For just the unencrypted part, yeah. But that's just bad security in general, and I highly doubt that you can get PCI compliance with that kind of setup. (If you can, then we're going to see some interesting things soon...)

I'm not sure about the situation for HTTPS native, but I imagine using "Full SSL (Strict)" will make it so that you server will only be the one that can decrypt. (Possibly "Full SSL" as well, assuming your SSL certificate is secure.)
Withgusto Networks Founder and Administrator
Main Server Status: http://withg.org/status/
Backup Server Status: Not available
Backup 2/MC Server Status: http://mc.withg.org/status/


Proud member of ClrHome!

Miss my old signature? Here it is!
Spoiler For Signature:
Alternate "New" IRC post notification bot (Newy) down? Go here to reset it! http://withg.org/albert/cpuhero/

Withgusto Networks Founder and Administrator
Main Server Status: http://withg.org/status/
Backup Server Status: Not available
Backup 2/MC Server Status: http://mc.withg.org/status/

Activity remains limited due to busyness from school et al. Sorry! :( Feel free to PM, email, or if you know me well enough, FB me if you have a question/concern. :)

Don't expect me to be online 24/7 until summer. Contact me via FB if you feel it's urgent.


Proud member of ClrHome!

Spoiler For "My Projects! :D":
Projects:

Computer/Web/IRC Projects:
C______c: 0% done (Doing planning and trying to not forget it :P)
A_____m: 40% done (Need to develop a sophisticated process queue, and a pretty web GUI)
AtomBot v3.0: 0% done (Planning stage, may do a litmus test of developer wants in the future)
IdeaFrenzy: 0% done (Planning and trying to not forget it :P)
wxWabbitemu: 40% done (NEED MOAR FEATURES :P)

Calculator Projects:
M__ C_____ (an A____ _____ clone): 0% done (Need to figure out physics and Axe)
C2I: 0% done (planning, checking the demand for it, and dreaming :P)

Offline Eeems

  • Mr. Dictator
  • Administrator
  • LV13 Extreme Addict (Next: 9001)
  • *************
  • Posts: 6266
  • Rating: +318/-36
  • little oof
    • View Profile
    • Eeems
Re: Cloudflare offers free SSL to everyone
« Reply #11 on: October 02, 2014, 10:30:55 am »
So Cloudflare effectively uses a man-in-the-middle attack to dip into the connection between client and target server, and only encrypts the first part of the route, but to the browser it will look like a valid SSL connection thanks to SNI. In reality, there is no end-to-end encryption whatsoever. It's just a smoke screen, really.
Quote
For a site that did not have SSL before, we will default to our Flexible SSL mode, which means traffic from browsers to CloudFlare will be encrypted, but traffic from CloudFlare to a site's origin server will not. We strongly recommend site owners install a certificate on their web servers so we can encrypt traffic to the origin. Later today we'll be publishing a blog with instructions on how to do that at no cost. Once you've installed a certificate on your web server, you can enable the Full or Strict SSL modes which encrypt origin traffic and provide a higher level of security.
If you want to leave it as only partially secured then you can, but you can secure the whole trip, and half of the trip being secure is better then none of it.
/e

Offline compu

  • LV5 Advanced (Next: 300)
  • *****
  • Posts: 275
  • Rating: +63/-3
    • View Profile
Re: Cloudflare offers free SSL to everyone
« Reply #12 on: October 02, 2014, 12:05:13 pm »
... but you can secure the whole trip ...
CloudFlare is still MITMing the connection and since they are based in the USA, several three letter agencies will probably have access to the traffic.
Of course a bit encryption is better than no encryption, I just hope that nobody seriously thinks this is secure.

Offline Eeems

  • Mr. Dictator
  • Administrator
  • LV13 Extreme Addict (Next: 9001)
  • *************
  • Posts: 6266
  • Rating: +318/-36
  • little oof
    • View Profile
    • Eeems
Re: Cloudflare offers free SSL to everyone
« Reply #13 on: October 02, 2014, 02:43:01 pm »
... but you can secure the whole trip ...
CloudFlare is still MITMing the connection and since they are based in the USA, several three letter agencies will probably have access to the traffic.
Of course a bit encryption is better than no encryption, I just hope that nobody seriously thinks this is secure.
You should probably do some reading before you make accusations like that. Also, the concern with SSL encryption is keeping your personal information (like bank accounts, credit cards etc) out of the hands of thieves. It is not to keep it out of the hands of the law enforcement. If you are trying to do that, well
  • Why don't you want the law enforcement to know about what you are doing?
  • The internet is totally the wrong media for that. There are too many ways to trace information over the internet for that to be truly viable.
  • Law enforcement could easily just go to the site you are visiting and request information, that or the hosting provider for the site.
https://www.cloudflare.com/security-policy
https://www.cloudflare.com/transparency

I quite like cloudflare's policies. They will only release information if required by law, and even then they will only release the limited scope of the information without any of the keys that would make all of it accessible. They will also release transparency reports about requests by government agencies and if possible inform users on what of their information was requested by government agencies.
/e

Offline DJ Omnimaga

  • Clacualters are teh gr33t
  • CoT Emeritus
  • LV15 Omnimagician (Next: --)
  • *
  • Posts: 55943
  • Rating: +3154/-232
  • CodeWalrus founder & retired Omnimaga founder
    • View Profile
    • Dream of Omnimaga Music
Re: Cloudflare offers free SSL to everyone
« Reply #14 on: October 03, 2014, 12:44:51 am »
They will only release information if required by law, and even then they will only release the limited scope of the information without any of the keys that would make all of it accessible. They will also release transparency reports about requests by government agencies and if possible inform users on what of their information was requested by government agencies.

But is it 100% guaranteed that all countries in the world will not try to force their way in to get the info without CloudFlare's permission? I know that CloudFlare will be transparent about it but the possibility that a government agency goes that far (eg China or North Korea, for example) is probably what compu is concerned about. Not that I have anything to hide, personally, although I am not too comfortable about the idea of my Paypal login/password falling into the hands of random strangers since we never know what people might be up to.