Author Topic: Cloudflare offers free SSL to everyone  (Read 17549 times)


Offline compu

Re: Cloudflare offers free SSL to everyone
« Reply #15 on: October 03, 2014, 05:46:03 am »
Quote
You should probably do some reading before you make accusations like that.
Here, so you can do some reading before accusing me of false accusations: https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-Off-Flexible-SSL-Full-SSL-Full-SSL-Strict-mean-
Cloudflare decrypts the traffic and acts as a man in the middle. So this is not end-to-end encryption and therefore NOT secure.
Quote
Also, the concern with SSL encryption is keeping your personal information (like bank accounts, credit cards etc) out of the hands of thieves. It is not to keep it out of the hands of the law enforcement.
No, I want to keep my data out of the hands of anyone who is not the intended receiver. The government is certainly not an intended receiver.
Quote
Why don't you want the law enforcement to know about what you are doing?
Because it's none of their business.

Quote
https://www.cloudflare.com/security-policy
https://www.cloudflare.com/transparency

I quite like cloudflare's policies. They will only release information if required by law, and even then they will only release the limited scope of the information without any of the keys that would make all of it accessible. They will also release transparency reports about requests by government agencies and if possible inform users on what of their information was requested by government agencies.
If you followed the news over the last year, you would know that these policies are worth nothing if the US government can just send them a National Security Letter or force their way in.

Offline alberthrocks

Re: Cloudflare offers free SSL to everyone
« Reply #16 on: October 03, 2014, 10:48:31 am »
But is it 100% guaranteed that all countries in the world will not try to force their way in to get the info without CloudFlare's permission? I know that CloudFlare will be transparent about it, but the possibility that a government agency goes that far (e.g. China or North Korea, for example) is probably what compu is concerned about. Not that I have anything to hide, personally, although I am not too comfortable about the idea of my Paypal login/password falling into the hands of random strangers, since we never know what people might be up to.
Most of the time, you'll survive as long as you don't accept invalid certificates! However, if an agency were able to request a falsified certificate, then it's game over... but that applies to every secured website out there.

Quote
I quite like cloudflare's policies. They will only release information if required by law, and even then they will only release the limited scope of the information without any of the keys that would make all of it accessible. They will also release transparency reports about requests by government agencies and if possible inform users on what of their information was requested by government agencies.
Quote
If you followed the news over the last year, you would know that these policies are worth nothing if the US government can just send them a National Security Letter or force their way in.

So.... I read up a few more things and have a better grasp of the situation now.

Let's start off by stating a few facts:
  • Cloudflare is using a MITM (a "trusted" one) to secure websites. That means they do encrypt and decrypt using their certificate, and then send the traffic over to the origin server by re-encrypting it with the origin server's keys.
  • Cloudflare does it interestingly by using one node and signing their own certificates for all domains that use that node. So they sign for cloudflare.com, *.cloudflare.com, and then client domains, like bla1.com, coolwebsite.com, etc.
That said, let's clarify...

Quote
They will only release information if required by law, and even then they will only release the limited scope of the information without any of the keys that would make all of it accessible. They will also release transparency reports about requests by government agencies and if possible inform users on what of their information was requested by government agencies.
Yes... if this was a regular warrant search. If this was NSL'd, then this would not be the case.

However - they are being slightly transparent by using something called a warrant canary, in which they discreetly notify everyone that they have been NSL'd by removing a certain phrase. But don't interpret this as something that is 100% transparent - if your node got NSL'd on Cloudflare, they won't (and can't) tell you.

Quote
If you followed the news over the last year, you would know that these policies are worth nothing if the US government can just send them a National Security Letter or force their way in.
Yes, but this applies to plenty of things:
  • Your web service provider can be NSL'd to monitor traffic;
  • Your server hosting provider can be NSL'd to install a backdoor on your server;
  • Your SSL provider can be NSL'd to give up your private key;
  • An American SSL provider can be NSL'd to forge a certificate for your website, and MITM it.
I should note that while the first three are probably nothing to worry about for those in other countries, the last one is very real, and can have global impact for those trying to visit your website.

That said, should I, a server admin, go crazy over all of this? Nope, and here's why:
  • Encryption and protection on a server you don't physically control is not going to help. In fact, virtualized instances are not secure at all. The only secure server is a dedicated hardware node that you physically have in your house. And even that isn't necessarily secure!
  • Securing many websites at once isn't too bad of an idea. This is really big because if, suddenly, millions of websites start being HTTPS, it's harder for the agencies to determine who's who. (In the past, with fewer SSL sites, it was easier to say, "Oh, this guy is using SSL, he must be hiding something".)
  • Cost vs. benefit. This is probably the biggest reason. If this service provides more security to those who wish to protect sensitive information (or just prevent easy snooping), AND provides DDoS mitigation, AND provides caching, etc. etc., I think the benefits outweigh the costs. Yes, it's true that some agencies see this as a good chance to hop on in and intercept, but there are plenty of other ways for them to do that, and plenty of other opportunities to secure your data with my own efforts.
Nevertheless, I agree that privacy is a major concern that has been overlooked by lawmakers and the like. "Why don't you want the law enforcement to know about what you are doing?" is a strange question to ask - sure, I don't mind (I'm not doing anything illegal), but you're just asking to get mauled.

"They can do X now, so what?" is a question that many people ask. Then said agencies that "do X" will do even more, like Y and Z, which people will really not like! (What if Z was installing a camera in the bathroom and monitoring your "activities" there? Surely you won't mind then? ;D )

That aside - in terms of overall security, going with Cloudflare still seems like the best choice. My only reason for not setting this up yet is due to compatibility concerns, and that Cloudflare shares the same certificate with other domains, which may or may not become an issue - still researching. Of course, for those who are really concerned, I'd be happy to provide a secret, alternate route to access my server without going through Cloudflare.

tl;dr Cloudflare is not immune to NSLs, but they provide more benefit vs. cost; alt methods are available for securing server; despite all of this your privacy is still something you should value!

Offline compu

Re: Cloudflare offers free SSL to everyone
« Reply #17 on: October 03, 2014, 11:47:35 am »
Sure, you're right, there is no 100% security.
Like I said in my first post, this is not necessarily a bad thing - the more SSL used on the internet, the better. It's a security tradeoff I personally would not want to make.
Let's just not forget that StartSSL gives out free SSL certs for everyone ;)

Offline Adriweb

Re: Cloudflare offers free SSL to everyone
« Reply #18 on: October 03, 2014, 11:55:18 am »
Quote
Let's just not forget that StartSSL gives out free SSL certs for everyone ;)
Yep, and cheap (US$ 60 for 2 years) Class II ones :D
(at TI-Planet we've upgraded to that (from the free one) partly because of wildcard domains (set up at registration) - it's quite useful, especially with subdomains.)

Edit: btw, HTTPS Everywhere FTW, for those who didn't know about it :)
« Last Edit: October 03, 2014, 12:55:22 pm by Adriweb »

Offline aeTIos

Re: Cloudflare offers free SSL to everyone
« Reply #19 on: October 03, 2014, 01:57:48 pm »
So does this mean I won't be able to access websites that use the free SSL with my Android 2.3 Gingerbread phone?

Offline Eeems

Re: Cloudflare offers free SSL to everyone
« Reply #20 on: October 03, 2014, 06:54:40 pm »
Quote
So does this mean I won't be able to access websites that use the free SSL with my Android 2.3 Gingerbread phone?
To answer your question:
https://blog.cloudflare.com/universal-ssl-be-just-a-bit-more-patient/#errorsyoumaysee
All browsers will show the error until they finish provisioning SSL certificates. After that, only older browsers will show an error, on which you can just tell it to ignore that error forever. Not all browsers let you remember that choice, though.