CloudFlare's "Universal SSL" Initiative

Discussion in 'Security' started by Chris.M, Sep 29, 2014.

  1. Chris.M

    Chris.M Member

    (Not sure if this is more "The Lounge" worthy.)

    CloudFlare today announced that customers using their free offering will now have the ability to encrypt their connection by default (functionality that was initially only available on higher-tier plans). They're referring to this upgrade as "Universal SSL" and are rolling it out to all users throughout the day. A much more detailed explanation of what they're doing can be found here, on their blog.

    I'm an advocate of using encryption whenever and wherever possible, and as such I think this is a huge step in the right direction. This being said, I'm confused as to what's being offered here. Are they encrypting by way of auto-provisioning SSL certificates for every customer's connection? Or are they simply enabling any given customer to purchase an SSL certificate and use it with their CloudFlare-protected websites? I have not used CloudFlare in a while and their service has evolved pretty quickly. From the blog entry linked above, they make it sound as if they're automatically securing their customers' connections with some sort of certificate that has been developed for "mass use." Bottom line: my understanding of how they're doing this is incredibly limited.

    Thoughts? I'm genuinely interested in seeing how this pans out for them.
  2. KH-DavidL

    KH-DavidL Abuse & Documentation Specialist Staff Member

    Hey Chris,

    Thanks for the share.

    Quoting that blog post:
    To me (I may be misinterpreting), this means that sites need to have their own SSL certificate already installed. This allows for non-"mixed" insecure content between your server and CloudFlare's cached content that is actually served to the customer.

    Also to keep in mind, their statement here:
    However, that's not really limiting anyone out =P
  3. Chris.M

    Chris.M Member

    That's exactly how I interpreted it, and I'm assuming it's the most likely. I couldn't imagine them issuing a literal certificate for each customer, regardless of whether or not the customer has one already. I'm viewing it as a step that will make encryption more enticing to both their existing customer base and definitely potential new customers. No extra charge, happy people.

    Some customers, at least from comments, seem to think that their connections will magically become encrypted with a free SSL certificate provided by CloudFlare. Maybe this is the case. Maybe they're also planning to offer free ponies, too. We'll have to see. :p
  4. KH-Jared

    KH-Jared Jr. Sysadmin Staff Member

    I'm very interested in this but I actually haven't used CloudFlare personally before. So to test this, I've already created a new CloudFlare account. I won't be able to report anything until tomorrow, unfortunately.
    But it looks interesting already. I'm not sure what's going to be different on their backend between now and tomorrow, but right now, I can't pick between the three SSL options, which are Flexible, Full, and Full (strict). It tells me those are premium options only. We'll see if this changes in 24 hours.

    My test domain does seem to use their certificate already.
    It looks to already be using either Full or Strict because it is giving defaultwebpage.cgi, which it would do if I tried to connect to any of my other domains using https right now.
  5. Chris.M

    Chris.M Member

    @KH-Jared I'm really looking forward to hearing your thoughts on this. I don't think they're being very clear in terms of wording. The general consensus seems to be that the connection is indeed encrypted, by way of a certificate on their end, automatically - without an existing certificate on the user's end. If this is the case, man oh man. They must be doing something crafty (not saying this negatively) in order to pull this off for such a sizable user population.

    Edit: It took me all of a minute to realize what they're doing: encrypted connection from browser to CloudFlare by default, but an encrypted connection from CloudFlare to a user's server would require a certificate installed on the user's server. Thank you, Dave, for providing the above quote... which I apparently disregarded earlier. Oy.

    I still think this is going to confuse more than a few people.
    Last edited: Sep 29, 2014
  6. KH-Jared

    KH-Jared Jr. Sysadmin Staff Member

    @Chris.M There is definitely plenty to be confused about. What has got me the most confused is this bit which certainly makes it sound like 'Free SSL certificate on our servers.'
    Right now I'm able to pick between Flexible, Full, and Full (strict). I've gone with Flexible just to test for the time being and it loads my site but with the same warning as before. They have not hidden the fact that for free accounts they are taking their time, so I'll check back again this evening and in the morning to see if they get a certificate that legitimately covers my domain, as the above seems to imply, or if they are trying to say that their certificate covers your domain and gets it a secured connection.

    If it is the latter, then it's not wrong, but it's just as secured as a self-signed certificate. It'll give you a secured connection but browsers won't trust it. It'll also be much less useful than it sounds, especially since they restrict custom SSL certificates to the paid plans.
  7. Chris.M

    Chris.M Member

    Jared, apologies for the delayed response on my part!

    Thanks for testing this out and getting back to me with the results. They're clearly inundated with new signups and getting this rolled out for existing folks... so who knows if things are working correctly. Honestly, I'd like to see them rephrase their entire explanation of what they're hoping to achieve with this. It's great in theory, but whether or not it ends up working out is another story altogether. They do recommend that users have a valid certificate installed on their end to ensure a fully encrypted connection, but it's mentioned almost as if it's an afterthought.

    Keep me posted if anything changes. If I were to use CloudFlare again, I'd likely opt for their Pro plan from the get-go... but I'm curious to see how this ends up rolling out.
  8. KH-Jared

    KH-Jared Jr. Sysadmin Staff Member

    Absolutely no problem. Currently, it's still showing their certificate. I still cannot supply my own certificate. I'm thinking of trying the Full option but I'm going to hold off until tomorrow just to make sure I provide them enough time. If it's secured just with their certificate and there's no way to provide your own, then it's not really that much of a help, since anyone who is going to want an SSL certificate will not want their users' browsers giving them a warning every time they visit.
    Chris.M likes this.
  9. KH-DavidL

    KH-DavidL Abuse & Documentation Specialist Staff Member

  10. Chris.M

    Chris.M Member

    @KH-DavidL Yep, it does. At this point, I'm more interested in the implementation and seeing how it's actually working (versus how they envisioned it to). Seems like a big undertaking.
  11. KH-DavidL

    KH-DavidL Abuse & Documentation Specialist Staff Member

    Well, like @KH-Jared, I've decided to take on some testing of my own. I've got a brand new domain, with valid SSL Certificate setup on CloudFlare, all the DNS is swapped over. Experiencing the same as previously mentioned. Visiting the domain provides the certificate for "" rather than the actual domain. I'll be curious to see if anything changes after the 24 hour period that the disclaimer references.
  12. KH-DavidL

    KH-DavidL Abuse & Documentation Specialist Staff Member

    Quick update on this and my progress with CloudFlare.

    Thus far, I've continued experiencing the same issues previously described. So, I went ahead and switched my SSL settings over to the Full (strict) option. The admin panel suggests that it should take no longer than 5 minutes to process and be set in place. After waiting around 30 minutes and continuing to experience the same configuration and issues, I opened a ticket! :eek:

    My Ticket to CloudFlare:
    After ~25 minutes (not bad, but certainly not KnownHost timing), I received an update to my inquiry. While not unique to my specific ticket, nor detailing my exact information/request(s), I was provided with some informative documentation.

    My Reply from CloudFlare:
    Already passing the 0700 UTC mark, I'm not noticing any differences yet!
  13. KH-DavidL

    KH-DavidL Abuse & Documentation Specialist Staff Member

    Additional Note:

    Just logged into my CloudFlare admin panel to see if any changes or updates were made there. Check this out:

    An SSL issuance status has been added. Mine is still stating that it's currently in the process of being issued. However, another interesting observation is that my selected option from the drop-down box is no longer "Full SSL Strict", as I originally chose. It now shows "Full SSL" as my selected option. Hm..

    Will continue the updates.
  14. Chris.M

    Chris.M Member

    David, your updates are both riveting and informative as usual. :D

    Seems like the response you received from them is canned, and more or less saying, "Hey! Here's some reading material for you as we continue to fix our issues." I think they were being a tad too optimistic by saying the new system would hopefully be rolled out to all customers by the end of business on the first day (... I think they said this, could be wrong). "Hopefully" being the key word here.

    Again, this must be a massive undertaking. Massive. I'm sure they'll work out the kinks, but I imagine it'll take them a hell of a lot longer than a few days to smooth everything out.
  15. KH-DavidL

    KH-DavidL Abuse & Documentation Specialist Staff Member

    Aww, *blushing*. Thanks!

    Pretty much what I expected, just like I stated in the ticket opener, "I imagine you are quite inundated at the moment, so I sincerely appreciate you taking the time to review this ticket and get back with me!" That being said, even just a "Hey David, check out these links: [...] Let me know if you have any more questions! Thanks" would have been nice, instead of mass-canned. I can certainly imagine the load they're receiving right now though.

    Agreed, however in my eyes (disclaimer: 2c here) owning up to 'mistakes' or 'misleading' information solidifies a company's reputation. Everyone makes mistakes, just be honest about it.
    Chris.M likes this.
  16. Chris.M

    Chris.M Member

    I agree with you entirely. Something still tells me that this offering will be difficult to sustain, at least for the free-tier percentage of folks. We'll see! I hope (and like) to be surprised. Let's see how this works for both yourself and @KH-Jared.

    In the meantime, I'll wait for KnownHostFlare.
    KH-DavidL likes this.
  17. KH-DavidL

    KH-DavidL Abuse & Documentation Specialist Staff Member


    That was quick.
    $ dig NS [removed].org +short
    $ openssl s_client -showcerts -connect [removed].org:443 |grep Domain
    depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=[removed].org
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=[removed].org

    It's working with no issues for me at this point. However, the CloudFlare admin panel still shows "Issuing".
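    The check David runs above, turned into an added Python example (not code from the thread or from CloudFlare): it parses `openssl s_client -showcerts` output of the shape quoted and reports whether the leaf certificate actually names the domain, which is what separates David's "working" result from Jared's edge that still serves CloudFlare's own certificate. The sample output and the `example.org` hostname are constructed for the example.

```python
import re
# Constructed sample shaped like the thread's `openssl s_client -showcerts` output (host replaced by example.org).
SAMPLE_OUTPUT = """\
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=example.org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=example.org
"""

CHAIN_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")          # "N s:<subject DN>" from -showcerts
ISSUER_RE = re.compile(r"^\s*i:(.*)$")                 # "i:<issuer DN>" line following it
ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")  # local verification failures
SELF_SIGNED_IN_CHAIN = 19  # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: root missing from the local store

def _cn(dn):
    """Pull the CN out of a slash-separated DN such as /OU=.../CN=example.org."""
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1).strip() if m else None

def parse_s_client(output):
    """Extract leaf CN, leaf issuer CN, chain length and verify errors from s_client text."""
    info = {"leaf_cn": None, "issuer_cn": None, "chain_len": 0, "verify_errors": []}
    last_idx = None
    for line in output.splitlines():
        if m := ERR_RE.match(line):
            info["verify_errors"].append((int(m.group(1)), m.group(2)))
        elif m := CHAIN_RE.match(line):
            last_idx = int(m.group(1))
            info["chain_len"] = max(info["chain_len"], last_idx + 1)
            if last_idx == 0:
                info["leaf_cn"] = _cn(m.group(2))
        elif (m := ISSUER_RE.match(line)) and last_idx == 0:
            info["issuer_cn"] = _cn(m.group(1))
    return info

def cn_covers(cn, host):
    """Exact match, or a single-label wildcard (*.example.org covers www.example.org only)."""
    if cn is None:
        return False
    if cn.startswith("*."):
        suffix = cn[1:]
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return cn.lower() == host.lower()

def check_edge_cert(output, host):
    """Does the served leaf name `host`, and does the chain verify apart from a missing root?"""
    info = parse_s_client(output)
    real_errors = [e for e in info["verify_errors"] if e[0] != SELF_SIGNED_IN_CHAIN]
    return {"leaf_cn": info["leaf_cn"], "covers_host": cn_covers(info["leaf_cn"], host),
            "chain_ok": not real_errors, "chain_len": info["chain_len"]}
```

Error 19 is ignored on purpose: it only says the local OpenSSL trust store lacks the self-signed root, as in the quoted session, and a browser carrying that root would not complain. Run `openssl s_client -showcerts -connect yourdomain:443 < /dev/null` and feed the text to `check_edge_cert` to see whether `covers_host` has flipped to `True` for your own zone.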
  18. KH-Jared

    KH-Jared Jr. Sysadmin Staff Member

    @KH-DavidL Obviously they like you more than me :oops:
    Mine is still showing their certificate, and SSL issuing, so I suppose it's still in progress. I'm curious if this is due to Flexible vs Full or just a traffic difference since they've even said they're doing highest traffic first. I know they said 0700 UTC this morning but I'll give it more time before I open another ticket.
  19. KH-DavidL

    KH-DavidL Abuse & Documentation Specialist Staff Member

    I believe I was wrong here. Looks like CF is having some issues right now. The domain was constantly flipping between my primary IP address and theirs, even while using their correct name servers. Apparently, even pro accounts are experiencing issues right now. Heh.
  20. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member

    Our (KH's) account is a pro and our stuff that runs through them was most definitely least for about 5 mins before I re-routed our traffic around them :D
    KH-DavidL likes this.
