undefined | Better HN

0 pointsfiatjaf8y ago0 comments

Use Cloudflare SSL. It will disguise your lack of SSL perfectly.

0 comments

I've been wondering--is there any disadvantage to doing that? Cloudflare's SSL at least guarantees no MITM, right?

I too am somewhat confused about Cloudflare. They provide an SSL option called "Flexible SSL", about which Cloudflare itself states:

    [Flexible SSL] is less secure than [even no SSL],
    and could even cause you trouble when you decide 
    to switch away from it[1]

Then why even offer it? Particularly when they have "Full SSL", which can be used with a self-signed certificate, or "Full SSL (strict)", which can be used with Cloudflare's own freely provided "Origin CA"[2].

I don't know if flatjaf's post is just referring to Flexible SSL, but if there are any issues with either of CF's "Full SSL" options I'd be interested to hear them (genuinely, in case that sounds like insincere sarcasm).

[1] https://support.cloudflare.com/hc/en-us/articles/200170416-W...

[2] https://blog.cloudflare.com/cloudflare-ca-encryption-origin/

fiatjafOP8y ago

I believe Flexible SSL is a good thing if you're not doing user sessions, storing private user data or anything like that. It's good for information-only sites, as you'll save your visitor from their network administrator, ISP and lower-profile hackers.

For more serious things it shouldn't be used, but I like the fact that it is there.

Maybe browsers should distinguish it somehow for the user: "your connection with this site is safe from everybody except the site's administrators" versus "your connection with this site is safe from your neighbor, ISP and network administrator".

But perhaps that would be meaningless, as all servers may be hosted anywhere, and their SSL private keys may be anywhere also -- for example, if you're serving SSL from Heroku you must upload your keys to Heroku, which means Heroku folks can see your connections if they want. Am I wrong?

quickthrower28y ago

Some people just want a padlock symbol.

1 more reply

j / k navigate · click thread line to collapse