Don't use Cloudflare's "Flexible SSL"

Cloudflare are a content delivery / security company that currently handle over 10% of global internet traffic. It's free to sign up and you can have your website on their network in a matter of minutes. They offer some pretty neat features, but the one I want to talk about in this blog is their "Flexible SSL" offering.

Flexible SSL is a way for non-secure websites (those running over HTTP) to appear secure (HTTPS). I say appear secure, because Flexible SSL only encrypts the traffic between the user and the Cloudflare network point-of-presence (POP). Once it gets to the Cloudflare POP, the traffic is decrypted and sent over the public internet to the target web server, which sends the unencrypted response back to the POP where it gets delivered securely to the user.

The problem is, on the internet, any ISP at any point along the path between you and the target server can intercept or modify the traffic. Since Cloudflare POPs are positioned close to population centers, the only part of the connection that's protected is the shortest part - between you and Cloudflare. Some people will argue that this is enough, since most attackers are going to be close to you, e.g. on your local network (think coffee shop / airport WiFi). While the local network is where the biggest risk lies, the internet at large is still a huge network of different ISPs, some of which may have been compromised, may have unscrupulous employees, or may log traffic. BGP hijacking means any ISP in the world can claim to own parts of the internet's address space - in effect, forcing your traffic to be routed through them. Government agencies like the NSA are known to use "traffic engineering" to force traffic through monitored ISPs or into countries less protected by privacy laws.

While Flexible SSL sounds like a good upgrade over no encryption at all (plain old HTTP), it has a serious consequence: a visitor to an HTTPS website can no longer tell if the site is really 100% secured (HTTPS all the way to the target server) or if only the connection to the Cloudflare POP is encrypted. Both cases present a nice green HTTPS lock icon in the browser, and that's a big problem. I certainly wouldn't enter my credit card details into an HTTP site, but when the site shows up as HTTPS, I'm left wondering: are my card details being sent securely to the merchant's website, or are they going to be routed as plain text over the public internet? Right now, there's no way to tell, and that's a huge issue. Cloudflare themselves actually recommend against using Flexible SSL, saying "It should only be used as a last resort if you are not able to setup SSL on your own web server, but it is less secure than any other option (even “Off”)".

If you use Cloudflare, I strongly recommend avoiding anything other than "Full SSL (Strict)". This is the only mode that encrypts both legs of the connection, visitor to POP and POP to your web server, and in Strict mode the POP also verifies your server's certificate, so an attacker on the path cannot impersonate your origin. Setting up Full SSL is unfortunately more work than just clicking a toggle in the Cloudflare control panel, but it's the only way to really ensure secure communication over the internet. Thankfully, with services like Let's Encrypt, it no longer costs anything to obtain an SSL certificate, but there's still work involved in setting it up.
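Before switching a zone to Full (Strict), it is worth checking that the origin actually passes the validation the POP will perform, because a misconfigured origin certificate simply turns into 5xx errors for every visitor. The following Go program is an added example written for this post, not Cloudflare's code or tooling: it connects straight to the origin address (bypassing the CDN) with SNI set to the site hostname, records the certificate presented, and then verifies it against a root store exactly as a strict proxy would. Reporting the three outcomes separately makes the modes discussed above concrete: a failed handshake is the Flexible SSL situation (origin speaks plain HTTP), an encrypted but unauthenticated leg is what non-strict Full accepts, and only the encrypted-and-authenticated result satisfies Full (Strict). The origin address and hostname on the command line are assumptions the reader supplies.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"os"
	"time"
)

// OriginProbe summarises what a direct TLS connection to the origin looks like
// from the point of view of a proxy that terminates the visitor's HTTPS.
type OriginProbe struct {
	Encrypted     bool   // a TLS handshake completed (all that non-strict "Full" requires)
	Authenticated bool   // chain verifies for Hostname under Roots (what "Full (Strict)" requires)
	Subject       string // subject of the leaf certificate the origin presented
	VerifyError   string // why authentication failed; empty when it passed
}

// ProbeOrigin dials originAddr (host:port, typically the origin's IP so the CDN
// is bypassed) with SNI set to hostname, captures the certificate chain, then
// verifies it against roots (nil = system trust store). Verification is done
// explicitly after the handshake so a bad certificate is reported in detail
// instead of being hidden behind a generic dial error.
func ProbeOrigin(originAddr, hostname string, roots *x509.CertPool) (OriginProbe, error) {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", originAddr, &tls.Config{
		ServerName:         hostname,
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: true, // only so we can inspect the chain; verified below
	})
	if err != nil {
		// No TLS at all on the origin leg: this is what Flexible SSL relies on.
		return OriginProbe{}, fmt.Errorf("origin %s did not complete a TLS handshake: %w", originAddr, err)
	}
	defer conn.Close()

	state := conn.ConnectionState()
	if len(state.PeerCertificates) == 0 {
		return OriginProbe{Encrypted: true}, fmt.Errorf("origin %s presented no certificate", originAddr)
	}
	leaf := state.PeerCertificates[0]
	probe := OriginProbe{Encrypted: true, Subject: leaf.Subject.String()}

	// Any extra certificates sent by the origin are candidate intermediates.
	intermediates := x509.NewCertPool()
	for _, c := range state.PeerCertificates[1:] {
		intermediates.AddCert(c)
	}
	// This is the check a strict proxy performs: trusted chain AND hostname match.
	if _, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       hostname,
		Roots:         roots,
		Intermediates: intermediates,
	}); err != nil {
		probe.VerifyError = err.Error()
		return probe, nil
	}
	probe.Authenticated = true
	return probe, nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: originprobe ORIGIN_IP:443 HOSTNAME")
		os.Exit(2)
	}
	p, err := ProbeOrigin(os.Args[1], os.Args[2], nil) // nil roots: use the system trust store
	if err != nil {
		fmt.Println("origin leg: NOT encrypted ->", err)
		os.Exit(1)
	}
	fmt.Printf("origin leg: encrypted=%v authenticated=%v subject=%q\n",
		p.Encrypted, p.Authenticated, p.Subject)
	if !p.Authenticated {
		fmt.Println("Full (Strict) would reject this origin:", p.VerifyError)
		os.Exit(1)
	}
	fmt.Println("origin passes the Full (Strict) check")
}
```

Run it against the origin's real IP rather than the CDN-fronted hostname, otherwise you are only probing the POP. A hostname mismatch or unknown-authority result means the certificate needs fixing (or a Cloudflare-issued origin certificate needs installing) before Strict mode is enabled; a handshake failure means the origin is still plain HTTP and the leg is not protected at all.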