2014-09-29
Earlier today, CloudFlare enabled Universal SSL: HTTPS support for all sites by default. Universal SSL provides state-of-the-art encryption between browsers and CloudFlare's edge servers, keeping web traffic private and secure from tampering.
CloudFlare's Flexible SSL mode is the default for CloudFlare sites on the Free plan. Flexible SSL mode means that traffic from browsers to CloudFlare will be encrypted, but traffic from CloudFlare to a site's origin server will not be. To take advantage of our Full and Strict SSL modes, which encrypt the connection between CloudFlare and the origin server, it's necessary to install a certificate on the origin server.
We made Universal SSL free so that everyone can use modern, strong encryption tools to protect their web traffic. More encrypted traffic helps build a safer, better Internet. In keeping with CloudFlare's goal to help build a better Internet, we have some tips on how to upgrade your site from Flexible SSL to Full or Strict SSL.
Option 1: Full SSL: create a self-signed certificate
Dealing with Certificate Authorities (CAs) can be frustrating, and the process of obtaining a certificate can be time consuming. In the meantime, you can get started by installing a self-signed certificate on your origin server. This allows CloudFlare to encrypt the communication with the origin, protecting the communication against passive surveillance, but not against active attackers.
Our handy CSR guide for CFSSL describes how to generate a self-signed certificate. Using OpenSSL to create it is another option.
Once you have created a self-signed certificate and private key, you can install them on your origin server. Digicert has a guide for installing a certificate that covers the most popular server software.
Keep in mind that a self-signed certificate is not signed by a trusted CA. This means that you can change your SSL setting from Flexible SSL to Full, but not Full (strict). Full SSL won't be able to provide authentication, but it will make sure the connection to the origin is encrypted and protected from passive snoopers.
Option 2: Strict SSL: get a certificate from a trusted CA
Most CAs offer low-cost or even free certificates. A popular CA that offers free SSL certificates is StartSSL. Buying and installing a trusted certificate on your origin server is currently the simplest way to enable Strict SSL on your site.
To enable TLS on your server, you need both a certificate and a corresponding private key. The first step in obtaining a certificate from a CA is creating a Certificate Signing Request (CSR). A CSR contains your public key and a proof that you have the associated private key. The CA will verify it and give you back a certificate that you install on your web server. We put together a guide to creating a private key and CSR with CloudFlare's CFSSL tool that you can use, or alternatively, there's always OpenSSL.
Once you have a certificate installed on your origin server, you can change your SSL setting from Flexible to Full (strict) and have the added benefit of an authenticated and encrypted connection to your origin server.
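The OpenSSL route for both options above, as an added example that is not part of the original post: it generates an origin private key, a self-signed certificate (Option 1), and a CSR to send to a public CA (Option 2), then checks the CSR's proof-of-possession signature and shows that the self-signed certificate only passes a strict (chain-validating) check when it is explicitly trusted. It assumes the openssl CLI is installed; the hostname origin.example.com is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes an openssl CLI (1.1.1 or
# newer for -addext). origin.example.com is a placeholder origin hostname.

ORIGIN_HOST="${ORIGIN_HOST:-origin.example.com}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Private key for the origin: 2048-bit RSA, unencrypted so the web server can
# load it unattended. Keep it readable only by the server's service account.
make_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/origin.key" 2>/dev/null
}

# Option 1: self-signed certificate, one-year validity, SHA-256 signature,
# subject and SAN set to the origin hostname (modern validators require the SAN).
make_self_signed() {
    openssl req -x509 -new -key "$WORKDIR/origin.key" -sha256 -days 365 \
        -subj "/CN=$ORIGIN_HOST" -addext "subjectAltName=DNS:$ORIGIN_HOST" \
        -out "$WORKDIR/origin-selfsigned.crt" 2>/dev/null
}

# Option 2: CSR carrying the public key and signed with the private key,
# to be submitted to a trusted CA; the key never leaves the origin.
make_csr() {
    openssl req -new -key "$WORKDIR/origin.key" -sha256 \
        -subj "/CN=$ORIGIN_HOST" -addext "subjectAltName=DNS:$ORIGIN_HOST" \
        -out "$WORKDIR/origin.csr" 2>/dev/null
}

# Check the CSR's embedded signature: this is the "proof that you have the
# associated private key" that the CA verifies before issuing.
csr_is_valid() {
    openssl req -in "$WORKDIR/origin.csr" -noout -verify >/dev/null 2>&1
}

# Strict-style check: validate the self-signed certificate against the trust
# store in file $1. It fails against any store that does not contain the
# certificate itself, which is why Full (strict) needs a CA-issued certificate
# (or an explicitly pinned one).
cert_verifies_against() {
    openssl verify -CAfile "$1" "$WORKDIR/origin-selfsigned.crt" >/dev/null 2>&1
}
```

Run the functions in order (key, self-signed certificate, CSR); the generated files land in WORKDIR, and openssl x509 -in origin-selfsigned.crt -noout -text shows the resulting subject and SAN.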
Option 3: (sneak preview) The CloudFlare Origin CA/Certificate Pinning
Soon you will be able to send your CSR to CloudFlare to get a certificate instantaneously, speeding up the certificate acquisition process. This process will be like that of a regular CA, but much faster. These certificates aren't yet trusted by browsers, but will be trusted by CloudFlare, allowing the back-end connection to be both encrypted and authenticated. This also protects your site if one of the publicly trusted certificate authorities is compromised by attackers and used to issue illegitimate certificates.
We're also investigating the possibility of adding a feature called Certificate Pinning. Certificate Pinning would allow you to tell CloudFlare exactly which certificate to trust for your origin. This would allow customers to use hosting services that don't allow custom certificates to have the benefit of a fully encrypted tunnel, or to simply use a self-signed certificate and get the benefit of both authentication and encryption.