Free SSL?

Is CloudFlare Giving Away SSL Certificates really a good thing?

You get free SSL! You get free SSL! Everyone gets free SSL! That was one of the many headlines announcing that CloudFlare is giving out free SSL certificates. As you may remember, it’s a play on Oprah announcing that everyone in the audience was getting a free car years ago.

What much of the media didn’t follow up on was that the free gifts caused a lot of problems, because many recipients couldn’t afford the taxes on the vehicle they got “for free.” Keep reading to find out why “free SSL certificates” from CloudFlare may not be as good as you might think.

Man in the Middle

Back in February 2014, Scott Helme, an Information Security Consultant, published a blog post outlining his problems with the SSL options CloudFlare offered at that time. What he wrote is pretty enlightening. (We recommend reading his whole post.)

As it turns out, I could have literally used just about any certificate I’d liked and it would have worked just fine. Not only that, but anyone could MiTM my perfectly valid SSL certificate, swap it out, and CloudFlare would have been just as happy. To me, their blog post should be more along the lines of ‘we now do SSL properly’ than ‘hey we added a new feature’.

While the above was posted back in February, before CloudFlare announced that they’re giving out free SSL certificates, the way they handled TLS / SSL in the past is definitely reason to pause and think carefully about whether they’ve got it right this time.

Paying for CloudFlare

While they do have free options at CloudFlare, if you’re running a website that gets a lot of traffic, you’re likely going to end up paying anywhere from $20 to $5,000 PER MONTH or more. Throwing in a free SSL certificate when you’re paying that much for their other services doesn’t seem like that big of a bargain if you ask us.

At the end of the day, you really need to sit down and think carefully about the cost of free. As the old saying goes, “You get what you pay for…” If you’re getting something for free, you really have to question whether it’s a true value or not. As for now, in our opinion, Universal SSL™ offered by CloudFlare should be something you consider carefully.

According to The Register, “…the Universal SSL service will only support “modern” browsers. Due to the use of ECDSA, the SSL connections will not be available to people running Windows XP editions of Internet Explorer and pre-Ice Cream Sandwich Android devices, as well as some other older browsers.” This is something else to think about.

A safer and more secure internet is great, but it’s important to make sure it’s done correctly. As you may have noticed, CloudFlare has gotten a LOT of media attention since their announcement about free SSL certificates. Still, it’s a good idea to know exactly how something works and ensure it’s going to be right for you – even if it’s free.

The last thing you want or need is a false sense of security. For example, if you’re on a shared server, you really want to think twice about a free SSL certificate from CloudFlare. If someone were to gain root access, simply running tcpdump could capture, in real time and in the clear, all of the data that was supposed to be encrypted.

Basically, CloudFlare is only offering half of the connection securely – especially with their new free SSL certificates. Before you rush out and grab one, take some time to consider all of the implications. Free is good, but 100% secure is much better. Have thoughts or disagree? Leave a comment below and let us know.

Comments

  1. cjohnson

    They send the original IP in a header, as all proxies do. If your host is even remotely sanely configured, it’s very easy to put the original IP back in place. NGINX has a “real ip” module to do this neatly for you. If you’d read the docs, this is very clearly outlined.
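The header-based restoration the comment above describes, as an added example (not the commenter’s code, not NGINX’s real_ip module, and not CloudFlare’s own code): the header is only honoured when the TCP peer is one of the proxy’s addresses, because otherwise any client can set the header and spoof its source address in your logs, rate limits and analytics. The header name is Cloudflare’s documented CF-Connecting-IP; the trusted ranges and the sample requests are constructed placeholders, not Cloudflare’s published list.

```python
import ipaddress

# Assumption: the proxy puts the visitor's address in CF-Connecting-IP.
REAL_IP_HEADER = "CF-Connecting-IP"

# CONSTRUCTED placeholder ranges (RFC 5737 / RFC 3849 documentation space).
# In production this list must be the proxy's real published address ranges.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def client_ip(peer_addr: str, headers: dict) -> str:
    """Return the address to log and rate-limit on.

    Mirrors what NGINX's real_ip module does with set_real_ip_from +
    real_ip_header: the header is trusted only when the TCP peer is a
    known proxy. Any other peer keeps its own address, so a direct
    client cannot forge a different source by sending the header.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not any(peer in net for net in TRUSTED_PROXY_RANGES):
        return str(peer)  # not from the proxy: ignore the header entirely

    # HTTP header names are case-insensitive.
    lookup = {name.lower(): value for name, value in headers.items()}
    raw = lookup.get(REAL_IP_HEADER.lower(), "").strip()
    try:
        return str(ipaddress.ip_address(raw))  # normalises the textual form
    except ValueError:
        return str(peer)  # header missing or malformed: fall back to peer


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, headers seen by the origin).
    samples = [
        ("203.0.113.10", {"CF-Connecting-IP": "198.51.100.7"}),   # via proxy
        ("192.0.2.44", {"CF-Connecting-IP": "198.51.100.7"}),     # spoof attempt
        ("203.0.113.10", {}),                                      # header absent
    ]
    for peer, hdrs in samples:
        print(f"peer={peer:<14} -> client_ip={client_ip(peer, hdrs)}")
```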

  2. Daniel Somers

    I’ve been testing CloudFlare on a couple of websites, using the free SSL option. I haven’t noticed a massive improvement of speed like they promote.

    One of the main things that I find a ‘flaw’ with is all traffic coming over from the same IPs (due to CF being a proxy), so this messes up goals in Google Analytics etc. Nightmare.

    If you’re a small business and heavily rely on sales from your website, remember to keep a note of when you changed to CF because your sales could look like they’ve dropped due to the IP issue. (isn’t really an issue, people just don’t know until they look at their analytics)

    You can install scripts that show the true IP, but they don’t exactly tell you that.

    SSLs have dropped in price, so no reason to use a free version, definitely not a shared one.
