Please note that using Cloudflare, even with free SSL, is not an increase to the security and privacy of your users. On the contrary, Cloudflare records information about your users (this cannot be disabled) and, by default, blocks users who attempt to view your site through privacy-enhancing software. I would suggest that people looking to install SSL on their website (this should be everybody) instead get their free SSL certificate from gandi.net or StartSSL, who do not spy on or block your users.
I assume you are referring to Tor? We love Tor and the specific things we block by default are resource consumption bots. If people enable "I Am Under Attack" mode, I think there is some incidental interstitial challenge for Tor, but not blocked.
We don't comment on our customers unless they authorize us to, but based on the list of public ones, I would be pretty comfortable, even if I didn't work there.
So, you're saying that using HTTP instead of HTTPS doesn't increase the privacy of users? I'd say that it does "increase" the privacy, although nobody is saying that it fixes every hole in the boat...
Yes, it worries me that Cloudflare is proxying an ever larger number of websites I visit. It is not so easy to dump Cloudflare when you need it though. They mitigate DDoS attacks, handle large volume traffic. I think moot even said that he'd have to close 4chan if it wasn't for Cloudflare.
Gandi is free for a year and then expensive after - Namecheap may not be free but renewals and initial costs are much lower. StartSSL is free but revoking costs money.
It's not a problem if those connections use self-signed certificates, right? If that's the case, then setting up SSL from CloudFlare to your servers should be pretty easy.
Could you elaborate on this? My impression was that connections between data centres (e.g. in the case of using an EC2 instance with Cloudflare) were already very secure and therefore do not require SSL.
Are there more actual implementation details somewhere? Sounds like selecting the SSL context based on the client's SNI request. This (obviously) would predicate client SNI support, as opposed to anycast IPs or similar.
CloudFlare's CEO says that free SSL will use SNI with ipv4 [1] and possibly non-SNI with ipv6 [2]. A CloudFlare engineer has discussed splitting the SSL handshake between servers so their many edge nodes don't need to keep customer secret keys in memory [3]. However, this sounds slightly different than the lazy loading behavior in the blog post.
I believe you could use node.js or https://github.com/indutny/bud for asynchronously selecting SNI context per request. This is very fast and flexible.
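The SNI-based context selection discussed in the comments above, as an added example that is not part of the original thread and is not Cloudflare's or bud's code: it parses the `server_name` extension out of a ClientHello and falls back to a default certificate when the client sends no SNI. The host names, certificate labels and the sample ClientHello builder are constructed for illustration.

```javascript
// Added example. Host names and certificate labels below are constructed.
const contexts = new Map([['example.com', 'cert-example'], ['shop.example.net', 'cert-shop']]);

// Returns the server_name host from a raw ClientHello (assumed to fit in one
// TLS record), or null when the client sent no SNI or the bytes are malformed.
function parseSni(buf) {
  try {
    if (buf[0] !== 0x16 || buf[5] !== 0x01) return null; // handshake record + ClientHello
    let p = 5 + 4 + 2 + 32;        // record header, handshake header, version, random
    p += 1 + buf.readUInt8(p);     // session_id
    p += 2 + buf.readUInt16BE(p);  // cipher_suites
    p += 1 + buf.readUInt8(p);     // compression_methods
    if (p >= buf.length) return null;              // client sent no extensions block
    const end = p + 2 + buf.readUInt16BE(p);
    for (p += 2; p + 4 <= end; ) {
      const type = buf.readUInt16BE(p), len = buf.readUInt16BE(p + 2);
      p += 4;
      if (type === 0) {            // server_name: list_len(2) type(1) name_len(2) name
        const n = buf.readUInt16BE(p + 3);
        if (buf[p + 2] !== 0 || 5 + n > len || p + len > buf.length) return null;
        return buf.toString('ascii', p + 5, p + 5 + n).toLowerCase();
      }
      p += len;
    }
  } catch (e) { /* truncated input: a read ran past the buffer */ }
  return null;
}

// Picks the certificate context; clients without SNI get the default one.
function selectContext(clientHello) {
  const host = parseSni(clientHello);
  if (host === null) return { host, context: 'cert-default', reason: 'no-sni' };
  const context = contexts.get(host);
  return context ? { host, context, reason: 'sni-match' }
                 : { host, context: 'cert-default', reason: 'unknown-host' };
}

// Builds a minimal constructed ClientHello; host === null omits the SNI extension.
function buildClientHello(host) {
  const u16 = (n) => Buffer.from([n >> 8, n & 0xff]);
  const name = Buffer.from(host || '', 'ascii');
  const data = Buffer.concat([u16(name.length + 3), Buffer.from([0]), u16(name.length), name]);
  const ext = host === null ? Buffer.alloc(0) : Buffer.concat([u16(0), u16(data.length), data]);
  const body = Buffer.concat([Buffer.from([3, 3]), Buffer.alloc(32, 0xab), Buffer.from([0]),
    u16(2), Buffer.from([0xc0, 0x2f]), Buffer.from([1, 0]), u16(ext.length), ext]);
  const hs = Buffer.concat([Buffer.from([1, 0]), u16(body.length), body]);
  return Buffer.concat([Buffer.from([0x16, 3, 1]), u16(hs.length), hs]);
}
```

In a Node.js server the same lookup would sit inside the `SNICallback` option of `tls.createServer`, which receives the already-parsed server name.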
Does it bother anyone else that when you try to visit the Google post explaining that they are using HTTPS as a ranking signal via https it redirects to http?
For example, I do a lot of web scraping through my domain and I see that I was automatically opted in to use https://www.cloudflare.com/apps/scrapeshield, something that is supposed to block scraping.
There's a huge conflict of interest if it turns out that the cloudflare network actively aims to help block scraping.
I know you guys said you will be on the neutral side but if Cloudflare is helping Scrapeshield become more intelligent about scraping by monitoring my scraping actions, I really don't know if it's wise to stay with Cloudflare, as much as I love it.
I don't get it. A domain is just an address, how can you scrape through your domain? Do you mean server? But scraping is an outbound connection, how could they monitor it?
I presume that customer private keys need to be stored on Cloudflare servers to implement this. Has that just made Cloudflare servers a legitimate prime NSA target?
nilved|11 years ago
rdl|11 years ago
monokrome|11 years ago
spindritf|11 years ago
unknown|11 years ago
[deleted]
namidark|11 years ago
user3|11 years ago
igul222|11 years ago
guyht|11 years ago
ihsw|11 years ago
donavanm|11 years ago
moonboots|11 years ago
[1] https://news.ycombinator.com/item?id=7910849
[2] https://twitter.com/eastdakota/status/478369486643658754
[3] http://www.slideshare.net/cloudflare/running-secure-server-s...
indutny|11 years ago
alanbyrne|11 years ago
http://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-...
curiousjorge|11 years ago
Update: I have another concern I just found out.
eastdakota|11 years ago
http://blog.cloudflare.com/introducing-scrapeshield-discover...
eastdakota|11 years ago
icebraining|11 years ago
general_failure|11 years ago
junto|11 years ago
I.e. all your keys belong to us
rdl|11 years ago
taksintik|11 years ago
tanglesome|11 years ago
willu|11 years ago
eastdakota|11 years ago