CloudFlare recently introduced a ‘Free SSL’ service. Straight off the bat, this sounds great for website owners. It’s basically the service that they’ve been offering to their pro users for a while: a chance for organisations and websites to use SSL without knowing the slightest thing about security.
It is fundamentally flawed and shows the problem with the centralized authority system we have right now. However, we’ve never before had a system where it is incredibly easy to serve HTTPS sites. Yes, we’ve had “free” certificate authorities like Startcom, but they are known for doing a lot of manual verification and validating WHOIS details. CloudFlare Free SSL is the final bullet in this ridiculous system.
Phishing. Fraudsters and phishers love the new service. It means they can set up a fraudulent website very quickly, with no verification beyond showing that they can change the DNS records of the domain, instantly getting that padlock that we’ve been telling people is great for years.
False sense of security. One of the major reasons more and more organisations and website owners are flocking to SSL is because it protects against interception. Flexible SSL is a CloudFlare solution which works by adding security between the user and CloudFlare, but not between CloudFlare and the server. Anyone who is on any hop between CloudFlare and the origin server can listen in, and you bet that probably includes your buddies the NSA/GCHQ.
The very annoying part of this is you’ve got absolutely no idea if a website you are connecting to is using this Flexible SSL, so you’ve got absolutely no way of trusting that padlock anymore.
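A visitor cannot see the second hop, but the site owner can, from the origin's side. The sketch below is an added example, not code from the original post: it assumes the `CF-Visitor` and `X-Forwarded-Proto` headers that CloudFlare adds to proxied requests, and the function names and sample requests are constructed for illustration.

```python
import json

def visitor_scheme(headers):
    """Scheme the visitor used to reach the proxy, per the headers the proxy adds."""
    h = {k.lower(): v for k, v in headers.items()}
    try:
        # CF-Visitor carries a small JSON object such as {"scheme":"https"}
        scheme = json.loads(h.get("cf-visitor", "")).get("scheme")
    except (ValueError, AttributeError):
        scheme = None
    if not scheme and h.get("x-forwarded-proto"):
        scheme = h["x-forwarded-proto"].split(",")[0]
    return scheme.strip().lower() if isinstance(scheme, str) else None

def classify(origin_tls, headers):
    """origin_tls: True if this request reached the origin over TLS."""
    scheme = visitor_scheme(headers)
    if scheme is None:
        return "direct"        # no proxy headers on the request
    if scheme != "https":
        return "plaintext"     # the visitor never saw a padlock
    # Visitor saw HTTPS; what matters is the proxy-to-origin hop.
    return "end-to-end" if origin_tls else "padlock-only"

def audit(requests):
    """Paths where the visitor saw HTTPS but the origin hop was unencrypted."""
    return sorted({r["path"] for r in requests
                   if classify(r["origin_tls"], r["headers"]) == "padlock-only"})

# Constructed sample requests, as an origin server would see them.
SAMPLE = [
    {"path": "/login", "origin_tls": False, "headers": {"CF-Visitor": '{"scheme":"https"}'}},
    {"path": "/login", "origin_tls": True, "headers": {"CF-Visitor": '{"scheme":"https"}'}},
    {"path": "/about", "origin_tls": False, "headers": {"X-Forwarded-Proto": "http"}},
    {"path": "/account", "origin_tls": False, "headers": {"X-Forwarded-Proto": "https"}},
    {"path": "/health", "origin_tls": False, "headers": {}},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

These headers are only meaningful on connections that really come from the proxy; anyone who can reach the origin directly can set them to any value.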
Hacking. If someone discovers your CloudFlare username and password, they can change the origin server to somewhere else. They could change the origin server to a reverse proxy server that logs everything and then passes it on to the real server. You as a user would see absolutely nothing. The site owner might not even figure it out, as it looks like everything is fine and well. Without CloudFlare, an attacker would at the very least have to get a new certificate issued, or hack the server and steal the private key. Now, they don’t have to.
What could CloudFlare do? There are a few things CloudFlare could do to make their Free SSL service not suck as much.
I would recommend getting rid of Flexible SSL, or at least adding a warning to users that their traffic could still be intercepted.
They could do more manual verification of new accounts, and domains that look suspicious should not be issued a certificate.
I’ll admit, there’s not much they can do about the hacking aspect, although I’d personally require users to use two-factor authentication to activate their SSL options.
It should be noted that I use SSL as it’s the industry-standard term. Nowadays, it mostly refers to the newer TLS technology.