Compliance Management, Privacy

CloudFlare offers free SSL to its customers

Website performance and security company CloudFlare announced on Monday that it would be supporting SSL connections to every customer – that includes about two million who have signed up for its free service.

The undertaking is being called Universal SSL and is being rolled out to all CloudFlare customers throughout Monday, after which it will be activated within 24 hours for new customers who sign up for the free plan, according to a Monday post by Matthew Prince, CEO of CloudFlare.

CloudFlare has been supporting SSL for paid customers since the company launched four years ago, but Prince believes that users should not have to pay to be safe online, he told in a Monday email correspondence.

“Increasingly, the Internet is moving to an encrypted-by-default standard, with new protocols such as SPDY and HTTP/2 requiring an encrypted connection,” Prince said. “We think it's important to make sure even smaller sites don't get left behind.”

What can happen to websites that do not have SSL enabled? Ultimately, Prince said, anyone can intercept, throttle or modify content as it flows across the internet. He added that a lack of encryption causes many of the most troubling issues on the internet.

“Encryption, for instance, is ultimately the solution to network neutrality – if bytes are encrypted then an ISP can't tell one from another and change how they're delivered,” Prince said. “Encryption is also the solution for authoritarian regimes that try to censor certain content.”

Now, CloudFlare will automatically provision a SSL certificate on its network that accepts HTTPS connections for customer domains and subdomains, according to the post, which explains that the certificates include an entry for the root domain and a wildcard entry for all first-level subdomains.

Websites without any SSL previously will be defaulted to CloudFlare's Flexible SSL option. By securing the connection from the device browsing a site and CloudFlare's network, Flexible SSL solves 95 percent of risk associated with passing unencrypted traffic online, Prince said.

“What Flexible SSL doesn't stop is someone sitting deep inside the network and watching the traffic from CloudFlare's network back to a customer's origin server,” Prince said. “The biggest risk here is national governments engaged in some sort of spying activity.”

Prince recommended that customers install a certificate on their web server and choose either Full SSL mode or Strict SSL mode, which he said ensures encryption from the browser to CloudFlare and from CloudFlare to the origin server.

For free customers, Universal SSL support is limited to modern browsers, which is typically any browser that is less than six years old, according to the post. Legacy browsers will likely be met with an error, Prince said, explaining he hopes this will encourage users to update, and adding that updating would help clean up botnets and other malicious activity causing issues online.

According to the post, prior to launching Universal SSL, roughly two million sites active on the internet supported encrypted connections. A Google search, sourcing Netcraft, reveals that there are currently more than 644 million active websites on the internet. Prince said this is evidence that the previous state of the SSL industry was broken – and for two reasons: price and complexity.

“There is no marginal cost to issuing a new certificate so you would expect the price of basic certificates to fall to zero over time,” Prince said. “Unfortunately, there are very few ways today to get a free SSL certificate that is trusted by a wide range of browsers. Even if you have a certificate, the process of installing it is best described as Byzantine. Cryptography today fundamentally has a [user experience] problem. It's too hard to deploy and too easy to screw up.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.