New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
You should turn SSL into "Flexible" instead of "Full", the former one connect via:
Origin - (HTTP) - CF - (HTTPS) - Client
The latter one is:
Origin - (HTTPS) - CF - (HTTPS) - Client
Which will encrypt twice, slow down your website.
Contact page showing UK address.
I'm using it for several years now and it just worked like Cloudflare, had a free plan too.
I used StackPath when it was $10/mo for a single service, but I'm not using again since I discontinued the service using SP and they increased the price for new orders.
But otherwise, it's a great service.
Please don't do that unless 1) you don't serve customer information on your website or 2) you have an authentication back-end hosted on external domain. It's no difference by just sending your content over HTTP.
And it also tricks your customers to think your website is secure to send over sensitive informations. This is not what HTTPS is meant for.
OP,
let me make a (feeble) attempt to translate the above for you. And the below list is woefully incomplete, but a good starting point for taking a look Under the hood.
etc.
Indeed, too many variables to comment on the question as @jar mentions.
Cloudflare knows what data transferred by course, hackers can break into your website whether it use HTTPS or not, it's just a tunnel between server and receiver. Origin IP limitation can be used by both HTTP and HTTPS.
Using Full SSL between origin and Cloudflare can only prevent Provider or Government wiretap contents. However they can setup an intermediate SSL alternatively and make all your traffic transparent, it make no sense.
Unless you upload your origin SSL into Cloudflare and turn on side to side authentication, but I bet only a few people do it. Simply turn on Full SSL is practically the same as Flexible.
What makes you ensure MITM attacks between your server and CF will never happen? You're not hosting content on a local Cloudflare network, right?
For some reasons, It is not faster than Full SSL. I tested. Just use Full SSL. Cloudflare is not recommending it too. Some also experience issues (503,etc) when turning Flexible on.
As I said even you turn on full SSL there would be MITM attack either. These kind of attack happens on route server between origin and CF unless the owner use Full(Strict) then configure origin certificate (generate cert through CF then apply to origin server). But how many know / would do that? Most people just turn on "Full" SSL, even use a self-signed cert on origin. In this way it will not improve a little bit of security compare to flexible, slow down the speed on the other hand.
Optimize / configure issues. Btw if you forced https on origin the "flexible" method will be the same as "full".
As far as I know, it is not the exact same. Yes, someone could still do a MITM on Full mode (as there is no CA checking), but they'd have to put something in between that decrypts the traffic and re-encrypts it to read it instead of just logging all traffic and be done with it. Because HTTPS (even self signed) is still encrypted, while HTTP will be plain text.
And the attacker does not know if you are using full or full strict beforehand (as it's encrypted). So if they'd intercept it using their own certificate and you were using full strict, that would give "Could not verify TLS certificate" errors to your clients and expose that someone is doing a MITM on the network between Cloudflare and your server. That would be a pretty big risk to take for a network provider, government, etc. as they'd expose what they are doing there.
In a perfect world everyone would use Full (strict) + Client certificate checking. But recommending to use Flexible and saying its the same as Full is not true as far as I know.
The Flexible method will connect to port 80. If you force redirect it to HTTPS it will just cause an infinite loop as Cloudflare keeps connecting to port 80 and the server keeps redirecting you to 443.
I agree with what you said above, however in my mind security issue either "safe" or "not-safe", I prefer use Full (strict) + Client certificate checking in stringent specifications, otherwise the faster one. In my test "flexible" would improve about 20% respond speed then "full", so I used it in all my personal websites.
Perhaps I've got the wrong memory
There is a big difference between sending traffic in plain text, where anybody who watches it can see it clear as day aka Flexible mode.
Or when you use self-signed certificates, where everything is still encrypted. But an attacker can intercept it by doing a MITM (that is risky as they don't know if you are using strict mode and requires a lot more then just listening) aka Full mode.
Sending self-signed traffic over networks is not preferred, but is A LOT more secure then doing it in plain text. Anyone who you pass might capture it without much effort when sending data in plain text, while doing a MITM on a encrypted connection does require effort.
Recommending using Flexible mode as a measure to speed up things while saying that it is the same in terms of security on a public forum that others might read that do not understand what it means is not a good idea.
Security is not "safe" or "not-safe". Nothing is 100% secure. I see the three options as follows:
Flexible: Leaving the door wide open at night. Anyone who wants to take something? They can, anyone who wants to look? They can.
Full: The door is locked, anyone who has the skills (lockpicking or something) and is willing to take the risk can do it still
Full (strict): I'm in a bunker.
There are still ways to get through Full (strict). Like getting a CA to sign a valid certificate, it happened in the past - But only for very high value targets (like google.com) and after it happens that CA will pretty much seize to exist as nobody will trust them.
You can take security as far as you want. You can create a CAA record to specify what CA's may issue certificates. You can create DANE records to whitelist certificates. It's not "safe" or "not-safe". There are always ways to attack something.
Since there is an extra handshake when using HTTPS, it's obvious that Full SSL is slightly slower on TTFB. However, it doesn't make that much performance differences after that.
Also, since CF reuses SSL sessions, it doesn't really make that much differences unless you're website is accessed only like several times a day.
In practice, using Argo tiered cache along with Full (Strict) SSL has made the delay a non-issue.
for dynamic pages, Railgun is the answer. Here some LE providers have enabled Railgun with cloudflare. So it caches the rest part of your webpage, including header, footer, scripts, side-bar, navigation menus, etc, and just pings origin server to get dynamic updated content (in the background) so your pages are served from cloudflare + railgun cache server at your origin.