October 7, 2014 at 16:02Cloudflare has enabled free SSL for all sites
This happened on September 29, but the news went unnoticed by Habr.
According to the company’s blog , “Yesterday, there were 2 million sites that support SSL on the Internet. Today we will double that number. ”
What is offered in brief: free wildcard certificates, SPDY support, the ability to encrypt traffic between cloudflare and your server as well. Interested, I ask for cat.
So, the new option from Cloudflare is called Universal SSL. It involves the issuance of a certificate that is valid for both the root domain and all subdomains of the first level. Certificates are issued by GlobalSign and Comodo.
(Let me remind you, if anyone is not aware that Cloudflare is one of the content delivery networks (CDNs), popular due to the availability of a free tariff plan).
From now on, 4 schemes of the website’s operation are offered to choose from: without encryption over the entire length of the request and 3 new options:
The first of them does not require any changes on the server side, while traffic is transmitted between the proxy servers and your resource in the clear.
The Full SSL option allows the use of any self-signed certificate, which is not much more reliable than the first scheme and protects traffic only from passive listening. Therefore, the third option is called as the recommended option, which requires the server to have a valid certificate from recognized CAs.
In the future, it is planned to use its own Cloudflare CA, which allows protecting the channel between the server and the proxy (in this case, Cloudflare CA certificates will not be recognized in browsers, the scheme is planned solely for official purposes). In addition, in the future it is planned to introduce certificate pinning support.
With all the above advantages, Universal SSL technology has several differences from using SSL on Cloudflare paid plans. This simultaneously allows the company to maintain its business model and solve a number of restrictions related to the mass of SSL-solutions and the corresponding increase in the load on proxy servers:
Using ECDSA creates a significantly lower load on the server than the use of "traditional" RSA algorithms. SNI technology, in turn, allows you to host more than 2 million network-managed sites on a limited number of Cloudflare IP addresses. In this case, the host name is transferred as part of the TLS negotiation (and not after the establishment of a closed channel, as in the traditional scheme requiring a dedicated IP or port), which allows the proxy server to immediately select the desired certificate and establish a connection with the required resource.
Unfortunately, these technologies are not supported by a number of older operating systems and browsers. Among them, IE / WinXP (including earlier OSs) and Android up to Ice Cream Sandwich have the strongest positions. If you need to support the largest possible number of devices / operating systems, it is proposed to use paid tariffs, which include more complete cipher suite's (which is logical, you need to pay for the additional load on the server).
A complete list of supported clients for Universal SSL is as follows:
However, any version of Internet Explorer on Windows XP does not support SNI.
Read more: cloudflare blog , origin security
Despite the above disadvantages, the technology looks quite interesting (considering the cost). Many sites that have not yet used HTTPS have the opportunity to fix this “omission” :) What do you think?
UPD: In the user's browser, server certificates look like this:
According to the company’s blog , “Yesterday, there were 2 million sites that support SSL on the Internet. Today we will double that number. ”
What is offered in brief: free wildcard certificates, SPDY support, the ability to encrypt traffic between cloudflare and your server as well. Interested, I ask for cat.
So, the new option from Cloudflare is called Universal SSL. It involves the issuance of a certificate that is valid for both the root domain and all subdomains of the first level. Certificates are issued by GlobalSign and Comodo.
(Let me remind you, if anyone is not aware that Cloudflare is one of the content delivery networks (CDNs), popular due to the availability of a free tariff plan).
From now on, 4 schemes of the website’s operation are offered to choose from: without encryption over the entire length of the request and 3 new options:
The first of them does not require any changes on the server side, while traffic is transmitted between the proxy servers and your resource in the clear.
The Full SSL option allows the use of any self-signed certificate, which is not much more reliable than the first scheme and protects traffic only from passive listening. Therefore, the third option is called as the recommended option, which requires the server to have a valid certificate from recognized CAs.
In the future, it is planned to use its own Cloudflare CA, which allows protecting the channel between the server and the proxy (in this case, Cloudflare CA certificates will not be recognized in browsers, the scheme is planned solely for official purposes). In addition, in the future it is planned to introduce certificate pinning support.
With all the above advantages, Universal SSL technology has several differences from using SSL on Cloudflare paid plans. This simultaneously allows the company to maintain its business model and solve a number of restrictions related to the mass of SSL-solutions and the corresponding increase in the load on proxy servers:
- Only ECDSA cipher suite supported
- using SNI ( Server Name Indication )
Using ECDSA creates a significantly lower load on the server than the use of "traditional" RSA algorithms. SNI technology, in turn, allows you to host more than 2 million network-managed sites on a limited number of Cloudflare IP addresses. In this case, the host name is transferred as part of the TLS negotiation (and not after the establishment of a closed channel, as in the traditional scheme requiring a dedicated IP or port), which allows the proxy server to immediately select the desired certificate and establish a connection with the required resource.
Unfortunately, these technologies are not supported by a number of older operating systems and browsers. Among them, IE / WinXP (including earlier OSs) and Android up to Ice Cream Sandwich have the strongest positions. If you need to support the largest possible number of devices / operating systems, it is proposed to use paid tariffs, which include more complete cipher suite's (which is logical, you need to pay for the additional load on the server).
A complete list of supported clients for Universal SSL is as follows:
Desktop browsers
- Internet Explorer 7 and later
- Firefox 2
- Opera 8 with TLS 1.1 enabled
- Google Chrome:
- Windows XP: Chrome 6 and Beyond
- Vista and Beyond - Full Support
- OS X starting with 10.5.7: Chrome 5.0.342.0 and later
- Safari 2.1 and later (starting with OS X 10.5.6 or Windows Vista).
However, any version of Internet Explorer on Windows XP does not support SNI.
Mobile browsers
- Mobile Safari for iOS 4.0+
- Android 3.0 (Honeycomb) +
- Windows Phone 7+
Read more: cloudflare blog , origin security
Despite the above disadvantages, the technology looks quite interesting (considering the cost). Many sites that have not yet used HTTPS have the opportunity to fix this “omission” :) What do you think?
UPD: In the user's browser, server certificates look like this:
Only registered users can participate in the survey. Please come in.
Do you have HTTPS on your site?
- 17.3% no, and I'm not going to introduce 165
- 21.6% no, but I plan on the traditional option 206
- 16.1% no, but I will use Universal SSL 154
- 11.2% is, I will now switch to Universal SSL in order to save 107
- 33.6% is, I will not change anything 321