Before I finish the cutover process and change nameservers to Cloudflare, are there any potential gotchas in store? GoDaddy recommends that we use their nameservers (of course, they would).
For context, we’ve begun having TLS problems with Chrome (as anticipated) on our website and were advised by our service to use a CDN, Cloudflare recommended. I’ve paid and configured Cloudflare and only need to switch GoDaddy config to the new Cloudflare nameserver records.
I have limited expertise in these areas, and I just want to make sure I’m not opening us up to any problems with an otherwise stable business environment. GoDaddy is our domain registrar and has been providing DNS. We use MS 365 GCC for mail and a separate web host. The change is needed only to fix Chrome access, though we may accrue other advantages.
I’ve searched for help in this community but haven’t found a good match.
The fundamental issue is that our site doesn’t work with Chrome, which shows an SSL Protocol Error. It’s fine with other browsers. This began after the latest Chrome update. The message from our web service provider is:
"We are proactively addressing issues arising from the recent Chrome Browser update released today, October 3, 2023. The new Chrome ver. 117 requires a higher level of Transport Layer Security (TLS) than some of our servers currently support, moving from 1.2 to 1.3. Any visitor using Chrome with the latest update will receive a message that it could not establish a secure connection with the website. All other visitors using any other browser at this time will not receive this connection error.
We have previously recommended to our longstanding clients the shift to adding a Content Delivery Network (CDN) to enhance security, performance and load times of their website. Cloudflare, in particular, stands out as a top-tier choice that’s straightforward to integrate for hosting on their network. An added benefit is the automation of the SSL renewal process with Cloudflare, eliminating the need for you to bear the annual renewal cost and installation costs."
The reason your site is not working any longer with Chrome is that they dropped support for some older SHA1 server signatures since v117. Looking at a scan of your server (https://www.ssllabs.com/ssltest/analyze.html?d=www.summittech.us) it seems like the server is using SHA256 (which is SHA2) but for some reason Chrome doesn’t work with it anyway. The only possibility to see the site in Chrome was to switch chrome://flags/#use-sha1-server-handshakes to enabled.
In that regard the explanation you got from your supporter isn’t entirely correct, since Chrome didn’t drop support for TLS1.2 as Laudian pointed out. We can also rule out an ECH problem as your server doesn’t support TLS1.3 and TLS1.2 doesn’t support ECH at all.
So yeah, if GoDaddy can’t help you make those changes on the server, using Cloudflare as a workaround or switching hosters entirely is a valid option.
But apart from that, this must be one of the least secure webservers I’ve ever seen. Not only do they still support TLSv1.1 and TLSv1.0, but even SSLv3???
@kenstewart, if you look at the reports we both linked, you can see that your server is quite vulnerable - the report @moritz2 linked has it vulnerable to an attack that was found 7 years ago. GoDaddy just doesn’t give a ■■■■ about security and instead recommends that you mask their problems by putting Cloudflare in front of your site, which is just absolutely ridiculous.
I can only recommend you find yourself a new hosting provider. Chrome has disabled this antique behaviour for a very good reason, and others will certainly follow in time.
One point I should clear up, we’re not using GoDaddy for any web services, which we get as part of a bundle from a small local company. They sub the webhosting to another provider. We’ll definitely be looking at a new source.
Our immediate aim in engaging Cloudflare, though, is to get a quick fix while we look at alternatives.
Wow, that’s a really nice website tester! I’ll bookmark that one. Thanks for making me aware…
And yeah, it makes sense that it’s indeed the signature of the key exchange. I misinterpreted that one but the report clears it up…
@kenstewart Yeah, putting Cloudflare in front is a good band-aid. Traffic between Cloudflare servers and your origin will still be susceptible to the found vulnerabilities but it will be a lot harder for a malicious actor to exploit them. And traffic between Cloudflare and your visitors will be a lot more secure.
Best of luck in your endeavours
–edit-- can’t include links, not even when quoting other posts…
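A quick origin check that follows from moritz2's SHA-1 explanation and from the last reply's point that the origin stays exposed behind Cloudflare. It is an added example, not code from the thread, from Cloudflare or from any hosting provider: it records which protocol versions a server still accepts and whether a TLS 1.2 handshake completes when the client withholds SHA-1 handshake signatures, which is what Chrome 117 does. It assumes Python 3.10+ linked against OpenSSL 3.x (where security level 1, the default, withholds SHA-1 signature algorithms and `@SECLEVEL=0` re-enables them and the legacy versions); `probe`, `assess` and the host name `origin.example` are the example's own placeholders.

```python
import socket
import ssl
import warnings

LEGACY = ("SSLv3", "TLSv1", "TLSv1_1")  # the "antique" versions; a hardened origin refuses all three

def _handshake(host, port, version, seclevel):
    """One handshake pinned to `version`; returns 'ok', 'refused' or 'unsupported'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing protocol support, not validating the certificate
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)  # Python deprecates TLS 1.0/1.1
            ctx.minimum_version = ctx.maximum_version = version
        # OpenSSL 3.x: SECLEVEL=0 offers legacy versions and SHA-1 signatures; SECLEVEL=1 (default) does not
        ctx.set_ciphers(f"DEFAULT:@SECLEVEL={seclevel}")
    except (ValueError, ssl.SSLError):
        return "unsupported"  # the local OpenSSL build cannot offer this version (normal for SSLv3)
    try:
        with socket.create_connection((host, port), timeout=5) as sock, \
                ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except (ssl.SSLError, OSError):
        return "refused"

def probe(host, port=443):
    """Handshake result per protocol, plus TLS 1.2 with SHA-1 signatures withheld (Chrome 117 behaviour)."""
    results = {name: _handshake(host, port, getattr(ssl.TLSVersion, name), 0)
               for name in LEGACY + ("TLSv1_2", "TLSv1_3")}
    # Assumption: only OpenSSL 3.x withholds SHA-1 signature algorithms at security level 1
    results["TLSv1_2_no_sha1"] = (_handshake(host, port, ssl.TLSVersion.TLSv1_2, 1)
                                  if ssl.OPENSSL_VERSION_INFO >= (3, 0) else "unsupported")
    return results

def assess(results):
    """Turn probe results into findings that can be quoted to the hosting provider."""
    findings = []
    legacy = [v for v in LEGACY if results.get(v) == "ok"]
    if legacy:
        findings.append("legacy protocols accepted: " + ", ".join(legacy))
    if results.get("TLSv1_2") == "ok" and results.get("TLSv1_2_no_sha1") == "refused":
        findings.append("TLS 1.2 only completes with SHA-1 handshake signatures (Chrome 117+ fails)")
    if results.get("TLSv1_3") != "ok":
        findings.append("TLS 1.3 not offered")
    return findings

if __name__ == "__main__":
    print("\n".join(assess(probe("origin.example")) or ["no findings"]))  # placeholder host name
```

Run it against your own origin's hostname or IP (port 443), not the Cloudflare-proxied name, since the proxied name only shows Cloudflare's edge configuration.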