Cloudflare SSL certificate not in use but all features work?

Is that possible? I’ve used Cloudflare on so many sites and every time I test using this checker: SSL Checker

It always displays this below, I’ve never once seen it display anything else.

I checked under Edge Certificates and you were right - it’s Let’s Encrypt. I check a handful of other sites we manage in the account and none of them mention a Certificate Authority.

It was the combined fact that Siteground use Let’s Encrypt and I’d never seen Cloudflare do so that led to me challenging it.

Solved!

1 Like

Thank you for this, that’s really useful to know! Just so I’m clear, why would anyone ever use Full?

The article addresses that

Ok thanks but why does it even exist if it’s of no use and you get the SSL warning? What scenarios are there where Full is suitable? Thanks again for the help :slight_smile:

Did you read the article?

Yes but I guess I’m unsure why Cloudflare would offer to ‘front sites and feign a valid HTTPS connection’. Why not jump from flexible straight to Full Strict. Perhaps if you could describe a real world use where Full is the best/only option for a website (and Full Strict would not work) then I would understand why they have it as an option. Thanks

It is not a good option, but people use it with a self-signed or expired certificate on the server. It should just be replaced by a valid one to use Full Strict and shouldn’t ever be the only option. For any site that needs HTTPS, it should be available from the origin with Full Strict.

Because it’s a nice marketing stunt and allows them to offer free SSL when there’s actually no encryption at all in the background, but the visitors will never find out about it.

It’s actually quite a security issue and millions of sites on Cloudflare use those settings without us having any idea which sites exactly are insecure but we do not need to expect a fix any time soon.

More sites are still on HTTP than we actually know.

In the real world, there are only two options: Off, and On. Anything else would throw a browser warning. Then you’ve got “black market” (flexible) and “grey market” (full/not strict). Where do you prefer to shop?

2 Likes

So it’s for users that have self signed or it could keep your website still using SSL in the browser (cosmetically) should your certificate expire. Ok understood, thank you :+1:

Should this happen, the certificate should simply be renewed, but unfortunately that is where it is used, yes.

1 Like

Self-signed or expired? Replace it with a Cloudflare origin cert.

https://developers.cloudflare.com/ssl/origin-configuration/origin-ca

3 Likes

Bluntly put, it’s for users who can’t be bothered to take the ten minutes and configure a proper certificate and don’t really care if they deceive their visitors or not.

Cloudflare opened a huge can of worms with these modes and undid a lot of what domain registries and browser vendors were trying to establish with SSL requirements.

1 Like

I’d be interested to hear someone from Cloudflare comment on this thread - a chance to offer some explanation and/or reasoning to the comments made.

What explanation or reasoning would you expect apart from what was mentioned already?

I’m just saying that perhaps someone who works at Cloudflare thinks differently about these comments. While not disregarding your helpful advice and points, it’s important to hear it from both sides :slight_smile:

That was my question, what other explanations or reasoning would you imagine?

The whole thing is to allow site owners to feign a secure site when they actually do not have a valid certificate nor encryption.

I am imagining they either agree with you, or they do not agree with you, on the points made that it’s a stunt and a bad feature to offer.

But that’s exactly my question :slight_smile: what explanation would you expect here?

Considering they offer this feature, have always offered it and show no signs of removing it, I expect they’d defend it. Which would be interesting to read, as well as your replies off the back of it!