Detecting non-strict SSL setups

dash-crypto
#1

Hello,

I’m concerned about the security of websites using free Cloudflare SSL certificates.
While I think it’s amazing that Cloudflare offers the ability to secure any websites using SSL even when the host is incapable of offering SSL, as a visitor I feel deceived when a website doesn’t let me know that the website is being transported insecurely. Now I understand that Cloudflare needs to have the content decrypted regardless but when I connect to my website (that has HSTS and Full (Strict) setup) I’d like to be able to verify that that connection was indeed securely encrypted from my client all the way to the server and that no malicious actor intercepted it at any point (other than by hacking Cloudflare itself).
Is there, for example, an HTTP header or field in the certificate that can tell me: Hey, this SSL connection uses the Flexible / Full method or some other way I can verify that my connection is fully encrypted?

Thanks in advance for your reply,

Kind regards,
Alice

2 Likes
#2

Please join me 🙂

Honestly, I am not too amazed 🙂

Yep

3 Likes
#3

Hi @AliceDTRH,

Some of us on the community definitely agree with this, you can see this request from @sandro:

And also this tutorial from me on the subject:

Edit:
@sandro got there before me!

3 Likes
#4

I am actually a strong proponent of Cloudflare phasing out Flexible altogether.

1 Like
#5

And I tend to take the approach of

make the customer completely aware of what they are agreeing to when they select Flexible, keep reminding them that they should install a cert on their server and definitely have a header so visitors can check or make them aware some other way

1 Like
#6

I personally don’t think Full without strict is much better than Flexible but I believe it’s still better than no encryption at all.
But it is very important for me that visitors have a way to find out whether the connection was fully encrypted (and whether there is a valid certificate) from Cloudflare to the server so we can choose not to enter sensitive information on sites like that. Even for my own websites, it makes me feel uncomfortable as it kind of makes HSTS meaningless because if my account got hacked, someone could just turn it to Flexible or Full and temporarily do a man-in-the-middle attack and I would literally have no way of knowing it ever happened. Obviously, I use 2-factor authentication but still…

1 Like
#7

Agreed, simple Full still has attack vectors but it still is better than what Flexible does to the connection. Simple Full requires at least an active attack, whereas Flexible is literally breaking encryption and an attacker doesn’t need to do anything other than listening to the wire.

Yes!

1 Like
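Added example, not part of any post in this thread and not Cloudflare's code: an owner-side check that polls a zone's `ssl` setting and flags any drop below a Full (Strict) baseline, annotated with the passive/active distinction drawn in #7. The function names, the hourly polls and the sample responses are constructed; it assumes the settings API response carries `result.value` and `result.modified_on`, and that `modified_on` changes whenever the setting is edited.

```python
import json

# Zone "ssl" setting values mapped to (rank, exposure of the Cloudflare-to-origin hop).
EXPOSURE = {
    "off": (0, "no TLS on either hop"),
    "flexible": (1, "origin hop is plaintext: passive listening suffices"),
    "full": (2, "origin hop encrypted, certificate unchecked: active MITM possible"),
    "strict": (3, "origin hop encrypted and origin certificate validated"),
}

def parse_ssl_setting(body):
    """Return (mode, modified_on) from a zone 'ssl' setting API response body."""
    doc = json.loads(body)
    result = doc.get("result") or {}
    if not doc.get("success") or result.get("id") != "ssl":
        raise ValueError("not a successful ssl setting response")
    return result.get("value"), result.get("modified_on")

def find_downgrades(snapshots, baseline="strict"):
    """Alert on every poll weaker than baseline, and on a changed modified_on
    while at baseline (assumed trace of a downgrade reverted between polls)."""
    alerts, last_modified = [], None
    for polled_at, body in snapshots:
        mode, modified_on = parse_ssl_setting(body)
        rank, note = EXPOSURE.get(mode, (-1, "unrecognised mode, treat as unsafe"))
        if rank < EXPOSURE[baseline][0]:
            alerts.append((polled_at, "downgrade", mode, note))
        elif last_modified is not None and modified_on != last_modified:
            alerts.append((polled_at, "changed-between-polls", mode, modified_on))
        last_modified = modified_on
    return alerts

def _resp(value, modified_on):
    # Constructed response body in the assumed shape of the zone settings API.
    return json.dumps({"success": True, "errors": [], "messages": [],
                       "result": {"id": "ssl", "value": value,
                                  "editable": True, "modified_on": modified_on}})

# Constructed poll history: strict, silently set to flexible, then reverted.
SAMPLE = [
    ("2024-01-01T00:00Z", _resp("strict", "2023-06-01T10:00:00Z")),
    ("2024-01-01T01:00Z", _resp("flexible", "2024-01-01T00:40:00Z")),
    ("2024-01-01T02:00Z", _resp("strict", "2024-01-01T01:30:00Z")),
    ("2024-01-01T03:00Z", _resp("strict", "2024-01-01T01:30:00Z")),
]

if __name__ == "__main__":
    for alert in find_downgrades(SAMPLE):
        print(alert)
```

This only helps the zone owner; it gives a visitor nothing to check, which is the gap the thread is about.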
#8

Fair point.

Thank you all for discussing this issue with me. I hope Cloudflare decides to do something about this soon. 🙂

#9

“do” possibly, “soon” probably not so much.

I have been pushing this subject for a while now, but things are moving slowly 🙂

I would already consider it a first victory if we actually got that header. Phasing out Flexible, let alone removing it, is probably asking too much at this point.
