Discussing Flexible

They seem to charge $25/yr. for that: https://www.arvixe.com/linux_web_hosting - I would be reluctant too to pay for something that has a true value of $0/yr.

I wouldnt say a certificate has a value of $0, but that might be a subjective impression. But if one is not willing to pay that the logical consequence has to be to change host.

…or… to put Cloudflare in front of you. I know it won’t make it truly secure. But if the purpose is Google’s SEO algorithm… I can understand people doing it.

I’ll try it thanks so much!

I am afraid that is not an option. Either you have a secure site or you dont. If you want HTTPS, install a certificate. If you dont, switch to “Off” and dont bother about SSL.

Cloudflare thinks different than you. Hence the “Flexible” option they’ve bothered to develop and let people to use, up to this second.

So this IS an option. It’s not secure, but it’s an option. Telling people otherwise is… I don’t want to use a strong word.

1 Like

Yeah, that has been discussed way too many times and it doesnt need addressing yet one more time.

Flexible is insecure, deceiving to users, should never be picked, and no, it is not an option.

You really need to look up the word “option” in the dictionary, as you’ve obviously got it wrong.

Just because Cloudflare is offering an improper feature doesnt make it a viable option. Flexible is not such a viable option and I would like to invite you not to make such suggestions to people who are not all that familiar with the subject at hand, as that puts their site’s and their visitor’s security at risk. Thank you.

Because plain HTTP from their possibly-country-MITMed-ISP is more secure than at least transit until some Tier-1 network?

Deceiving to the users, yes. Less secure than plain HTTP which you’re advocating? Probably not.

Again, that has been discussed way too many times, please use the search. My previous appeal still stands.

Also, slightly unrelated, I am not sure how much @stephdedman appreciates that you posted her origin’s IP address here publicly. You might want to edit that.

I don’t need to use the search, I’ve been explaining this to people myself. Still, it’s their option.

People not using the search very often is the reason for many problems here :wink:

Anyhow, Flexible is an insecure mode that should never be selected. We can leave it at that I presume.

People who don’t know and don’t use the search. Thankfully, networking and security is my bread and butter. And I feel the same as you about Flexible. Further, I think web hosts that don’t give free TLS certs should go out of business by popular demand. However, I don’t think it’s less secure than staying with HTTP. Users should not use the same passwords on multiple sites. If they do, it’s really their problem. Barring that, the only person who can actually be damaged by not going full-strict is the site owner: The site owner still owns the site, and could make all data sent to it by user - public - at will. TLS is not replacement for trustworthiness IMHO.

We can leave it at that I presume.

This has been split off, as this is blatantly off topic in regard to the original topic at this point.

SSL is purely about the transport, has nothing to do with what the site owner can do or access. Flexible essentially transfers the data eventually without encryption, rendering any possibly applied SSL pointless.

But, dont get me wrong, that has been addressed way too many times, there is even a dedicated support tutorial on that which explicitly states one should not use Flexible, and I have now actually written way more than I intended to.

Yes, we can leave it at that.

Technically, it says, and I quote:

Source: https://support.cloudflare.com/hc/en-us/articles/200170416-End-to-end-HTTPS-with-Cloudflare-Part-3-SSL-options#h_4e0d1a7c-eb71-4204-9e22-9d3ef9ef7fef

Which is… pretty much exactly what I’ve been saying.

That is not the article I was referring to. I was referring to #Tutorials.

But again, I think we can leave it at that there is not much new we are going to say.

With that I agree. As long as future visitors can see that there’s more than one opinion in the world.

There are plenty of opinions out there. Many right, many wrong.

True. And yours isn’t necessarily what you believe it is.

For example, as mentioned before, the company under whose auspices we’re writing these words, did make the option available. Thankfully they understand how it is to be in countries where the Internet is censored, which you obviously don’t.