Flexible SSL, how secure is the backend if website is managed by Cloudflare also

My website hosting company (Yola) uses Cloudflare. They don’t allow me to install an SSL certificate on the website if I’m using a domain managed by someone else, therefore I am using Flexible SSL.

My query is related to the back end, from Cloudflare to the website, which is not TLS encrypted. If the website is also managed by Cloudflare, will this HTTP traffic stay internal to Cloudflare and be relatively protected, or will it flow ‘publicly’?

That is not good. In that case you should either switch back to your provider’s nameservers or change to a host which allows you to set up a secure site nonetheless.

Your site is essentially still insecure.

What do you mean by “managed by Cloudflare”? Apart from Workers, Cloudflare does not do any hosting, hence there always will be an origin connection, which in your case is not secure.

I was actually thinking that myself, it was Yola who said “managed by Cloudflare”. I suspect they use them for caching etc.

If I understand you correctly, there will be public HTTP traffic from where it leaves Cloudflare to the origin.

Precisely, that’s why your site is essentially still on HTTP and not encrypted.

The best advice in your case is to either fully move to your provider (so they issue the certificate) or to switch provider altogether.

Yola uses a single IP for all their hosted domains 184.72.229.176 and internally map their hosted websites to this IP.

I have a couple of follow up queries:

  1. If Yola were to install an SSL certificate on this IP, could I then change from Flexible to Full (because as far as Cloudflare is concerned it is seeing the origin)?

  2. Is there a way I can look at the hops (client to Cloudflare, Cloudflare to origin) and see what is HTTPS and what is HTTP?

  3. If Yola doesn’t install an SSL certificate on their gateway IP (184.72.229.176), am I correct that anyone snooping on traffic to and from this IP will see passwords etc. in clear text?

A certificate valid for your domain or any? In the first case you could switch to “Full strict”, in the second you could switch to “Full” but that does not make things much better as the site would be still vulnerable.

The hops are rather irrelevant. And as far as connections are concerned, the first leg will be what the browser shows and the second leg will be whatever you set.

I already addressed this in my first response. As long as you do not have a valid certificate which Cloudflare can verify (and that happens only on “Full strict”) your site is not secure. So, yes.
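
An added example, not part of the original thread: a way for a site owner to check which of the modes discussed above their own origin could support, by connecting to the origin IP directly with the site's hostname as SNI. The function name and return labels are assumptions for illustration, and the check uses the local system trust store, so it only recognises publicly trusted certificates.

```python
import socket
import ssl
import sys


def _handshake(origin_ip, hostname, port, timeout, ctx):
    # Connect to the origin IP directly but send the site's hostname as SNI,
    # so a shared-IP host can select the certificate for this domain.
    with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname):
            return True


def origin_tls_mode(origin_ip, hostname, port=443, timeout=5.0):
    """Return the strictest mode the origin could support:
    'Full strict', 'Full' or 'Flexible' (labels chosen for this example)."""
    strict = ssl.create_default_context()  # verifies chain and hostname
    try:
        _handshake(origin_ip, hostname, port, timeout, strict)
        return "Full strict"
    except ssl.SSLCertVerificationError:
        pass  # TLS is offered, but the certificate is not valid for hostname
    except OSError:
        # Refused, timed out, or the peer does not speak TLS
        # (ssl.SSLError is a subclass of OSError).
        return "Flexible"

    loose = ssl.create_default_context()
    loose.check_hostname = False
    loose.verify_mode = ssl.CERT_NONE  # accept any certificate, as "Full" does
    try:
        _handshake(origin_ip, hostname, port, timeout, loose)
        return "Full"
    except OSError:
        return "Flexible"


if __name__ == "__main__":
    # Usage: python check_origin.py <origin-ip> <hostname>
    print(origin_tls_mode(sys.argv[1], sys.argv[2]))
```

A result of "Flexible" means the Cloudflare-to-origin leg can only be plain HTTP; "Full" means it would be encrypted but against a certificate nobody can verify.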