Full encryption mode and expired SSL certificate

Question:

Can anyone explain to me the effects of an expired SSL certificate in Cloudflare’s Full encryption mode (not Strict) when connecting between the server and Cloudflare?

What is the current SSL/TLS setting?

Full (NOT strict)

Assuming you mean your origin certificate has expired, then this is insecure. As you are using “Full” and not “Full (strict)” Cloudflare doesn’t care that the certificate is invalid and so carries on with the connection, which is now at risk of being intercepted or diverted to anywhere that can present any SSL certificate even if not for your domain.

Your users are unaware that their data is at risk as nothing is flagged when they connect to your site through Cloudflare. If you weren’t using Cloudflare, the users would get a warning.

Update your origin certificate and use only “Full (strict)” or “Strict” SSL modes.


This is interesting. I’m gonna ask three dumb questions:

  • So the connection is not encrypted?
  • I use AWS; does it make that harder to intercept (if it’s not encrypted)?
  • Can you tell me more about the diversion attack so I can read about it and research it?

It is encrypted between the 2 ends, but the certificate from what is accepting the connection isn’t doing anything to prove that it is what it is expected to be, so the encryption is useless at that point.

If you weren’t using Cloudflare, your users would be warned about this. Hiding behind Cloudflare using “Full” is deceiving them about your connection security. It’s not about “harder”, it’s about being secure.


This is a very common type of attack, called a man-in-the-middle attack.

I’m not fooling anyone, and if I were I would not be asking.
So, in conclusion:

The connection is encrypted but anyone can claim to be my server and read everyone’s data… right?

Can you explain to me how someone might do this attack? How can someone intercept traffic between AWS and Cloudflare?

The data is end to end encrypted, but end to end encryption is useless if you don’t know who sits at the other end. That’s what certificates are for, they prove who is sitting at the other end.

Full mode on Cloudflare still encrypts the data, but by not verifying the certificate, it is just as secure as if it was not encrypted.

There are cables running between AWS and Cloudflare somewhere. Anyone with access to these cables can essentially intercept the traffic.
This might not be a job for your neighbourly hacker, but the lengths many governments go to to spy on their own and other people/businesses are well known.

The thing is, installing a valid certificate costs you nothing but a few minutes to set up, so the only reason for using Full mode can really be laziness.
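What the two answers above describe, as an added example that is not part of this thread and is not Cloudflare's own code: a small Go program stands up a TLS "origin" on loopback and connects to it the way "Full" does (encrypt, verify nothing) and the way "Full (strict)" does (check validity window, name and chain). The hostname origin.example, the self-signed certificates, the "impostor" certificate minted from a different key, and the trust pool holding the origin's own certificates are all constructed for the demo; the pool is an assumption standing in for the CAs Cloudflare actually trusts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert mints a self-signed certificate for host with the given validity window
// (constructed test material; a failure means crypto/rand is broken, so the demo panics).
func selfSignedCert(host string, notBefore, notAfter time.Time) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake plays "Cloudflare connecting to the origin" over loopback TCP: the server presents
// serverCert, the client applies clientCfg. A nil result means the client accepted whoever answered.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			srvDone <- err
			return
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		srvDone <- tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	err = tls.Client(raw, clientCfg).Handshake()
	<-srvDone // let the origin side finish (or fail) before tearing the sockets down
	return err
}

// runScenarios returns the client-side outcome of each certificate/policy combination.
func runScenarios() map[string]error {
	now := time.Now()
	expired := selfSignedCert("origin.example", now.AddDate(-1, 0, 0), now.Add(-24*time.Hour))
	renewed := selfSignedCert("origin.example", now.Add(-time.Hour), now.AddDate(1, 0, 0))
	// The impostor even claims the origin's name; it just cannot chain to anything trusted.
	attacker := selfSignedCert("origin.example", now.Add(-time.Hour), now.AddDate(1, 0, 0))
	// "Full": the channel is encrypted, but nothing about the far end is verified.
	full := &tls.Config{InsecureSkipVerify: true}
	// "Full (strict)": the certificate must be within its validity window, cover the expected
	// name and chain to a trusted root (this pool is an assumption standing in for real CAs).
	pool := x509.NewCertPool()
	pool.AddCert(expired.Leaf)
	pool.AddCert(renewed.Leaf)
	strict := &tls.Config{RootCAs: pool, ServerName: "origin.example"}
	return map[string]error{
		"expired+full":    handshake(expired, full),    // accepted: the situation in the thread
		"expired+strict":  handshake(expired, strict),  // rejected: certificate has expired
		"attacker+full":   handshake(attacker, full),   // accepted: anyone on the path is "the origin"
		"attacker+strict": handshake(attacker, strict), // rejected: unknown authority
		"renewed+strict":  handshake(renewed, strict),  // accepted: the fix
	}
}

func main() {
	for name, err := range runScenarios() {
		fmt.Printf("%-16s -> %v\n", name, err)
	}
}
```

Run it with go run and look at the two "full" rows: both come back with no error even though one certificate lapsed a day ago and the other was signed by a key the origin never owned. That is the whole point made above: the bytes on the wire are encrypted, but with verification switched off the encryption proves nothing about who is decrypting them. Only the strict client tells the renewed origin apart from the expired one and from the impostor.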

I promise I will change the current config, but I care that I know what I’m talking about. You mean to say, if someone was in between, they could pose as me since my certificate is expired and read, change or cut the data totally.

They could pose as you because Cloudflare is set to “Full” and will accept any certificate, even if it is expired, not for your domain, not trusted, self signed or otherwise.

Set your Cloudflare setting to “Full (strict)” and see what happens while your certificate is expired.

You mean: “even if it’s not expired”?
Also, I will not enable strict mode until I assign a certificate myself, since I assume the connection will not be enabled unless my certificate is not expired.