Full SSL vs Flexible SSL - any speed advantage?


#1

I am currently using Flexible SSL for an information-only WordPress website. My hosting provider recently has added AutoSSL capability. Both use SNI. I am wondering if there is a speed advantage to using Full SSL/AutoSSL or Flexible SSL.


#2

There would be a very slight performance hit as Cloudflare processes the SSL connection to your server. I think it’s totally worth it to have that fully encrypted connection all the way to your server.

There’s also a small chance that by enabling SSL on your server, it may enable HTTP/2 which would more than make up for the difference. However, I don’t know if Cloudflare uses HTTP/2 when hitting an HTTP/2-capable server.


#3

If you want to pick nits, it would nearly double the time taken by SSL processing. Right now you have CF encrypting and browser decrypting, and contemplating adding server encrypting and CF decrypting. I can only assume CF can do more than one thing at a time, so maybe not really doubling the time.
But we’re nearly in 2018… I don’t think users will perceive a performance hit.


#4

I didn’t think that CF would do any SSL processing, and just pass encrypted data back and forth between server and browser. Is that not the case?


#5

Definitely not the case. CF has to decrypt the content from the web server, optimize/secure the content, re-encrypt, then finally send to the browser. It’s a completely separate SSL operation.


#6

That makes sense. Thanks for the explanation. I guess the only speed advantage might be if HTTP/2 would be used between my server and CF.


#7

You’ll have to check with your host if they support http/2 or spdy.
Full SSL is ‘the right thing’ to do. Don’t deceive your viewers.


#8

Cloudflare doesn’t do http/2 between our edge and the origin. Technically the connection might be incrementally slower but we do have SSL session reuse and 0RTT to minimize that.

In general we recommend not using flexible whenever possible. For the customers I work with none of them use flexible even for sites w/o sensitive data. They use SSL all the time, every time for consistency and overall security.