Is my website vulnerable to a man-in-the-middle attack?

What is the name of the domain?

arbel.gr

What is the issue you’re encountering?

no issue (so far)

What are the steps to reproduce the issue?

To my understanding, when someone makes a request to my site the connection looks like this:

Client <--> Cloudflare <--> Web server (hosted on EC2)

Between the client and Cloudflare, I’m confident that the connection is strongly encrypted, but Cloudflare and the web server are speaking to one another using unencrypted HTTP 1.1 (since that’s the only protocol my server understands).

Is it safe to send sensitive data over this type of connection, or is there a risk of a man-in-the-middle attack where someone intercepts packets passing between Cloudflare and the web server?

Check your SSL/TLS setting is set to “Full (strict)” or “Strict” in your dashboard here…
https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls

Do not use “Flexible” or “Full”.

1 Like

That’s not going to be secure. Can you use a tunnel?

@sjr Well, doing that immediately triggered error 521 so I assume that I’ll have to implement TLS on the origin, right?

Correct.

1 Like

Hello

To ensure secure communication, it is crucial to implement HTTPS between Cloudflare and your web server. Without encryption, data sent between them could be intercepted, posing a potential security risk. By enabling SSL/TLS on your EC2 instance, you can establish end-to-end encryption, protecting sensitive data throughout the connection. This measure significantly reduces the risk of man-in-the-middle attacks.

Hello!
Are you able to install a TLS certificate on your server?

Nevertheless, if you could use Tunnel as @epic.network said, it would be even better.

1 Like
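A check of what the origin offers on port 443 before switching the zone to “Full (strict)”, given here as an added example that is not part of any post in this thread. The function names, the status labels and the local plaintext listener are assumptions of the example; `cafile` is a CA bundle you supply, otherwise the system trust store is used.

```python
import socket
import ssl
import threading


def check_origin_tls(ip, hostname, port=443, cafile=None, timeout=5.0):
    """Connect straight to the origin (bypassing the proxy) and classify the leg.

    Status labels are this example's own:
      unreachable    - nothing accepts TCP on the port (no TLS listener yet)
      no-tls         - port answers, but not with TLS (plaintext HTTP only)
      tls-unverified - encrypted, but the certificate does not validate
      tls-verified   - encrypted and certificate valid for `hostname`
    """
    # Verifying context: system trust store, or only the CA bundle in `cafile`.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except OSError as exc:
        return {"status": "unreachable", "detail": str(exc)}
    try:
        # SNI and the hostname check use the site name, not the origin IP.
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return {"status": "tls-verified", "detail": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        return {"status": "tls-unverified", "detail": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"status": "no-tls", "detail": str(exc)}
    finally:
        sock.close()


def start_plaintext_listener():
    """Constructed stand-in for an HTTP-only origin on 127.0.0.1; returns its port."""
    srv = socket.create_server(("127.0.0.1", 0))

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)  # swallow the TLS ClientHello
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_plaintext_listener()
    print(check_origin_tls("127.0.0.1", "origin.example", port=port))
```

Only `tls-verified` describes an origin leg that is both encrypted and authenticated; `tls-unverified` is encrypted but would accept any certificate presented in its place.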