JOINED year ago, Free, what did I get compared to free now?

A consultant put my sites on Cloudflare Aug. 2018. Mostly we did this for SSL, but also, little speed bump.

Was there a Pro plan back then?

I now see Pro is $20 month ( seems expensive) is this new?

Questions: Was I getting more for free then than the free program now?
I think I remember the CDN was free, and maybe few other things that are now on Pro? Or maybe I don’t remember/ paying attention.

I’m a commercial artist and my site is definitely not a personal site/ business.

Boy, I hate these bait and switch things, so hoping for good news here.

(Crashplan did that to users, well $5 to $10), but free to $20 is even more egregious.

IN short, what was the free plan last August when I singed up that is not free now. Thanks!

Are you saying you dont have a certificate on your server? If so your site is still as insecure as before I am afraid. Time for a new consultant :smile:

As for your question, there shouldnt be any difference. You should have the same features now as when you signed up.

2 Likes

Hi @ken4,

From last year to now, there was no change in the pricing of Cloudflare plans. It used to be the case, up to June 2016, that Pro Plans for additional websites would be charged $5, instead of $20, but for your first paid Pro Plan you’d have to pay the full, painful $20 per month.

Imgur

Since October 2018, all plans now have the powerful Firewall Rules, with 5 rules allowed in the Free Plan.

There were other changes in the paid plans (including Pro), as recently as last week, which you can check by browsing recent posts on https://blog.cloudflare.com.

2 Likes

Thanks guys, yes SSL is on all sites, that was the point.

Anyway, this is good to hear. Why do I somehow remember CDN, which speeds up sites was a great benefit, but seems like that is only on Pro?

You mean directly on your servers? If that is the case why was Cloudflare “mostly the reason for SSL”?

Back then there was no Let's Encrypt and choices for a free SSL were self-signed and CF.

1 Like

Lets Encrypt is online since 2015.

Yes and CF provided SSL years before Let's Encrypt so one of main reasons to use CF in old days was free SSL another was DDoS which still is.

The point is Cloudflare should not be used primarily for SSL. If there is no certificate on the server, the site is still as insecure as ever.

This is true now but having a SSL on your domain was a luxury option then and CF was the only way to get a free valid certificate. For your point servers used self-signed to secure connection but still used CF for a valid SSL.

Sorry, but again, Lets Encrypt has been available since 2015 and even before I would not agree that a paid certificate was something luxurious (basic ones already went for $10 a year).

Anyhow, I just would like to ensure that @ken4 is aware of the necessity to have a certificate on the server.

I found you surprised for someone using CF just for SSL and it was the case for many in old days. Even after 2015 many didn’t know about let’s encrypt for years and for SSL it was not just the price, but setting it up specially for small businesses using shared hosting.

1 Like

:wave: @ken4

Yes.

Not new. I guess expensive depends on your perspective.

No.

Bait and switch is almost as bad as someone wanting free art in exchange for exposure. In the last 10 months Cloudflare has rolled out a number of new features to free customers, added over 20 new PoPs and taken away nothing.

-OG

4 Likes

Thanks SAQ and Sandro for info; “necessity to have a certificate on the server.”.

Not even aware of this, All I cared about is SSL would shows up in the URL with the padlock etc… That seems to be what Google was requiring. This was mainly done for Google and SEO.

Over my head. I’m not in touch now with the consultant, who was a smart guy, and put a lot of work into this, and did a good job, but now has become a flake. The green padlock is on all web pages, so I’m happy, Google is happy with that , no?

Thanks Oliver, good points, did not know.

I looked at Let’s encrypt last August, again, it was way over my head how to install all that, so I hired him to do the 8 sites I have (one is a main, others are mostly now just forwarding), and there was a ton of complicated redirects etc. many old html pages, force redirect.he did a good job,-- I could have never done it, and and he suggested Cloudflare of which I had never heard of at that point. (Godaddy wanted $$ to do it) He did not mention anything being on the server or not. I think he just stated that Cloudflare is free SSL and great company. And Cloudflare rep wrote me that the certs just roll over every year, no need to renew.

That said, as small fry commercial artist, Do I really need certs on the server? (and then if that is needed who says the site is SSL?)… again, my apologies, I’m total non techie. (I don’t sell anything online)

It was a big panic at the time as it was said that Chrome was going to start a warning that sites are “not secure” to potential clients.

Oddly, I watch, MSNBC, and they still don’t have SSL even now, and they are a million dollar company with lots of enemies.

Yes, otherwise your site is still as insecure as before Cloudflare.

If your consultant seriously suggested to use Cloudflare to save him configuring a certificate, I am afraid I’d question his competence. Sorry for being blunt :slight_smile:

In short, if you want a secure site you need to configure SSL on your server too, otherwise simply disable SSL on Cloudflare and run the page on HTTP only. There is not much inbetween.

As it is now, your site is (presumably) still insecure and any data transmitted can be intercepted and tampered with by third parties.

If that’s how you feel, sandro, maybe you should direct that advice to Cloudflare.

Because what you’re saying is that the SSL “Full” and/or “Flexible” settings are “just as insecure” as “Off”. Only “Full (Strict)” will do. Right?

Which, BTW, I disagree with, as I’m sure many others, as certainly Cloudflare does (or they wouldn’t provide those options). Using proper SSL even at just the edge is useful, because it protects you against your ISP, which might be a coffee shop. Same as using an encrypted DNS resolver.

Also, you can use Cloudflare origin certificates which make the whole thing secure. And, I’ve argued this in the past, Cloudflare could usefully check CNAME’d origin certificates against the CNAME. That’s a feature request they never implemented, because origin certificates are technically better. But it’d cover a few cases (like Google Cloud Storage buckets as origins) securely. Also, these days, you can make some of those use cases secure simply by using Workers.

So, it’s really not as cut and dry as, if you’re not getting a valid certificate for your origin, your SSL setup is insecure. At a minimum it’s better than nothing, and it can be perfectly secure.

And you think that hasnt happened?

Precisely. Full is still a lot better but only Full strict offers proper security.

You can feel free to disagree, but I doubt many others (let alone people who are actually familiar with the subject) will do and Cloudflare made that decision solely for business reasons, in stark contrast to their usual approach to security.

The moment you compromise on security you already lost.

You’d be right, if you only want to protect against random third party wifi connections. In these cases Flexible would be better than plain HTTP, but that is not the point of HTTPS. The point of HTTPS is to provide a secure end-to-end tunnel between the user and the server. The fact that Cloudflare is decrypting on their side is already questionable, but that comes down to trust in Cloudflare and most of their services would not be possible if they only tunnelled.

I am sorry, it is as cut and dry and no, Flexible is never perfectly secure.

2 Likes

:wave: @nuno.cruces,

That depends. I would never enter my credit card number on a site that was only accessible via HTTP. However in flexible mode it appears that the site is using SSL and I have no way to know that the majority of my transaction transits the public internet in plain text. As much as I think in general the risks of Flexible are being overstated, the general premise is not incorrect and where ‘it matters’ Flexible is a shitty solution.

No, not even a little. Sure the traffic may be encrypted in the coffee shop, but you have no idea where that origin server sits or who has access to the bytes on the wire. If you’re running a food blog does it matter? Probably not.

It depends on the application/use. There are scenarios where “Full (Strict)” is absolutely the correct (and only) answer.

However the statement below is also incorrect in that it is overly broad and the impact of the less than optimal security configuration really depends (however the paragraph after that about the consultant is probably true enough).

-OG

I am afraid it is not. Flexible is sugarcoated HTTP. Either you have a secure page or you dont. Dont deceive your users.

Incidentally, that is something you cannot know on a domain on Cloudflare. I welcome everyone to vote at Header indicating encryption status of the origin connection :wink: