SSL options on the free package


#1

Hi all

I currently have an ecommerce website with Heart Internet. It uses their Simple SSL option - see https://www.heartinternet.uk/ssl-certificates

I’ve just transferred the domain to Cloudflare using Cloudflare’s free package. Do the free SSL options give the same security as Heart’s Simple SSL option? Are any of Cloudflare’s free SSL options suitable for an ecommerce website, or are they just OK for small basic websites?

Thanks


#2

Cloudflare’s Universal SSL uses (as far as I’ve so far seen) only EC (Elliptic Curve) certificates, which many consider more secure than RSA certificates (where the key lengths discussed are 256-bit EC vs. 2048-bit RSA). You can read more about that here: https://blog.cloudflare.com/why-are-some-keys-small/

Having said that, some very old clients (i.e. from 10 years ago… Windows XP, Android <= 4, and the like) haven’t heard of EC certificates, and likely never will; their only way to access sites secured with EC certificates is to use Mozilla Firefox, which does their crypto by themselves, not utilizing the OS’ ancient code. For all those people, your site will simply not load (it won’t be “not secure”, it will just fail).

Finally, on the CN of the certificate, your users will see Cloudflare’s domain, and not your hostname.

There is, however, a way around this: Dedicated Certificates in Cloudflare. If you buy that ($5/mo. assuming all your hostnames are only 1-level deep under the domain, e.g. www.domain.com, www2.domain.com, but not www.blog.domain.com) - on the free plan as well - you’ll get a set of 3 certificates: EC, RSA (modern) and RSA (ancient), in fact probably getting you more compatibility with really, really old clients (though less secure…). You’ll also see your domain in the CN of the certificate.

However, all the certificates, including the paid ones, still require your clients to have SNI support, because you’re not alone on your Cloudflare IP address. That excludes clients from … 2006, I think? and older. This limitation may also exist in Heart Internet’s implementation, I do not know. Not many hosts provide you with your unique IP for free…


#3

Thanks shimi.

I think I understand most of what you’re saying.

What should I use: Flexible, Strict, Strict (Full)? Which gives the same level of security for an ecommerce site as Heart’s Simple SSL?

Also - what’s SNI support? :wink:


#4

You should install an SSL certificate on your server (you can generate one in the Crypto tab of your Cloudflare dashboard) and set it to Full (Strict).

Also:

https://www.google.com/search?q=sni


#5

Thanks, I’m learning a lot here! :slight_smile:

I’ll explain what my current situation is and what it is I’m wanting to achieve:
I currently have a shared server with Heart. I register all my domains and SSLs with Heart. However, recently I heard about Cloudflare and have started adding sites and renewing domains with Cloudflare. I’m looking for a cheaper alternative to Heart’s SSLs, so handling these through Cloudflare seems the obvious thing to do.

So I’m looking for a (hopefully!) easy and (hopefully!) free way to add SSL/TLS to all my websites. How can I achieve this?

Heart Internet don’t support free or self-signed SSLs, so not sure if this scuppers my plans?

Many thanks


#6

Do they support you being able to upload / add your own custom certificates?


#7

Unfortunately not. :confused:


#8

Hi. Just picking this thread up again.
Because Heart don’t support/allow own custom certificates, I can’t use any of Cloudflare’s SSL options? (Flexible, Full etc…).
Also (and excuse my ignorance!) if I purchase an SSL on Heart for a domain, why would I then want to set up SSL with Cloudflare?
Thanks


#9

What do they support? Do they support HTTPS? If not I’d strongly suggest to find a better host.

Cloudflare is not supposed to be used primarily for SSL in the first place.


#10

Yes, Heart supports SSL certs - https://www.heartinternet.uk/ssl-certificates - but I’m looking for a cheaper alternative. (Heart doesn’t support Let’s Encrypt or free SSLs). I thought Cloudflare would be a cheaper alternative, but it doesn’t look like I’ll be able to get this to work.


#11

If a paid certificate is not an option I’d consider changing host. There are plenty of hosts who offer LE/custom certificates for free.


#12

Thanks. Yes - I’ve just been looking at some other hosting providers. Cloudflare has some recommended suppliers.

