There’s always an alternative. Bottom line is, your current choice refuses to provide you with a secure solution. If you do not change provider you’ll have an insecure site. I am afraid that’s it. @domjh already elaborated on the technical details.
I can’t really add more than what @domjh said. It’s a really good reply. Just change provider, immediately.
Don’t do what they are saying, and they should really be ashamed of asking for credentials. That’s a very big no-no.
It’s a really terrible thought that they have other customers doing anything, especially regarding payments, with that set-up.
Considering they are around here, maybe @pabbly can elaborate why they keep their customers on broken encryption and what they plan to address that.
Ok, thank you for the perfect explanation @domjh.
It’s really helpful.
Now I’ve given them another Cloudflare account with an unused domain connected, so they cannot use the we-must-have-access-to-your-Cloudflare-account reason to escape from this situation.
With this, I hope they can get some time to solve this problem,
or… maybe there is someone in this forum who can help them do that?
It’s really weird, the way they solve my problem. Even a non-tech-savvy guy like me understands they are doing nothing to solve this problem.
I think maybe the technical guy who understands SSL on their side already left the company or something, so they don’t have a capable person to solve this.
It could be an opportunity for you guys to offer them services?
This is still a very bad idea.
They don’t want to solve the issue. They want to run with their non-secure setup as it’s cheaper to maintain. Relatively, as it costs little to nothing regardless, but it has some configuration to create it.
I understand you gave them a dummy account but generally speaking I can only emphasise what @domjh and @matteo already wrote, to never ever hand out your access credentials to anyone. Not only on Cloudflare, everywhere and to no one.
That being said, I highly doubt they will configure a secure environment for you, even now that you gave them your data.
Once they are “done”, check your encryption mode. If it is not “Full Strict”, you’ll still be on an insecure setup.
Hope they give me a new update; if they can’t do that, I will try to offer them help from an expert. I’ll let you know once they give me an update.
Hello! Finally I got an update from Pabbly and here is the SSL they’ve configured.
Here is the SSL they succeeded in configuring for me after requesting the credentials.
I’m not sure whether this SSL is safe or not.
Could anyone check for me? I don’t quite understand why they can do it for this domain, but for my other domain si.co.id they can’t.
Thanks for the help.
Hi again @j3project,
The way to check this is to log into the account with that domain, go to SSL/TLS → Edge Certificates and see what mode it is set to.
Unless it’s Full (Strict) then it’s not fully secure.
It should look like this:
Not secure, and especially bad for a payment provider. Cloudflare is not validating the server certificate, so you would be vulnerable to an attack there as any certificate would be accepted, whether it’s for your domain or not.
Pabbly needs to get their SSL setup sorted properly instead of getting Cloudflare to mask their lack of a certificate for your domain.
Precisely what I said earlier.
And it’s precisely what we have been mentioning for the past few days so far and what @domjh and @matteo already addressed. Your provider is unable to provide a secure environment and wants to hide that behind Cloudflare.
Ok, thanks for your help and advice guys. Glad I found this community. Hope I can find a better alternative solution in the future; hope someone can give me suggestions regarding subscription tools and payment gateways in the future.
So you are staying with your current provider and its insecure mode?
Yes, I’ve no choice right now. I’m figuring out an alternative solution.
Finding a payment gateway service that can be integrated with local payment services in Indonesia, and offers an LTD with an affiliate module included, is not quite easy. But now I’m still doing research and looking for alternatives.
By the way, could you give me some examples of what bad things can happen to me using their unsecured setup?
I want to know some worst possibilities
Attackers can perform a MITM attack on the connection between Cloudflare and the origin server, which can cause leakage of data such as credit card numbers, usernames and passwords.
@erictung already mentioned the main part. Essentially what I already described at the link I posted.
Would you continue loading a site if you get a certificate warning? That’s the setup you currently have.
Cloudflare does not validate the certificate and will accept any it is presented with. Anyone who has access to the line to your server will be able to present their own certificate (which Cloudflare will gladly accept) and intercept and record your traffic along with all payment related data.
Your transport encryption is now essentially as good as any random self-signed certificate and has the same level of “security”.
Apologies for putting it in such a blunt fashion, but your encryption is basically worthless at this point. You have some “encryption” but that could be “encrypted” by anyone and you won’t even notice.
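As an added illustration of the point made in the last two replies and of the mode check described earlier (this is example code, not from the thread, Cloudflare or Pabbly), the Go program below stands up a local TLS origin that presents a self-signed certificate and connects to it three ways: as a "Full"-style client that never validates the certificate, as a "Full (Strict)"-style client that validates against the trust store, and as a client that explicitly trusts the origin's own CA. The origin server, the handler and the policy names are constructed for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fetch makes one HTTPS request under the given client TLS policy and
// returns the connection error, if any.
func fetch(url string, cfg *tls.Config) error {
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// Probe starts a local TLS "origin" presenting httptest's built-in self-signed
// certificate (constructed for this example: it stands in for an origin cert
// that would not validate) and connects to it under three client policies:
//   full   - encrypted, but the certificate is never checked (any cert works)
//   strict - certificate must chain to a trusted CA and match the host name
//   pinned - strict, with the origin's own CA added to the client trust store
func Probe() map[string]bool {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "origin ok")
	}))
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	policies := map[string]*tls.Config{
		"full":   {InsecureSkipVerify: true},
		"strict": {},
		"pinned": {RootCAs: pool},
	}
	out := map[string]bool{}
	for name, cfg := range policies {
		out[name] = fetch(srv.URL, cfg) == nil
	}
	return out
}

func main() {
	for name, ok := range Probe() {
		fmt.Printf("%-6s accepted=%v\n", name, ok)
	}
}
```

Only the "full" policy accepts the untrusted certificate, which is exactly why an edge configured that way cannot tell the real origin from anything else on the path; "strict" rejects it, and "pinned" passes only because the origin's CA was explicitly trusted.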