Don’t have another for now
I completely agree. Their screenshot guide does reference an older version of the Cloudflare dashboard, but how the products work has not fundamentally changed. Purchasing a new domain won’t help in this case, nor does the domain need to be transferred to Cloudflare.
Based on the messages I have seen, I would have to agree.
Let me try to explain this, please just ask if you want me to clarify something.
Cloudflare is a proxy service; this means that if you use Cloudflare, they sit between your customers and your website. If I visit a website using Cloudflare, I will connect to Cloudflare and then Cloudflare will connect on to your website and pass the data back to me.
For HTTPS to work on a site, an SSL/TLS certificate is required. This essentially authenticates your website and is really important. Because of the way Cloudflare works, two SSL/TLS certificates are needed. As I mentioned earlier, there are two parts to the connection and a certificate is needed for each. One to secure the connection between the customer and Cloudflare (That’s the Cloudflare certificate) and one to secure the connection between Cloudflare and your server (That’s the server/origin certificate).
That’s represented by the two green lock icons here:
The way certificates work is that they are tied to a particular domain/hostname. This means that if I visit example.com, the certificate needs to be issued to example.com, otherwise it is invalid. If the certificate was issued to provider.com instead, the certificate would be invalid and the connection would not be secure.
The way Pabbly is trying to get you to set this up would theoretically work, however it is not secure. This is because the certificate they present is for
This is the certificate they present:
Going back to the diagram I showed earlier:
What it should be:
What Pabbly are suggesting:
What they are essentially wanting you to do is remove that second lock between Cloudflare and them. So your customers’ data would be secured as far as Cloudflare, but then insecure between Cloudflare and Pabbly because they present an invalid certificate. This is never advisable and is terrible practice, especially for a payment provider.
P.S. Just to clarify, based on pabbly’s message, we aren’t Cloudflare staff, just other users experienced with using Cloudflare who are MVPs here on the community.
There’s always an alternative. Bottom line is, your current choice refuses to provide you with a secure solution. If you do not change provider you’ll have an insecure site. I am afraid that’s it. @domjh already elaborated on the technical details.
I can’t really add more than what @domjh said. It’s a really good reply. Just change provider, immediately.
Don’t do what they are saying and they should really be ashamed of asking credentials. That’s a very big no-no.
It’s a really terrible thought that they have other customers doing anything, especially regarding payments, with that set-up.
Considering they are around here, maybe @pabbly can elaborate on why they keep their customers on broken encryption and what they plan to do to address that.
Ok, thank you for the perfect explanation @domjh
It’s really helpful
Now I’ve given them another Cloudflare account with an unused domain connected, so they cannot use the “we must have access to your Cloudflare account” reason to escape from this situation.
With this, I hope they can take some time to solve this problem,
or… maybe there is someone in this forum who can help them do that?
It’s really weird the way they are solving my problem. Even a not tech-savvy guy like me understands they are doing nothing to solve this problem.
I think maybe the technical guy who understands SSL on their side already left the company or something, so they don’t have a capable person to solve this.
It could be an opportunity for you guys to offer them services?
This is still a very bad idea.
They don’t want to solve the issue. They want to run with their non-secure setup as it’s cheaper to maintain. Relatively, as it costs little to nothing regardless, but it has some configuration to create it.
I understand you gave them a dummy account but generally speaking I can only emphasise what @domjh and @matteo already wrote, to never ever hand out your access credentials to anyone. Not only on Cloudflare, everywhere and to no one.
That being said, I highly doubt they will configure a secure environment for you, even now that you gave them your data.
Once they are “done”, check your encryption mode. If it is not “Full (Strict)”, you’ll still be on an insecure setup.
Hope they get me a new update; if they can’t do that, I will try to offer them help from an expert. I’ll let you know once they give me an update.
Hello! Finally I got an update from Pabbly and here is the SSL they’ve configured.
Here is the SSL they succeeded in configuring for me after requesting the credentials.
I’m not sure whether this SSL is safe or not.
Could anyone check for me? I don’t quite understand why for this domain they can, but for my other domain si.co.id they can’t.
Thanks for the help
Hi again @j3project,
The way to check this is to log into the account with that domain, go to SSL/TLS → Edge Certificates and see what mode it is set to.
Unless it’s Full (Strict) then it’s not fully secure.
It should look like this:
Not secure, and especially bad for a payment provider. Cloudflare is not validating the server certificate, so you would be vulnerable to an attack there as any certificate would be accepted, whether it’s for your domain or not.
Pabbly need to get their SSL setup sorted properly instead of getting Cloudflare to mask their lack of certificate for your domain.
Precisely what I said earlier.
And it’s precisely what we have been mentioning for the past few days so far and what @domjh and @matteo already addressed. Your provider is unable to provide a secure environment and wants to hide that behind Cloudflare.
Ok, thanks for your help and advice guys. Glad I found this community. Hope I can find a better alternative solution in the future; hope someone can give me suggestions regarding subscription tools and payment gateways in the future.
So you are staying with your current provider and its insecure mode?
Yes, I’ve no choice right now. I’m figuring out an alternative solution.
Finding a payment gateway service that can be integrated with local payment services in Indonesia, and offers an LTD with an affiliate module included, is not quite easy. But for now I’m still doing research and looking for alternatives.
By the way, could you give me some examples of what bad things can happen to me using their unsecured setup?
I want to know some worst possibilities
Attackers can perform a MITM attack on the connection between Cloudflare and the origin server, which can cause leakage of data such as credit card numbers, usernames and passwords.
@erictung already mentioned the main part. Essentially what I already described at the link I posted
Would you continue loading a site if you get a certificate warning? That’s the setup you currently have.
Cloudflare does not validate the certificate and will accept any it is presented with. Anyone who has access to the line to your server will be able to present their own certificate (which Cloudflare will gladly accept) and intercept and record your traffic along with all payment related data.
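The two points made in this thread, that a certificate is only valid for the hostname it was issued to (domjh’s explanation of example.com versus provider.com) and that the “Full” encryption mode accepts any certificate on the Cloudflare-to-origin leg while only “Full (Strict)” actually validates it, can be checked with a small script. The following is an added example written for this page; it is not code from the thread, from Cloudflare or from Pabbly. The two certificate dictionaries are constructed by hand in the shape that Python’s `ssl` module returns from `getpeercert()`, so the script runs offline; the mode labels `off`, `flexible`, `full` and `full_strict` are the script’s own names for the dashboard options, and `probe_origin()` is an assumed helper for trying a real origin.

```python
"""
Model of what Cloudflare's SSL/TLS encryption modes check on the origin leg,
plus the hostname matching that "Full (Strict)" relies on.

Added example for this thread, not Cloudflare's or Pabbly's code. The two
certificates below are constructed sample data in the dict shape returned by
ssl.SSLSocket.getpeercert(), so everything except probe_origin() runs offline.
"""
import socket
import ssl

# Constructed: an origin that presents a certificate issued to provider.com,
# as described in the thread, while the visitor asked for example.com.
ORIGIN_CERT_FOR_PROVIDER = {
    "subject": ((("commonName", "provider.com"),),),
    "subjectAltName": (("DNS", "provider.com"), ("DNS", "*.provider.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# Constructed: a certificate actually issued for the customer's domain.
ORIGIN_CERT_FOR_EXAMPLE = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: exact match, or a single leading '*.' wildcard
    that covers exactly one label and never the bare base domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # e.g. ".provider.com"
        if hostname.endswith(suffix):
            prefix = hostname[: -len(suffix)]    # the part the '*' stands for
            return prefix != "" and "." not in prefix
    return False


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True if the certificate names the hostname in a subjectAltName DNS entry.
    Only the SAN list is consulted, as modern validators do; CN alone is not enough."""
    dns_names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_name_matches(name, hostname) for name in dns_names)


def origin_leg(mode: str, cert: dict, hostname: str) -> dict:
    """What the Cloudflare-to-origin connection gets in each encryption mode.
    'connects'      : Cloudflare serves the page at all
    'encrypted'     : the leg uses TLS
    'authenticated' : the origin's identity was actually verified
    Only hostname matching is modelled for strict mode; expiry and CA chain
    checks are left to a real TLS library."""
    if mode in ("off", "flexible"):
        # Plain HTTP to the origin: nothing to validate, nothing protected.
        return {"connects": True, "encrypted": False, "authenticated": False}
    if mode == "full":
        # TLS is used, but whatever certificate is presented is accepted.
        return {"connects": True, "encrypted": True, "authenticated": False}
    if mode == "full_strict":
        ok = cert_matches_hostname(cert, hostname)
        # A non-matching certificate means Cloudflare refuses the connection.
        return {"connects": ok, "encrypted": ok, "authenticated": ok}
    raise ValueError(f"unknown mode {mode!r}")


def probe_origin(origin_ip: str, hostname: str, port: int = 443) -> dict:
    """Assumed helper (not run offline): connect to a real origin the way the two
    TLS modes would. A handshake that only succeeds with verification disabled is
    exactly the 'Full' situation discussed in the thread."""
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE            # accept anything, like 'Full'
    strict = ssl.create_default_context()      # verify chain + hostname, like 'Full (Strict)'
    outcome = {}
    for mode, ctx in (("full", lax), ("full_strict", strict)):
        try:
            with socket.create_connection((origin_ip, port), timeout=5) as sock:
                with ctx.wrap_socket(sock, server_hostname=hostname):
                    outcome[mode] = True
        except (ssl.SSLError, OSError):
            outcome[mode] = False
    return outcome


if __name__ == "__main__":
    for mode in ("flexible", "full", "full_strict"):
        print(mode, "provider cert:", origin_leg(mode, ORIGIN_CERT_FOR_PROVIDER, "example.com"))
        print(mode, "example cert: ", origin_leg(mode, ORIGIN_CERT_FOR_EXAMPLE, "example.com"))
```

Running it offline shows the thread’s point directly: with the provider.com certificate, `full` reports an encrypted but unauthenticated leg, while `full_strict` refuses to connect at all, which is the error Cloudflare would show until the origin presents a certificate issued for the customer’s own domain. `probe_origin()` applies the same two checks to a live origin IP if you want to verify what your provider has actually deployed.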