Unencrypted & unverified connections
Imagine you open Paypal and suddenly get that warning
Would you continue? Probably not. For decades leaders in IT security have advocated that people upgrade their sites from unencrypted HTTP to secure HTTPS. And for a reason, everything you send via an HTTP connection is sent in plain text and can be intercepted at any point between you and the server.
Equally, you’d probably not proceed if you got such a warning, right?
That’s when there is a certificate but it has not been signed by a certificate authority which is trusted by your browser. It essentially means the connection is technically encrypted but without verification anyone could have provided that certificate and will be able to intercept your data.
Unfortunately, many site owners are not aware of that and these two setups are common on Cloudflare. Millions of sites on Cloudflare have one of those two insecure configurations and are essentially left with no security.
Why don’t you get more warnings, you ask? Because the Cloudflare proxies front these sites and feign a valid HTTPS connection to the visitors when, in the background, things are still being transmitted in mentioned insecure fashion.
In either case, third parties will be able to intercept, record, and manipulate these connections without you, Cloudflare, or your visitors having the slightest idea that an unauthorised third party is accessing your very private communication.
Full Strict
This is where the encryption modes from https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls come in
Make sure you have “Full Strict” selected here. Only when you have that mode selected you’ll have a guarantee that Cloudflare will verify the connection and will not allow third parties to take over your data. Anything else and it will be as if you had no certificate or one that can’t be verified (-> certificate warning) and will put your data and the data of your visitors at risk.
Origin certificate
This also brings us to the next step of securing your server, making sure you have a proper certificate on your server in the first place.
There are plenty of providers who will sell certificates and while these certificates are perfectly fine, you should know that there are quite a few free options these days as well. Check out letsencrypt.org for that, respectively Cloudflare also offers their own free certificates for installation on your server. More information is here and you can get one issued straight from your TLS screen.
Once you have the certificate and the private key you just need to install them on your server (please talk to your host or refer to the documentation of your web server for details on that) and you’ll be good to go and have a properly secured connection on Full Strict.