We chat to CloudFlare about its 'EVERYBODY GETS SSL' venture CloudFlare boss Matthew Prince is hoping the firm's project to roll out SSL support to customers who use its free cloud-based web hosting service will inspire other internet firms to build out a fully encrypted web. The Universal SSL program from CloudFlare allows its customers to encrypt and secure web traffic between …
Just wanted to post that I'm a happy customer and run all my domains through Cloudflare now. Quite apart from the SSL stuff, the fact that my server's IP address is obfuscated from every tom dick and harry script kiddie out there is a big bonus, and benefits all of my domains on the free plan as well as the ones on a paid plan.
I'm running a few sites through Cloudflare as a test. Seems to be going okay, although so far as I can tell it doesn't seem to be forcing https on every request, just if you ask for it specifically.
This is a useful step, but 4 million sites out of a billion leaves a lot to go. If one of the big hosting providers (1&1 etc) could take the step and encrypt every one of their millions of sites automatically, then things would really start moving (until NSA start launching drone strikes against them!)
Another benefit of Cloudflare is your IP address is obfuscated from spam trackers. That, plus Cloudflare's rather...relaxed attitudes toward spam and malware, make Cloudflare the content delivery platform of choice for really aggressive hardcore spammers and malware distributors.
I keep track of who's hosting/serving the spamvertised domains in all the spam I receive. Right now, Cloudflare's serving a bit over a third of the domains for all the spam landing on my spamtrap addresses.
SSL* by default is inevitable.
Though this is a good first step (well done CloudFlare!), eventually these base SSL certificates will be so cheap as to be ridiculous. Hell, I bought 5 years of SSL certificate for my domain for something like $50. If you have any reason to have SSL, even a popular forum requiring login, then SSL is a drop in the ocean against hosting, bandwidth and even just simple management costs.
The certification authorities wouldn't allow this (specifically the wildcard domains) without knowing that the money they get from them is going to plummet soon anyway. That's pretty much why they want to push EV and like it when Chrome drops support for 1024-bit, etc. They can give the old stuff away for free while pushing the stuff that won't be warning in your browser next year.
And there are already "free" SSL certificates out there on this level, you just have to dig for them.
And, to be honest, where we need to worry is things like SSL on email, etc. which is disgustingly easy to configure nowadays if you own any domain SSL certificate (or even a self-signed one). I'm pretty sure my SSL cert is running not only my domains, but my email, DKIM signature and things like SSH etc. (with different passphrases in some instances, granted).
(*Please replace SSL throughout with TLS etc. as I'm pretty sure my servers don't accept SSL 2.0, 3.0 or anything else nowadays).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
