How secure is CloudFlare's basic SSL

CloudFlare's basic SSL package provides SSL encryption for your site, but only between your customer's browser and the CloudFlare server where SSL is terminated. The connection between CloudFlare and your own server is not served over SSL.

How safe is this? And what information would you not want to send using this system? And how easy would it be for someone to snoop on your CloudFlare -> Server connection?

CloudFlare also offers a full SSL service which allows you to install your own cert and encrypt the entire route, but it's 10x the price.


Ultimately for clients the best security is to have end-to-end SSL. It does look like you can get 'Full SSL' on just their Pro account, and you can do it with self-signed certificates on your own personal server if you'd like.

For an attacker to intercept traffic while using their 'Flexible SSL' (SSL only between clients and Cloudflare), that attacker would need to be in the middle of Cloudflare and your server. The easiest place for this to take place is more likely than not on your local network, by using a MITM technique like ARP poisoning or by sniffing the traffic right off the wire if they get access to a hub or a switch with a monitor mode.

It's reasonable to expect that an attacker won't be able to MITM or sniff connections between your ISP and Cloudflare's unless your attacker is either one of the ISPs or a larger state actor (such as the NSA).

At a minimum, if you're going to use any SSL you might as well throw up a self-signed certificate and open up port 443 on your webserver so that the information isn't going across the wire in plaintext. I don't know if Cloudflare watches for changes to the certificate, but it will at the very least prevent sniffing the traffic and force the attacker to use a noisier, more aggressive, and potentially easier to notice attack.

Edit: The only thing the Business and Enterprise levels of their service provide you in regards to SSL is the ability to upload your own custom SSL certificate that will be facing clients, for example if you wanted an extended validation certificate.
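The "self-signed certificate on port 443" step from the answer above, as an added example that is not part of the original question or answer and is not Cloudflare's own documentation. It generates a self-signed key and certificate with `openssl`, checks that the key actually matches the certificate before you point a web server at it, and writes an nginx server block that serves the certificate on 443. The hostname `example.com`, the output directory `./origin-tls` and the nginx layout are assumptions; adjust them for your own origin.

```shell
#!/bin/sh
# Added example (not code from the original post). Assumptions: OpenSSL 1.1.1+
# for -addext, nginx as the origin web server, hostname and paths below.
set -eu

OUT="${OUT:-./origin-tls}"      # assumed output directory
HOST="${HOST:-example.com}"     # assumed origin hostname

# Create a self-signed RSA key + certificate for the origin. Cloudflare's
# 'Full' mode accepts a self-signed origin cert, so a public CA is not needed
# for the Cloudflare -> origin leg; the browser only ever sees Cloudflare's cert.
make_origin_cert() {
    mkdir -p "$OUT"
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -subj "/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST,DNS:www.$HOST" \
        -keyout "$OUT/origin.key" -out "$OUT/origin.crt" 2>/dev/null
    chmod 600 "$OUT/origin.key"
}

# Print the certificate subject (used to eyeball the CN before deploying).
cert_subject() {
    openssl x509 -in "$OUT/origin.crt" -noout -subject
}

# Sanity check: the private key's modulus must equal the certificate's modulus,
# otherwise nginx will refuse to start (or worse, you deploy the wrong key).
# Exit status 0 = match, 1 = mismatch.
cert_matches_key() {
    crt_mod=$(openssl x509 -in "$OUT/origin.crt" -noout -modulus)
    key_mod=$(openssl rsa -in "$OUT/origin.key" -noout -modulus 2>/dev/null)
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# Sanity check: certificate has not expired (checkend 0 = valid right now).
cert_is_current() {
    openssl x509 -in "$OUT/origin.crt" -noout -checkend 0 >/dev/null
}

# Write an nginx server block that terminates TLS on 443 using the cert above.
# Port 80 is left serving a redirect; see the note after the block before
# enabling it, because Flexible SSL keeps fetching over port 80.
write_nginx_conf() {
    cat > "$OUT/origin.conf" <<EOF
server {
    listen 443 ssl;
    server_name $HOST www.$HOST;

    ssl_certificate     $OUT/origin.crt;
    ssl_certificate_key $OUT/origin.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    root /var/www/$HOST;   # assumed document root
}

server {
    listen 80;
    server_name $HOST www.$HOST;
    return 301 https://\$host\$request_uri;
}
EOF
}

make_origin_cert
cert_matches_key || { echo "key/cert mismatch" >&2; exit 1; }
cert_is_current  || { echo "certificate not valid now" >&2; exit 1; }
write_nginx_conf
echo "origin cert: $(cert_subject)"
echo "nginx config written to $OUT/origin.conf"
```

After deploying the config and reloading nginx, switch the zone in the Cloudflare dashboard from Flexible to Full; until you do, Cloudflare still connects to the origin over port 80, and the port-80 redirect above would send it straight back to itself in a redirect loop. Once the setting is Full, a quick check that the cert is really being served is `openssl s_client -connect <origin-ip>:443 -servername example.com` run from a host that reaches the origin directly.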