How secure is CloudFlare's basic SSL

ssl cdn cloudflare

CloudFlare's basic SSL package provides SSL encryption for you site, but only between your customer's browser, and the CloudFlare server where SSL is terminated. The connection between CloudFlare and your own server is not served over SSL.

How safe is this? And what infomration would you not want to send using this system? And how easy would it be for someone to snoop on your CloudFare -> Server connection?

CloudFlare also offer a full SSL service which allows you to install your own cert, and encrypt the entire route, but its 10x the price.


Ultimately for clients the best security is too have end to end SSL. It does look like you can get 'Full-SSL' on just their Pro account, and you can do it with self-signed certificates on your own personal server if you'd like.

For an attacker to intercept traffic while using their 'Flexible-SSL' (SSL only between clients and Cloudflare), that attacker would need to be in the middle of Cloudflare and your server. The easiest place for this too take place is more likely than not on your local network by using a MITM technique like arp poisoning or by sniffing the traffic right off the wire if they get access to a hub or switch with a monitor mode.

It's reasonable to expect that an attacker won't be able to MITM or sniff connections between your ISP and Cloudflare's unless your attacker is either one of the ISPs or a larger state-actor (such as the NSA).

At a minimum if you're going to use any SSL you mind as well throw a self-signed certificate and open up port 443 on your webserver so that the information isn't going across the wire plaintext. I don't know if cloudflare watches for changes to the certificate but it will at the very least prevent sniffing the traffic and forcing the attacker to use a noisier, more aggressive, and potentially easy to notice attack.

Edit: The only thing the Business and Enterprise levels of their service provide you in regards to SSL is the ability for you too upload your own custom SSL certificate that will be facing clients. For example if you wanted an extended validation certificate.

Related

Timeout error in all my apps for every call to smtp servers
How can I sort a List<T> by multiple T.attributes?
Is it possible to define a broadcast receiver as an inner class in manifest file? [duplicate]
How to set Azure WebJob queue name at runtime?
What is the defined execution order of ES6 imports?
Instance variables declared in ObjC implementation file
Performance of dynamic_cast?
Android M weird shared preferences issue
Simultaneous accesses to 0x1c0a7f0f8, but modification requires exclusive access error on Xcode 9 beta 4
How to dismiss AlertDialog in android
Twitter API error 215
Empty an array in Java / processing