
CloudFlare Universal SSL - Free Web Security for All


CloudFlare have made SSL available to all free subscribers to its content delivery network (CDN) with Universal SSL. The move addresses both cost and complexity issues that have previously confronted web site and application owners wanting to deploy SSL. CloudFlare takes care of issuing a certificate at no cost to the end user, and enabling SSL becomes a selection from a dropdown menu.

Secure Sockets Layer (SSL), or its more modern successor Transport Layer Security (TLS), has traditionally been a premium feature for CDNs and other web-based services. This was because SSL required a dedicated IPv4 address per site, plus the issuance of a certificate from a certificate authority (CA). SSL also places a higher compute load on the hosting infrastructure, which must perform the cryptographic operations used to establish secure sessions. CloudFlare have sidestepped some of these issues by making use of Server Name Indication (SNI), a TLS extension in which the browser sends the hostname it wants at the start of the handshake, which allows HTTPS sites to be virtually hosted on a shared IP address in the same way as HTTP sites. The problem with SNI is that it’s only supported by newer browsers (with newer being a very relative term): Firefox 2, Chrome 6, or Internet Explorer (IE) 7 on Windows Vista, or later versions. No version of IE on Windows XP supports it. Worldwide, more than 90% of browsers in use are SNI capable.
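The SNI compatibility question above is something an operator can measure rather than guess at: the hostname (or its absence) sits in plain text in the first record of every TLS handshake. The following added example, which is not part of the InfoQ article or of any CloudFlare code, builds constructed ClientHello records with and without an SNI extension, extracts the server name from them, and tallies how many clients would fail a shared-IP (SNI-only) deployment. The record layout follows the TLS 1.2 ClientHello structure; the random bytes, cipher suite and hostnames are constructed sample values.

```python
import struct


def _sni_extension(hostname: str) -> bytes:
    """Encode a server_name extension (type 0x0000) carrying one host_name entry."""
    name = hostname.encode("ascii")
    entry = struct.pack("!BH", 0, len(name)) + name            # name_type 0 = host_name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list


def build_client_hello(hostname=None) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record.

    hostname=None models a pre-SNI browser: the extensions block is omitted entirely,
    which is legal in a ClientHello and is exactly what older clients send.
    """
    body = b"\x03\x03"                                   # client_version: TLS 1.2
    body += b"\x00" * 32                                 # random (constructed, all zeros)
    body += b"\x00"                                      # session_id length: 0
    body += struct.pack("!H", 2) + b"\xc0\x2f"           # one cipher suite (constructed choice)
    body += b"\x01\x00"                                  # compression methods: null only
    if hostname is not None:
        ext = _sni_extension(hostname)
        body += struct.pack("!H", len(ext)) + ext        # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None if the client sent none.

    Raises ValueError for records that are not a well-formed ClientHello.
    """
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                     # skip version and random
        pos += 1 + body[pos]                             # skip session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + body[pos]                             # skip compression_methods
        if pos >= len(body):
            return None                                  # no extensions at all: pre-SNI client
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype, nlen = struct.unpack("!BH", edata[q:q + 3])
                q += 3
                if ntype == 0:
                    return edata[q:q + nlen].decode("ascii")
                q += nlen
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def sni_coverage(records) -> dict:
    """Count ClientHellos with and without SNI; the 'without' share is what a
    shared-IP deployment would turn away or serve the wrong certificate to."""
    counts = {"with_sni": 0, "without_sni": 0}
    for rec in records:
        counts["with_sni" if extract_sni(rec) else "without_sni"] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: three SNI-capable clients and one legacy client.
    sample = [build_client_hello("www.example.com"), build_client_hello("blog.example.com"),
              build_client_hello("example.com"), build_client_hello(None)]
    print(sni_coverage(sample))
```

In practice the records would come from a packet capture or a `ssl_preread`-style front end rather than from `build_client_hello`; the parser is the same, and the `without_sni` count is the population that Full SSL (strict) or a dedicated-IP tier would have to cater for.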

Once enabled, which can take around 24 hours whilst a certificate is issued, Universal SSL can be used in a number of different modes. Flexible SSL only encrypts communications between the browser and CloudFlare, leaving the connection back to the web server vulnerable to interception, but it’s the simplest to configure as it requires no web server reconfiguration. Full SSL needs a certificate to be installed on the web server so that traffic from CloudFlare is encrypted, but it can make use of self-signed certificates, which are free to create and don’t have to be cycled every year. Finally, Full SSL (strict) makes use of a valid (CA-issued) certificate on the web server, bringing with it all the same complexity (and potential cost) of implementing SSL before Universal SSL was available (though still bringing all of the benefits of using a CDN such as caching, global points of presence and distributed denial of service [DDoS] mitigation).

CloudFlare have partnered with Comodo and GlobalSign to issue certificates for Universal SSL. The certificates for each site are issued to sni12345.cloudflaressl.com, where 12345 will be a unique number for a group of CloudFlare subscribers. The certificates then have subject alternative names of *.subscriber.com and subscriber.com. As multiple subscribers are grouped together, a somewhat random list of valid subject alternative names is presented. The availability of free wildcard certificates is an improvement over previous free CA services such as StartSSL, which only issued subdomain-specific certificates (e.g. www.mydomain.com and mydomain.com but not *.mydomain.com). It’s worth noting that CAs like StartSSL can be used along with CloudFlare’s Universal SSL to achieve the Full SSL (strict) level of end-to-end encryption.
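The pairing of *.subscriber.com with a separate subscriber.com entry is not redundant: browsers match a wildcard only as the whole leftmost label and only against exactly one label, so *.subscriber.com covers www.subscriber.com but neither the bare domain nor a.b.subscriber.com. The following added example, which is not code from the article or from CloudFlare, implements that RFC 6125-style matching over a constructed SAN list shaped like the shared certificate described above, and also lists the co-tenant names a subscriber would see on such a certificate. The SAN entries, hostnames and the sni12345.cloudflaressl.com subject are constructed sample values.

```python
def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName entry covers hostname.

    Rules applied (the common browser interpretation of RFC 6125):
      - comparison is case-insensitive and ignores a trailing dot;
      - a wildcard is allowed only as the entire leftmost label;
      - the wildcard matches exactly one label, never zero and never several;
      - a wildcard needs at least two labels after it (no '*.com').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def matching_san(san_list, hostname: str):
    """Return the first SAN entry that covers hostname, or None if the certificate
    would be rejected for that name."""
    for entry in san_list:
        if san_matches(entry, hostname):
            return entry
    return None


def cotenant_domains(san_list, own_domain: str):
    """Names on a shared certificate that belong to neither the subscriber nor the
    certificate's own subject: useful when auditing what a shared cert exposes."""
    own = own_domain.lower()
    others = set()
    for entry in san_list:
        base = entry[2:] if entry.startswith("*.") else entry
        base = base.lower()
        if base == own or base.endswith(".cloudflaressl.com"):
            continue
        others.add(base)
    return sorted(others)


# Constructed SAN list modelled on the shared-certificate layout described in the article.
SHARED_CERT_SANS = [
    "sni12345.cloudflaressl.com",
    "*.subscriber.com", "subscriber.com",
    "*.other-tenant.example", "other-tenant.example",
    "*.third.example", "third.example",
]

if __name__ == "__main__":
    for host in ["www.subscriber.com", "subscriber.com", "a.b.subscriber.com",
                 "subscriber.com.evil.example", "www.other-tenant.example"]:
        print(f"{host:30} -> {matching_san(SHARED_CERT_SANS, host)}")
    print("co-tenants visible to subscriber.com:",
          cotenant_domains(SHARED_CERT_SANS, "subscriber.com"))
```

The `a.b.subscriber.com` case is the one that bites in practice: a wildcard certificate issued for `*.subscriber.com` does not cover second-level subdomains, so a site that uses them needs either an extra SAN or a separate certificate, whichever tier issues it.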

Another part of the Universal SSL offering is the SPDY protocol, which optimises the network traffic between the browser and CDN by bundling together objects that would otherwise need individual network conversations. CloudFlare’s John Graham-Cumming describes this as ‘The little extra that comes with Universal SSL’.

From a customer perspective Universal SSL represents the opposite end of the spectrum from those that might use Keyless SSL, which was also recently launched by CloudFlare. Between those extremes there are subscription tiers for companies that want more control over their certificates (e.g. for extended validation) or that need to ensure that their sites still work securely with older browsers. CloudFlare started out as a DDoS mitigation service (and was once described as an ‘accidental CDN’) where free users provided valuable intelligence that could be used to help protect paying subscribers. The company now seems to be moving its mission to securing as much of the web as it can reach. CEO Matthew Prince says:

Having cutting-edge encryption may not seem important to a small blog, but it is critical to advancing the encrypted-by-default future of the Internet. Every byte, however seemingly mundane, that flows encrypted across the Internet makes it more difficult for those who wish to intercept, throttle, or censor the web. In other words, ensuring your personal blog is available over HTTPS makes it more likely that a human rights organization or social media service or independent journalist will be accessible around the world. Together we can do great things.
