Cloudflare “Flexible” SSL Misleading
Cloudflare Flexible SSL mode encrypts traffic between the client and Cloudflare but it forwards that data to the origin server unencrypted over the public internet.
Isn't this misleading? The client thinks their traffic is safe, but it ends up being exposed? Doesn't this defeat the purpose of SSL and browser certificate validation?
3 comments
[ 3.6 ms ] story [ 17.5 ms ] thread1. It protects the privacy of the client still. Nobody can tell which page a given IP address is looking at on a site, since once the traffic is decrypted, it's no longer associated with the originator.
2. Most snooping and MITM attacks happen towards the client end of the connection, which this would protect from.
It's definitely not appropriate for sending sensitive data like credit card numbers, though.
(2) - have to concur, though sadly, you will obviously be exposed (and identifiable) to institutional meddlers with no warning.
Regarding CF, traffic to an origin server that's set as flexible might still go through a secured tunnel (e.g. Argo).