Nice catch. I believe everyone who saw the past blog posts can easily guess "the big thing" they are going to announce on Monday. I was thinking "free SSL" since the 2nd/3rd paragraph.
Even better! One-click cert gen and installation would be magical!
StartSSL is nice because you don't need create a csr. But Cloudflare could make it simpler still, since you've already got domain-level verification through them implicitly. And if you need a better trust chain for your certs, then you can provide your own.
StartSSL's <keygen> for SSL is good but it's not great - mainly, you have to give your computer access to the SSL key and your server, as opposed to only your server storing the key (and you providing StartSSL a CSR)
I think CloudFlare "free SSL" is CloudFlare-issued instead of Custom Cert, which I think it is good enough. If their "free SSL" allow free plan customers to upload Custom Cert, that is even awesome.
> Finally, for people who like puzzles we've left a clue to our announcement right here on this page. With a little lateral thinking you may be able to figure it out.
CloudFlare is the biggest MITM attack in the history of the internet. Why are we putting this much power in the hands of a few US citizens, who are legally obliged to record all that unencrypted data passing through their servers?
I'd be interested in a source pointing out the origin of that obligation. I very much agree that end-to-end encryption is superior for transactions that need it. Some don't need it though, and MITM'd encryption does at least protect the end user from any untrusted parties on their local subnet like in coffee shops, which are far more untrusted than upstream operators.
Most sites which are not on HTTPS now are static sites like blogs etc. Google recently announced HTTPS will be determining SERP so many webmasters are going to use it anyway even with a MITM.
who are legally obliged to record all that unencrypted data
They may be compelled to do that. It was actually a European directive, and subsequent regulations in each member state, that forced providers to retain data pre-emptively, and even that didn't require them to record all traffic.
CloudFlare has solved the DDos problem for us. Because we constantly fight with phishers, before we switched to CloudFlare, we would get hit by massive DDos attacks at least once a year, and that would result in downtime and in getting kicked out of a dedicated server provider or being asked high fees to put us on on a dedicated network. After moving to CloudFlare, we are not even aware of it if we get hit by a DDos.
We are very thankful to CloudFlare! Happy birthday!
Wonder why DDOSes have been getting worse lately? DDOS groups are putting their sites behind Cloudflare so they cannot be DDOSed off the internet by rival groups, thus their "services" become a lot more accessible, and they have grown bolder.
This is a grave conflict of interest for Cloudflare, they have no incentive to stop them, after all, it generates more business for Cloudflare.
It is because many DDoS websites sitting behind Cloudflare are FBI run. See titaniumstresser[0] as an example. One of their sub-domain's IP address is allocated to the FBI[1]. Seems like the longest lasting sites peddling stolen info, child pornography, or malicious services are all run by feds.
Hostname: direct.titaniumstresser.net
IP Address: 153.31.25.12
Organization: FBI Criminal Justice Information Systems
LOL, that's just so someone (of a rival group) who tries to get their real IP address (to ddos them), finds that subdomain, and doesn't look closely, and goes to ddos the FBI.
Many automated scripts script kiddies use to DDoS will do a basic check for subdomains like "direct.domain.com" and "direct-connect.domain.com" if the target domain is behind Cloudflare, and the scripts are naive and immediately assume that's the server's real IP.
Setting it to the IP of a site they dislike is also a popular choice.
Those services have existed for years before Cloudflare came around. They'll continue to exist even after they're welcome on Cloudflare.
Censorship-resistant networks are an incredibly powerful tool, for good and bad uses alike. We shouldn't criticize the tool just because some choose to use it in a way we disagree with.
Going to be interesting how they've solved this - my guess is an intermediary cert they've obtained. Must be pretty recent though, as it's not in my intermediary database[0].
GlobalSign also has an unlimited SSL cert offering, but it doesn't come with SANs (they could have arranged something though).
They offers SSL with CloudFlare-issued cert for non-free plan already. I assume they use the old method of obtaining cert. Also, I think at their scale they can get special plan from CA.
They pay GlobalSign roughly $4000 (most are 3 yrs in length, that's for all three), which is only used to power SSL for about twenty domains (this obviously varies but it's what I've seen before, and it should be able to support 50 or 100 total domains).
Free SSL would not be practical with their old method.
No offence, but considering that their Pro plan which include SSL starts at $20 for first, and $5 for the rest per account. At 50*$20 it's only $1000. That doesn't sound right.
If they created their own root instead of partnering with another CA, which is what I assume you meant, then they would need a lot of time (2 yrs just to be included in apple+msft+mozilla) and the process would be public.
An intermediary created by a partner would solve the problem but would require a partnership.
It's great that they're finally coming out with free SSL for everyone. They planned to come out with it in early 2014 but ran into a number of technical issues.
41 comments
[ 3.0 ms ] story [ 91.4 ms ] threadStartSSL is nice because you don't need create a csr. But Cloudflare could make it simpler still, since you've already got domain-level verification through them implicitly. And if you need a better trust chain for your certs, then you can provide your own.
This just got even more exciting!
You should though.
> Finally, for people who like puzzles we've left a clue to our announcement right here on this page. With a little lateral thinking you may be able to figure it out.
Seriously? So now I have to buy into the corrupt CA system in order to rank well in searches? :/
http://googleonlinesecurity.blogspot.com/2014/08/https-as-ra...
They may be compelled to do that. It was actually a European directive, and subsequent regulations in each member state, that forced providers to retain data pre-emptively, and even that didn't require them to record all traffic.
https://en.wikipedia.org/wiki/Data_Retention_Directive
We are very thankful to CloudFlare! Happy birthday!
This is a grave conflict of interest for Cloudflare, they have no incentive to stop them, after all, it generates more business for Cloudflare.
This absolutely needs to be addressed.
http://krebsonsecurity.com/2013/05/ddos-services-advertise-o...
Hostname: direct.titaniumstresser.net IP Address: 153.31.25.12 Organization: FBI Criminal Justice Information Systems
[0] http://titaniumstresser.net/
[1] http://direct.titaniumstresser.net.ipaddress.com/
Many automated scripts script kiddies use to DDoS will do a basic check for subdomains like "direct.domain.com" and "direct-connect.domain.com" if the target domain is behind Cloudflare, and the scripts are naive and immediately assume that's the server's real IP.
Setting it to the IP of a site they dislike is also a popular choice.
Censorship-resistant networks are an incredibly powerful tool, for good and bad uses alike. We shouldn't criticize the tool just because some choose to use it in a way we disagree with.
GlobalSign also has an unlimited SSL cert offering, but it doesn't come with SANs (they could have arranged something though).
0: https://github.com/iangcarroll/ca-intermediaries
Free SSL would not be practical with their old method.
Also updated my comment with a better estimate of the pricing (we've talked w/ GlobalSign about this before actually)
An intermediary created by a partner would solve the problem but would require a partnership.
http://www.theverge.com/2013/12/17/5217800/cloudflare-pledge...