41 comments

[ 3.0 ms ] story [ 91.4 ms ] thread
First letter of each paragraph = "SSL TLS FREE".
Nice catch. I believe everyone who saw the past blog posts can easily guess "the big thing" they are going to announce on Monday. I was thinking "free SSL" since the 2nd/3rd paragraph.
Time to go grab a cert from startssl.com for free. No more excuses for not having an SSL site.
CloudFlare will probably supply their own certificates so you won't even need to do that.
Shouldn't we all be glad with it? HTTPS-MITM-as-a-service... and authorized... awesome!
(comment deleted)
Even better! One-click cert gen and installation would be magical!

StartSSL is nice because you don't need create a csr. But Cloudflare could make it simpler still, since you've already got domain-level verification through them implicitly. And if you need a better trust chain for your certs, then you can provide your own.

This just got even more exciting!

StartSSL's <keygen> for SSL is good but it's not great - mainly, you have to give your computer access to the SSL key and your server, as opposed to only your server storing the key (and you providing StartSSL a CSR)
StartSSL is nice because you don't need create a csr.

You should though.

I think CloudFlare "free SSL" is CloudFlare-issued instead of Custom Cert, which I think it is good enough. If their "free SSL" allow free plan customers to upload Custom Cert, that is even awesome.
How on Earth do people spot things like this? <_<
(comment deleted)
The clue was in the text.

> Finally, for people who like puzzles we've left a clue to our announcement right here on this page. With a little lateral thinking you may be able to figure it out.

CloudFlare is the biggest MITM attack in the history of the internet. Why are we putting this much power in the hands of a few US citizens, who are legally obliged to record all that unencrypted data passing through their servers?
I'd be interested in a source pointing out the origin of that obligation. I very much agree that end-to-end encryption is superior for transactions that need it. Some don't need it though, and MITM'd encryption does at least protect the end user from any untrusted parties on their local subnet like in coffee shops, which are far more untrusted than upstream operators.
Most sites which are not on HTTPS now are static sites like blogs etc. Google recently announced HTTPS will be determining SERP so many webmasters are going to use it anyway even with a MITM.
who are legally obliged to record all that unencrypted data

They may be compelled to do that. It was actually a European directive, and subsequent regulations in each member state, that forced providers to retain data pre-emptively, and even that didn't require them to record all traffic.

https://en.wikipedia.org/wiki/Data_Retention_Directive

We are not recording the data that passes through our servers.
It's also Google's birthday today.
I think they celebrate on 1st April.
CloudFlare has solved the DDos problem for us. Because we constantly fight with phishers, before we switched to CloudFlare, we would get hit by massive DDos attacks at least once a year, and that would result in downtime and in getting kicked out of a dedicated server provider or being asked high fees to put us on on a dedicated network. After moving to CloudFlare, we are not even aware of it if we get hit by a DDos.

We are very thankful to CloudFlare! Happy birthday!

Wonder why DDOSes have been getting worse lately? DDOS groups are putting their sites behind Cloudflare so they cannot be DDOSed off the internet by rival groups, thus their "services" become a lot more accessible, and they have grown bolder.

This is a grave conflict of interest for Cloudflare, they have no incentive to stop them, after all, it generates more business for Cloudflare.

This absolutely needs to be addressed.

http://krebsonsecurity.com/2013/05/ddos-services-advertise-o...

It is because many DDoS websites sitting behind Cloudflare are FBI run. See titaniumstresser[0] as an example. One of their sub-domain's IP address is allocated to the FBI[1]. Seems like the longest lasting sites peddling stolen info, child pornography, or malicious services are all run by feds.

Hostname: direct.titaniumstresser.net IP Address: 153.31.25.12 Organization: FBI Criminal Justice Information Systems

[0] http://titaniumstresser.net/

[1] http://direct.titaniumstresser.net.ipaddress.com/

LOL, that's just so someone (of a rival group) who tries to get their real IP address (to ddos them), finds that subdomain, and doesn't look closely, and goes to ddos the FBI.
Correct.

Many automated scripts script kiddies use to DDoS will do a basic check for subdomains like "direct.domain.com" and "direct-connect.domain.com" if the target domain is behind Cloudflare, and the scripts are naive and immediately assume that's the server's real IP.

Setting it to the IP of a site they dislike is also a popular choice.

That's not how you think it works. You can point domains you own at any IP you like.
I could point my personal domain at the FBI in 3 seconds if I felt like it, completely legal and commonplace.
Those services have existed for years before Cloudflare came around. They'll continue to exist even after they're welcome on Cloudflare.

Censorship-resistant networks are an incredibly powerful tool, for good and bad uses alike. We shouldn't criticize the tool just because some choose to use it in a way we disagree with.

Going to be interesting how they've solved this - my guess is an intermediary cert they've obtained. Must be pretty recent though, as it's not in my intermediary database[0].

GlobalSign also has an unlimited SSL cert offering, but it doesn't come with SANs (they could have arranged something though).

0: https://github.com/iangcarroll/ca-intermediaries

They offers SSL with CloudFlare-issued cert for non-free plan already. I assume they use the old method of obtaining cert. Also, I think at their scale they can get special plan from CA.
They pay GlobalSign roughly $4000 (most are 3 yrs in length, that's for all three), which is only used to power SSL for about twenty domains (this obviously varies but it's what I've seen before, and it should be able to support 50 or 100 total domains).

Free SSL would not be practical with their old method.

No offence, but considering that their Pro plan which include SSL starts at $20 for first, and $5 for the rest per account. At 50*$20 it's only $1000. That doesn't sound right.
It's a yearly fee! :)

Also updated my comment with a better estimate of the pricing (we've talked w/ GlobalSign about this before actually)

They could be partnering with a root or intermediate CA for generation. But I don't see why they wouldn't get their own intermediate CA cert.
If they created their own root instead of partnering with another CA, which is what I assume you meant, then they would need a lot of time (2 yrs just to be included in apple+msft+mozilla) and the process would be public.

An intermediary created by a partner would solve the problem but would require a partnership.

Hoping for the automatic DNS fail-over feature to be implemented soon