Enforce Web Policy with HTTP Strict Transport Security (HSTS)

Published by Ryan Lackey.

HTTP Strict Transport Security (HSTS, RFC 6797) is a web security policy technology designed to help secure HTTPS web servers against downgrade attacks. HSTS is a powerful technology which is not yet widely adopted. CloudFlare aims to change this. Downgrade attacks (also known as SSL stripping attacks) are a serious threat to web applications. This type of attack is a form of man-in-the-middle attack in which an attacker…

Universal SSL: Encryption all the way to the origin, for free

Published by Nick Sullivan.

Last September, CloudFlare unveiled Universal SSL, enabling HTTPS support for all sites by default. All sites using CloudFlare now support strong cryptography from the browser to CloudFlare’s servers. One of the most popular requests for Universal SSL was to make it easier to encrypt the other half of the connection: from CloudFlare to the origin server. Until today, encryption from CloudFlare to the origin required the purchase…

TLS Session Resumption: Full-speed and Secure

Published by Zi Lin.

At CloudFlare, making web sites faster and safer at scale is always a driving force for innovation. We introduced “Universal SSL” to dramatically increase the size of the encrypted web. In order for that to happen we knew we needed to efficiently handle large volumes of HTTPS traffic, and give end users the fastest possible performance. (CC BY 2.0 image by ecos systems) In this article, I’…

Do the ChaCha: better mobile performance with cryptography

Published by Nick Sullivan.

(CC BY-ND 2.0 image by Clinton Steeds) CloudFlare is always trying to improve customer experience by adopting the latest and best web technologies so that our customers (and their visitors) have a fast and secure web browsing experience. More and more web sites are now using HTTPS by default. This sea change has been spearheaded by many groups including CloudFlare enabling free SSL for millions…

End of the road for RC4

Published by John Graham-Cumming.

Today, we completely disabled the RC4 encryption algorithm for all SSL/TLS connections to CloudFlare sites. It's no longer possible to connect to any site that uses CloudFlare using RC4. Over a year ago, we disabled RC4 for connections for TLS 1.1 and above because there were more secure algorithms available. In May 2014, we deprecated RC4 by moving it to the lowest priority in our list…

SSL Week Means Less Weak SSL

Published by Matthew Prince.

I'm excited to announce that today kicks off SSL Week at CloudFlare. Over the course of this week, we'll make a series of announcements on what we're doing to improve encryption on the Internet. Inherently, for encryption to be the most effective, it has to meet three criteria: 1) it needs to be easy and inexpensive to use; 2) it needs to be fast so it doesn't tax…