Origin Server Connection Security with Universal SSL

by Nick Sullivan.

Earlier today, CloudFlare enabled Universal SSL: HTTPS support for all sites by default. Universal SSL provides state-of-the-art encryption between browsers and CloudFlare’s edge servers, keeping web traffic private and secure from tampering.

CloudFlare’s Flexible SSL mode is the default for CloudFlare sites on the Free plan. Flexible SSL mode means that traffic from browsers to CloudFlare will be encrypted, but traffic from CloudFlare to a site's origin server will not be. To take advantage of our Full and Strict SSL mode—which encrypts the connection between CloudFlare and the origin server—it’s necessary to install a certificate on the origin server.

We made Universal SSL free so that everyone can use modern, strong encryption tools to protect their web traffic. More encrypted traffic helps build a safer, better Internet. In keeping with CloudFlare’s goal to help build a better Internet, we have some tips on how to upgrade your site from Flexible SSL to Full or Strict SSL.

Option 1: Full SSL: create a self-signed certificate

Dealing with Certificate Authorities (CAs) can be frustrating, and the process of obtaining a certificate can be time-consuming. In the meantime, you can get started by installing a self-signed certificate on your origin server. This allows CloudFlare to encrypt the communication with the origin, protecting the communication against passive surveillance, but not against active attackers.

Our handy CSR guide for CFSSL describes how to generate a self-signed certificate. Using OpenSSL to create it is another option.

Once you have created a self-signed certificate and private key, you can install them on your origin server. Digicert has a guide for installing a certificate that covers the most popular server software.

Keep in mind that a self-signed certificate is not signed by a trusted CA. This means that you can change your SSL setting from Flexible SSL to Full, but not Full (strict). Full SSL won’t be able to provide authentication, but it will make sure the connection to the origin is encrypted and protected from passive snoopers.
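As an added example (not code from this post, and not CloudFlare's own implementation), the Go program below builds the kind of self-signed certificate Option 1 describes and then performs two local TLS handshakes against it: one that encrypts without validating the chain, which is what Full SSL does, and one that insists on a trusted root, which is what Full (strict) does. The hostname origin.example and the empty trust pool standing in for a public root store are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// originName is a constructed hostname for the example; it is not a real origin.
const originName = "origin.example"

// newSelfSignedCert builds what Option 1 installs on the origin: a key pair and a
// certificate signed by that same key, which therefore chains to no trusted CA.
func newSelfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: originName},
		DNSNames:     []string{originName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Passing the template as its own parent makes the certificate self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshake starts a throwaway TLS server presenting cert and connects to it once.
// strict=false mirrors Full SSL (encrypt, do not authenticate); strict=true mirrors
// Full (strict), which requires the chain to end at a root in the trust store.
func handshake(cert tls.Certificate, strict bool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return err
	}
	defer ln.Close()

	// Accept one connection and drive the server side of the handshake; any
	// verification failure is reported to the client, which is what we inspect.
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake()
	}()

	cfg := &tls.Config{ServerName: originName}
	if strict {
		// An empty pool stands in for a public root store that does not contain
		// the origin's self-signed certificate.
		cfg.RootCAs = x509.NewCertPool()
	} else {
		cfg.InsecureSkipVerify = true // accept any certificate, but still encrypt
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	return nil
}

func main() {
	cert, err := newSelfSignedCert()
	if err != nil {
		panic(err)
	}
	fmt.Println("Full (encrypted, unauthenticated):", handshake(cert, false))
	fmt.Println("Full (strict), self-signed origin:", handshake(cert, true))
}
```

The first handshake succeeds and the second fails with an unknown-authority error, which is exactly why a self-signed origin certificate can be used with Full but not with Full (strict): the bytes on the wire are encrypted either way, but only a chain to a trusted root tells the client it reached the right origin.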

Option 2: Strict SSL: get a certificate from a trusted CA

Most CAs offer low-cost or even free certificates. A popular CA that offers free SSL certificates is StartSSL. Buying and installing a trusted certificate on your origin server is currently the simplest way to enable Strict SSL on your site.

To enable TLS on your server, you need both a certificate and a corresponding private key. The first step in obtaining a certificate from a CA is creating a Certificate Signing Request (CSR). A CSR contains your public key and a proof that you have the associated private key. The CA will verify it and give you back a certificate that you install on your web server. We put together a guide to creating a private key and CSR with CloudFlare’s CFSSL tool that you can use, or alternatively, there’s always OpenSSL.

Once you have a certificate installed on your origin server, you can change your SSL setting from Flexible to Full (strict) and have the added benefit of an authenticated and encrypted connection to your origin server.

Option 3: (sneak preview) The CloudFlare Origin CA/Certificate Pinning

Soon you will be able to send your CSR to CloudFlare to get a certificate instantaneously, speeding up the certificate acquisition process. This process will be like that of a regular CA, but much faster. These certificates aren't yet trusted by browsers, but will be trusted by CloudFlare, allowing the back-end connection to be both encrypted and authenticated. This also protects your site if one of the publicly trusted certificate authorities is compromised by attackers and used to issue illegitimate certificates.

We’re also investigating the possibility of adding a feature called Certificate Pinning. Certificate Pinning would allow you to tell CloudFlare exactly which certificate to trust for your origin. This would allow customers to use hosting services that don’t allow custom certificates to have the benefit of a fully encrypted tunnel, or to simply use a self-signed certificate and get the benefit of both authentication and encryption.
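The following Go program is an added example that ties together the CSR step from Option 2 and the origin-CA and pinning ideas from Option 3; it is not code from this post, from CFSSL, or from CloudFlare's Origin CA. It shows the two halves of a CSR exchange (the requester signs the CSR with its private key, the CA checks that signature as proof of possession before issuing), then verifies the issued leaf the way a strict client would, and finally computes a pin for the origin. The CA name "Example Origin CA" and the hostname origin.example are constructed, and expressing the pin as the SHA-256 of the SubjectPublicKeyInfo is an assumption about how a pinning feature might identify a certificate, not a description of CloudFlare's feature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Constructed names for the example; neither is a real CA or origin.
const (
	caName     = "Example Origin CA"
	originName = "origin.example"
)

// newCA creates a private root. A public CA and an origin-only CA sign the same
// way; they differ only in who has the root in their trust store.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCSR is the origin's side: the CSR carries the public key and is signed with
// the private key, which is the proof of possession the CA will check.
func newCSR(originKey *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: originName},
		DNSNames: []string{originName},
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, originKey)
}

// issueFromCSR is the CA's side: refuse a CSR whose self-signature does not
// verify, then copy the requested names and key into a CA-signed leaf.
func issueFromCSR(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames, // the CA, not the requester, decides which names to honour
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyStrict is what Full (strict) does: the leaf must chain to a root in the
// trust store and carry the origin's name. A nil root means an empty store.
func verifyStrict(leaf, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	if root != nil {
		roots.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: originName})
	return err
}

// spkiPin expresses the pinning idea: identify the origin by a hash of its
// public key, so the client trusts exactly that key and consults no CA.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

func main() {
	ca, caKey, _ := newCA()
	originKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csr, _ := newCSR(originKey)
	leaf, err := issueFromCSR(csr, ca, caKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("strict, root trusted:  ", verifyStrict(leaf, ca))
	fmt.Println("strict, root untrusted:", verifyStrict(leaf, nil))
	fmt.Println("pin for this origin:   ", spkiPin(leaf))
}
```

Two properties are worth noticing. The CA never sees the origin's private key; CheckSignature on the CSR is all the evidence it needs that the requester holds it, and a CSR whose signature has been altered is refused. And the pin is a property of the origin's key, not of any CA, which is why pinning lets a self-signed origin certificate be authenticated as well as encrypted.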
