Blog What we do Support Community
Login Sign up

End of the road for RC4

Published on by John Graham-Cumming.

Today, we completely disabled the RC4 encryption algorithm for all SSL/TLS connections to CloudFlare sites. It's no longer possible to connect to any site that uses CloudFlare using RC4. Over a year ago, we disabled RC4 for connections for TLS 1.1 and above because there were more secure

Origin Server Connection Security with Universal SSL

Published on by Nick Sullivan.

Earlier today, CloudFlare enabled Universal SSL: HTTPS support for all sites by default. Universal SSL provides state-of-the-art encryption between browsers and CloudFlare’s edge servers keeping web traffic private and secure from tampering. CloudFlare’s Flexible SSL mode is the default for CloudFlare sites on the Free plan. Flexible SSL

Introducing Strict SSL: Protecting Against a Man-in-the-Middle Attack on Origin Traffic

Published on by Nick Sullivan.

Update: Cloudflare now issues free certificates for the origin, see: for more details At CloudFlare, we are always looking for ways to improve the security of our customers’ websites. One of the features we provide is the ability to serve their website encrypted over

Killing RC4 (softly)

Published on by Piotr Sikora.

Back in 2011, the BEAST attack on the cipher block chaining (CBC) encryption mode used in TLS v1.0 was demonstrated. At the time the advice of experts (including our own) was to prioritize the use of RC4-based cipher suites. The BEAST vulnerability itself had already been fixed in TLS