No upgrade needed: CloudFlare sites already protected from FREAK
March 04, 2015 12:32AM
The newly announced FREAK vulnerability is not a concern for CloudFlare's SSL customers. We do not support 'export grade' cryptography (which, by its nature, is weak) and we upgraded to the non-vulnerable version of OpenSSL the day it was released in early January....
Continue reading »
End of the road for RC4
February 23, 2015 6:51PM
Today, we completely disabled the RC4 encryption algorithm for all SSL/TLS connections to CloudFlare sites. It's no longer possible to connect to any site that uses CloudFlare using RC4....
The Web is World-Wide, or who still needs RC4?
May 19, 2014 3:00PM
Two weeks ago we changed our TLS configuration to deprioritize the RC4 encryption method because it is widely thought to be vulnerable to attack. At the time we had an internal debate about turning off RC4 altogether, but statistics showed that we couldn't....
Killing RC4: The Long Goodbye
May 07, 2014 5:00AM
At CloudFlare we spend a lot of time thinking about the best way to keep our customers’ data safe. Despite recent troubles, HTTPS is still the best way to deliver encrypted content for the web....
Killing RC4 (softly)
January 29, 2014 12:00PM
Back in 2011, the BEAST attack on the cipher block chaining (CBC) encryption mode used in TLS v1.0 was demonstrated. At the time the advice of experts (including our own) was to prioritize the use of RC4-based cipher suites....
July 12, 2013 12:02AM
Staying on top of TLS attacks
CloudFlare makes extensive use of TLS connections throughout our service which makes staying on top of the latest news about security problems with TLS a priority. We use TLS both externally and internally and different uses of TLS have different constraints....