CloudFlare Free Full SSL; Not As Secure As You Think?

Jeff, Technical Articles & Notes

CloudFlare offer the option to provide SSL for your website without the hassle or expense of obtaining an SSL certificate.

It really is quite a hassle and it’s definitely expensive (relatively) so this is brilliant, especially as Google do rate an SSL site higher than a non-SSL one.

All you have to do is put your site behind CloudFlare and turn on FULL SSL.

Bingo. Your site now can be requested as:

https://www.yoursite.com (or whatever)

And will appear in (most) visitors’ browsers with a green padlock.

But. Check the communication between your site and CloudFlare. Because although the traffic between your site visitor and CloudFlare is now secured – unless you’ve configured things correctly, the subsequent traffic from CloudFlare to your website and back is completely unencrypted!

An easy way to check, if you have PHP running on your server, is to upload a file called (say) ‘test.php’ with the following content:

<?php
	phpinfo();
?>

And then request it in your browser, over SSL:

https://www.yoursite.com/test.php

You’re now looking for this line (_SERVER["HTTPS"] = on):

[Screenshot of the phpinfo() output: “Is SSL on? Is traffic served over HTTPS?”]

If it’s there, you’re fine. The traffic between your site and CloudFlare is indeed being encrypted. All is well.

If it’s not there that’s a big problem. And it genuinely might well not be. It wasn’t for me for two new sites I’ve recently added to my server.

What is happening is that CloudFlare is, for example, correctly receiving encrypted traffic from your visitor when they log in: their username and password. But it’s then sending that same data to your server completely unencrypted. So anyone on the network between CloudFlare and your server can see your site users’ usernames and passwords (or whatever else they’ve sent your way). It’s extremely misleading for the site visitor because they’re seeing the green padlock – there is no warning – it’s dangerous and it’s your responsibility!

Thankfully there’s a simple solution. Ensure your website has a self-signed SSL certificate (very easy to do on Parallels/cPanel, etc.), and then toggle (turn it off then on again) the SSL option on CloudFlare.

You can check if you’ve been successful by hard-refreshing the PHP script and checking again for the presence of:

_SERVER["HTTPS"] = on

If it’s there, you’re good to go.
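A more targeted version of the test.php check above (an added example, not code from the original post) that reports only the two facts you care about, rather than dumping the whole phpinfo() page: whether the CloudFlare-to-origin hop was encrypted ($_SERVER["HTTPS"]), and what scheme the visitor used when talking to CloudFlare, which CloudFlare passes to the origin in its CF-Visitor header as JSON such as {"scheme":"https"}. When the visitor used HTTPS but the origin saw plain HTTP, that is exactly the padlock-but-plaintext situation described in this post.

```php
<?php
// Added example: report whether the CloudFlare -> origin hop was encrypted and
// compare it with the scheme the visitor used towards CloudFlare.
// Assumes the request arrives via CloudFlare (so the CF-Visitor header is set).
// Unlike phpinfo() this prints nothing else about the server; delete the file
// once the check is done.
header('Content-Type: text/plain');

// What did this server actually receive from CloudFlare? Apache sets
// $_SERVER['HTTPS'] to "on" for TLS requests; IIS may set it to "off".
$originHttps = isset($_SERVER['HTTPS'])
    && $_SERVER['HTTPS'] !== ''
    && strtolower($_SERVER['HTTPS']) !== 'off';

// What scheme did the visitor use between browser and CloudFlare?
// The CF-Visitor header is exposed to PHP as $_SERVER['HTTP_CF_VISITOR'].
$visitorScheme = 'unknown';
if (!empty($_SERVER['HTTP_CF_VISITOR'])) {
    $cf = json_decode($_SERVER['HTTP_CF_VISITOR'], true);
    if (is_array($cf) && isset($cf['scheme'])) {
        $visitorScheme = $cf['scheme'];
    }
}

echo "Origin hop  (CloudFlare -> server):  HTTPS " . ($originHttps ? 'on' : 'OFF') . "\n";
echo "Visitor hop (browser -> CloudFlare): scheme {$visitorScheme}\n";

if ($visitorScheme === 'https' && !$originHttps) {
    // The dangerous case: green padlock in the browser, plaintext to the origin.
    echo "WARNING: visitor sees HTTPS but CloudFlare reached this server over plain HTTP.\n";
} elseif ($originHttps) {
    echo "OK: traffic between CloudFlare and this server is encrypted.\n";
} else {
    echo "Origin hop is not encrypted (visitor scheme: {$visitorScheme}).\n";
}
```

Request it over https:// exactly as with test.php; after fixing the origin certificate and toggling the CloudFlare SSL option, a hard refresh should move the first line from OFF to on.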