CloudFlare enabling free SSL by mid-October(blog.cloudflare.com) |
CloudFlare enabling free SSL by mid-October(blog.cloudflare.com) |
We don't comment on our customers unless they authorize us to, but based on the list of public ones, I would be pretty comfortable, even if I didn't work there.
Side note: Your announcement is really exciting.
http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gb...
"[The DDoS-for-pay] industry probably would destroy itself without Cloudflare’s protection, and furthermore ... some might perceive a credibility issue with a company that sells DDoS protection services providing safe haven to an entire cottage industry of DDoS-for-hire services."
(Aside: self signed certs don't protect the connection from active attacks unless CloudFlare pins the cert. I'm mainly concerned with passive eavesdropping though.)
http://blog.cloudflare.com/introducing-strict-ssl-protecting...
[1] https://news.ycombinator.com/item?id=7910849
[2] https://twitter.com/eastdakota/status/478369486643658754
[3] http://www.slideshare.net/cloudflare/running-secure-server-s...
http://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-...
I.e. all your keys belong to us
EDIT: I didn't realize you represented cloud-flare. I'm genuinely curious how EV certs will work. Thanks!
Update: I have another concern I just found out.
For example, I do a lot of web scraping through my domain and I see that I was automatically opted in to use https://www.cloudflare.com/apps/scrapeshield, something that is supposed to block scraping.
There's a huge conflict of interest if it turns out that the cloudflare network actively aims to help block scraping.
I know you guys said you will be on the neutral side but if the cloudflare is helping Scrapeshield become more intelligent about scraping by monitoring my scraping actions, I really don't know if it's wise to stay with cloudflare, as much as I love it.
http://blog.cloudflare.com/introducing-scrapeshield-discover...
The full SSL price list is here: https://www.gandi.net/ssl/grid
Cloudflare's connection to your server is insecure
This isn't always the case. The connection can be secure.[1] http://www.washingtonpost.com/world/national-security/nsa-in...
Old android/mobile clients are another case. Mobile operators are moving towards transparent "4 in 6" NAT/encap on their edges. The server would see a layer 3 IPv6 client, while the actual layer 7 client is an old Android/java stack.