

CloudFlare enabling free SSL by mid-October - moonboots
https://blog.cloudflare.com/google-now-factoring-https-support-into-ranking-cloudflare-on-track-to-make-it-free-and-easy

======
nilved
Please note that using Cloudflare, even with free SSL, is not an increase to
the security and privacy of your users. On the contrary, Cloudflare records
information about your users (this cannot be disabled) and, by default, blocks
users who attempt to view your site through privacy-enhancing software. I
would suggest that people looking to install SSL on their website (this should
be everybody) instead get their free SSL certificate from gandi.net or
StartSSL, who do not spy on or block your users.

~~~
namidark
Gandi is free for a year and then expensive after - Namecheap may not be free
but renewals and initial costs are much lower. StartSSL is free but revoking
costs money.

~~~
Ecio78
Just checked now, Gandi is 40€/yr, not that expensive compared to big names
like Verisign & co. I have used in the past RapidSSL, but it is same price,
50$/yr. I've just checked Namecheap and it's reselling other SSL like Comodo
or Geotrust, but it looks less expensive, so yes, probably it's the best
price.

~~~
soulshake
At Gandi, a single-address standard SSL cert is $16/12€ per year. The $50/40€
applies to multi-address certs (3 addresses).

The full SSL price list is here:
[https://www.gandi.net/ssl/grid](https://www.gandi.net/ssl/grid)

~~~
Ecio78
You are right, I read the wrong line!

------
user3
Most of the websites won't encrypt the link from Cloudflare to the server,
ultimately defeating the purpose of SSL aside from a better search ranking.

~~~
guyht
Could you elaborate on this? My impression was that connections between data
centres (e.g. in the case of using an EC2 instance with Cloudflare) were
already very secure and therefore do not require SSL.

~~~
eli
Depends what you're trying to protect against. Those links are notably very
insecure against the NSA.

~~~
nly
It's reasonable to suppose that the NSA have a whole bunch of private signing
keys for a whole bunch of CAs, and will just MITM anyone they please
regardless of our puny efforts.

~~~
eli
I'm not sure that's a safe assumption and, regardless, an active MITM attack
is a much bigger deal than passively collecting traffic as it flows past you
in the clear.

------
donavanm
Are there more actual implementation details somewhere? Sounds like selecting
the ssl context based on the client's SNI request. This (obviously) would
predicate client SNI support, as opposed to anycast IPs or similar.

~~~
moonboots
CloudFlare's CEO says that free SSL will use SNI with ipv4 [1] and possibly
non-SNI with ipv6 [2]. A CloudFlare engineer has discussed splitting the SSL
handshake between servers so their many edge nodes don't need to keep customer
secret keys in memory [3]. However, this sounds slightly different than the
lazy loading behavior in the blog post.

[1] [https://news.ycombinator.com/item?id=7910849](https://news.ycombinator.com/item?id=7910849)

[2] [https://twitter.com/eastdakota/status/478369486643658754](https://twitter.com/eastdakota/status/478369486643658754)

[3] [http://www.slideshare.net/cloudflare/running-secure-server-s...](http://www.slideshare.net/cloudflare/running-secure-server-sw-on-insecure-hw-without-parachute)

~~~
asdfaoeu
Non-SNI over ipv6 seems pretty pointless since anything supporting ipv6 is
going to have sni anyway.

~~~
otterley
Not true; Windows XP supports IPv6 but not SNI.

~~~
p1mrx
While that's technically true, XP doesn't enable IPv6 by default, so virtually
no one uses it.

------
alanbyrne
Does it bother anyone else that when you try to visit the Google post
explaining that they are using HTTPS as a ranking signal via https it
redirects to http?

[http://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-...](http://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-ranking-signal_6.html)

------
curiousjorge
what I just paid 20/month for the SSL....

Update: I have another concern I just found out.

For example, I do a lot of web scraping through my domain and I see that I was
automatically opted in to use
[https://www.cloudflare.com/apps/scrapeshield](https://www.cloudflare.com/apps/scrapeshield),
something that is supposed to block scraping.

There's a huge conflict of interest if it turns out that the cloudflare
network actively aims to help block scraping.

I know you guys said you will be on the neutral side but if the cloudflare is
helping Scrapeshield become more intelligent about scraping by monitoring my
scraping actions, I really don't know if it's wise to stay with cloudflare, as
much as I love it.

~~~
eastdakota
We'll be adding some cool new features to our paid plans at the same time, so
I hope you'll decide to continue paying us the $20.

~~~
thoughtpolice
Good to hear - I just signed up and put in the $20 myself (not a very large
barrier), and I'm glad features like custom certificates (& other things) will
be available as mentioned elsewhere in this thread. CloudFlare seems like a
great product so far.

------
general_failure
Do not announce things until done. This is just a shameless marketing stunt.

------
junto
I presume that customer private keys need to be stored on Cloudflare servers
to implement this. Has that just made Cloudflare servers a legitimate prime
NSA target?

I.e. all your keys belong to us

~~~
rdl
We have a product, "keyless ssl", which is used by some customers to retain on
premise custody of their asymmetric key material, actually.

------
taksintik
Cloudflare throwing it down with authority...well played. In the end the
consumer really doesn't give a hoot. They want simple.

------
tanglesome
Why are people up-voting an ad?

------
willu
Are EV certs going to remain Business/Enterprise-only?

~~~
eastdakota
No.

~~~
daveslash
I would have guessed EV certs to remain business only. Well, perhaps not
_business_ only, but still requiring additional validation. How do you believe
EV will be handled? Thanks!

EDIT: I didn't realize you represented CloudFlare. I'm genuinely curious how
EV certs will work. Thanks!

~~~
eastdakota
You'll have to supply your own EV cert, but you'll be able to use custom certs
(EV or otherwise) at the Pro ($20/mo) level.

~~~
daveslash
Thank you!

------
tuananh
CloudFlare is the coolest free CDN out there.

