

Now that CloudFlare offers free SSL, would a new HTTP header be helpful? - xPaw
http://security.stackexchange.com/q/68586

======
vtlynch
I agree that while Cloudflare's announcement is great, it does subvert the
visual indicator of the green browser padlock.

Yes, its possible for any implementation of SSL to use the same method
Cloudflare is using, and not provide end to end encryption. However by
doubling the number of encrypted sites in one day, Cloudflare has now made it
much more likely that you run into a partially encrypted site.

I would like to see some sort of way for interested parties to see if their
connection was via "Flexible SSL" or not.

------
0x0
HTTP header won't work, since the client must have sent the full request
before the server can respond with a HTTP header, it is already too late to
protect the data inside the client's request. If anything it should perhaps be
some kind of SSL handshake flag.

Also, not a single site will actually set the flag that indicates their SSL
implementation sucks.

