
Cloudflare's “Flexible SSL” Traffic Is Being MITMed by an Indian ISP - r1ch
https://medium.com/@karthikb351/airtel-is-sniffing-and-censoring-cloudflares-traffic-in-india-and-they-don-t-even-know-it-90935f7f6d98#.dniin5tz9
======
jswny
This "anyone can get SSL from CloudFlare for free" concept sounds great on the
outside but really it might do more harm than good giving the illusion of
security. The backend traffic needs to be SSL encrypted as well or else the
green lock icon is deceptive.

------
pfg
So The Pirate Bay is not using SSL for backend traffic. Just ... wow. _sigh_

------
predakanga
It's worth noting that "Flexible SSL" is the lowest security option available -
Cloudflare provide access to a free private CA
([https://blog.cloudflare.com/cloudflare-ca-encryption-origin/](https://blog.cloudflare.com/cloudflare-ca-encryption-origin/))
in order to encourage people to secure their backend connections.

I wonder if they might help combat the illusion of security by providing a
response header, well-known image URL or similar to indicate the backend SSL
status.

------
cs2818
This is a good demonstration that the nice green padlock in a browser is a
symbol full of nuance.

