Cloudflare offers free SSL to everyone

alberthrocks:
https://blog.cloudflare.com/introducing-universal-ssl/

Dubbed Cloudflare Universal SSL, they are now offering free SSL to everyone, including free plans!
This includes if you are running a non-secured (no HTTPS) website, in which case they will still give you HTTPS, but warn you that their server to your website will be unencrypted. (Do NOT try to run an e-commerce website if this is the case!)

The catch? For free users, they are deprecating support for older browsers by enforcing newer security standards - ECDSA and SNI.
(ECDSA is a newer and more secure encryption algorithm, and SNI is just a way to emit different SSL certificates from one IP!)

SNI support:

--- Quote ---
Desktop Browsers
* Internet Explorer 7 and later
* Firefox 2
* Opera 8 with TLS 1.1 enabled
* Google Chrome:
 Supported on Windows XP on Chrome 6 and later
 Supported on Vista and later by default
 OS X 10.5.7 in Chrome Version 5.0.342.0 and later
* Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later).
* Note: No versions of Internet Explorer on Windows XP support SNI

Mobile Browsers
* Mobile Safari for iOS 4.0
* Android 3.0 (Honeycomb) and later
* Windows Phone 7
--- End quote ---
Source: https://www.digicert.com/ssl-support/apache-secure-multiple-sites-sni.htm

Warning: Technical jargon follows!

ECDSA support gets murky, though. According to Cloudflare, it is not available on Windows XP (and below), or anything older than Android 4.0 ICS.
To clarify, they're saying you MUST have Windows Vista (and newer), as well as Android 4.0 ICS (and newer).

...but wait! Does that mean everyone using Windows XP is screwed? Not quite.
According to https://github.com/client9/sslassert/wiki/IE-Supported-Cipher-Suites, SSL support for IE depends on the OS's SSL support. Running IE8 on XP means that the SSL support will suffer, since IE8 will use XP's SSL support, which doesn't have the new ECDSA. (Not totally sure about SNI, though.)

So what do Firefox and Chrome use? They use their own library called NSS, which is their own SSL stack that supports EVERYTHING - so as long as you're running a pretty recent version of Firefox/Chrome, you're fine! Safari/Opera support is still unknown though. Supposedly, Opera should be using NSS since they've moved to Chrome's core, but not too sure...

In Plain English
If you're on Windows XP and you use IE: regardless of version, you will NOT be able to access a Cloudflare SSL secured site.
If you're on Windows XP and you use the latest Firefox/Chrome: you WILL be able to access a Cloudflare SSL secured site.
If you're on Windows Vista and you use the latest browser: you WILL be able to access a Cloudflare SSL secured site.
If you're on Linux and you use the latest browser (with a recent OpenSSL): you WILL be able to access a Cloudflare SSL secured site.
If you're on Android and you use Android ICS 4.0 or later: you WILL be able to access a Cloudflare SSL secured site.
If you're on iOS/Mac OS X and/or using Safari/Opera: UNKNOWN. See the next section for more details.

Finding out if you have ECDSA/SNI:
A lot of websites run with Cloudflare (including Omnimaga) - however, many will probably wait to see whether SSL support is available yet for a good amount of platforms.

That said, if you're unsure (or wanna help us out), take our survey:
https://docs.google.com/forms/d/1tXP6uoqoZUQmvPV5tclc16Nlwuza2U60_xRCAJ4BL9g/viewform

In the survey, there is a website that will tell you everything - including whether you have ECDSA and SNI or not!

withgusto...
We're not too sure whether we want to adopt this yet or not - we'll probably make a decision once the migration is complete.
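
Added example, not part of the original post: the kind of check a "do you have ECDSA/SNI" test page can run on the server side, reading a raw TLS ClientHello to see whether the client sends the SNI extension and offers any ECDSA cipher suite. The function names, the subset of suite IDs, and the two sample hellos are constructed for illustration, and "ok" only means the client advertises both features.

```python
import struct

# IANA cipher suite IDs that need an ECDSA certificate (subset, not exhaustive).
ECDSA_SUITES = {0xC009: "ECDHE-ECDSA-AES128-SHA", 0xC00A: "ECDHE-ECDSA-AES256-SHA",
                0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
                0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384"}
EXT_SERVER_NAME = 0  # extension type for SNI (RFC 6066)

def inspect_client_hello(record: bytes) -> dict:
    """Report the SNI name and ECDSA suites offered in one ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                  # client_version + random
    pos += 1 + body[pos]                          # session_id
    n = int.from_bytes(body[pos:pos + 2], "big")
    suites = struct.unpack(f">{n // 2}H", body[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + body[pos]                          # compression methods
    sni = None
    if pos + 2 <= len(body):                      # old clients send no extensions
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= min(end, len(body)):
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_SERVER_NAME and elen >= 5:
                # list_len(2) name_type(1) name_len(2) host_name
                name_len = int.from_bytes(body[pos + 3:pos + 5], "big")
                sni = body[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    ecdsa = [ECDSA_SUITES[s] for s in suites if s in ECDSA_SUITES]
    return {"sni": sni, "ecdsa": ecdsa, "ok": bool(sni and ecdsa)}

def build_hello(suites, host=None) -> bytes:
    """Constructed sample input: a minimal ClientHello record, not a capture."""
    body = b"\x03\x01" + bytes(32) + b"\x00"     # version, random, empty session_id
    body += struct.pack(f">H{len(suites)}H", 2 * len(suites), *suites) + b"\x01\x00"
    if host:
        name = host.encode()
        entry = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack(">HH", EXT_SERVER_NAME, len(entry)) + entry
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

MODERN = build_hello([0xC02B, 0xC02F, 0x002F], "example.org")   # SNI + ECDSA
LEGACY = build_hello([0x002F, 0x000A])                           # neither
```

A hello like `LEGACY`, with RSA-only suites and no extensions block, is what the post's "will NOT be able to access" cases look like on the wire.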

Eeems:
Still waiting on proper propagation for Omnimaga to make use of this.

Juju:
Sounds fun! I'd probably turn it on for my website, but make it optional (because they don't really need HTTPS).

DJ Omnimaga:
So basically this lets Omnimaga use the https that many people requested in the past without having to purchase an expensive certificate? Also, for unsupported browsers, would the site just error completely or just warn you that you have to accept the certificate? On TVA Nouvelles, for example, I get asked to accept some certificate thing when I browse the website via Android 2.2.2 browser or Opera 12.17 but not from any other browser.

Eeems:
https == http via an ssl connection.
To answer other questions about Cloudflare, these are good articles to read:

* https://blog.cloudflare.com/introducing-universal-ssl/
* https://blog.cloudflare.com/origin-server-connection-security-with-universal-ssl/
* https://blog.cloudflare.com/universal-ssl-be-just-a-bit-more-patient/

I'm not entirely sure if it will ask you to accept the cert or just error. I'd have to test since the articles don't really talk about that.
According to my testing you will just be prompted to accept the certificate.
