Feature supports SPDY protocol for improved web performance

Sep 29, 2014 22:41 GMT  ·  By

Starting today, CloudFlare provides all of its customers, even those who signed up for the free version of its service, with SSL certificates without any additional costs.

The operation is part of deploying a new free service, called Universal SSL. As the name suggests, it is designed to provide the benefit of an encrypted connection between the client and the web server.

The process is expected to complete for all existing customers by the end of the day. New clients also benefit from the feature: it is available immediately on paid plans, while a free plan needs a period of 24 hours for activation.

SSL not available for traffic to the origin

“For all customers, we will now automatically provision a SSL certificate on CloudFlare's network that will accept HTTPS connections for a customer's domain and subdomains. Those certificates include an entry for the root domain (e.g., example.com) as well as a wildcard entry for all first-level subdomains (e.g., www.example.com, blog.example.com, etc.),” Matthew Prince, CEO of CloudFlare, says in a company blog post.

Prince also adds that, for websites that did not use SSL before, the traffic from the client browser to CloudFlare will be automatically encrypted, but the traffic between CloudFlare and the site’s web server will not be protected; for websites with SSL enabled on the web server, all traffic (from the visitor to CloudFlare and from CloudFlare to the origin) is encrypted.

ECDSA chosen for increased performance and security

In order to set up Universal SSL, the company had to overcome technical challenges so that the rollout would not consume excessive resources.

This matters for a large-scale deployment such as this one, as the encryption used adds CPU load. As such, the ECDSA (Elliptic Curve Digital Signature Algorithm) cipher suite has been selected for the job because it places a lower load on the systems than traditional cryptographic algorithms.

Apart from the technical issues overcome with the adoption of ECDSA, the cipher suite also delivers performance benefits (faster SSL connection setup) and increased security thanks to support for Perfect Forward Secrecy (PFS); this is a feature of public key cryptography designed to protect each communication session separately by negotiating fresh session keys for it, so that a later compromise of the long-term key does not expose past sessions.

Another challenge is SSL termination on IPv4: in the original SSL design the HTTP Host header is sent only inside the encrypted connection, so the server must pick a certificate before it knows which site the client wants, and as such only one certificate per IP address would be available. The company cannot assign a unique address to each of its customers since the number of IPs at its disposal is limited.

Getting past these difficulties means that free customers have to meet certain requirements to benefit from the free Universal SSL. A modern browser (less than six years old) is required for ECDSA support and for SNI (Server Name Indication), an SSL protocol extension that lets the client name the site it wants during the handshake, so that the server can return different certificates for the same IP address.
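The SNI mechanism described above, as an added illustration (not code from CloudFlare or from the original article): a real ClientHello is captured from OpenSSL through Python's ssl module, and the server_name extension is parsed out of it, which is the information an edge serving many sites on one IP address uses to choose the certificate. The hostnames are constructed examples.

```python
import ssl
import struct
from typing import Optional


def capture_client_hello(server_hostname: str) -> bytes:
    """Drive a real OpenSSL client handshake into memory BIOs and return the
    bytes it wants to send first: the TLS record carrying the ClientHello."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()          # nothing has arrived yet, so OpenSSL
    except ssl.SSLWantReadError:    # stops right after writing ClientHello
        pass
    return outgoing.read()


def extract_sni(record: bytes) -> Optional[str]:
    """Return host_name from the ClientHello's server_name extension, or None.
    The name travels in the clear in the first message, unlike the HTTP Host
    header, so a server can select a certificate before any key is agreed."""
    # TLS record header: type(1) version(2) length(2)
    # handshake header:  type(1) length(3); 0x16 = handshake, 0x01 = ClientHello
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                      # skip client_version and random
    pos += 1 + record[pos]                # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                # compression_methods
    if pos + 2 > len(record):
        return None                       # legacy client: no extensions block
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(record))
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0:                 # server_name (RFC 6066)
            # server_name_list: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += length
    return None                           # client sent no SNI (e.g. IP literal)


if __name__ == "__main__":
    for host in ("www.example.com", "blog.example.com"):
        print(host, "->", extract_sni(capture_client_hello(host)))
```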

By running Universal SSL for its customers’ websites, CloudFlare manages to significantly increase the number of websites offering secure connections.

“Yesterday, there were about 2 million sites active on the Internet that supported encrypted connections. By the end of the day today, we'll have doubled that,” says Prince, referring to the fact that CloudFlare has two million websites signed up for the free version of their service.