It is almost always necessary and advisable to secure your website with an SSL/TLS certificate. Not only does this help your site's SEO, it also secures your visitors' trust in your site. Here we explore what CloudFlare offers regarding SSL/TLS, and how you can take advantage of these options to secure your site and improve performance.
CloudFlare has innovated in the security space for many years, and has continually worked to make both the end-user and developer experience easier. One of the first companies to offer a free SSL certificate to any site, CloudFlare has also expanded upon their offerings, technological sophistication, and security settings.
CloudFlare SSL/TLS Packages
CloudFlare offers several different certificate options; understanding which one makes the most sense for you is the first step.
Universal SSL
One of the first SSL offerings and still the most popular, Universal SSL is CloudFlare's free offering. Provided that CloudFlare is your authoritative DNS provider (necessary to take full advantage of CloudFlare), a new Universal SSL certificate will be issued within 15 minutes of domain activation. There are limitations to the free offering:
- Not compatible with all versions of browsers and operating systems.
- Universal SSL uses a shared certificate, which means you might see other customers' domain names in the Subject Alternative Name (SAN) field.
- Only covers first-level subdomains (e.g., dev.www.example.com will not work with SSL).
Advanced Certificate Manager (Previously Dedicated SSL)
Recently, CloudFlare rolled out the Advanced Certificate Manager. For $10.00 a month, you can generate your certificates with some unique features:
- Configurable Subject Alternative Names (SANs) to cover, for example, a second-level subdomain
- Removes CloudFlare branding from the certificate
- Adjusts a certificate's lifespan and controls the cipher suites
This can be enabled by navigating to the SSL/TLS tab from within a CloudFlare domain and clicking on Order Advanced Certificate.
Custom SSL (Business & Enterprise Customers Only)
This option lets a customer upload a certificate they purchased or created separately. Typically, this is for customers with Extended Validation (EV) or Organization Validated (OV) certificates. Self-signed certificates, i.e. certificates not signed by a valid Certificate Authority, will not work here.
Keyless SSL (Enterprise Customers Only)
Finally, the Keyless SSL option is an advanced configuration designed for companies with policies that restrict who may hold a certificate's private key. This adds some latency to each request, as the key is stored on a key server controlled by the customer that CloudFlare must contact to complete the TLS handshake and serve the content.
Origin Server Certificates
One of the benefits of Universal SSL was that you could encrypt browser/client traffic to CloudFlare without necessarily encrypting traffic from CloudFlare to the origin server (web host). For the many web hosts that were not properly set up to manage certificates, this meant a website owner could still serve encrypted traffic to browsers.
This is not perfectly secure, as traffic from CloudFlare to the web host is unencrypted and could be read by a man-in-the-middle attack. To mitigate this, you have a few options:
- Flexible – Default option with no Origin server encryption
- Full – Origin server encryption, accepting a self-signed certificate (i.e., no need to purchase a certificate)
- Full (Strict) – Validation that the Origin server uses a properly signed certificate
With the Full (Strict) option, there are a few additional ways to make this work properly:
- Let’s Encrypt Certificate – By using the free SSL certificates offered by Let’s Encrypt, you will have a valid certificate encrypting the connection between your Origin server and CloudFlare.
- CloudFlare Origin CA Certificate – Perhaps even easier is the ability to use the Origin Certificates feature of CloudFlare to create a certificate, which you can download and install on your web host, that CloudFlare will trust.
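The three modes above differ in what the proxy verifies when it connects to the origin. The following added example (not CloudFlare's code) expresses each mode as the TLS client settings a proxy would use toward the origin, using Python's standard ssl module; the mode names and the optional origin_ca_bundle parameter are assumptions for illustration.

```python
import ssl
from typing import Dict, Optional

# Hypothetical helper: map a CloudFlare-style origin SSL mode to the client
# TLS settings a proxy would apply when it opens a connection to the origin.
def origin_tls_context(mode: str, origin_ca_bundle: Optional[str] = None) -> Optional[ssl.SSLContext]:
    # Normalise "Full (Strict)" / "full_strict" / "FULL STRICT" to one key.
    key = mode.lower().replace("(", "").replace(")", "").strip().replace(" ", "_")
    if key == "flexible":
        # No TLS to the origin at all: the proxy speaks plain HTTP on port 80.
        return None
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if key == "full":
        # Encrypt the hop, but accept any certificate: self-signed, expired,
        # or issued for the wrong name. check_hostname must be cleared before
        # verify_mode can be set to CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif key == "full_strict":
        # Require a chain to a trusted root and a matching hostname.
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        if origin_ca_bundle:
            # e.g. a bundle containing the CloudFlare Origin CA root (path is an assumption)
            ctx.load_verify_locations(cafile=origin_ca_bundle)
    else:
        raise ValueError(f"unknown origin SSL mode: {mode!r}")
    return ctx


def verification_summary(mode: str) -> Dict[str, bool]:
    """Plain-value summary of what each mode actually protects against."""
    ctx = origin_tls_context(mode)
    if ctx is None:
        return {"encrypted": False, "verifies_chain": False, "verifies_hostname": False}
    return {
        "encrypted": True,
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": bool(ctx.check_hostname),
    }


if __name__ == "__main__":
    for m in ("Flexible", "Full", "Full (Strict)"):
        print(f"{m:14s} {verification_summary(m)}")
```

The summary makes the trade-off concrete: Full encrypts the CloudFlare-to-origin hop but, because the chain is not verified, an on-path attacker with any certificate could still terminate it; only Full (Strict) ties the connection to a certificate the proxy trusts.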
CloudFlare SSL/TLS Configurations
Now that you understand how CloudFlare SSL/TLS works for a given domain, let's explore some of the available options to customize and secure a customer's experience. These are subject to change, but over the years options have generally only been added, not removed.
Always Use HTTPS
A simple toggle switch that forces all HTTP requests to return a 301 redirect to the equivalent HTTPS URL. This applies domain-wide; if you need a more targeted rule, use the Always Use HTTPS page rule to target a specific route.
HTTP Strict Transport Security (HSTS)
HSTS is a lengthy topic with many considerations, but in short this setting adds a Strict-Transport-Security header to responses, which lets a website specify and enforce a security policy in client web browsers. It helps to secure a website from many different attack types.
If SSL becomes disabled at any point, your visitors may lose access to your site for the duration of the cached max-age value, or until HTTPS is re-established and an HSTS header with a max-age of 0 is served.
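To show why the max-age lock-in matters, here is an added example (not CloudFlare's code) that parses a Strict-Transport-Security header and models a browser's HSTS cache as described in RFC 6797: the header is ignored on plain HTTP, a cached policy forces HTTPS for the host (and subdomains, if includeSubDomains is set) until max-age expires, and a max-age of 0 received over HTTPS clears it. The hostnames and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class HstsPolicy:
    max_age: int            # seconds the browser remembers the policy
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse the value of a Strict-Transport-Security header (RFC 6797 syntax)."""
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored, as the RFC requires.
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


class HstsCache:
    """Minimal model of a browser's HSTS store, keyed by host."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[HstsPolicy, int]] = {}

    def observe(self, host: str, header_value: str, now: int, over_https: bool = True) -> None:
        if not over_https:
            return  # a browser must ignore HSTS received over plain HTTP
        try:
            policy = parse_hsts(header_value)
        except ValueError:
            return  # malformed header: ignore it rather than break the site
        if policy.max_age == 0:
            self._entries.pop(host, None)   # max-age=0 clears the policy
        else:
            self._entries[host] = (policy, now)

    def must_use_https(self, host: str, now: int) -> bool:
        for cached_host, (policy, seen_at) in self._entries.items():
            if now >= seen_at + policy.max_age:
                continue  # expired
            if host == cached_host:
                return True
            if policy.include_subdomains and host.endswith("." + cached_host):
                return True
        return False


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("example.com", "max-age=31536000; includeSubDomains", now=0)
    print(cache.must_use_https("dev.example.com", now=3600))   # True: locked in
    cache.observe("example.com", "max-age=0", now=7200)
    print(cache.must_use_https("example.com", now=7300))       # False: cleared
```

The model also makes the operational point visible: once a one-year max-age has been cached, an origin whose HTTPS breaks cannot "turn HSTS off" for users who already visited, because the browser will refuse plain HTTP and the clearing header can only be delivered over a working HTTPS connection.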
Minimum TLS Version
In this day and age, it is highly recommended that a minimum version of TLS 1.2 is used, as older versions are subject to known attacks. The newest version, 1.3, is not widely adopted yet, so it is inadvisable to set that as the minimum version.
Opportunistic Encryption
Not intended as a replacement for HTTPS, this setting tells browsers that an encrypted version of the site is available for other protocols, such as HTTP/2. It should be used in conjunction with a regular SSL/TLS configuration.
TLS 1.3
This is the newest version of the TLS protocol and contains many enhancements. It is still not widely adopted and is blocked in some countries, so it is wise to enable it but not rely on this protocol version.
Automatic HTTPS Rewrites
To assist in fixing mixed content issues, i.e., a non-HTTPS link within an HTTPS page, you can use the ability for CloudFlare to rewrite page content before reaching a customer to fix those links. This is not perfect but does catch many inconsistent links. Ideally, the content itself should be fixed.
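The following added example (not CloudFlare's implementation) shows the kind of rewrite this feature performs and why it is "not perfect": only http:// URLs in src and href attributes are touched, only for hosts on an allow-list of hosts known to serve HTTPS, and a URL assembled by JavaScript at runtime is left alone. The HTML sample and the HTTPS_CAPABLE_HOSTS list are constructed for the example.

```python
import re
from typing import Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the list of hosts known to answer over HTTPS.
HTTPS_CAPABLE_HOSTS = {"example.com", "cdn.example.net"}

# Match src="http://..." / href='http://...' attributes only.
_ATTR_RE = re.compile(
    r"""(?P<attr>\b(?:src|href)\s*=\s*)(?P<q>["'])(?P<url>http://[^"']*)(?P=q)""",
    re.IGNORECASE,
)


def rewrite_mixed_content(html: str) -> Tuple[str, int]:
    """Return (rewritten_html, number_of_links_rewritten)."""
    count = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal count
        parts = urlsplit(m.group("url"))
        host = (parts.hostname or "").lower()
        if host not in HTTPS_CAPABLE_HOSTS:
            return m.group(0)  # unknown host: leave the link as it was
        # Drop an explicit :80, which would be wrong for an https:// URL.
        netloc = host if parts.port == 80 else parts.netloc
        new_url = urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        count += 1
        return f"{m.group('attr')}{m.group('q')}{new_url}{m.group('q')}"

    return _ATTR_RE.sub(repl, html), count


# Constructed page with three kinds of insecure reference.
SAMPLE_HTML = """<html><body>
<img src="http://example.com/logo.png" alt="logo">
<script src="http://cdn.example.net:80/app.js"></script>
<a href="http://legacy.example.org/docs">legacy host without HTTPS</a>
<script>var u = "http://" + location.host + "/api";</script>
</body></html>"""


if __name__ == "__main__":
    out, n = rewrite_mixed_content(SAMPLE_HTML)
    print(f"rewrote {n} link(s)")
    print(out)
```

Two of the four references are fixed; the link to a host not known to support HTTPS is untouched, and the script-built URL is invisible to an attribute rewriter, which is why fixing the content at the source remains the real solution.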
Certificate Transparency Monitoring
A newer beta feature, this sends email alerts to an account owner when a new certificate is issued for that particular domain. It helps to serve as an early warning system if a bad actor attempts to issue a certificate for your domain.
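As an added example of the check such monitoring performs (not CloudFlare's code), the function below scans a constructed, simplified set of CT log records and flags any certificate whose Subject Alternative Names cover a monitored hostname but whose issuer is not one you expect to see. The issuer names, hostnames and log indexes are all constructed placeholders.

```python
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Set


@dataclass
class CtEntry:
    """Simplified CT log record (constructed; real entries carry the full certificate)."""
    log_index: int
    issuer: str
    sans: List[str]
    not_before: str


def name_covers(san: str, hostname: str) -> bool:
    """True if a SAN entry matches hostname, honouring a single left-most wildcard label."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        # "*.example.com" covers "www.example.com" but not "example.com"
        # or "a.b.example.com" (the wildcard stands for exactly one label).
        return hostname.endswith(san[1:]) and hostname.count(".") == san.count(".")
    return san == hostname


def unexpected_issuances(
    entries: Iterable[CtEntry], monitored_hosts: Sequence[str], expected_issuers: Set[str]
) -> List[CtEntry]:
    """Return entries that cover a monitored host and were not issued by an expected CA."""
    alerts: List[CtEntry] = []
    for entry in entries:
        covers_us = any(
            name_covers(san, host) for san in entry.sans for host in monitored_hosts
        )
        if covers_us and entry.issuer not in expected_issuers:
            alerts.append(entry)
    return alerts


# Constructed log contents: two expected issuances, one for another domain,
# and one for our hostname from a CA we never used.
SAMPLE_LOG = [
    CtEntry(1, "CN=Expected CA (constructed)", ["example.com", "www.example.com"], "2021-01-01"),
    CtEntry(2, "CN=Expected CA (constructed)", ["*.example.com"], "2021-02-01"),
    CtEntry(3, "CN=Unknown CA (constructed)", ["www.example.com", "other.test"], "2021-03-01"),
    CtEntry(4, "CN=Unknown CA (constructed)", ["www.example.org"], "2021-03-02"),
]

MONITORED_HOSTS = ["example.com", "www.example.com"]
EXPECTED_ISSUERS = {"CN=Expected CA (constructed)"}


if __name__ == "__main__":
    for entry in unexpected_issuances(SAMPLE_LOG, MONITORED_HOSTS, EXPECTED_ISSUERS):
        print(f"ALERT: log index {entry.log_index}: {entry.issuer} issued for {entry.sans}")
```

In practice the expected-issuer set would list the CAs you actually use (for a CloudFlare-proxied site, CloudFlare's Universal SSL partners plus any custom or Let's Encrypt certificate on the origin), and every alert should be treated as worth investigating, because mis-issuance and legitimate-but-forgotten renewals look identical in the log.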
Disable Universal SSL
Finally, you have the option to disable Universal SSL altogether. This is generally not used unless you have a very specific need.
CloudFlare offers extensive features and abilities to securely and effectively manage site certificates. CloudFlare is constantly adding on new features, both to the free offerings and the paid options. For SSL and security needs, it is hard to beat CloudFlare, especially with their free offering!