by jephir 3692 days ago
The biggest thing for me is that you can use secure WebSockets (wss://) without having to setup TLS on your origin server. This greatly improves the ability to establish WebSocket connections across proxies.

So what you want to do is fool clients into believing there is transport encryption while actually there is none, and the communication with the origin server happens in the clear?
From what I remember, CF actually requires an SSL certificate, but they'll accept a self-signed one (because they already validate ownership themselves).
It's not wrong, given that it's a reply to this statement: "... without having to setup TLS on your origin server." Strict mode is optional. It's certainly possible (and highly recommended!) to use transport encryption in both directions with CloudFlare, but that's not what jephir described here.
Why wouldn't you set up TLS?? That makes no sense. By "setup" he means buying a cert.
You don't need to buy certificates. There are at least four CAs offering free certificates, with at least two (Let's Encrypt and StartSSL) offering API-based issuance. Getting a publicly-trusted certificate from Let's Encrypt is roughly the same amount of work as finding out how to get the OpenSSL CLI to issue a self-signed certificate, or using CloudFlare's tool to get one from their CA.
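Added example (not posted by anyone in the thread): the OpenSSL CLI route the last comment mentions, issuing a self-signed certificate for an origin server that sits behind a proxy which validates ownership itself, plus two checks that matter for the thread's point. The hostname `origin.example.internal` and the output directory are assumptions. Note the last check: the certificate is good enough for proxy-to-origin encryption, but no public client will trust it, which is exactly why a publicly-trusted certificate (e.g. from Let's Encrypt) is the better option when it costs the same effort.

```shell
#!/bin/sh
# Issue a self-signed certificate for an origin server with the OpenSSL CLI.
# $1 = hostname (assumed: origin.example.internal), $2 = output directory.
# Requires OpenSSL 1.1.1 or newer for -addext / -ext.
make_origin_cert() {
  host="$1"; dir="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    -keyout "$dir/origin.key" -out "$dir/origin.crt" >/dev/null 2>&1
}

# Check 1: the certificate actually names the origin host in its SAN,
# which is what a proxy in a "full/strict" mode would match against.
# $1 = hostname, $2 = certificate file.
cert_names_host() {
  openssl x509 -in "$2" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$1"
}

# Check 2: issuer equals subject, i.e. the certificate is self-signed.
# $1 = certificate file.
cert_is_self_signed() {
  i=$(openssl x509 -in "$1" -noout -issuer)
  s=$(openssl x509 -in "$1" -noout -subject)
  [ "${i#issuer=}" = "${s#subject=}" ]
}

# Check 3: would a client using the system trust store accept it?
# For a self-signed origin certificate the answer is no; it only works
# because the proxy in front validates ownership out of band.
# $1 = certificate file. Returns 0 only if the system store trusts it.
trusted_by_system_store() {
  openssl verify "$1" >/dev/null 2>&1
}

# Usage (constructed values):
#   make_origin_cert origin.example.internal ./origin-tls
#   cert_names_host origin.example.internal ./origin-tls/origin.crt && echo "SAN ok"
#   cert_is_self_signed ./origin-tls/origin.crt && echo "self-signed"
#   trusted_by_system_store ./origin-tls/origin.crt || echo "not publicly trusted"
```

The key and certificate go on the origin server; the proxy side pins nothing and simply needs a certificate to negotiate TLS with. Keep `origin.key` readable only by the server process, and treat a certificate that fails the third check as unsuitable for anything a browser connects to directly.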