by rarecoil
2657 days ago
> Sort of like how CloudFlare does with their "Flexible SSL". As an end user, I have no way of knowing if CloudFlare is proxying my credit card information over clear-text to an insecure origin server.

Cloudflare should really message if this is the case when using their gateway. Small UI changes to note this would likely go a long way toward coercing better overall security. When I use Cloudflare as a proxy, I also configure authenticated origin pulls[1] for better endpoint hardening. This makes it a bit more difficult to find a way to bypass the CF proxy, since hunting around on shodan etc. to find the server in the IPv4 space echoing the same content will not work.

[1] https://blog.cloudflare.com/protecting-the-origin-with-tls-a...

I've always hoped that Cloudflare would add an HTTP header indicating the backend encryption status. I filed this issue back in 2015: https://github.com/cloudflare/claire/issues/17
In fact, Nick Sullivan, the Head of Cryptography at Cloudflare, stated a few years ago: "CloudFlare would be very happy to be able to indicate to the user the nature of how data is encrypted beyond the IP you are connecting to. Unfortunately there is no way to do that yet in modern browsers. Soon we will be sending an additional header down to the browser to indicate if a site is using strict SSL, it will be up to the browser to display it." However, as far as I can tell, this has not been implemented.
https://blog.cloudflare.com/introducing-strict-ssl-protectin...