by profmonocle 2657 days ago
I really wish CF would phase out flexible SSL or at least disable it by default. (And warn users of the risks when enabling it.) Same goes for any CDN offering HTTPS to HTTP proxying over the public Internet.

It made a bit more sense in 2014 when there were more barriers to getting a real cert for your personal blog / forum / whatever - the cost of the cert itself, hosting companies charging for a dedicated IP (because they hadn't gotten the memo on SNI), or the maintenance burden of manually renewing if you ran your own VM.

But Let's Encrypt makes it trivial to auto-provision a real certificate, and many (if not most) hosts support setting it up through their control panels. The HTTP-01 challenge (which is now the default) works fine behind Cloudflare.

If you don't want to (or can't) use Let's Encrypt, Cloudflare themselves offer certificates from a private CA that you can install on your origin. These certs are trusted by their proxies and can last a lot longer than publicly-trusted certs (10+ years I believe), so it's a good option if you're stuck with a server setup that makes you manually upload cert files.

There's just no good reason to proxy HTTPS traffic over HTTP anymore (if there ever was). Enabling it by default is encouraging awful security practices.

2 comments

> There's just no good reason to proxy HTTPS traffic over HTTP anymore (if there ever was). Enabling it by default is encouraging awful security practices.

I'm a big fan of end-to-end encryption but I think a statement that broad should include a threat model. Not everyone is saving user credentials, credit card numbers, etc. and if you're primarily concerned about someone hijacking the local network or untargeted national snooping, having HTTPS between the user and CloudFlare is a really big improvement because far more tampering happens at the edge rather than between the datacenter server serving your content and CloudFlare's network.

I do agree that this should be less and less acceptable as so much of the infrastructure has improved but there are still things like personal blogs and other content sites where you mostly don't want things like hostile ISPs injecting ads or malware onto your pages. That might make a good transition for Flexible SSL — start rebadging the UI to increasingly strongly emphasize that it's not suitable for sites with logins, PII, etc.

> "untargeted national snooping"

While I do not disagree with your sentiment, there have been cases of untargeted national snooping/censorship affecting sites with flexible SSL because governments can and often do sit between the local Cloudflare server and the origin.

https://medium.com/@karthikb351/airtel-is-sniffing-and-censo...

I've also been hoping that Cloudflare would add a header indicating the backend encryption status, so that we can look at how sites are configured and whether any "important" sites are using flexible SSL:

https://github.com/cloudflare/claire/issues/17

Seconding CloudFlare's private CA. It's simpler and arguably more secure (fewer people to talk to, fewer moving parts, and most importantly, no need for backward compatibility), so there's really no excuse.
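
Added example, not part of the thread and not Cloudflare's code: visitors cannot see how the edge-to-origin hop is protected, but the origin can. This WSGI sketch flags requests that the proxy headers say were HTTPS at the edge yet arrived at the origin in plaintext, which is the Flexible SSL pattern discussed above. It assumes the proxy sets `CF-Visitor` and `X-Forwarded-Proto` and that the WSGI server terminates TLS itself; `edge_scheme`, `classify_hop` and `HopAudit` are hypothetical names.

```python
import json

def edge_scheme(environ):
    """Scheme the visitor used to reach the CDN edge, per proxy headers (None if absent)."""
    raw = environ.get("HTTP_CF_VISITOR", "")
    try:
        scheme = json.loads(raw).get("scheme") if raw else None
    except (ValueError, AttributeError):
        scheme = None  # malformed header: fall back to X-Forwarded-Proto
    if not isinstance(scheme, str):
        # May be a comma-separated chain; the first entry is the client-facing hop.
        scheme = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip() or None
    return scheme.lower() if scheme else None

def classify_hop(environ):
    """Compare the edge scheme with the scheme of the socket the origin accepted."""
    edge = edge_scheme(environ)
    origin = environ.get("wsgi.url_scheme", "http")
    if edge is None:
        return "direct-or-unknown"      # no proxy headers: not via the CDN, or stripped
    if edge == "https" and origin != "https":
        return "plaintext-origin-hop"   # padlock for the visitor, cleartext to the origin
    if edge == "https":
        return "tls-both-hops"          # says nothing about whether the edge validated the cert
    return "plaintext-visitor"

class HopAudit:
    """WSGI middleware that counts requests per classification for later review."""
    def __init__(self, app):
        self.app = app
        self.counts = {}

    def __call__(self, environ, start_response):
        kind = classify_hop(environ)
        self.counts[kind] = self.counts.get(kind, 0) + 1
        return self.app(environ, start_response)

# Constructed sample requests (not captured traffic).
SAMPLES = [
    {"HTTP_CF_VISITOR": '{"scheme":"https"}', "wsgi.url_scheme": "http"},
    {"HTTP_X_FORWARDED_PROTO": "https, http", "wsgi.url_scheme": "https"},
    {"wsgi.url_scheme": "http"},
]

if __name__ == "__main__":
    for env in SAMPLES:
        print(classify_hop(env))
```

These headers are only meaningful when the origin accepts connections solely from the proxy, since a client that reaches the origin directly can set them itself.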