Cloudflare “Flexible” SSL Misleading

[boomer918]

Cloudflare Flexible SSL mode encrypts traffic between the client and Cloudflare but it forwards that data to the origin server unencrypted over the public internet.

Isn't this misleading? The client thinks their traffic is safe, but it ends up being exposed? Doesn't this defeat the purpose of SSL and browser certificate validation?

[josephcsible]

Flexible SSL is basically equivalent to visiting a totally insecure site over a VPN instead of directly. There's a few advantages to it. Off the top of my head:

1. It protects the privacy of the client still. Nobody can tell which page a given IP address is looking at on a site, since once the traffic is decrypted, it's no longer associated with the originator.

2. Most snooping and MITM attacks happen towards the client end of the connection, which this would protect from.

It's definitely not appropriate for sending sensitive data like credit card numbers, though.

[labawi]

(1) - the source IP won't be in the IP header, but is usually added to the HTTP headers so endpoint and TLAs will see who is connecting.

(2) - have to concur, though sadly, you will obviously be exposed (and identifiable) to institutional meddlers with no warning.

[phillipseamore]

This isn't specific to Cloudflare. Many (most?) services only terminate TLS on their client facing servers and any request/response is in the clear to any backend servers (which might be located on other networks).

Regarding CF, traffic to an origin server that's set as flexible might still go through a secured tunnel (e.g. Argo).