by CHY872 1304 days ago
I think the ability to put TLS in front of a non-TLS'd website comes of a few properties:

1. It's probably better than nothing.
2. It's a legacy thing.

A company like Cloudflare has to make a choice - how frequently do we break users who've set up their site in a way that is no longer in line with security best practices? It looks like the decision they've made is to break infrequently. Certainly the site I set up in 2014 when their free TLS was new still runs, and I haven't made changes.

I believe that you can set up strict TLS between Cloudflare and the end host if you choose, but it's up to you. I think in that instance, your 'little control you get' is actually more control, no?

And, if you look back even a few years, TLS was both uncommon and expensive. Cloudflare was a pioneer by offering free TLS certificates in I think 2014 (only 8 years ago!). LetsEncrypt started in 2015 and was niche for quite some time. I think even now you can find Linux distros preferring to ship their data over HTTP with GPG-keys recommended for the security. Of course in 2022 even simple sites should be TLS'd, but Cloudflare's existed for a while.

And, TLS to the client but plaintext from CDN to site is still better than cleartext the whole way, because it (generally) stops the ISP from snooping on its customers.
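As an added illustration (not from the comment author or Cloudflare), here is what the origin side of that choice looks like for an nginx origin: the first server block is the plaintext origin that a CDN "Flexible"-style setup reaches over port 80, the second is an origin that presents a certificate the CDN can validate so its strict mode works, and optionally requires the CDN's client certificate so nothing but the edge can reach it. Certificate and CA paths are placeholders.

```nginx
# Weak: the origin only speaks plaintext HTTP. The browser-to-edge leg is TLS,
# but the edge-to-origin leg crosses the Internet in the clear.
server {
    listen 80;
    server_name example.com;
    root /var/www/example;
}

# Stronger: the origin speaks TLS with a certificate the CDN can verify, so the
# edge can be set to a strict mode and the second leg is encrypted and
# authenticated as well.
server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/example;

    # Placeholder paths: a certificate issued by a public CA (or by the CDN's
    # own origin CA, which only the CDN's edge trusts).
    ssl_certificate     /etc/ssl/origin/fullchain.pem;
    ssl_certificate_key /etc/ssl/origin/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Optional: require a client certificate signed by the CDN's origin-pull CA
    # (placeholder path), so direct connections that bypass the CDN are refused.
    ssl_client_certificate /etc/ssl/origin/cdn-origin-pull-ca.pem;
    ssl_verify_client on;
}

# Once the TLS origin is up, replace the plaintext block above with this one,
# so anything that still arrives on port 80 is pushed to HTTPS.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

The plaintext block and the redirect block are alternatives for the same port and name; load one or the other, not both.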


    I think even now you can find Linux distros preferring to ship their data over HTTP with GPG-keys recommended for the security.

This isn't really to solve the same problem though. The GPG key thing is so you can use mirrors for hosting that are distributed but still trust the package came from the real source. TLS termination of where the packages are retrieved is separate.

Yes, the GPG piece provides that functionality nicely. However, it's exceedingly common for the mirrors to not be provided over TLS for cost reasons. Netflix switched to serving video over TLS for no other reason than to promote the usage of TLS (after a lot of custom engineering (PKI on CPU, crypto on NIC, IIRC?) to reduce the overheads of doing this).