As you read in my last post, a source of free HTTPS is scheduled for summer 2015. BUT, there is another free TLS option available to you right now. I first tried CloudFlare (CF) in 2011 but didn't find that it was a good match for the script I was using with it.
A lot has changed at CF since both its 2010 launch and my previous look. I decided early this year to look at it again. I quickly found that HTTPS was not available for free accounts. I consider myself a "value" buyer, meaning I am willing to spend for goods and services where I see a good value. So, everything doesn't have to be free for me to use it – but free does help when looking at my value ratio.
My merchant account requires me to use HTTPS for credit card transactions, so a free account was not an option for me. I decided to not invest the time looking at a product that I couldn't fully test without paying first. I liked what I saw about the distributed network but decided to stop looking at CF...until October. Then CF rolled out several HTTPS solutions for their free accounts.
Since this article is about free HTTPS at CF, I do not plan to discuss the other features and benefits of the CF product or to spend any time on installation details. I will warn you, you will be asked to make changes in your Domain Name Servers (DNS) for the account you are installing at CF. This is not a highly technical step and it is done by logging into your domain name provider (GoDaddy, Network Solutions, etc.) and making a few (probably two) easy edits.
CF calls their free HTTPS options Flexible SSL, Full SSL and Full SSL (strict). There are additional SSL options for paid accounts. I will be limiting this discussion to just SSL in free accounts. Enabling Flexible SSL only requires that, during the account setup, you select it from a drop-down box and wait for 24 hours; that's it! Sometime after the certificate is loaded (less than 8 hours for me), your site visitors will begin to see the padlock. But there are a couple of things you want to know about Flexible SSL. First, the certificate is shared, and second, not everything is encrypted.
I know of no negative issues involved with the CF shared certificates. Note, all three certs offered for free accounts are shared. Sharing here is not like sharing certs in a hosting account where you can only use the host's domain name. The certificates issued for CF all have your domain name included in the Subject Alternative Name (SAN) field. When you click on the padlock (I'm using Chrome Version 39.0.2171.71 m), you will see your domain name and "Identity Verified," but when you go to the Certificate information, you see that "Issued to" contains some form of the word cloudflare (something like acd10437.cloudflaressl.com).
Different browsers handled displaying the domain name in various ways. Some did not show the domain name until the SAN section of the certificate. But all the browsers I checked showed the padlock icon and stated in one way or another that the connection was secure. As info, along with Chrome I used Opera, Safari, Firefox and IE11 to view the cert.
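To check the same thing without a browser, here is an added example (not part of the original post) that looks for your domain among a shared certificate's SAN entries, using the leftmost-label wildcard rule. The certificate below is a constructed sample in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and `example.com` / `example.net` are placeholder domains.

```python
def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName; '*' may replace only the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def covering_san(cert: dict, hostname: str):
    """Return the SAN entry that covers hostname, or None if there is none."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and hostname_matches(value, hostname):
            return value
    return None


def common_name(cert: dict):
    """Return the subject commonName (what browsers show as 'Issued to')."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


# Constructed sample: a shared certificate covering two unrelated customers.
SAMPLE_CERT = {
    "subject": ((("commonName", "acd10437.cloudflaressl.com"),),),
    "subjectAltName": (
        ("DNS", "acd10437.cloudflaressl.com"),
        ("DNS", "*.example.com"),
        ("DNS", "example.com"),
        ("DNS", "*.example.net"),
        ("DNS", "example.net"),
    ),
}

if __name__ == "__main__":
    print("Issued to:", common_name(SAMPLE_CERT))
    for name in ("example.com", "www.example.com", "a.b.example.com"):
        print(name, "->", covering_san(SAMPLE_CERT, name))
```

The "Issued to" name never matches your domain; the browser accepts the certificate because a SAN entry does.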
Now to the "not everything" is encrypted part. The Flexible SSL protects the data between the CF server and your site visitor but NOT between the CF server and your server. Your visitor sees a lock icon in their browser because the data IS encrypted between the visitor and the CF server where the cert is installed.
Before you get too concerned about the unencrypted part of the network, there is an easy fix. The Full SSL option will eliminate the unencrypted part of the network. You can make the Full SSL work by installing a self-signed certificate on your server. It is pretty easy and it is free. Installation of a self-signed cert on a cPanel server can be completed in under 5 minutes. Google for "how to request and install a self-signed cert".
Then a logical question might be: "why didn't I just install a self-signed certificate on my server in the beginning and call it done?" That is a good question and it goes back to the basic reasons why HTTPS is beneficial. It's not just about encryption and secure data; there are other benefits like authentication to be considered. Your self-signed certificate is as secure as a $1,100 a year CA-issued cert but it provides no authentication or proof your server is who it says it is. It's this part of the self-signed cert that causes the frightening page saying this domain might not be what it says it is and blocks the prospective visitor.
But in our current scenario, we are talking about data between the CF server and our own server. No one should be there…unless they are a bad guy. The CF server will send and receive data with our server while disregarding any messages about a self-signed cert. Padlock icons appear everywhere they should and the network data is encrypted from start to finish. The mission of free HTTPS, today, is a complete success!
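In TLS-client terms, "disregarding any messages about a self-signed cert" means encrypting without verifying the server's certificate. The added sketch below (not CloudFlare's code and not from the original post) models the two ways an edge can treat the origin, and `probe_origin` lets you test whether your own origin certificate would pass validation; the function names and the mapping onto the "Full" and "strict" labels are assumptions made for illustration.

```python
import socket
import ssl


def origin_context(strict: bool) -> ssl.SSLContext:
    """TLS client settings modelling how an edge proxy treats the origin cert."""
    ctx = ssl.create_default_context()   # verifies chain and hostname
    if not strict:
        # Model of "Full": the link is encrypted, but any certificate,
        # including a self-signed one, is accepted without authentication.
        ctx.check_hostname = False       # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_origin(host: str, port: int = 443, strict: bool = True,
                 timeout: float = 5.0) -> dict:
    """Handshake with the origin and report whether it would be accepted."""
    ctx = origin_context(strict)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"accepted": True, "protocol": tls.version(),
                        "authenticated": strict, "error": None}
    except ssl.SSLCertVerificationError as exc:
        # Typical for a self-signed origin when strict=True.
        return {"accepted": False, "protocol": None,
                "authenticated": False, "error": exc.verify_message}
    except OSError as exc:               # refused, timed out, other TLS failure
        return {"accepted": False, "protocol": None,
                "authenticated": False, "error": str(exc)}


if __name__ == "__main__":
    # "origin.example.com" is a placeholder; substitute your own server.
    for mode in (False, True):
        print("strict" if mode else "full",
              probe_origin("origin.example.com", strict=mode))
```

With a self-signed origin certificate, the non-strict probe reports an encrypted but unauthenticated link, while the strict probe is rejected with a verification error.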
This leaves us with a loose end to tie up. What about the Full SSL (strict) option – when would that be used? This article is about free HTTPS so paying for a CA-issued cert goes against the central theme. BUT what if you already have a paid SSL/TLS cert installed? You can ask the CA to reissue an existing cert to another site (usually at no or low cost) or you can use it for CF instead of a self-signed cert. It provides no extra security and when it expires, you can replace it with a self-signed cert.
So what is the take-away here? The take-away is you can use CF to provide a free cert and you can do it in the next 24 hours, or sooner. This leads to the logical question – should you use CF as a means for free HTTPS? My answer is yes, probably. If you are experiencing no technical issues caused by using CF, why not?