Comment by revelation

The only thing the end user has is the difference between http:// and https://. Cloudflare undermines that entirely. How can a user possibly ever know whether it's safe to enter their credit card number or medical information in a web form, in a world where CloudFlare "Flexible SSL" exists?

> A site using Flexible SSL is no less secure than one using http://,

It can be, in several ways. Most critically, it stops browsers from detecting the connection as insecure and applying mitigations.

Disagree. The point is that when people see that lock that tells you your connection is secure, when it's actually not, that causes more damage than if your connection was actually not secure (because then presumably you wouldn't be typing in credit card numbers and other sensitive info if you saw http:// in your address bar).

Yeah, if you're capable of MITMing traffic between CloudFlare and the server, you're most likely capable of stealing emails or HTTP requests to the server anyways and generating your own certificate for them anyways. It's a security loss, but probably a minor one.

The reality is, you're much more likely to get sniffed on public wifi or even your school or workplace network than someone running the server in a datacenter is, generally speaking if someone can sniff them at a DC they can do much more already. So it's still a respectably huge security gain for users.

And they do offer a good way to secure this connection too where you can do full SSL and use a certificate signed by them.

Would you be more comfortable if they offered another way to represent this to the browser? An X-Endpoint-Insecure header or something like that?

But it is secure. It's secure against the user being on an untrustworthy connection, it's secure against their ISP deciding to MitM their traffic, and it's also ~~secure against anyone passively sniffing the traffic between the website server and CloudFlare~~ (EDIT: No it's not, see [1]). The only thing it's not secure against is someone in a privileged network position who can MitM the connection between the website and CloudFlare.

So no, it's not 100% secure, but it's far far better than having an unsecured http:// connection.

As for the green lock, you can blame that on Chrome. I have no idea why they insist on using a green lock and green "Secure" text for DV certs. Safari only uses a green lock / green text for EV certs, which is a lot better (and I don't know offhand what Firefox or Edge do). Of course, you could have an EV cert and still use Flexible SSL, but anyone who cares enough to get an EV cert should know better than to use Flexible SSL anyway, and there's a great many ways to make your server insecure, using Flexible SSL is very far from the worst way.

All that said, it would be great if CloudFlare would just stop offering Flexible SSL in favor of the self-signed CSR approach. Any CloudFlare customer who can create their own cert to talk to CloudFlare can also create a CSR to get a cert from CloudFlare just as easily, so it's not clear to me why they still even offer Flexible SSL.

[1]: I thought Flexible SSL was the option to use an arbitrary self-signed cert on the origin server. gkop pointed out that, no, Flexible SSL means no encryption at all.