Comment by gkop
8 years ago
> it's also secure against anyone passively sniffing the traffic between the website server and CloudFlare
How is it secure? CloudFlare allows you to send this traffic in the clear. If they required this traffic be HTTPS, that would be far better for web security.
My bad. I thought Flexible SSL was the option where you can use any arbitrary self-signed cert. But you're right, Flexible SSL means no encryption at all between the origin server and CloudFlare. I will edit my post accordingly.
What if the origin server forces HTTPS on the link between CF and the origin server?
That would be much better. Also Cloudflare gives an option to require HTTPS on this link. What's so sneaky about Cloudflare is they call the insecure option "Flexible SSL" rather than what it is, "Insecure SSL". And a major issue is that the end user has no way of knowing the site's Cloudflare configuration and whether it is secure or not.