Comment by eridius

8 years ago

The use-case for Flexible SSL is when you're not handling sensitive data but still want to offer https:// because really every website should offer it. In fact the blog post that introduced Flexible SSL (https://blog.cloudflare.com/easiest-ssl-ever-now-included-au...) said basically that. The whole point of the feature was it was a simple one-click way to go from http:// to https://.

That said, now that we have Let's Encrypt, and as more tooling gains support for automatically handling that, the value of Flexible SSL is going down, and I do hope they retire it eventually.

> The use-case for Flexible SSL is when you're not handling sensitive data but still want to offer https:// because really every website should offer it.

That's putting the cart before the horse. "Every website should offer" authentication and confidentiality, that's why we want every website to use HTTPS; having a URL that starts with https:// is not a goal in itself.

  • Flexible SSL still protects the user from being on an untrusted network, from having their ISP read and/or modify their traffic, etc. It's much better than bare http://.

    Security is not binary, but you keep treating it like it is. Security is a continuum, and any progress you make towards perfect security is good.

    • > Flexible SSL still protects the user from being on an untrusted network, from having their ISP read and/or modify their traffic, etc. It's much better than bare http://.

      I would strongly dispute the "much". If anything the local network is more likely to be trustworthy than the remote network - people keep talking about cafe wifi, but the user likely knows who's running the cafe wifi and can complain if they start injecting ads etc. Whereas the user has literally no idea who might be on the connection path between cloudflare and the website and listening in, MitMing or anything.

      http:// versus https:// is inherently binary; there's no way to display a connection as http⸵://. If it doesn't mean "encrypted while transiting the public Internet" at least then what does it mean?