SSL certificates are to be issued to all users of CloudFlare, including the two million websites that user the free version.
In a blog post, CEO and co-founder Matthew Prince said it was rolling the service out to all users today. Saying that there was a mission to help build a better internet, one of the most important things it could do was enable Universal SSL for all paying and free customers.
He said: “Even if it does hurt revenue in the short term, it’s the right thing to do. Having cutting-edge encryption may not seem important to a small blog, but it is critical to advancing the encrypted-by-default future of the internet.
“Every byte, however seemingly mundane, that flows encrypted across the internet makes it more difficult for those who wish to intercept, throttle or censor the web.
“The internet is a belief system. At CloudFlare, we’re proud today that we’re playing a part in helping advance that belief system. And, having proven that Universal SSL is possible at our scale, we hope many other organisations will follow in turning SSL on for all their customers and at no additional cost.”
He acknowledged that the biggest problem is the use of old browsers which do not support the Elliptic Curve Digital Signature Algorithm (ECDSA), however more than 80 per cent of requests come from modern browsers (less than six years old), and he said that percentage is growing quickly.
He said he hoped that Universal SSL will encourage people to upgrade to a modern browser running on a modern OS. “Sometimes progress requires sacrificing some backward compatibility,” he said. “The good news here is that none of CloudFlare’s current free customers supported any version of SSL previously, so the encrypted web tomorrow is only better and no worse.”
Prince said that this move will double the number of users: “Yesterday, there were about two million sites active on the internet that supported encrypted connections. By the end of the day today, we’ll have doubled that.
“For a site that did not have SSL before, we will default to our Flexible SSL mode, which means traffic from browsers to CloudFlare will be encrypted, but traffic from CloudFlare to a site’s origin server will not. We strongly recommend site owners install a certificate on their web servers so we can encrypt traffic to the origin. Once you’ve installed a certificate on your web server, you can enable the Full or Strict SSL modes which encrypt origin traffic and provide a higher level of security.”
As well as browsers, Prince said that there were challenges with CPU load and IPv4 exhaustion.
Mike Janke, CEO of Silent Circle, told IT Security Guru that he felt it was a great move. Asked if others will follow their lead, he said: “We don’t feel other providers will follow suit, at least not until some pressure is put on them.
“However we do need more security-enhanced browsers. We like what Cloudfare is doing and they are leading the way to put user security first. Our hope is that enough pressure can be applied to communication and service providers to shame them into following suit.”
