
Cloudflare provides free SSL - just proxy through them.



There are several problems with it:

1. the certificate is not generated by you (in the Free or the Pro plan) but by them and these certificates are for multiple domain names. So you end up sharing your certificate with other domains / websites of dubious nature that are also on CloudFlare's network.

2. CloudFlare only secures the connection between users and the CloudFlare network. It does not secure the connection between CloudFlare and your hosting service, unless your hosting service also supports TLS/SSL connections and you activate their Strict SSL option.

For the purposes of hosting a project website, secure connections are more important than ever due to the potential of external attackers, which could very well be a government institution, to infect distributed binaries or source code. Instances like XcodeGhost will become more common imho. And a secure connection between your user's browser and your hosting server is not 100% secure, but it's a good start. And towards that purpose CloudFlare Free in front of GitHub Pages isn't very good ;-)
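As an added example (not code from the thread or from Cloudflare), a small Python audit of point 1 above: given the subjectAltName list a certificate presents, it checks that your hostname is actually covered and lists the other sites that share the certificate. The `san_names_from_server` helper and every sample name are assumptions of this example; the SAN list is constructed.

```python
"""Audit which hostnames share a TLS certificate (added example, not from the thread)."""
import socket
import ssl


def san_names_from_server(host, port=443, timeout=5.0):
    """Fetch the DNS subjectAltName entries a live server presents (network call)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, san):
    """RFC 6125-style match: a leading '*' covers exactly one DNS label."""
    hostname, san = hostname.lower(), san.lower()
    if san.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == san[2:]
    return hostname == san


def registrable(name):
    """Crude 'site' grouping: the last two labels (no public-suffix list, by design)."""
    return ".".join(name.lstrip("*.").split(".")[-2:])


def audit_shared_cert(my_domain, san_names):
    """Report whether my_domain is covered and which other sites share the cert."""
    covered = any(hostname_matches(my_domain, san) for san in san_names)
    mine = registrable(my_domain)
    others = sorted({registrable(s) for s in san_names} - {mine})
    return {"covered": covered, "shared_with": others}


# Constructed SAN list in the shape the thread describes for a shared
# certificate: several unrelated customer domains on one certificate.
SAMPLE_SANS = ["*.example.com", "example.com",
               "*.shop-one.example", "shop-one.example",
               "shared-cert-placeholder.example",  # placeholder for the provider's own name
               "*.other-site.test", "other-site.test"]

if __name__ == "__main__":
    # For a live check replace SAMPLE_SANS with san_names_from_server("www.example.com")
    print(audit_shared_cert("www.example.com", SAMPLE_SANS))
```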


Why is #1 an issue?


I've been wondering about this. I share mine with several shops that appear to be selling low-schedule drugs on the clearnet.

Don't know what the implications for that are, except that someone poking around the validity of my SSL certificate will establish that mine is a free tier Cloudflare one.


If a domain that you share your certificate with has their certificate revoked or is blacklisted for any reason this could have a negative impact on you.


It's a single certificate that never leaves CloudFlare's hands so revocation seems unlikely and they'd manage it for you if anything came up.


But the traffic after cloudflare's proxy is plaintext right?

I know CloudFlare has better things to do than sniffing websites but I don't see the point of installing an SSL certification using Cloudflare or any other third-party which will handle traffic the way they do. You don't own the certificate, they do.


That's one option; they also offer strict SSL on both sides of the connection: https://www.cloudflare.com/ssl/


How would that work if Github pages don't support SSL?


GitHub supports SSL for *.github.io so you can have your custom domain with SSL on CloudFlare, and CloudFlare can proxy https://example.github.io/... on the other side.

eg: End User <--> https://example.com <--> CloudFlare <--> https://example.github.io


Rewriting the Host header in this way requires a non-free CloudFlare plan.


It won't. http://stackoverflow.com/a/28457335/239657

(1) Last I checked, Cloudflare's "Strict SSL" mode only accepts from the backend a cert for the custom domain you're trying to serve, not accepting the github.io cert. A pity they don't let me configure what cert(s) to accept from the backend...

(2) In addition, Github have indicated their current github.io SSL is not actually end-to-end secure — it's only secure from their CDN (Fastly) but their link to the CDN is insecure. So there is absolutely zero you can do — Cloudflare or anything else — to make GH Pages end-to-end secure on custom domains.


edit: disregard, I was wrong.

If I'm not mistaken, you have to change the DNS of the domain to something *.cloudflare.com to be able to use their service, so it won't work in this scenario.


It will. There is no need to change the nameservers of the domain for Github/Gitlab.



