I often hear from developers that they use Cloudflare to secure their sites. The service acts as a CDN and DDoS protection and offers free HTTPS for your website. The only thing you need to do is move your domain’s DNS servers to Cloudflare’s. But this isn’t the whole truth.
Note that this isn’t a particular problem of Cloudflare but a disclosure of a common misapprehension of their service.
“The Challenge” aka “Marking HTTP as insecure”
With recent moves from browser vendors to push secure connections between the browser and the server, they started “deprecating HTTP”. But while the intention is good, it forces people to make decisions. Decisions about topics they don’t know much about.
For many web developers, and for nearly all non-professional website builders, HTTPS is a tough challenge. It’s never been easy to get an SSL (today TLS) certificate. It’s hard to configure your server properly, and even hosting companies fail at this these days. For most people, adding a certificate to their shared hosting service is either a costly option or impossible.
Since December, Let’s Encrypt has been in public beta. This is a great thing because it enables many developers to get and deploy TLS certificates easily. But it requires CLI access to the server, which, for the majority of website owners, is a burden they’re unwilling to take on.
Having discussed this topic over and over again with various developers and site owners, it’s clear to me that if HTTPS is not a default option that comes with the hosting service for free, most people won’t be able to provide it to their users. My hope is that in 2016, service providers and browser vendors together will get this sorted out and HTTPS becomes painless for everyone—not just a few developers with CLI access on their servers.
A 3rd party can’t fix it
So why did I start this article with Cloudflare? Cloudflare is a website optimisation service that also offers a pretty good free tier. It’s probably the most used performance optimisation tool out there, and with that it has become one of the biggest DNS service providers worldwide.
I used Cloudflare back when my website and wdrl.info were hosted on GitHub Pages. I used it for the same reason most people do, and I did so because I also didn’t understand the security implications. I’m now here to make clear what services like Cloudflare can do and what they can’t.
What can a 3rd party service do for me?
- Act as a CDN to deliver content faster to your users and to save load and bandwidth on your origin server
- Optimise your assets (compression, concatenation, etc)
- Protect your origin server from DDoS attacks and from SQL injections or similar things
- Show you statistics of your users
- Provide HTTPS support (note the wording here)
What can’t a 3rd party service do for me?
- Protect your origin server against security issues in your application
- Provide a really secure HTTPS connection (in some cases it could)
The privacy and security problem of 3rd parties
Now, as cool as Cloudflare seems at a first glance, there is a problem with it. They collect statistics and you can’t control what they collect. You move the DNS to their servers and they basically route every request through their servers. Their security policy for example states that they “sometimes log these visitors’ interactions in order to provide a better service”. They say that they add cookies on the users’ browser to track users. They even state that they may provide all collected data to third parties (although they say to strip data from IP, name, email).
Is that a service you want to expose every visitor of your website to? Even if the company itself has only the best intentions, an attacker could still steal this massive data set and expose it.
HTTPS = Secure Hypertext Transfer Protocol
Now back to HTTPS, our original topic here. Browser vendors have been pushing hard to ensure that the connection between the browser and the origin server is secure. Usually, you achieve this with a TLS certificate. It’s been the way for more than a decade now, but only recently a few problems have been discovered with the technique. Thankfully, smart people are fixing them.
Let’s say you host your website at a service provider that doesn’t give you an affordable option to enable HTTPS on your custom domain. Cloudflare gives you the option to upgrade your connection with SSL for free. Cool, eh? Not so much. What happens is that the user requests the website and sees it uses HTTPS (the green lock icon in the browser). But the connection from your origin server to Cloudflare’s servers is still unprotected, exposing all the data that is shared there to anyone on the path. The result: the user thinks it’s a safe website, but it simply isn’t.
Okay, let’s now assume you have a hosting service that has some kind of SSL (GitHub, for example) and you now use HTTPS via Cloudflare. Cool, eh? Not so much. The Full SSL option does not validate the origin’s certificate at all; only the Strict SSL option does. But still, Cloudflare reads your content, analyses it, optimises it (unencrypted; it’s even unknown how they communicate internally between their servers), re-encrypts the content and sends it over to the browser with their certificate.
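As an added illustration (this is example code, not code from the article or from Cloudflare), the following Python maps the three options just described onto the TLS client settings an edge would have to use on the hop towards the origin, and includes a probe you can point at your own origin’s IP to see which of those settings it actually satisfies. The mode names, the mapping and the probe_origin function are this example’s own assumptions about what the modes mean.

```python
import socket
import ssl
from typing import Optional

# Mode names are this example's own labels for the options described in the
# article (Flexible, Full, Full/Strict); the mapping is an assumption, not
# Cloudflare's code.
MODES = ("flexible", "full", "strict")


def origin_tls_context(mode: str) -> Optional[ssl.SSLContext]:
    """TLS client settings an edge would apply on the hop towards the origin.

    flexible: no TLS on that hop at all (returns None)
    full:     TLS, but any certificate is accepted (self-signed, expired, wrong host)
    strict:   TLS with chain and hostname verification against the trust store
    """
    if mode == "flexible":
        return None
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if mode == "full":
        ctx.check_hostname = False       # must be switched off before verify_mode
        ctx.verify_mode = ssl.CERT_NONE  # accept anything the origin presents
    return ctx


def encrypts_edge_to_origin(mode: str) -> bool:
    """True when the edge-to-origin hop is TLS at all."""
    return origin_tls_context(mode) is not None


def verifies_origin_certificate(mode: str) -> bool:
    """True only when the origin's certificate chain and hostname are checked."""
    ctx = origin_tls_context(mode)
    return ctx is not None and ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def probe_origin(origin_ip: str, hostname: str, mode: str, timeout: float = 5.0) -> str:
    """Connect straight to your own origin (bypassing the CDN) with the settings
    of the given mode and report what the edge would see. Needs network access."""
    ctx = origin_tls_context(mode)
    if ctx is None:
        return "flexible: edge-to-origin hop is plaintext HTTP, nothing to verify"
    try:
        with socket.create_connection((origin_ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()  # empty when verification is disabled
                subject = dict(rdn[0] for rdn in cert.get("subject", ())) if cert else {}
                return f"{mode}: {tls.version()} handshake ok, subject={subject or 'unverified'}"
    except ssl.SSLCertVerificationError as exc:
        return f"{mode}: origin certificate rejected ({exc.reason})"
    except OSError as exc:
        return f"{mode}: could not connect ({exc})"


if __name__ == "__main__":
    for m in MODES:
        print(f"{m:9} encrypted={encrypts_edge_to_origin(m)} verified={verifies_origin_certificate(m)}")
    # Placeholder address from the documentation range; replace with your own
    # origin's IP and hostname to run the live probe:
    # print(probe_origin("203.0.113.10", "www.example.com", "strict"))
```

Running the probe in "strict" mode against your origin is the quickest way to find out whether the origin is actually ready for the verified option: if the handshake is rejected there, the only reason "full" works is that nobody is checking the certificate.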
Let’s change that. Don’t just recommend a service to people, tell them about the implications. Reflect twice before you give your data to a third party.
I answered some more questions regarding HTTPS in this CSS-Tricks article. Check it out to understand some of the techniques mentioned here a little better.
Update 2 & 2.1
A reader of my article, Binyamin Laukstein, contacted Cloudflare support and got some answers (quote from the email, not altered by me).
1 - All internal cloudflare communication is encrypted.
2 - Our cached content is stored encrypted.
3 - We do provide separate encryption between our visitor <-> edge and from edge <-> origin. If we did not do this there would be no way to cache the resources our customers want, or provide many of the security benefits we provide.
4 - we do not provide re-encrypted data or origin content to third parties.
First, thanks for investigating and sending me the reply. However, I wonder why this is not written on the website anywhere. Unfortunately, the response doesn’t contain any details on what they encrypt, how, and which server logs they keep. I know from their ToS that they cooperate with governments and their institutions and hand over all details they have if required to (which at the minimum would be the server logs in this case).
But remember, as said in my article, Cloudflare is only one example. Another one could be Amazon Web Services that probably has the same issues. ;)
Appendix / Explanations
As said initially, this post is not a rant about a specific third-party service but should only make people aware of some fatal misunderstandings of the techniques in use. We’re all in this boat together to make the web more secure, and I’m glad that Cloudflare does exactly that for thousands of sites. This post is about the thousands of sites that only make users believe a site is secure.
Here are a few more explanations to details in the article:
Some Details on HTTPS issues
Protocol downgrade attacks and cookie hijacking on HTTPS connections can give an attacker access to the user’s data. Today, this can be prevented with a technique called HSTS: HTTP Strict Transport Security. It tells the browser to never connect to a specific domain over any insecure protocol. Unfortunately, this only works from the second request to the site onwards, because the browser only learns the policy from the first HTTPS response it receives.
Clever thieves can get a fraudulent or mis-issued certificate to gain access. This can be prevented by using HPKP: HTTP Public Key Pinning. Unfortunately, this is also a Trust on First Use (TOFU) technique, as explained for HSTS. Browser vendors currently maintain a manually curated list of keys to avoid this, but you need to submit the information on your own and it’s pretty inefficient.
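As an added example (not code from the article), these Python checks run the two headers just described, Strict-Transport-Security and Public-Key-Pins, through the sanity tests a site owner would want before relying on them: whether the HSTS header is strong enough to be accepted for the browser preload list that closes the first-request gap, and whether an HPKP header carries a backup pin and actually matches the key the server presents. The sample headers and the SPKI byte strings are constructed for the example. HPKP has since been removed from mainstream browsers; the check is kept here only because the article discusses the technique.

```python
import base64
import hashlib
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # minimum max-age the HSTS preload submission accepts


def parse_directives(value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=300; includeSubDomains' into {'max-age': '300', 'includesubdomains': None}."""
    out: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') if sep else None
    return out


def check_hsts(header: str) -> List[str]:
    """Problems that leave a site trust-on-first-use despite sending HSTS."""
    d = parse_directives(header)
    problems: List[str] = []
    age = d.get("max-age")
    if age is None or not age.isdigit():
        return ["max-age missing or not an integer; browsers ignore the header"]
    if int(age) < ONE_YEAR:
        problems.append("max-age below one year; preload submission requires at least 31536000")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing; required for preload, subdomains stay unprotected")
    if "preload" not in d:
        problems.append("preload directive missing; the first visit stays unprotected")
    return problems


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def check_hpkp(header: str, served_spki_der: bytes) -> List[str]:
    """Problems that would make an HPKP header lock visitors out or do nothing."""
    pins = re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header)
    d = parse_directives(header)
    problems: List[str] = []
    age = d.get("max-age")
    if age is None or not age.isdigit():
        problems.append("max-age missing or not an integer; browsers ignore the header")
    if len(pins) < 2:
        problems.append("fewer than two pins; without a backup pin a key rotation locks clients out")
    if spki_pin(served_spki_der) not in pins:
        problems.append("served key matches none of the pins; pinning browsers would refuse the site")
    return problems


# Constructed sample inputs (not real keys and not any real site's headers).
SAMPLE_SPKI = b"constructed-spki-der-bytes-not-a-real-key"
BACKUP_SPKI = b"constructed-offline-backup-key"
SAMPLE_HSTS = "max-age=31536000; includeSubDomains; preload"
SAMPLE_HPKP = (
    f'pin-sha256="{spki_pin(SAMPLE_SPKI)}"; '
    f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; max-age=5184000'
)

if __name__ == "__main__":
    print("HSTS:", check_hsts(SAMPLE_HSTS) or "ok")
    print("HSTS (weak):", check_hsts("max-age=300"))
    print("HPKP:", check_hpkp(SAMPLE_HPKP, SAMPLE_SPKI) or "ok")
```

To run the HPKP check against a live certificate, extract the SubjectPublicKeyInfo in DER form from the leaf certificate and pass those bytes as served_spki_der; the backup pin should be computed from a key that is kept offline, so that a compromise of the live key does not also lose the pinned fallback.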
A couple of hardware vendors have sold devices with software that silently allows MITM attacks. That way, they can inject ads or any other content into HTTPS websites without the user noticing it. Fortunately, Microsoft wants to prohibit this, and all companies that have done this so far have been shit-stormed when it became public. Please note also the difference between this and a corporate proxy.