Cloudflare is one of several web infrastructure businesses currently offering SSLs (secure sockets layer) as part of their business. Like many other businesses in the internet infrastructure space, Cloudflare offers SSL security protocols along with their other core offerings, like content delivery networks, DDoS mitigation, and other security and performance technologies.
Today, we’ll focus on Cloudflare’s SSLs–what they are, how they work, and ways you can use them to protect your website visitors.
Why Use SSL Certificates?
The internet can be a scary place–SSLs are what make it safer, especially when sensitive information is involved. SSL (Secure Sockets Layer) is a web security protocol that encrypts, and so protects, any information exchanged between website users and the website’s server.
Meanwhile, the SSL certificate is digital proof that the website has an adequate level of security protocols in place to ensure its web visitors are safe while browsing the site. The SSL cert is a data file, encoded with information that authenticates the website. A visitor’s computer reads this data file (the SSL certificate) to confirm a website is safe for the User. This information may include the public key (type of encryption tool), website ownership info, location, other associated domains, and other documentation.
Any web visitor looking to browse a website using SSL protocols is protected because the website is now:
- PCI compliant (safe for financial transactions)
Is It Safe to Use Cloudflare SSL?
You may be wondering how Cloudflare stacks up against other companies. Here’s what you should know.
First, who is Cloudflare? Cloudflare is a sprawling website infrastructure company offering diverse solutions to web builders, including CDN and security and performance features like SSL. Some low-level services are offered at “freemium” pricing, but other professional and enterprise-level benefits and add-ons are offered at varying cost based on the service.
Your Questions About Cloudflare Safety
Regarding the service’s performance overall, though it has had data breaches in the past, there is nothing to indicate it is any less safe than other major networks offering this kind of service. However, according to many sources, including Fast Company, Cloudflare’s infrastructure is used by many prominent hate speech proponents, including many deemed so dangerous that other web companies have chosen to ban them from their services.
How SSL Certificates Actually Work
Cloudflare’s SSL certificates use both key and keyless encryption methods to authenticate websites. In one encryption style, public key encryption, the SSL protocol uses two digital “keys” to shield information as it is being shared online. One digital “key” encrypts or “scrambles” information that is collected or shared, while the other decrypts it. When this type of SSL security protocol is used, no one else can read the encrypted data sent from the Website to the End User, because the protocol ensures that only the intended recipient of the information has the key to decode the data.
- Legal documents
- Credit card/financial
- And more
Basically, with SSL security protocols in place, even if a cybercriminal is somehow able to gain access to these data files through hacking or some other method, they’re unreadable gibberish.
- An example: Let’s say you have a business website, and a potential customer fills out a Contact Form for more information. Any information they send you (name, address, phone number, etc.) is encrypted as soon as it is sent by the User, and only decoded when it reaches your server.
There are several variations that may affect exactly how SSL protocols work, but most work in a comparable manner.
What the SSL Certificate Does
This extra layer of protection, via SSL security protocols, only begins when the website purchases an SSL certificate. Websites that use SSL protocols, and have the certificate to prove it, can use HTTPS in their URL, a stronger website security standard. Only websites with the SSL cert are allowed to use the newer, more robust HTTPS (Hypertext Transfer Protocol Secure) encryption. Meanwhile, online interactions between consumers and businesses that don’t use SSL must rely on HTTP, an older web standard that is more vulnerable to cybercriminals. That’s why the SSL certificate is so important for personal and business websites.
Also, having an HTTPS site (and a valid SSL certificate) allows websites to display in their URL the padlock icon proving the website is authentic and safe. Web browsers and shoppers are familiar with the padlock icon and often look for it before sharing financial information like credit cards or other sensitive data.
What is a Certificate Authority?
A Certificate Authority (CA) is simply a trusted business that is authorized to sell SSL certificates. Though many website builders and other tech platforms offer their own SSL, often for free to their customers, website owners can acquire their SSL cert from a third-party source. Website owners may purchase from CAs to get better encryption and validation features than their website host or another service may offer.
Often, there are different levels of protection available from CAs. One common, entry-level form is the Domain Validated (DV) SSL certificate. Having the DV SSL cert proves that the website owner has verified their website ownership, but not much more. Other moderate to higher level certificates are available, providing better security and more proof, both to website Users as well as website owners.
Like other large-scale internet platforms or infrastructure services, Cloudflare works with SSLs sold by third-party Certificate Authorities but also sells its own Origin CA SSL certificate.
Common Validation Levels of SSLs
- Domain Validated (DV) SSL certificate (already mentioned, this entry-level option is the most basic security protocol, good for bloggers and other informational only websites)
- Extended Validation (EV) SSL certificate (middle level, good for those who collect some sensitive data, but not a lot)
- Organization Validation (OV) SSL certificate (best for ecommerce, and for those who collect medical, legal and other sensitive data)
Cloudflare SSL Operating Modes
Cloudflare has different modes of operation depending on the amount of security that is required for your website (and the amount of configuration you’re able to do). The level of encryption varies between each operating mode.
Flexible SSL mode
First, there’s Flexible SSL, which encrypts traffic between your visitors and Cloudflare but not between Cloudflare and your origin server. This is the easiest way to achieve HTTPS status because installation of a certificate is not required on your origin server. It protects web visitors against many threats, like non-password protected Wi-Fi, but is not as secure as their other options.
Full SSL mode
This SSL solution offers more protection as it requires installation of the SSL cert on your origin server. In Cloudflare’s Full SSL mode, encryption flows starting from the End User to Cloudflare and then from Cloudflare to your website’s origin server.
You can choose from one of three options for cert installation on your server.
- Certificate issued by a Certificate Authority (Strict)
- Certificate issued by Cloudflare (Origin CA)
- Self-signed certificate
Cloudflare suggests setting your encryption mode to Full or Full (strict). Full (strict) provides the most stringent levels of protection for certificates, unless you are an Enterprise customer.
Origin CA mode
This mode requires a Cloudflare-issued SSL certificate instead of one issued by a third-party Certificate Authority.
Cloudflare recommends that its clients use one of their Cloudflare Origin CA SSL certificates instead of third-party SSLs from CAs. According to their website, using one of their branded certs speeds up SSL config. If you use a Cloudflare CA on their platform, you can generate a signed cert directly through your Cloudflare dashboard.
Configuring SSL With Cloudflare
Because Cloudflare works with SSL certificates from entry-level to Enterprise-level, there are many ways to configure your SSL. Your setup and installation will vary depending on the encryption level you’ve selected, whether you’re manually configuring your SSL, using a Cloudflare Origin certificate that is automatically set up by their network, or something else.
For example, if you have SSL on your root domain already enabled, you may need to upgrade your current version of Cloudflare before proceeding.
But just to give you an idea of the process to configure your SSL certificate on Cloudflare, here are a few basic steps you’ll need to take.
If you’re purchasing a certificate from Cloudflare you’ll start by selecting which certificate works best for you. Learn more about Cloudflare SSL certificates here.
Once you have the SSL certificate of your choice (DV SSL, OV SSL, EV SSL, etc.), your Cloudflare dashboard will walk you through these basic steps, again based on any customizations, encryption mode and more.
Overview of Cloudflare SSL Certificate Configuration Process
- Create a Cloudflare account if you don’t already have one
- Generate a CSR (certificate signing request)
- Get signed by a Certificate Authority
- You’ll install the SSL certificate of your choice on your origin server
- When the certificate expires, you’ll restart the process
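The CSR step from the overview above, sketched with the OpenSSL command line as an added example (not Cloudflare's own tooling and not code from the original article): it creates a private key and CSR, then runs the checks worth doing before the CSR is submitted for signing. The hostnames and file names are constructed placeholders, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: create a private key and CSR for an origin server, then check them.
# Hostnames are constructed placeholders; -addext needs OpenSSL 1.1.1 or later.

# make_csr DIR HOSTNAME ALT_HOSTNAME -> writes DIR/origin.key and DIR/origin.csr
make_csr() {
    (
        umask 077   # the private key must not be readable by other users
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$1/origin.key" -out "$1/origin.csr" \
            -subj "/CN=$2" \
            -addext "subjectAltName=DNS:$2,DNS:$3" 2>/dev/null
    )
}

# A CSR is self-signed with its private key; a damaged CSR fails this check.
csr_is_valid() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# True only if the CSR carries the public half of the given private key.
key_matches_csr() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Hostnames the issued certificate would cover, comma-separated.
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | paste -sd, -
}

work=$(mktemp -d)
make_csr "$work" www.example.test example.test
csr_is_valid "$work/origin.csr" && echo "CSR signature: OK"
key_matches_csr "$work/origin.key" "$work/origin.csr" && echo "key matches CSR"
echo "names requested: $(csr_sans "$work/origin.csr")"
rm -rf "$work"
```

Only the `.csr` file goes to the Certificate Authority; the `.key` file stays on the origin server.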
How Long Does It Take for The SSL Certificate to Set Up?
Typically, SSL certificates can take a few minutes to a day or more to set up and Cloudflare is no different. According to the website, if Cloudflare is your DNS provider, SSL certificates can be issued within 15 minutes of activation. However, if using an outside Certificate Authority, an SSL cert can take 24 hours or longer for issuance.
Don’t Let Expired SSL Certificates Take Down Your Website
Once your SSL certificate is installed, the work isn’t over. Certificates are only good for a set period, often around 90 days. Let your SSL certificate expire—even for a few seconds—and your website goes down and you have to start the process all over again.
Get yourself a trusted SSL certificate and ensure you renew it on time. ElevenGuard is a fail-safe for Certbot’s automated certificate renewal, so you get notified of certificate expiration dates before errors start happening.
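A minimal expiry check of the kind this section describes, as an added example (not part of the original article, and not ElevenGuard's or Certbot's code): a shell function that uses `openssl x509 -checkend` to classify a certificate as OK, due for renewal, or expired. The 30-day warning window, the function names and the self-signed 90-day sample certificate are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: classify a certificate by the time left before it expires.

# Save the leaf certificate a live server presents (needs network; not run below).
fetch_cert() {   # $1 = hostname, $2 = output PEM file
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$2"
}

# Print OK, RENEW_NOW, EXPIRED or UNREADABLE for a PEM certificate file.
#   $2 = warning window in days (default 30)
#   $3 = evaluate as if this many days had already passed (default 0)
cert_status() {
    cert=$1; warn=${2:-30}; ahead=${3:-0}
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo UNREADABLE
    elif ! openssl x509 -in "$cert" -noout -checkend $(( ahead * 86400 )) >/dev/null; then
        echo EXPIRED
    elif ! openssl x509 -in "$cert" -noout -checkend $(( (ahead + warn) * 86400 )) >/dev/null; then
        echo RENEW_NOW
    else
        echo OK
    fi
}

# Constructed sample: a throwaway self-signed certificate valid for 90 days.
make_sample_cert() {   # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=www.example.test" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir"
for ahead in 0 70 91; do
    echo "day +$ahead: $(cert_status "$demo_dir/sample.crt" 30 "$ahead")"
done
rm -rf "$demo_dir"
```

Run from cron against the output of `fetch_cert`, anything other than `OK` is the signal to alert, which also catches the case where automated renewal has silently stopped working.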