All of my supposedly unsubstantiated posts have spawned productive conversations. That they tend to be short skeptical responses is simply my service to foil the groupthink that forms around the saccharine content marketing and growth-hacked-to-death affiliate-linked nonsense that we're all staring at to fill compilation lulls.
Sometimes something short and pithy is more impactful than a big long explainer with citations. Here's a clever little comic that helpfully explains my rationale:
We offer free origin certificates on any plan level (yes, including FREE). It's not 'really insecure' and you seem to imply that encryption costs more with Cloudflare. That's not true.
Your data is in the clear within Cloudflare, and may even be in the clear between Cloudflare and the real host if you choose that option. You're trusting Cloudflare's security and Cloudflare's internal certificate authority. Hundreds or thousands of sites would be compromised if Cloudflare had a security breach. Like the one they had three months ago.[1]
Data is only 'in the clear' inside a machine. All machine to machine communication in Cloudflare is encrypted with mutually authenticated TLS. If a user chooses to not encrypt the back haul from Cloudflare to their origin then, sure, that's not encrypted, but we offer free certificates for origin machines so there's no reason to use that option. If you don't like Cloudflare's Origin CA then use Let's Encrypt on the origin server.
Even so, there's nothing preventing a LE or court order from compromising the confidentiality of your customers, no matter how hard you work on minimizing the scope of your cleartext domains.
I know that you, Prince, rdl, and others are serious about security and privacy, but let's be honest here: If the Feds come a-knocking, you will comply.
It's not that we don't trust you or your competence. You're just not immune to the jackboot threat model.
Actually, we'd fight like crazy legally — as we've demonstrated repeatedly and successfully — and have implemented our technical systems to make it difficult to reveal anything even if we were ordered to. Moreover, we've included warrant canaries in our Transparency Policy so you can know if anything has changed:
Just a heads up - it's the inventor of Nagle algorithm telling Cloudflare's CTO how Cloudflare works. This could be very interesting ;) (also stuff like that happens quite a lot on HN, I recommend using some user tagger extension)
That is the cloud icon. Make it gray and it is just a DNS. i.e. DOS protection armed and ready, but not active until you need it. That is how we use it.
