Are there any disadvantages to Cloudflare’s “Flexible SSL”?
Flexible SSL is NOT fully secure
CloudFlare's Flexible SSL provides encryption from the user to CloudFlare's servers, but not from their servers to the website server. This avoids the hassle of installing (and renewing) a certificate on your web server, but does mean traffic gets sent plain text over the 2nd half of the journey.
The benefits of this setup are:
- Easy to get started, no need to install certificates on your web server and deal with the periodic renewals
- Provides protection from eavesdropping on insecure WiFi connections (internet cafes) and others on your local network or at the ISP level.
- Users will see a green padlock in their browser and should not receive any security warnings
The inherent problems are:
- Traffic from CloudFlare to your server is not encrypted, meaning wholesale ISPs, trunk providers, and the NSA can still read all requests in plain-text
- The traffic is subject man-in-the-middle (MITM) attacks where another server can impersonate your server and receive its traffic (although this issue also applies to the "Full" SSL setting, you'll need "Strict" mode to avoid this).
- Because of the above, it provides a misleading and false sense of security to your web site visitors (but that's a rant not appropriate for this venue)
Comparison of the SSL settings
Not encrypting traffic between a proxy and backend server is common when the traffic is sent over a private, secured network. But in this case, you are routing traffic over the public internet.
CloudFlare recommends that you also install a certificate on your web server for true end-to-end encryption, and even provide free certificates via their dashboard for doing so (if you don't want to install a self-signed certificate). From the discussion on the CloudFlare Blog:
Actually, we'll be providing a free certificate that's pinned to the domain that you can install on your server for end-to-end crypto.
Whether "Full" or "Flexible" SSL is used, your users should not see a pop-up or other warnings.
This link explains what the CloudFlare SSL options are.
Flexible SSL, at least at this time, does not fully encrypt to your server. The issue being discussed on the blog by Matthew ("Actually, we'll be providing a free certificate that's pinned to the domain that you can install on your server for end-to-end crypto.... for free") isn't available just yet.
We'll most certainly update the content to reflect any changes when we roll out the free SSL option.