Author Topic: CloudFlare  (Read 8131 times)

micah

  • A real person, on the Internet.
  • Ass Wipe
  • Posts: 6915
  • Karma: +58/-55
  • Truth cannot contradict truth.
    • micahj.com
CloudFlare
« on: September 07, 2011, 07:55:13 AM »
Anyone used or heard of this service?

https://www.cloudflare.com/overview.html

It got some press recently because it's used by some hackers to protect their own sites.  I'd previously never heard of this server.

It's basically a 3rd party firewall in that all your traffic goes through it first and they filter out malicious users (DoS attacks, SQL injections, etc) while also caching non-html assets to speed up load time AND, in the event that your site is down, displaying static content.  The free version seems to be feature rich enough and I'm considering trying it out.

That said, using it means ALL your traffic goes through their system first, which means there's one more failure point and one more set of hands on your sensitive data.  I'm sure they've thought security through but, I dunno, I mean every password, credit card number and e-mail address posted to your website goes through them first.  Seems like a concern at the very least.

Thoughts?
"I possess a device, in my pocket, that is capable of accessing the entirety of information known to man.  I use it to look at pictures of cats and get in arguments with strangers."

ober

  • Ashton Shagger
  • Ass Wipe
  • Posts: 14335
  • Karma: +73/-790
  • mini-ober is taking over
    • Windy Hill Web Solutions
Re: CloudFlare
« Reply #1 on: September 07, 2011, 09:22:34 AM »
Seems like you're exposing yourself to them for very little gain.  It might be good if you are a very high traffic site that is prone to attacks, but otherwise I'd avoid it.

Mike

  • Jackass In Charge
  • Posts: 11270
  • Karma: +168/-32
  • Ex Asshole - a better and more caring person.
Re: CloudFlare
« Reply #2 on: September 07, 2011, 10:00:50 AM »
I've looked at it.  You can basically use it as a front end CDN (vs the normal back end).  You can configure what traffic goes through them and what traffic goes directly to you.

My concern wasn't security so much as the fact that their free version doesn't state how much traffic or storage they provided.  When those numbers aren't provided I get concerned real quick.

micah
Re: CloudFlare
« Reply #3 on: June 16, 2015, 08:26:30 PM »
Sorry to bump a 4 year old thread but I just learned today that you can use Cloudflare to provide free SSL between their intermediary server and your client's browsers.

https://www.cloudflare.com/ssl

HTTPS FOR EVERYONE!
"I possess a device, in my pocket, that is capable of accessing the entirety of information known to man.  I use it to look at pictures of cats and get in arguments with strangers."

micah
Re: CloudFlare
« Reply #4 on: June 17, 2015, 10:24:57 AM »
So I set up their "Flex" SSL on my shared hosted sites.  The problem with this method is that it's really only encrypting the data between the client browser and Cloudflare's intermediary reverse proxy.  The connection between my site and Cloudflare is still open.  I feel like this is ok for basic security, where the concern is the end user having their data sniffed on their own network.  I assume that man-in-the-middle attacks are less likely between servers.  Does that sound right?  Cloudflare lets you use a self-signed certificate (usually flagged by a client browser) to send encrypted data to them, then they apply their legit CA to the traffic going out to the client. This would give full end-to-end security but most (if not all) shared hosts don't let you install self-signed certs (and really cheap hosting doesn't give you a dedicated IP anyway which makes it impossible anyway).

Seems like having the Flex pseudo SSL is a pretty good workaround for either sites still in development or sites that traditionally didn't have any SSL but could benefit from it because of things like log-in or contact forms.  But a legit site with real security needs (like taking credit card info or something) should still get legit hosting and buy a real Cert from a traditional CA.

Thoughts?
"I possess a device, in my pocket, that is capable of accessing the entirety of information known to man.  I use it to look at pictures of cats and get in arguments with strangers."
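
An added example, not part of the original post: an origin-side check for the setup described above, where the browser sees HTTPS but the hop from the proxy to the origin is plain HTTP. It assumes a Python WSGI origin and the `CF-Visitor` / `X-Forwarded-Proto` request headers that Cloudflare adds; the function names, the field list and the sample requests are constructed for illustration.

```python
import json

# Constructed list of form fields treated as sensitive for this example.
SENSITIVE_FIELDS = {"password", "card_number", "email"}

def classify_legs(environ):
    """Return (visitor_scheme, origin_scheme, flexible) for a WSGI request.

    The proxy headers are only meaningful when the origin accepts
    connections from the proxy alone; a direct client can forge them.
    """
    origin_scheme = environ.get("wsgi.url_scheme", "http")  # proxy -> origin hop
    visitor_scheme = None
    raw = environ.get("HTTP_CF_VISITOR")  # e.g. {"scheme":"https"}
    if raw:
        try:
            visitor_scheme = json.loads(raw).get("scheme")
        except (ValueError, AttributeError):
            visitor_scheme = None  # malformed header: fall through
    if visitor_scheme is None:
        xfp = environ.get("HTTP_X_FORWARDED_PROTO", "")
        visitor_scheme = xfp.split(",")[0].strip().lower() or None
    if visitor_scheme not in ("http", "https"):
        visitor_scheme = origin_scheme  # no usable proxy header: treat as direct
    # "Flex" mode: padlock in the browser, cleartext on the origin hop.
    flexible = visitor_scheme == "https" and origin_scheme == "http"
    return visitor_scheme, origin_scheme, flexible

def cleartext_exposure(environ, form_fields):
    """Sensitive field names that crossed the proxy-to-origin hop unencrypted."""
    _, origin_scheme, _ = classify_legs(environ)
    if origin_scheme == "https":
        return []
    return sorted(SENSITIVE_FIELDS & set(form_fields))

# Constructed sample requests (WSGI environ fragments).
SAMPLE_FLEXIBLE = {"wsgi.url_scheme": "http", "HTTP_CF_VISITOR": '{"scheme":"https"}'}
SAMPLE_ENCRYPTED_ORIGIN = {"wsgi.url_scheme": "https", "HTTP_CF_VISITOR": '{"scheme":"https"}'}
SAMPLE_DIRECT = {"wsgi.url_scheme": "http"}

if __name__ == "__main__":
    for name, env in [("flexible", SAMPLE_FLEXIBLE),
                      ("encrypted origin", SAMPLE_ENCRYPTED_ORIGIN),
                      ("direct", SAMPLE_DIRECT)]:
        print(name, classify_legs(env),
              cleartext_exposure(env, ["username", "password", "email"]))
```
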

ober
Re: CloudFlare
« Reply #5 on: June 17, 2015, 08:15:15 PM »
I guess I'm not sure what you would use this for. I'd feel safer with a traditional cert personally.