Recently I posted about how generally wonderful Cloudflare is and how it can help to make your site more speedy.
Well, Cloudflare is now offering something pretty AMAZING for free and it could help make the site much more secure.
At the end of September 2014 Cloudflare announced on their blog, that they will offer free Universal SSL for every site that uses their network! This is huge deal for the web, as in August 2014, Google said that they will now take whether a site has SSL/HTTPS as a part of their rankings as they’d ultimately like ‘HTTPS everywhere’.
HTTPS is what you get when you visit a ‘secure’ site like a bank, PayPal or e-commerce sites and you have the gold or green padlock in the address bar. Having HTTPS on a site makes it much more secure as your connection to the site is encrypted. SSL is the way you make websites use HTTPS connections.
Cloudflare offer three flavours of SSL, Flexible SSL, Full SSL and Full SSL ‘Strict’.
With Flexible SSL, which will be the default mode for sites on Cloudflare, the traffic from browsers to CloudFlare will be encrypted, but traffic from CloudFlare to a site’s origin server won’t be (but people will see the padlock on your site). With either of the Full SSL options, both sites of the connection to Cloudflare will be encrypted. To use Full SSL you need an SSL certificate on your hosting server (can be a self-signed certificate). For Full SSL ‘Strict’ the certificate needs to be signed by a trusted certificate authority.
As soon as Universal SSL was announced by Cloudflare, they started rolling it out to existing sites on their network and will also offer as default (in Flexible mode) for all new signups. Unsurprisingly, this announcement went down rather well with the web community—so much so that they had to post on their blog asking people for patience as everyone wanted their free SSL—NOW!
This might sound all a bit techy (and it kind of is!). For your average site, the Flexible SSL might be all you need. But if you hold any sensitive data on your site, then Full SSL really is the way to.
To help guide people through the, sometimes confusing, world of the SSL certificates, Cloudflare have also published a blog post explaining how to get them and install them so you can use Full SSL.
So if your site needs some SSL goodness, now is a great time to get it in and free and simple way!
[Image via Cloudflare]
Eric Dye says
This is so awesome! 😀
Brendan says
Are your feelings about CloudFlare’s SSL still the same today? We came across CloudFlare recently on our search for adding SSL to our church website.
James Cooper says
I still LOVE CloudFlare! There’s also a new system on the block for pretty easy SSL called “Let’s Encrypt”. More and more hosts are putting together easy ways of adding it. If your site happens to be hosted with SiteGround – then it’s extra simple as they have a really nice and easy what of getting SSL via that in a couple of minutes: http://www.siteground.com/tutorials/cpanel/lets-encrypt.htm
One thing to remember is that once you’re using HTTPS, you might will have to make sure that all the content on the site is being served over a secure connection (or you can get error/warning messages in the browser…); and you might want/need to setup redirects to make sure people use the new secure connection!
I hope that helps.
Brendan says
Thanks James! We just migrated our church site to a SiteGround VPS/Cloud setup. Our site was hacked while sitting on our long time shared host and their customer support was non-existent after a recent transfer of ownership. Anyhow, the site is so much faster on SiteGround and they respond to tickets!
Long term I think we’re leaning toward Pantheon. We run Drupal and are about to start a redesign in Drupal 8. Pantheon has a nice built-in dev, test, stage environment and some other nice features. They’re the reason I first heard about CloudFlare. With the lowest tier plan from Pantheon, you can’t setup an SSL the traditional way (I think because of a lack of static IP at that tier) but they had a tutorial of how to do it with CloudFlare.
We’ve been using self signed https for years on the admin side but would like to go ahead and route everybody through https soon!
Brendan says
*Meant to say “dev, test, live.”
James Cooper says
Sounds like a nice set-up! Let’s hope that Let’s Encrypt (and it’s newly released cPanel/WHM plugin), along with CloudFlare, will make many more sites https asap! 😉