CloudFlare gives Internet a present: free, no-hassle “Universal” SSL
In a bid to secure even more of the Internet’s websites through the use of secure connections, San Francisco-based content delivery network and Internet security provider CloudFlare has launched a new free service for both its paying and free customers: automatic Secure Socket Layer (SSL) encryption for any site, without the need to pay for or configure an encryption certificate.
Called Universal SSL, the service eliminates the need for organizations to deal with a Certificate Authority or configure their own server’s crypto. Instead, if a website is connected through CloudFlare, its owner can set up a certificate through a Web interface in 5 minutes, and it will be automatically deployed within 24 hours—providing the site’s traffic with Transaction Layer Security (TLS) encryption based on an elliptic curve digital signature algorithm (ECDSA).
In a release, CloudFlare security engineering lead Nick Sullivan said, “The cryptographic systems we’re rolling out as part of Universal SSL are a generation ahead of what is used by even the top Internet giants. These certificates use elliptic curve digital signature algorithm (ECDSA) keys, ensuring all connections with CloudFlare sites have Perfect Forward Secrecy, and they are signed with ECDSA and the highly secure SHA-256 hash function. This is a level of cryptographic security most web administrators literally couldn’t buy.”
By turning this service on, according to CloudFlare CEO Matthew Prince, the company will nearly double the number of websites on the Internet protected by SSL. “Yesterday there were about 2 million SSL-enabled sites active online,” he said. “By the end of the day today, CloudFlare will have rolled out free SSL to another 2 million.”
The complexity of SSL has been a major impediment to its adoption by many website operators, but it isn’t the only one. Sites that rely on advertising for revenue, for example (such as Ars), are hindered by the lack of adoption of SSL by those operations and their resulting requirement for both the presentation of unencrypted content and referral data. In the past, SSL has also been an issue for sites that use content caching, though this would not be an issue for sites front-ended by CloudFlare.
Another potential hindrance is that CloudFlare’s SSL technology isn’t universally supported. It relies on Server Name Identification (SNI), an extension to the TLS encryption standard. SNI is supported by 80 percent or so of existing web browsers. In a blog post on the release of Universal SSL, Prince said, “We also have plans to expand the universe of supported browsers slightly by taking advantage of connections that arrive over IPv6 for browsers that don’t support SNI. About 16% of unique IP addresses that connect to CloudFlare do so via IPv6 (note: that calculation takes only the first 8 bytes as unique in any IPv6 address connecting to our network). Since IPv6 addresses are virtually infinite, we don’t have the same limitations as we do with IPv4 and can therefore return a unique certificate for every IPv6 address.”
Universal SSL comes on the heels of another new service CloudFlare announced for those who already have enterprise certificates and guard them closely: Keyless SSL, a pass-through encryption service that lets companies take advantage of CloudFlare’s anti-distributed denial of service attack capabilities without hosting their encryption certificate in CloudFlare’s data centers. While that service is aimed at major enterprises, Universal SSL could be applied to nearly any website—which could also, consequently, lower the threshold for malicious websites to use SSL.