Cloudflare Automates SSL/TLS for Enhanced Security and Simplified Origin Server Connections

San Francisco, CA – September 10, 2024 – Cloudflare, the leading web performance and security company, has introduced a new automated SSL/TLS setup designed to simplify encryption of the traffic between Cloudflare and its customers' origin servers. The feature applies the configuration automatically, ensuring security without the risk of site downtime.

The automated SSL/TLS leverages Cloudflare’s SSL/TLS recommendation system to strengthen the encryption between Cloudflare and origin servers. This recommendation system automatically executes a series of requests from Cloudflare to customer origins, each with different SSL/TLS settings, to determine whether the backend communication can be upgraded to a configuration stronger than the current one.

“Ensuring proper certificate configuration on the origin server and informing Cloudflare how to communicate with the origin can be daunting,” explained Alex Krivit, Product Manager at Cloudflare, along with Suleman Ahmad, Software Research Engineer, J Evans, Software Engineer, and Yawar Jamal, Systems Engineer. “Misconfiguration can lead to downtime if not properly deployed or configured.”

While Cloudflare has previously offered technologies like Authenticated Origin Pulls, Cloudflare Tunnels, and Certificate Authorization to aid customers in configuring communication with origin servers, these solutions still required manual configuration changes on both the origin server and in Cloudflare settings.

Cloudflare provides five options for SSL/TLS connections with origin servers: Off, Flexible, Full, Full (Strict), and Strict. In Strict mode, all requests from the browser to Cloudflare, whether HTTP or HTTPS, will always connect to the origin server via HTTPS and verify the origin server’s certificate.
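To make the probing described above concrete, here is an added illustration (not Cloudflare's code) of how a recommender can model the origin-side settings of each mode and pick the strongest one that actually works. It assumes the API-style mode names `off`, `flexible`, `full` and `strict`, and treats Full (Strict) simply as `strict`; `live_probe` and `recommend_mode` are hypothetical helper names.

```python
import http.client
import ssl
from typing import Callable, Optional

# Modes ordered weakest to strongest. The recommender only ever upgrades,
# so only modes above the current one are probed.
MODES = ["off", "flexible", "full", "strict"]


def origin_tls_context(mode: str) -> Optional[ssl.SSLContext]:
    """Origin-side TLS settings for a mode (simplified model, an assumption).
    off/flexible: plaintext HTTP to the origin, so no TLS context at all.
    full: TLS, but the origin certificate is not validated.
    strict: TLS with chain and hostname validation (the secure target)."""
    if mode in ("off", "flexible"):
        return None
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if mode == "full":
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def live_probe(host: str, mode: str, timeout: float = 5.0) -> bool:
    """One request to the origin with the given mode's settings (hypothetical
    helper). Returns False on TLS failure, e.g. a self-signed cert in strict."""
    ctx = origin_tls_context(mode)
    conn = None
    try:
        if ctx is None:
            conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        else:
            conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
        conn.request("HEAD", "/")
        return conn.getresponse().status < 500
    except (OSError, ssl.SSLError, http.client.HTTPException):
        return False
    finally:
        if conn is not None:
            conn.close()


def recommend_mode(current: str, probe: Callable[[str], bool]) -> str:
    """Strongest mode above `current` whose probe succeeds; never downgrades."""
    if current not in MODES:
        raise ValueError(f"unknown mode {current!r}")
    best = current
    for mode in MODES[MODES.index(current) + 1:]:
        if probe(mode):
            best = mode
    return best
```

With a real origin the call is `recommend_mode("flexible", lambda m: live_probe("origin.example", m))`; the selection logic can be exercised offline with a constructed probe that returns fixed results per mode.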

A decade ago, Cloudflare launched Universal SSL, and in 2022 it pledged to deliver the most secure automated connection from Cloudflare to origin servers. However, it acknowledged the challenges of configuring origin SSL at scale.

“We took more time to balance enhanced security with seamless website functionality, especially as the security configuration and capabilities of origin servers are outside of Cloudflare’s direct control,” added Krivit, Ahmad, Evans, and Jamal.

As Cloudflare acts as an intermediary between clients and customer origin servers, two separate TLS connections are established: one between the user’s browser and the Cloudflare network, and another between the Cloudflare network and the origin server. Unlike securing the connection between the client and Cloudflare, managing the security features of the origin server is more challenging.

In a popular thread on HackerNews, user amluto commented, “Cloudflare is talking about the security advantages of Cloudflare Tunnels. They are likely very secure, but I wish Cloudflare would clean up their configuration system so that the configuration truly matches the behavior. The mapping setup from DNS names to routes shouldn’t be called DNS, and it absolutely shouldn’t pretend to be CNAME.”

Other users discussed the availability of Zero Trust portals and expressed concerns about the increasing number of available options. User LinuxBender added, “This will remove human intervention from the loop of certificate origins. I can see an opportunity to add a privacy-enhancing step before Encrypted Client Hello (ECH) becomes universally supported on all devices.”

Cloudflare has begun rolling out this feature to customers with the SSL/TLS recommendation system enabled. The remaining free and Pro customers are expected to have it enabled starting September 16th, with Business and Enterprise customers following suit.

This new automated SSL/TLS setup represents a significant step forward in simplifying and securing communication between Cloudflare and its customers' origin servers. By leveraging Cloudflare’s expertise in web security and performance, this feature promises to enhance the overall security posture of websites and applications while reducing the burden on developers and system administrators.
