Looks like Cloudflare has a feature called "Automatic HTTPS Rewrites" that avoids mixed content and presumably also rewrites internal URLs from HTTP to HTTPS. Not a bad offering, but again you'd come to depend on them and their connection with your server remains insecure.

"not secure | example.com" for some people looks like that the site is "not secure" (e.g. malware). However, just the communication is not secure. Several people will misunderstand the message and leave the site.

"not secure | example.com" for some people looks like that the site is "not secure" (e.g. malware). However, just the communication is not secure. Several people will misunderstand the message and leave the site.

It ends to be the same. When the connection is not secure, then it means the content of the page can have been altered between the sever and the client "Man-in-the-middle attack". Also, it means that all data exchanged between the sever and client are in plain text, and so anything along the path, can read these data.

^^ exactly ^^

Like POP3, IMAP and FTP, HTTP is insecure by definition, so the label seems appropriate enough. The other way around is a little more complicated: the "Secure" label can be interpreted too broadly, and I suspect they'll be phasing out the padlock and "Secure" label at some point, effectively making HTTPS the norm. Warnings for insecure HTTP, on the other hand, may only get stronger (but not obtrusive like an interstitial).

I just converted our biggest site to full https nearly a week ago (3-4 million uniques per month).

Our forum, with 225K users, has been https since last April or May I believe - but the rest of the site remained with http due to coding fixes that needed to be applied.

The rest of the site is on a framework, so it wasn't a simple switch. There was plenty of coding fixes to be done by my main developer.

That's why a lot of the major sites, like ESPN, TMZ, Dailymail, etc., are refusing to bow to Google's pressure, because those will be some serious recode jobs.

Once the coding was done on our site, I used Cloudflare to do the 301s and use their SSL certs so my servers don't have to issue the calls.

So far some of my major sections have lost a few places in rank, while other sections have had no effect so far and remain strong. Revenue appears the same more or less.

One thing I'll say, some of my competitors (who have logins on their main page), have had those "not secure" messages on their site for like a year it seems like, and they have felt zero effect in terms of traffic or revenue loss.

I think users pay very little attention to those "not secure" messages (especially on mobile) and it's really being overhyped that people will see it, get scared and run off.

However, I believe the Chrome warnings for http sites may get worse in the future or there will be other browser restrictions in the future. Rather than wait for that to happen, I just bit the bullet and made the switch.

I think users pay very little attention to those "not secure" messages (especially on mobile) and it's really being overhyped that people will see it, get scared and run off.

My experience is the opposite, especially on mobile. I'm seeing non-secure sites dropping all the time, especially in my niche.

Proactively, I removed an affiliate because of their cavalier attitude about user safety regarding HTTPS. User safety (including privacy) is high on my list and I won't do business with those who feel otherwise.

I also see this as "web cred" (similar to "street cred".) I've seen SEO types boast what miracles they can do with ranking and when I look at their site it's often non-secure or has a bad mobile look.

Please excuse my ignorance, but :

- why do you keep talking about SSL, Since 1999 this is TLS, the standard. And SSL has been banned from the face of the web in 2014/15 following the POODLE attack. So I hope you are not using SSL 1, 2 or 3 for your sites.

- everybody who says that they use Cloudflare, for their TLS, does it mean that your site/data are being transmitted in plain text between your server and the servers of Cloudflare, before being encrypted ? If so, isn't it "half" bad ? The data can still be altered and intercepted anywhere between Cloudflare and your server.

You have diffrent options at Cloudflare [support.cloudflare.com]

SSL and TLS are not technically synonymous, but they're often used as such in conversation (and marketing), especially in reference to certificates. "TLS certificate" has a different ring to it :-) Most don't need to worry much about the difference, big as it may be.

...Cloudflare, for their TLS, does it mean that your site/data are being transmitted in plain text between your server and the servers of Cloudflare, before being encrypted ? If so, isn't it "half" bad ? The data can still be altered and intercepted anywhere between Cloudflare and your server.

That's true for the sites that maintain their host and just put a CDN in front. This is probably worse for the user since it gives the illusion of safety while still putting them at risk.

That's true for the sites that maintain their host and just put a CDN in front.

Reading at all the comments here and there, I have the impression that most webmasters who are using Cloudflare to switch to HTTPS are using CF because they don't know how to do it themselves, which suggests that at the level of their host, their site is not using TLS at all.

This is probably worse for the user since it gives the illusion of safety while still putting them at risk.

Exactly.

Hackers can simply try to listen at cloudflare, and the day they find a security hole, they can absorb all the not-really-secured traffic.

@Travis, that would take some serious type of hackers and those types of hackers, in my personal experience, go after the big boys. I would say about 90% of the people I know using https are going through Cloudlfare for the certs.

An expert with over 20 years experience with encrypted data answered this question on whether there is a real risk of danger with a CDN handling the certs, which only poses to the "flexible" option of Cloudflare as the other two work with a cert installed on your server.

His answer was posted below.

Depends on your threat model. It would be challenging for most attackers to intercept your traffic between CloudFlare and your origin server (presuming that it's hosted at a well-connected ISP); attackers that can do that can probably just as easily intercept your traffic at your ISP or, if you were using a secure connection between CloudFlare and your ISP, at CloudFlare.

The most likely additional risk is DNS: if an attacker can change how CloudFlare resolves your origin server's DNS name, they could get the traffic sent to them (and possibly redirect it from there to your origin server); however, if they could do that, they could probably also get a certificate issued to them for your domain, because many cheap TLS certificates trust DNS to identify authorized domain owners.

Thus, I'm having difficulty identifying a likely threat model for an attacker who could intercept unencrypted traffic between CloudFlare and your origin server, but who would be thwarted by encrypting that traffic.

If you're security-sensitive, it's more secure to not use such a CDN, so you terminate your own TLS connections within your infrastructure: it reduces one threat (an attacker inside CloudFlare).

But I don't think "Flexible SSL" is that much less secure than CloudFlare's "Full SSL" or "Full SSL (strict)". If CloudFlare supports certificate pinning (via HPKP), that would add some security, but I don't think they do.

I would say about 90% of the people I know using https are going through Cloudlfare for the certs

That's one way of keeping them there. They haven't made their files secure at all, they just rely on CF. If they leave, they're faced with the added burden of getting HTTPS compliant.

My personal irritation with CF comes from the malicious behavior I constantly see in my server logs that points back to CF.

Granted, the bad behavior is comparable to some other hosts, but it is sometimes difficult to track down the source site with CF... that & their apathetic replies when I report the abuse and attempt to identify the culprit. Even AWS is more helpful in that regard.

@keyplyr

Very few care about keeping files secure, as far as their decision to go over to HTTPS. Just about everyone I know that went to HTTPS or going there, is only doing so in order to be compliant with Google, possibly snag a ranking boost and avoid those 'no secure' messages in Chrome.

As far as CF customers keeping secure, it depends on what plan they have. I've always had a business plan with some added features and it's not cheap, and I know the bulk of their users are under the free package that most hosts offer.

There are so many added features from a security aspect on the business plan that I would recommend it to anyone.

As far as HTTPS goes, that's why I had a developer recode our site to be compliant instead of using their URL rewrite feature. So if I leave, my only burden is to get my own certs which is very easy with my host.

And its very easy to find the source site with CF. There are hacks for doing so, but they are not widely out there because the hackers dont want CF to switch things up.

Very few care about keeping files secure... [they're] only doing so in order to be compliant with Google, possibly snag a ranking boost and avoid those 'no secure' messages in Chrome.

Yes, sadly that's the case. Just by participating in these forums, one sees that is evident. No matter, the result gets achieved.

Depends on your threat model. It would be challenging for most attackers to intercept your traffic between CloudFlare and your origin server (presuming that it's hosted at a well-connected ISP); attackers that can do that can probably just as easily intercept your traffic at your ISP or, if you were using a secure connection between CloudFlare and your ISP, at CloudFlare.

A compromised network equipment can be anywhere, this is why it's better that anything arriving and leaving your server be encrypted. Also,one day or another (if not already the case), hackers will succeed to get into CloudFlare, than they did with any big Internet companies.

@Peter,

Most hackers, torrent websites, etc. user Cloudflare and CF protects them, so they have a lot of backers from the dark corners of the web - from the highest hack teams down. That's why hackers don't focus on them and thats why CF has a lot of critics for protecting the hack crews. Almost every hack or torrent website, if not all, are using CF.