On Thursday 23 October 2014 14:30:59 John Nagle wrote:
> On 10/23/2014 02:00 PM, Richard Barnes wrote:
> illa and the CA/Browser Forum.
>
> > And I suspect it is related to this:
> > http://blog.cloudflare.com/introducing-universal-ssl/
>
> You're probably right. What Cloudflare provides by default is
> "Flexible SSL", in which Cloudflare acts as a MITM:
> "For a site that did not have SSL before, we will default to our
> Flexible SSL mode, which means traffic from browsers to CloudFlare will
> be encrypted, but traffic from CloudFlare to a site's origin server will
> not."
>
> It's a form of security theater. Just enough to turn on the lock
> icon.

To use Cloudflare you need to transfer the domain to Cloudflare. So it's hardly a MITM. It's a forward proxy service.

And while it doesn't tell you if the servers themselves are securely configured, it does help against skriptkiddies riding on your local coffee shop wifi.

--
Regards,
Hubert Kario