Interview CloudFlare boss Matthew Prince is hoping that the firm's project to roll out SSL support to customers of its free cloud-based content delivery service will inspire other internet firms to build out a fully encrypted web.
The Universal SSL program from CloudFlare allows its customers to encrypt and secure web traffic between visitors and websites cached by CloudFlare's content delivery network. Prince told El Reg that Universal SSL was a culmination of a three-year project that was originally pencilled in to take 12 months.
More and more sites are moving towards SSL-by-default in the wake of the ongoing revelations about mass surveillance of internet activities exposed by former NSA sysadmin-turned-whistleblower Edward Snowden.
CloudFlare's project long predates the Snowden leaks and was initially driven by the fact that the latest web protocols coming down the pipeline (such as HTTP/2 and Google's SPDY) are, as browsers implement them, only available over TLS. Google's recent decision to give secure (https) sites a higher search engine ranking became another factor pushing the project forward.
"There were a number of factors, all of which were pushing towards a more encrypted web," Prince, co-founder and chief exec of CloudFlare, explained. "Over time the project has gained more and more importance."
Many small website owners lack the technical knowledge needed to set up a secure website and, in some cases, the funds to pay for a $60-a-year SSL certificate. Universal SSL was set up to overcome these obstacles.
CloudFlare is providing SSL certificates that are valid for root domains and first-level subdomains at no charge to customers. These certificates are sourced from a number of third-party certificate authorities. CloudFlare was able to obtain these certificates at low cost thanks to a contra-deal involving the supply of content delivery services to its CA partners.
"We're helping CAs to handle the load for CRL [Certificate Revocation List] and OCSP [Online Certificate Status Protocol] lists," Prince explained. "This has become more of an issue within the digital certificate business because of the Heartbleed vulnerability."
The response to the infamous Heartbleed vulnerability in the OpenSSL library back in April involved reissuing site certificates and revoking the old ones, as well as patching servers, which pushed a surge of revocation-checking traffic onto the CAs.
CloudFlare's hosting helped some CAs cope with that extra load and left them better placed for the next crisis, but by no means all of them were prepared to partner with CloudFlare on Universal SSL, mostly for business reasons. "I had to convince them that it was inevitable that low grade certificates were eventually going to go free anyway," Prince explained.
The Universal SSL service encrypts the traffic between CloudFlare's data centres and surfers visiting the sites it fronts. This was previously a paid-for feature. Prince admits that CloudFlare is likely to see a short-term revenue decline as a result of introducing the service for free, but says the longer-term gains will more than make up for the short-term hit.
"Universal SSL has already brought benefits in goodwill and customers," Prince said.
CloudFlare wants to be part of the movement pushing to encrypt the whole of the web.
"Robust crypto is the future of the web. The answer to most of the security and technology problems of today is encryption," Prince explained.
There were about 2 million sites active on the web that supported encrypted connections at the start of September. Rolling out Universal SSL more than doubled this figure within days. This figure is being boosted still further by 5,000 new customers signing up to CloudFlare's services every day, according to Prince.
"My hope is that other organisations will follow suit," Prince told El Reg. "We've had positive feedback for Universal SSL from the likes of Amazon and Google - natural places to push forward the effort to build an encrypted web. Hosting partners can also act to enable SSL by default. Mozilla has an interest to push a more encrypted web."
CloudFlare initially hoped to complete the Universal SSL project within 12 months but the project eventually took three years to complete because of technical obstacles it encountered along the way. Designing backend systems that handled the load without slowing down site performance was one challenge, along with making sure Universal SSL did not become a vector for distributed denial of service attacks.
Solving these problems led to the contribution of enhancements to various open-source projects by CloudFlare that others will be able to use and further develop.
Universal SSL encrypts web connections between surfers and the sites fronted by CloudFlare's cloud. Website owners must still install their own certificates on their own servers to ensure that traffic between CloudFlare's CDN and their origin servers is encrypted as well; otherwise only the browser-to-CloudFlare leg is protected. One additional caveat is that CloudFlare's Universal SSL service does not support legacy browsers. The free certificates are served using the TLS Server Name Indication (SNI) extension, which is what lets one shared IP address front many different sites, so SSL connections will not be available to surfers running Windows XP editions of Internet Explorer, pre-Ice Cream Sandwich (Android 4.0) devices, or a variety of other older browsers that do not send SNI.
Introducing Universal SSL has led to an increase in support requests for CloudFlare, "even if, for the most part, if you turn it on it just works," Prince explained.
The biggest problems have been mixed-content warnings, mainly caused by ad networks serving unencrypted resources into otherwise secure pages.
"We'll have nailed all the challenges we have by the end of the year," Prince explained, "including solving ad network delivery and doing it at scale."
CloudFlare's release of Universal SSL in September came days after it rolled out its KeyLess SSL security option. KeyLess SSL, designed primarily for security-sensitive customers such as banks, allows a customer's private SSL keys to stay on servers it controls while still being used to complete the secure connections that run through CloudFlare's network: the edge forwards only the handshake's private-key operation to the customer's key server and never holds the key itself.
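The following Go program is an added illustration of the two mechanisms above, the SNI-dependent certificate selection behind the legacy-browser caveat and the key-server delegation behind KeyLess SSL. It is not CloudFlare's code and does not use CloudFlare's protocol; it relies on the fact that Go's crypto/tls accepts any crypto.Signer as a certificate's private key. The `keyServer` type, the `remoteSigner` type and the hostname `example.com` are assumptions made for the example: the key server is kept in-process and the certificate is self-signed so that the whole thing runs offline over an in-memory pipe.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// keyServer stands in for the customer's key server, the only component that holds
// the private key. Real Keyless SSL reaches it over the network; this one is in-process.
type keyServer struct {
	key *rsa.PrivateKey
	ops int // private-key operations performed on the edge's behalf
}

func (k *keyServer) sign(digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	k.ops++
	return k.key.Sign(rand.Reader, digest, opts)
}

// remoteSigner is all the edge holds: the public key plus a handle to the key server.
// crypto/tls accepts any crypto.Signer, so the handshake signature is produced remotely.
type remoteSigner struct {
	pub crypto.PublicKey
	ks  *keyServer
}

func (r *remoteSigner) Public() crypto.PublicKey { return r.pub }
func (r *remoteSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	return r.ks.sign(digest, opts)
}

// selfSignedCert is a throwaway stand-in for the CA-issued certificate.
func selfSignedCert(host string, key *rsa.PrivateKey) (*x509.Certificate, []byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return leaf, der, err
}

// handshake runs one TLS handshake over an in-memory pipe. serverName is what the
// client sends in SNI; "" means no SNI extension at all, like the legacy browsers.
func handshake(edge *tls.Config, serverName string, roots *x509.CertPool) error {
	cli, srv := net.Pipe()
	defer srv.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srv, edge).Handshake() }()
	c := tls.Client(cli, &tls.Config{
		ServerName:         serverName,
		RootCAs:            roots,
		InsecureSkipVerify: serverName == "", // no SNI: nothing to verify against
	})
	if err := c.Handshake(); err != nil {
		return err
	}
	return <-srvErr
}

type Result struct {
	WithSNI, WithoutSNI error // handshake outcome for an SNI-capable and an SNI-less client
	KeyOps             int   // how many times the edge had to call the key server
}

// Demo builds a keyless edge serving host and exercises it with both kinds of client.
func Demo(host string) (Result, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Result{}, err
	}
	leaf, der, err := selfSignedCert(host, key)
	if err != nil {
		return Result{}, err
	}
	ks := &keyServer{key: key}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: &remoteSigner{pub: &key.PublicKey, ks: ks}}
	edge := &tls.Config{
		SessionTicketsDisabled: true, // TLS 1.3 would otherwise write a ticket nobody reads on the pipe
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if h.ServerName != host { // a shared edge selects the certificate by SNI
				return nil, fmt.Errorf("no SNI for %q: cannot select a certificate", host)
			}
			return &cert, nil
		},
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	r := Result{WithSNI: handshake(edge, host, roots), WithoutSNI: handshake(edge, "", roots)}
	r.KeyOps = ks.ops
	return r, nil
}
```

Calling `Demo("example.com")` completes the handshake for the client that sends SNI, with exactly one private-key operation performed by the key server rather than by the edge, and fails for the client that sends none, because the edge has no way to choose which site's certificate to present. The one thing this toy omits is the hardening a real deployment needs between edge and key server: a mutually authenticated channel and rate limiting, since the key server is now a signing oracle for anyone who can reach it.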
The technology has knock-on benefits for the roll-out of Universal SSL as well as CloudFlare's more general expansion plans.
"KeyLess SSL across data centres helps CloudFlare expand its regional networks," Prince explained. "We're planning a massive expansion from presence in 30 to 100 data centres in the next year." ®