CloudFlare offers web encryption up the wazoo
Don't sweat your mixed content, promises web whacker
CloudFlare is promising to bring about the encrypted internet by adopting the latest web security protocols and offering a solution to the horror of mixed content.
Just over a week since Google warned it would start labeling HTTP websites as "not secure," CloudFlare promises to help the many, many website owners who have a mix of both secure and insecure content on their sites, through what it is calling "automatic HTTPS rewrites."
It is also adopting the latest version of TLS (transport layer security) – 1.3 – and offering "opportunistic encryption" by encrypting the connection between someone's browser and CloudFlare.
In short, the company – which makes its money from sitting inbetween a company's website and the broader, nastier internet – is making cutting-edge encryption readily available.
You have to sign up with CloudFlare of course, whose services range from free for tiny websites to hundreds of dollars a month for big corporate sites. It's a pretty compelling offering, especially for those without their own IT departments.
The "automatic HTTPS rewrite" service helps tackle probably the most widespread security problem with websites – mixed content. And it should help many get that little green padlock in browsers.
By embedding third-party videos, images or ads hosted elsewhere, a webpage's security is effectively compromised and use of SSL is lost. CloudFlare's solution to this is to search your site for non-secure HTTP links and compare the domains against two lists of secured domains (Chrome's HSTS and Electronic Frontier Foundation's HTTPS Everywhere list). If the link goes to a domain that supports HTTPS, CloudFlare will rewrite the URL to HTTPS.
This isn't a perfect solution, because your site may still host links to domains not on that list, but the idea is that as more and more of the internet moves over to secure connections, it will have a knock-on effect.
The TLS 1.3 spec is a good one in that it optimizes encryption and, CloudFlare claims, "makes encrypted connections just as fast as unencrypted." Well, we'll have to see, but it will be undeniably faster than previous versions, especially over phones.
CloudFlare head of cryptography, Nick Sullivan, says that the company has seen a 20 per cent decrease in page load times using 1.3 over 1.2. That's in large part because the spec reduces the number of handshakes required from 3 to 2.
There is a "but," however – TLS 1.3 is not yet fully supported by any browser, so you won't see those gains until browsers incorporate the new spec; something that both Mozilla and Google say they intend to do soon. You can enable it now if you want to tweak your browser settings.
And lastly, the "opportunistic encryption" that will see CloudFlare do your encrypting for you. It currently only works with Firefox but it will allow the far greater use of HTTP2, so it's a good bet that Google is looking at incorporating the standard into Chrome soon.
In short, CloudFlare is offering – incorporated into its existing services for no additional fee – a cutting-edge level of encryption that is mildly useful right now but should become increasingly useful as the drive to move to an encrypted internet becomes a reality. And you can be reasonably certain that CloudFlare has done a solid job in its introduction.
The company has some lively language describing it of course: "When it comes to browsing, we've been driving around in a beat-up car from the 90s for a while," it says in its PR bumpf. "Little does anyone know, we're all about to trade in our station wagons for a smoking new sports car."
The move may also undermine criticism of the company from individuals like alleged sex pest Jacob Applebaum, who argued earlier this year that CloudFlare "runs untrusted code in millions of browsers on the web for questionable security gains." Those gains are less questionable after today.
You can find out more about the tech in a CloudFlare blog post. ®
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Let's Encrypt
- Palo Alto Networks
- Trusted Platform Module
- Zero trust