
Why I Decided to Leave Cloudflare

A few months ago I decided to stretch my security legs and dip into the world of HTTPS and SSL certificates. At the time, and for some time before that, I had been using Cloudflare as my DNS server and for the obvious performance and security improvements it offered. A free account was sufficient at the time.

I looked at the SSL options; what was offered seemed good, and I liked that the Full (Strict) option existed. However, what I didn’t know at the time was that I’d be sitting myself down on their DNS server alongside a bunch of other people and sites I’d never know.

Using the Full (Strict) SSL mode requires you to have your own properly signed SSL certificate, which I had, so I assumed their end handled their certificate and that once traffic reached my site my own SSL would take over and all would be well.

[Image: normal]

One day I was doing some work on the site, clicked on the green lock in the URL bar, and saw what I had expected: a cipher I’d set up was in use and everything was green for go. I clicked on certificate information and instantly saw that the “Issued to” field was definitely not the expected value of “nobreaks.ca” but rather a randomized Cloudflare subdomain…

[Image: cloudflare]
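The check described above, done with code rather than by clicking the lock icon, as an added example that is not the author's own code: it reads the certificate a server presents and reports whether it covers the hostname you expected and which other names share that certificate. The hostnames and the sample certificate are constructed.

```python
# Added example (not from the original post): inspect the certificate a TLS
# endpoint actually presents and compare it with the hostname you expected.
import socket
import ssl

def cert_names(cert: dict) -> tuple[str, list[str]]:
    """Return (subject CN, [SAN DNS names]) from an ssl.getpeercert() dict."""
    cn = ""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cn, sans

def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single leading '*' label (RFC 6125 style)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False

def assess(cert: dict, expected_host: str) -> dict:
    """Does the cert cover expected_host, and which other names share it?"""
    cn, sans = cert_names(cert)
    covered = any(name_matches(n, expected_host) for n in [cn] + sans)
    others = [n for n in sans if not name_matches(n, expected_host)]
    return {"common_name": cn, "covers_expected_host": covered, "shared_with": others}

def fetch_cert(host: str, port: int = 443) -> dict:
    """Fetch the leaf certificate a live server presents for host (sends SNI)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in ssl.getpeercert() shape: a shared edge certificate
# whose CN is not the site's own name, as the post describes.
SAMPLE_CERT = {
    "subject": ((("commonName", "ssl1234.example-edge.invalid"),),),
    "subjectAltName": (("DNS", "ssl1234.example-edge.invalid"),
                       ("DNS", "*.example.org"), ("DNS", "example.org"),
                       ("DNS", "*.another-site.test")),
}

if __name__ == "__main__":
    print(assess(SAMPLE_CERT, "www.example.org"))
```

To check a live site, replace SAMPLE_CERT with fetch_cert("your.host") and pass the same hostname to assess.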

So right away I wondered what the hell was going on. I never gave anyone permission to change the source of my SSL certificate information. But apparently with DNS comes much power.

This initial shock of not really “owning” the SSL certificate I had paid for, and the constant thought, “Has my data really been going where I thought it was?”, loomed over me.

I quickly jumped deeper into the mystery of the hijacked certificate.

[Image: bullshit]

What. The. Hell.

Who are these people, what sites are these, and more importantly, why am I sharing what should be a private and secure certificate that safely facilitates communication between my users and my website?

Well, for the low, low cost of $200 a month (starting price), I could pay Cloudflare and finally upload my own certificate information, which would then be used as expected. Until then, it was slice and dice on the certificates. I’m not going to go the NSA route, but let’s just say I don’t really trust a third party with things like site-specific security certificates.

As a result I immediately disconnected my site from the Cloudflare service and switched back to my original name server provider, 1and1. After 20 hours of delegation and propagation around the world, Nobreaks.ca slowly came back to life, visible to the world as more than a string of numbers forming an IP address that didn’t match its certificate.

[Image: issued]

Now, comfortably back to security, and just to be sure…

[Image: validity]

This isn’t to say that Cloudflare’s services have no validity or merit, but people who are specifically concerned with security should opt to manage things in a more direct way rather than passing the buck to a third party. Granted, I admit that I should have done that from the start, but there were many appealing optimizations, including a free Content Delivery Network.

Even if you don’t opt to use their SSL certificate services, they should respect the decision you have made and not impose external certificate information on your users.

If even a “Pro” tier subscription offered the option to upload one’s own SSL certificate information to be used, I would not be opposed to paying for it. But requiring $200 a month to even make this an option really distances the company from a lot of potential business.

LightSpeedTaco