
CloudFlare-signed SSL Certificates, or "Use This One Crazy Trick To Decrypt SSL"

CloudFlare, this post is directed to you.

A few months ago, I wrote a post challenging Google to start issuing free SSL certificates. You have taken this challenge seriously and I commend you.

Now that you have implemented Free Universal SSL, you should start signing CSRs for your customers, so that you can support Full SSL without compromising any security. Currently the only free SSL certificates are issued by StartSSL, but it would greatly reduce the barrier to entry for Universal SSL if you were to issue certificates solely for the purpose of the transport between CloudFlare and the origin server. It would once again turn on the authorization feature of SSL that you have so far, silently, turned off.

I have read numerous blog posts and reddit posts warning about using Flexible SSL due to possible MITM attacks between CloudFlare and the origin server. I can imagine such a theoretical attack taking place on an IaaS provider such as AWS. More seriously than that, it breaks the implicit trust of end-to-end encryption that the little green padlock offers.
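The mechanism proposed above (CloudFlare signs a customer's CSR with its own internal CA, and the resulting certificate is trusted only for the CloudFlare-to-origin leg) and the unauthenticated gap that Flexible SSL leaves, shown as an added example that is not part of the original post. It assumes `openssl` is installed; the CA and host names (`cdn-origin-ca`, `origin.example`) are constructed placeholders, not CloudFlare's.

```shell
#!/bin/sh
# Added example (not from the original post). Models the proposal: a CDN-internal CA
# signs the origin server's CSR; only a party trusting that CA accepts the origin cert.
# Assumes openssl is on PATH. All subject names below are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. The CDN's internal CA: a self-signed root that only the CDN edge needs to trust.
make_internal_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=cdn-origin-ca (constructed)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. The customer's origin generates its own key and CSR; the private key never leaves it.
make_origin_csr() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=origin.example" \
    -keyout "$WORK/origin.key" -out "$WORK/origin.csr" 2>/dev/null
}

# 3. The CDN signs the CSR, yielding a cert useful only on the CDN-to-origin leg.
sign_origin_csr() {
  openssl x509 -req -in "$WORK/origin.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -out "$WORK/origin.crt" 2>/dev/null
}

# 4. An unrelated CA, standing in for "anyone else": it must NOT be able to vouch
#    for the origin, which is what stops a MITM on that leg from presenting its own cert.
make_unrelated_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=unrelated-ca (constructed)" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
}

# Verification as the CDN edge would perform it: trust exactly the CA file given.
# Exit status 0 means the origin certificate chains to that CA.
verify_origin_cert() {
  openssl verify -CAfile "$1" "$WORK/origin.crt" >/dev/null 2>&1
}

run_demo() {
  make_internal_ca && make_origin_csr && sign_origin_csr && make_unrelated_ca
  verify_origin_cert "$WORK/ca.crt"      && echo "internal CA:  origin cert accepted"
  verify_origin_cert "$WORK/other.crt"   || echo "unrelated CA: origin cert rejected"
}

run_demo
```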

CloudFlare, you should partner with Let's Encrypt or just use their heroku-acme module to serve up free-range, locally-signed, organic, grass-fed, low-sodium certificates. An added bonus would be to let the end users know somehow. You could put up a cloudflare-strict-ssl.com page showing the percentage of your free users who are still using Flexible SSL. It would function like the IE6 Countdown page. It would still protect the anonymity of your Flexible SSL customers, but it would offer transparency and garner additional user trust.

Did you promise just this after announcing Universal SSL last August? Has this just fallen down in priority?

It's time to complete the vision. You have already cleared the hard hurdles. What are the remaining technical hurdles to issuing certs signed by your own internal CA?

Update 1/17/2015: Cloudflare has responded.

Awesome!

Update 5/3/2016: Cloudflare has rolled out their CA.

https://blog.cloudflare.com/cloudflare-ca-encryption-origin/