CloudFlare “Flexible SSL” less secure than “Off”?

0 votes
asked by user (120 points)

On the "support" section of the CloudFlare website there is an article about SSL options: What do the SSL options mean?

... and the author of the article suggests that it's less bad to have the SSL option set to "OFF" than to Flexible SSL:

but it is less secure than any other option (even Off), and could even cause you trouble when you decide to switch away from it: How do I fix the infinite redirect loop...

I know that with Flexible SSL there is no secure connection between CloudFlare and your web server. Is this the only reason why the author suggested that it is even less secure than Off, or is there more? Are there any additional risks & vulnerabilities when using Flexible SSL (compared to OFF)? Note that I am just comparing these two options:

  • OFF
  • Flexible SSL

2 Answers

0 votes
answered by user (29.8k points)

Having some SSL/TLS is worlds better than not having it at all. After the repeal of the FCC privacy requirements for ISPs, all websites on the entire internet need to be HTTPS, and HTTP should be disallowed entirely. An adversary can now access the browsing habits of users visiting any website or web service. Even StackOverflow.com would greatly benefit from enforcing the use of HTTPS.

Consider enabling HTTP Strict Transport Security (HSTS).

0 votes
answered by user (320 points)

The only way I can see Flexible being less secure than Off is... malicious folks looking for those flexible connections (HTTP) between known CloudFlare servers and your web server. Having SSL on the client side suggests you have important/private/financial data, so it might be worth their effort to look for insecure transfers between CF and your server.

Aside from that conjecture, I'd consider Flexible dangerous, a liability, a false sense of security, or simply lying to your clients. They think their connection is secure, when it's really not.

It's odd to me that CF even offers Flexible.
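The two answers above, and the redirect-loop article the question links, describe the same topology: under Flexible SSL the browser speaks TLS to the edge, but the edge fetches from the origin over plain HTTP. The following is an added example (not code from the question, either answer, or CloudFlare) that models that topology in Python. It assumes Cloudflare's real `CF-Visitor` (`{"scheme":"https"}`) and `X-Forwarded-Proto` request headers; the `edge_request` simulation, the origin handlers and the diagnostic `X-Origin-Hop` header are constructed for illustration. `naive_origin` redirects on the scheme its own socket saw and loops forever under Flexible; `proxy_aware_origin` redirects on the scheme the visitor used, emits the HSTS header the first answer recommends once the visitor is on HTTPS, and flags requests that arrived in cleartext even though the browser shows a padlock.

```python
import json
from urllib.parse import urlsplit

# ---- origin-side helpers -------------------------------------------------

def hop_scheme(environ):
    """Scheme of the edge->origin hop: what the origin's own socket saw."""
    return environ.get("wsgi.url_scheme", "http")


def visitor_scheme(environ):
    """Scheme the browser used. Cloudflare reports it in CF-Visitor
    ({"scheme":"https"}) and X-Forwarded-Proto; without a proxy it is
    simply the scheme of the hop that reached the origin."""
    raw = environ.get("HTTP_CF_VISITOR")
    if raw:
        try:
            scheme = json.loads(raw).get("scheme")
            if scheme in ("http", "https"):
                return scheme
        except (ValueError, AttributeError):
            pass
    xfp = environ.get("HTTP_X_FORWARDED_PROTO")
    if xfp in ("http", "https"):
        return xfp
    return hop_scheme(environ)


def ssl_mode(environ):
    """'flexible' when the browser used HTTPS but the edge->origin hop is
    plaintext, 'end-to-end' when both hops are TLS, 'plain' otherwise."""
    visitor, hop = visitor_scheme(environ), hop_scheme(environ)
    if visitor == "https":
        return "flexible" if hop == "http" else "end-to-end"
    return "plain"


def https_url(environ):
    return "https://" + environ["HTTP_HOST"] + environ["PATH_INFO"]


HSTS = {"Strict-Transport-Security": "max-age=31536000"}


def naive_origin(environ):
    """Redirects on the scheme of the hop it sees. Fine with no proxy in
    front; under Flexible SSL every request arrives over HTTP, so it
    redirects forever (the 'infinite redirect loop' from the question)."""
    if hop_scheme(environ) == "http":
        return "301", {"Location": https_url(environ)}
    return "200", dict(HSTS)


def proxy_aware_origin(environ):
    """Redirects on the scheme the *visitor* used and sets HSTS once the
    visitor is on HTTPS. Also flags requests the browser believes are
    encrypted but that reached the origin in cleartext."""
    if visitor_scheme(environ) == "http":
        return "301", {"Location": https_url(environ)}
    headers = dict(HSTS)
    if ssl_mode(environ) == "flexible":
        headers["X-Origin-Hop"] = "plaintext"  # hypothetical diagnostic header
    return "200", headers

# ---- constructed model of browser -> Cloudflare edge -> origin -----------

def edge_request(url, mode):
    """Build the WSGI environ the origin receives for `url`.
    mode: 'direct' (no proxy), 'flexible' (TLS to the edge only),
    'full' (TLS on both hops)."""
    parts = urlsplit(url)
    environ = {"HTTP_HOST": parts.netloc, "PATH_INFO": parts.path or "/",
               "wsgi.url_scheme": parts.scheme}
    if mode == "direct":
        return environ
    environ["HTTP_CF_VISITOR"] = json.dumps({"scheme": parts.scheme})
    environ["HTTP_X_FORWARDED_PROTO"] = parts.scheme
    if mode == "flexible":
        environ["wsgi.url_scheme"] = "http"  # edge->origin hop is always plaintext
    return environ


def fetch(origin, url, mode, max_redirects=5):
    """Follow redirects like a browser would. Returns (status, hops, headers);
    status is 'loop' if the redirect limit is hit."""
    for hops in range(1, max_redirects + 1):
        status, headers = origin(edge_request(url, mode))
        if status != "301":
            return status, hops, headers
        url = headers["Location"]
    return "loop", max_redirects, {}


if __name__ == "__main__":
    for origin in (naive_origin, proxy_aware_origin):
        for mode in ("direct", "flexible", "full"):
            print(origin.__name__, mode, fetch(origin, "https://example.com/", mode))
```

The practical check this gives an operator: if the origin logs `ssl_mode(environ) == "flexible"` for real traffic, the padlock the visitor sees covers only the browser-to-edge hop, and anyone on the path between Cloudflare and the origin reads the request in the clear. Note that the `CF-Visitor` fallback chain trusts those headers as Cloudflare sets them; an origin reachable directly from the internet should not take them from arbitrary clients.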
