Topic: Cloudflare sites relinquishing SSL private keys? (Read 1475 times)

b!z
legendary
Activity: 1582
Merit: 1010
December 01, 2013, 04:22:12 AM
#5
> > You don't need to install a CA cert, you just paste your SSL private key to Cloudflare.
>
> That is my point. Cloudflare then sees the unencrypted data. Apparently this is of no concern?


I guess many websites trust Cloudflare enough to share their SSL keys.
newbie
Activity: 26
Merit: 0
Why this was moved to "Off-topic" I do not understand. I originally posted in Economy/Marketplace. Many Bitcoin sites use Cloudflare.
newbie
Activity: 26
Merit: 0
> You don't need to install a CA cert, you just paste your SSL private key to Cloudflare.

That is my point. Cloudflare then sees the unencrypted data. Apparently this is of no concern?
newbie
Activity: 38
Merit: 0
You don't need to install a CA cert, you just paste your SSL private key to Cloudflare.
newbie
Activity: 26
Merit: 0
Is it correct that in order for a site to utilize Cloudflare to protect them from DDoS on port 443 (SSL), that site must install their CA-signed cert (private key) on Cloudflare's servers? I think Cloudflare did a deal with a CA to even streamline this process.

Regardless of how data between Cloudflare and the site's real IP is subsequently proxied, does this effectively mean that said site must implicitly trust Cloudflare and any parent it may be answerable to? Is this a MITM scenario?

Due to the nature of SSL and CA infrastructure in general, I don't think there is a way around this natively. Is there a way for a third party to filter (i.e. from flood) your SSL data securely? If not, perhaps some JS crypto could fill the gap between site and user? Of course, secure JS delivery has its own problems under such a scenario...