I don't think I'm switching to Automatic SSL/TLS

I received an email from cloudflare concerning the new SSL/TLS mode. and honestly I think it's pretty redundant and maybe harmful if you know what you are doing. since suppose you used this feature and it detected that full (strict) mode is the best option for you. and then you decided you wanted to use self signed certificates for whatever reason. it will take a bit of time until it switches to the correct mode full mode (not strict) (until the schedule is reached). which will mess up your service. I want to hear your opinion on this.
31 Replies
Idle
Idle4mo ago
:confusedpixeljoe: how about you read the description of the ssl modes before you start switching things around...?
penny
pennyOP4mo ago
you mean this?
No description
Idle
Idle4mo ago
mhm
penny
pennyOP4mo ago
yeah, does not contry to anything I said?!
Idle
Idle4mo ago
ssl recommender recommends upgrades in security not downgrades this would be a fundamental flaw, if cloudflare decided to downgrade client to origin traffic security by itself lol
penny
pennyOP4mo ago
doesn't it recommend the best option for you?
Idle
Idle4mo ago
yes which is the most secure not least secure
penny
pennyOP4mo ago
if you can't support full strict mode aymore, why would it stay? shouldn't it downgrade to the best possible? (which can work)
Idle
Idle4mo ago
it's literally in the first line of the product description
Automatic SSL/TLS uses the SSL/TLS Recommender to identify and apply the most secure encryption mode for your website
if you have it set to full or flexible, and it can't detect a cf/public cert then it won't suggest an upgrade anyways??? very confusing
penny
pennyOP4mo ago
Brother here is my story 1. Penny was using a CA certificate which is signed by let's encrypt. 2. Penny was using automatic SSL/TLS, which recommended Full strict mode. (best option penny can support) 3. Penny decided to use a self signed certificate. 4. Automaic SSL/TLS took a lot of time to switch for the best thing penny can support since the schedule run is a bit late. 5. Penny continued using full strict mode on a self signed CA certifiacte 6. No request can reach penny's server until another scheduled check is done. is this a valid story? please tell me what you think what I think you're saying is that it runs only once?
Idle
Idle4mo ago
No description
Idle
Idle4mo ago
it tells you when the next scan happens
penny
pennyOP4mo ago
yeah which is in like a day at least
Idle
Idle4mo ago
if you decide to downgrade your origins security for whatever reason, then you need to manually lower your encryption level
penny
pennyOP4mo ago
which means my service will be totally screwed until the next scan yeah so, I don't really need it... right?
Idle
Idle4mo ago
I think you completely missed the point of the ssl/tls recommender which is to automatically improve connection security not reduce it this is especially useful for people who are not familiar with ssl/tls
penny
pennyOP4mo ago
here is what I think the use case of this is: the first run is the most important one, anything else is on you
Idle
Idle4mo ago
:shrugpepe:
penny
pennyOP4mo ago
so in other words, for the first scan keep it as automatic, see what it recommends, use it and switch to manual
Idle
Idle4mo ago
I recommend you read through the product description of the tls recommender
penny
pennyOP4mo ago
good idea :blobhaj: splosjh
Idle
Idle4mo ago
No description
penny
pennyOP4mo ago
I missed this, good one
Chaika
Chaika4mo ago
"decided to use a self signed certificate" really isn't a sane/valid option Full (Strict) (or Strict) or Off are the only valid options you should ever be picking. Using a self-signed cert opens yourself up to mitm attacks, anyone can mitm the connection and present any cert
penny
pennyOP4mo ago
what if it expired and I didn't wanna bother... you know?
Chaika
Chaika4mo ago
plenty of us who think at least Flexible or Full should not even be options I don't know, no. That opens you up to mitm just the same, it's not really an acceptable option. Browsers wouldn't accept it, the fact that CF lets you subvert those sane security stuff doesn't make it secure
penny
pennyOP4mo ago
also some people told me that using full mode (not strict) with or without a valid TLS certificate is the same lol
Chaika
Chaika4mo ago
It's not the same, the reason being under Full anyone can present any certificate, even self-signed and it'd be accepted It's using SSL/HTTPS but it's not verifying the destination, so you'd have encryption to the person mitming/attacking
penny
pennyOP4mo ago
ok great so full mode is not really secure, since people like my ISP can present them self as me, and its not a sane thing to dwitch from trusted certificate to self signed did I get it right? full mode (strict) is the only secure option
Chaika
Chaika4mo ago
exactly. If certs or cert renewal is the issue, CF offers 15 year long Origin Server Certs under SSL/TLS -> Origin Server, trusted by Full (Strict). Some security trade off with not renewing for way longer but you can pick the exact duration and ensure the private key stays safe With this new selector free has access to the previously Enterprise only "Strict" as well, which is User -> HTTP -> CF -> HTTPS -> Origin, whereas with Full Strict it'd be HTTP -> origin if User -> Cf is HTTP. But if you have Always use HTTPS/redirecting all requests to https (which you should), then it makes no difference
penny
pennyOP4mo ago
alright, many thanks
Want results from more Discord servers?
Add your server