I don't think I'm switching to Automatic SSL/TLS
I received an email from Cloudflare concerning the new SSL/TLS mode.
and honestly I think it's pretty redundant and maybe harmful if you know what you are doing.
since suppose you used this feature and it detected that full (strict) mode is the best option for you, and then you decided you wanted to use self-signed certificates for whatever reason. it will take a bit of time until it switches to the correct mode
full mode (not strict)
(until the schedule is reached).
which will mess up your service.
I want to hear your opinion on this.
:confusedpixeljoe:
how about you read the description of the ssl modes before you start switching things around...?
you mean this?
mhm
yeah, does not contradict anything I said?!
ssl recommender recommends upgrades in security
not downgrades
this would be a fundamental flaw, if cloudflare decided to downgrade client to origin traffic security by itself lol
doesn't it recommend the best option for you?
yes which is the most secure not least secure
if you can't support full strict mode anymore, why would it stay? shouldn't it downgrade to the best possible?
(which can work)
it's literally in the first line of the product description
Automatic SSL/TLS uses the SSL/TLS Recommender to identify and apply the most secure encryption mode for your website
if you have it set to full or flexible, and it can't detect a cf/public cert then it won't suggest an upgrade anyways??? very confusing
Brother here is my story
1. Penny was using a CA certificate which is signed by Let's Encrypt.
2. Penny was using automatic SSL/TLS, which recommended Full strict mode. (best option Penny can support)
3. Penny decided to use a self-signed certificate.
4. Automatic SSL/TLS took a lot of time to switch to the best thing Penny can support since the schedule run is a bit late.
5. Penny continued using full strict mode on a self-signed CA certificate.
6. No request can reach Penny's server until another scheduled check is done.
is this a valid story?
please tell me what you think
what I think you're saying is that it runs only once?
it tells you when the next scan happens
yeah which is in like a day at least
if you decide to downgrade your origin's security for whatever reason, then you need to manually lower your encryption level
which means my service will be totally screwed until the next scan
yeah so, I don't really need it... right?
I think you completely missed the point of the ssl/tls recommender
which is to automatically improve connection security
not reduce it
this is especially useful for people who are not familiar with ssl/tls
here is what I think the use case of this is:
the first run is the most important one, anything else is on you
:shrugpepe:
so in other words, for the first scan keep it as automatic, see what it recommends, use it and switch to manual
I recommend you read through the product description of the tls recommender
good idea
:blobhaj: splosjh
I missed this, good one
"decided to use a self signed certificate" really isn't a sane/valid option
Full (Strict) (or Strict) or Off are the only valid options you should ever be picking. Using a self-signed cert opens yourself up to mitm attacks; anyone can mitm the connection and present any cert
what if it expired and I didn't wanna bother... you know?
plenty of us who think at least Flexible or Full should not even be options
I don't know, no. That opens you up to mitm just the same, it's not really an acceptable option. Browsers wouldn't accept it, the fact that CF lets you subvert those sane security stuff doesn't make it secure
also some people told me that using full mode (not strict) with or without a valid TLS certificate is the same lol
It's not the same, the reason being under Full anyone can present any certificate, even self-signed and it'd be accepted
It's using SSL/HTTPS but it's not verifying the destination, so you'd have encryption to the person mitming/attacking
ok great so full mode is not really secure, since people like my ISP can present themselves as me, and it's not a sane thing to switch from a trusted certificate to self-signed
did I get it right?
full mode (strict) is the only secure option
exactly. If certs or cert renewal is the issue, CF offers 15-year-long Origin Server Certs under SSL/TLS -> Origin Server, trusted by Full (Strict). Some security trade-off with not renewing for way longer, but you can pick the exact duration and ensure the private key stays safe
With this new selector free has access to the previously Enterprise only "Strict" as well, which is User -> HTTP -> CF -> HTTPS -> Origin, whereas with Full Strict it'd be HTTP -> origin if User -> Cf is HTTP. But if you have Always use HTTPS/redirecting all requests to https (which you should), then it makes no difference
alright, many thanks