In a move that will essentially double the number of SSL-protected sites on the Web in the space of 24 hours, CloudFlare on Monday said that it was enabling SSL for all of its more than two million customers for free.
The new service is called Universal SSL, and the company is making it available to both its paid and free customers. Company officials said that the move is designed to play a part in preventing ISPs, governments and attackers from throttling or censoring the Internet. CloudFlare’s service is designed to protect and accelerate the Web sites of customers, and the company’s decision to turn on SSL for all of its customers could make a significant difference in the security of large amounts of the Internet’s traffic.
“The team behind Netscape first introduced SSL back in February 1995, originally intended to facilitate ecommerce online. As the Internet grew in importance, governments, ISPs, and hackers began to intercept, throttle, and censor traffic as it flowed across the network to serve their ends. In response, SSL’s importance expanded beyond ecommerce to help ensure a free and open web. As Google and the IETF work on the next generation Internet protocols like SPDY and HTTP/2, it’s no wonder encryption is at their heart. And so, in order for CloudFlare to fulfill its mission of helping build a better Internet, we knew one of the most important things we could do was enable Universal SSL for all our customers — even if they don’t pay us,” Matthew Prince, CEO of CloudFlare, said.
“Having cutting-edge encryption may not seem important to a small blog, but it is critical to advancing the encrypted-by-default future of the Internet. Every byte, however seemingly mundane, that flows encrypted across the Internet makes it more difficult for those who wish to intercept, throttle, or censor the web. In other words, ensuring your personal blog is available over HTTPS makes it more likely that a human rights organization or social media service or independent journalist will be accessible around the world.”
In practical terms, Universal SSL means that CloudFlare will provide an SSL certificate for every customer and will accept HTTPS connections for the main domain and first-tier subdomains. Prince said that the decision to turn on SSL for all of CloudFlare’s customers was not one that the company took lightly. SSL traffic has a higher overhead in terms of performance and server load, and to help address that problem Prince said the company decided to use ECDSA (Elliptic Curve Digital Signature Algorithm), which is less taxing than RSA.
Another challenge for CloudFlare with this plan is that the offering of SSL is one of the things that entices free customers to become premium customers, so Universal SSL could result in reduced revenue. Prince said the company’s board of directors decided the risk was worth it.
“We went over our plans for launching Universal SSL and how doing so may hurt our revenue given that SSL is one of the reasons people upgrade to a paid plan. But everyone on CloudFlare’s Board was unanimous: even if it does hurt revenue in the short term, it’s the right thing to do,” Prince said.