CloudFlare Rolls Out Free SSL

In a move that will essentially double the number of SSL-protected sites on the Web in the space of 24 hours, CloudFlare on Monday said that it was enabling SSL for all of its more than two million customers for free.

The new service is called Universal SSL, and the company is making it available to both its paid and free customers. Company officials said that the move is designed to play a part in preventing ISPs, governments and attackers from throttling or censoring the Internet. CloudFlare’s service is designed to protect and accelerate the Web sites of customers, and the company’s decision to turn on SSL for all of its customers could make a significant difference in the security of large amounts of the Internet’s traffic.

“The team behind Netscape first introduced SSL back in February 1995, originally intended to facilitate ecommerce online. As the Internet grew in importance, governments, ISPs, and hackers began to intercept, throttle, and censor traffic as it flowed across the network to serve their ends. In response, SSL’s importance expanded beyond ecommerce to help ensure a free and open web. As Google and the IETF work on the next generation Internet protocols like SPDY and HTTP/2, it’s no wonder encryption is at their heart. And so, in order for CloudFlare to fulfill its mission of helping build a better Internet, we knew one of the most important things we could do was enable Universal SSL for all our customers — even if they don’t pay us,” Matthew Prince, CEO of CloudFlare, said.

“Having cutting-edge encryption may not seem important to a small blog, but it is critical to advancing the encrypted-by-default future of the Internet. Every byte, however seemingly mundane, that flows encrypted across the Internet makes it more difficult for those who wish to intercept, throttle, or censor the web. In other words, ensuring your personal blog is available over HTTPS makes it more likely that a human rights organization or social media service or independent journalist will be accessible around the world.”

In practical terms, Universal SSL means that CloudFlare will provide an SSL certificate for every customer and will accept HTTPS connections for the main domain and first-tier subdomains. Prince said that the decision to turn on SSL for all of CloudFlare’s customers was not one that the company took lightly. SSL traffic has a higher overhead in terms of performance and server load, and to help address that problem Prince said the company decided to use ECDSA (Elliptic Curve Digital Signature Algorithm), which is less taxing than RSA.

Another challenge for CloudFlare with this plan is that the offering of SSL is one of the things that entices free customers to become premium customers, so Universal SSL could result in reduced revenue. Prince said the company’s board of directors decided the risk was worth it.

“We went over our plans for launching Universal SSL and how doing so may hurt our revenue given that SSL is one of the reasons people upgrade to a paid plan. But everyone on CloudFlare’s Board was unanimous: even if it does hurt revenue in the short term, it’s the right thing to do,” Prince said.

Discussion

  • Brian m on

    Not totally convinced that it should be forced on customers, it makes browsers slower (think mobile especially), bandwidth and the hassle of mixed sites. Just hope they have an off switch!
    • Khürt Williams on

      The performance impact is insignificant for the added security provided to the end user (the visitor to the web site).
  • JP on

    I suspect Cloudflare will provide customers the option to opt out of default SSL protection...so customers that affirmatively don't want the protection aren't forced to take it as part of the package of services being offered.
  • brian m on

    @khurt agree if security is an issue but most pages don't need it! Just use SSL when you need to! There really is a speed penalty.
  • awood on

    Serious @brian? I fail to understand why people spread BS about performance. Is there a hit? Sure. Will you notice your stupid animated gifs rendering slower? Please! If you have that much traffic, you better be load-balanced with multiple servers, if for nothing else than redundancy. AND, if you haven't been paying attention, Google is going to start lowering search results of sites that don't use SSL. There is no excuse. I live in a nice neighborhood, but I still lock my door and windows. If nothing else, just do it just to piss off the NSA.
