A couple of weeks ago Cloudflare began offering SSL with their free plan. This is a pretty generous thing to do. It means that I can host this blog on GitHub, who are also being very generous, and get SSL and content delivery network features from Cloudflare--all for free!
The team at CloudFlare is excited to announce the release of Universal SSL™. Beginning today, we will support SSL connections to every CloudFlare customer, including the 2 million sites that have signed up for the free version of our service.
Further, recently Google said that they would give a small ranking increase to SSL-enabled sites:
adding a SSL 2048-bit key certificate on your site — will give you a minor ranking boost.
Many people took that to mean "get your site SSL enabled or else" and for technical blogs like this one, about the only way people find the posts is via Google.
I set up my domain in Cloudflare and had it scan my current DNS settings. Then I pointed my domain's DNS servers to use the Cloudflare nameservers.
Next, in Cloudflare's web GUI, I changed my root domain to use "CNAME Flattening" and set up my domain to be an alias of the flatsec.github.io URL (which was previously set up properly, using a CNAME file and such).
CloudFlare uses CNAME Flattening to present a CNAME as an A record.
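To illustrate the CNAME flattening described above, here is an added example (not from the original post or from Cloudflare) that models the idea in Python: the DNS provider follows the alias chain itself and answers with plain A records at the apex. The apex name `blog.example`, the intermediate host and the 192.0.2.x addresses are constructed; only flatsec.github.io comes from the post.

```python
# Added example: a toy model of CNAME flattening at a zone apex.
# All names except flatsec.github.io, and all addresses, are constructed.

APEX = "blog.example"  # hypothetical root domain

# Constructed upstream data the DNS provider would resolve on our behalf.
UPSTREAM = {
    "flatsec.github.io": [("CNAME", "pages.hosting.example")],
    "pages.hosting.example": [("A", "192.0.2.10"), ("A", "192.0.2.11")],
}

def apex_cname_conflicts(zone):
    """A CNAME may not coexist with other records at the same name, and
    an apex always carries SOA and NS, so a literal apex CNAME is invalid."""
    types = {rtype for rtype, _ in zone.get(APEX, [])}
    return "CNAME" in types and len(types) > 1

def flatten(target, upstream, max_depth=8):
    """Follow the CNAME chain from target and return its A addresses."""
    seen = set()
    name = target.rstrip(".").lower()
    for _ in range(max_depth):
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        records = upstream.get(name, [])
        addrs = [value for rtype, value in records if rtype == "A"]
        if addrs:
            return addrs
        cnames = [value for rtype, value in records if rtype == "CNAME"]
        if not cnames:
            return []  # dangling alias: nothing to serve, worth alerting on
        name = cnames[0].rstrip(".").lower()
    raise ValueError("CNAME chain too long")

def answer_apex_a(alias_target, upstream):
    """What a client sees: plain A records owned by the apex, no CNAME."""
    return [(APEX, "A", ip) for ip in flatten(alias_target, upstream)]

if __name__ == "__main__":
    naive = {APEX: [("SOA", "ns1.dns.example"), ("NS", "ns1.dns.example"),
                    ("CNAME", "flatsec.github.io")]}
    print("literal apex CNAME conflicts:", apex_cname_conflicts(naive))
    for rr in answer_apex_a("flatsec.github.io", UPSTREAM):
        print(rr)
```

An empty result from `flatten` means the alias target no longer resolves, which is the condition to monitor for if the hosting behind the alias is ever removed.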
After about 24 hours Cloudflare was working and had created a shared, or universal as Cloudflare calls it, SSL certificate for
I also enabled and configured two-factor authentication.
Like technology, information security is complicated. Very complicated. Often I encounter situations in which there is no clear-cut answer, and no way to make everyone happy and secure. I try to do what's reasonable. Implementing "reasonable security" means performing some due diligence with regard to risk; it means getting a good understanding of what's actually going on; it means thinking about what you're doing and why you're doing it, and that is what I like about infosec.
These are some of the thoughts, goals, and concerns I have about using Cloudflare and their free SSL:
For me, as an individual technical blogger, I think it's reasonable to use Cloudflare's free SSL service. However, what's reasonable for me in this particular situation might not be reasonable for you or your business.
Basically, I'm availing myself of several free services, including Google Analytics, Google Fonts, Disqus comments, etc., and all those services, while not costing me anything, do provide valuable information for the vendor in terms of data. At some point in the future it might make sense for me to host this site elsewhere (I do like Digital Ocean), but for the time being I'm OK with how it's set up.