Bitcoin Forum

Other => Off-topic => Topic started by: agent13 on November 30, 2013, 08:30:05 PM



Title: Cloudflare sites relinquishing SSL private keys?
Post by: agent13 on November 30, 2013, 08:30:05 PM
Is it correct that in order for a site to utilize Cloudflare to protect them from DDoS on port 443 (SSL), that site must install their CA signed cert (private key) on Cloudflare's servers? I think Cloudflare did a deal with a CA to even streamline this process.

Regardless of how data between Cloudflare and the site's real IP is subsequently proxied, does this effectively mean that said site must implicitly trust Cloudflare and any parent it may be answerable to? Is this a MITM scenario?

Due to the nature of SSL and CA infrastructure in general, I don't think there is a way around this natively. Is there a way for a third party to filter (i.e. from flood) your SSL data securely? If not, perhaps some JS crypto could fill the gap between site and user? Of course, secure JS delivery has its own problems under such a scenario...


Title: Re: Cloudflare sites relinquishing SSL private keys?
Post by: TheoryOfBitcoin on December 01, 2013, 06:20:56 AM
You don't need to install a CA cert, you just paste your SSL private key to Cloudflare.


Title: Re: Cloudflare sites relinquishing SSL private keys?
Post by: agent13 on December 01, 2013, 06:41:57 AM
You don't need to install a CA cert, you just paste your SSL private key to Cloudflare.

That is my point. Cloudflare then sees the unencrypted data. Apparently this is of no concern?


Title: Re: Cloudflare sites relinquishing SSL private keys?
Post by: agent13 on December 01, 2013, 06:43:12 AM
Why this was moved to "Off-topic" I do not understand. I originally posted in Economy/Marketplace. Many Bitcoin sites use Cloudflare.


Title: Re: Cloudflare sites relinquishing SSL private keys?
Post by: b!z on December 01, 2013, 08:22:12 AM
You don't need to install a CA cert, you just paste your SSL private key to Cloudflare.

That is my point. Cloudflare then sees the unencrypted data. Apparently this is of no concern?


I guess many websites trust Cloudflare enough to share their SSL keys.