6

I was reading about the offerings of the Cloudflare and then I read about the working of Cloudflare. Based on my understanding, the domain name of my website(alice.com) is resolved to the IP address of Cloudflare Data Center which communicates with the user and deliver the static content. In the scenario where the dynamic content is required the Cloudflare Data Center communicates with my web server and delivers the content to Cloudflare Data Center which in turn delivers the content to the user. This makes my server invisible for the external world thus providing the overall security.

The thing triggering in my head is how the SSL handshake is happening when Cloudflare is used. As per my understanding there will be two handshakes happening

  1. User<->Cloudflare

  2. Cloudflare<->alice.com

If this is true then Cloudflare must be having access of all the traffic in the plain-text. As the initial handshake happens with Cloudflare which allows Cloudflare to decrypt the traffic. In this scenario, we are letting third party(Cloudflare) access to user's sensitive information such as user credentials, PII etc. Does this makes sense?

Also, if the aforementioned statements are true how is the hostname verification happening during initial SSL handshake?

Shiv Sahni
  • 965
  • 9
  • 16

1 Answers1

2

You would need to provide your private key to Cloud Flare to have them create a valid SSL/TLS connection with your clients on your behalf. This gives them full plain text access to all content exchanged between your clients and you. This is one of the tradeoffs of using them.

MikeSchem
  • 2,361
  • 2
  • 14
  • 37
  • 1
    There is a new option where you don't need to give them your private key, but you still need to terminate the encryption on their servers, giving them full plaintext access to the traffic. The only difference is that you get to keep your private key. – forest Sep 10 '18 at 07:01