CloudFlare “flexible SSL” puts the TLS termination point into CloudFlare’s cloud, under their control. They can inspect any data sent to and from your web-server and the security is as strong as theirs.
That means that the web-traffic can be intercepted between the CloudFlare and your own environment. That could happen:
- at your own servers;
- at your ISP and any routers between them and CloudFlare; or
- inside CloudFlare cloud.
The security of your data is no longer fully under your own control – it is very much in the hands of CloudFlare. In practical terms, it doesn’t have to be significantly less secure, but it creates several new weak points.
The important aspect is that it has an impact on your compliance and liability if you use HTTPS to satisfy external regulatory requirements – like protection of credit card numbers if you use your web-servers for online sale. You’d need to extend your compliance efforts and include the unsecured traffic between CloudFlare and your servers.
Is CloudFlare “Flexible SSL” for me?
It depends on your threat model. If you don’t worry about the security and just want to show the green padlock in your visitors’ web browsers then the answer is a resounding yes.
If you mostly worry about the security between your visitors’ browsers and “the internet”, e.g., eavesdropping on the WiFi network they use to connect to your websites, then it would still work.
If your primary goal is to secure the traffic end-to-end, then you should not use it.
One more relevant aspect is DNS. If you want to use CloudFlare, you need to transfer the management of your DNS records to them. CloudFlare then controls how your domain name is resolved to IP addresses. This ultimately controls where are your visitors sent and which servers are between them and your own web servers.
References: the post has been inspired by and uses some of the answers fromĀ Quora: How secure is CloudFlare flexible SSL option.