CloudFlare Rolls Out Universal SSL

CloudFlare has made a big move that essentially doubles the number of encrypted sites on the internet by rolling out what it’s calling Universal SSL.

The company said that it will support secure sockets layer (SSL) connections to every CloudFlare customer, including the 2 million sites that have signed up for the free version of its service.

It’s part of a larger philosophical view for the website accelerator.

“Having cutting-edge encryption may not seem important to a small blog, but it is critical to advancing the encrypted-by-default future of the Internet,” said Matthew Prince, co-founder and CEO at CloudFlare, in a blog. “Every byte, however seemingly mundane, that flows encrypted across the Internet makes it more difficult for those who wish to intercept, throttle, or censor the web. In other words, ensuring your personal blog is available over HTTPS makes it more likely that a human rights organization or social media service or independent journalist will be accessible around the world. Together we can do great things.”

For all customers, it will now automatically provision an SSL certificate on CloudFlare's network that will accept HTTPS connections for a customer's domain and subdomains. Those certificates include an entry for the root domain (e.g., as well as a wildcard entry for all first-level subdomains (e.g.,,, etc.).

“Yesterday, there were about 2 million sites active on the Internet that supported encrypted connections,” Prince said. “By the end of the day today, we'll have doubled that.”

For a site that did not have SSL before, it will default to something called the Flexible SSL mode, which means traffic from browsers to CloudFlare will be encrypted, but traffic from CloudFlare to a site's origin server will not.

“We strongly recommend site owners install a certificate on their web servers so we can encrypt traffic to the origin,” CloudFlare said. “Once you've installed a certificate on your web server, you can enable the Full or Strict SSL modes, which encrypt origin traffic and provide a higher level of security.”

For free customers, Universal SSL support is limited to “modern browsers,” CloudFlare said. These are defined as browsers that include support for ECDSA, and which support an extension to the SSL protocol called Server Name Indication (SNI). SNI sends the website name (the equivalent of the host header) unencrypted, which allows CloudFlare to return different certificates on an IP address depending on what customer's site is requested. Typically any browser that’s less than six years old will meet these criteria; globally, more than 80% of CloudFlare requests come from modern browsers, it said.

The company also said that it has plans to expand the universe of supported browsers slightly by taking advantage of connections that arrive over IPv6 for browsers that don't support SNI.

“About 16% of unique IP addresses that connect to CloudFlare do so via IPv6,” the company  explained. “Since IPv6 addresses are virtually infinite, we don't have the same limitations as we do with IPv4 and can therefore return a unique certificate for every IPv6 address.”

CloudFlare's paid plans will support both modern and legacy browsers.

Overall, the goal is to encourage modern browser use and expand encryption to the far corners of the web, the company said. “The internet is a belief system,” said Prince. “At CloudFlare, we're proud today that we're playing a part in helping advance that belief system. And, having proven that Universal SSL is possible at our scale, we hope many other organizations will follow in turning SSL on for all their customers and at no additional cost.”

What’s Hot on Infosecurity Magazine?