The number of services today that allow you to quickly get online is stunning. Tumblr, WordPress, Blogger, AppEngine, Posterous, Ning, TypePad, Smugmug, and more allow anyone to publish content online. Unfortunately, most don't support SSL. This means that, if you access one of these platforms from a shared network connection, like a coffee shop or airport wifi, someone can use a tool like Firesheep to sniff your session cookie information and gain access to your account even without your password.
While the risk of this for most people isn't very high, our customer support team has been getting more and more inquiries about whether CloudFlare can add SSL encryption to these third party platforms. Justin on our team wanted to find out how easy it was so he used his own Tumblr blog (
justinpaine.com) to find out.
Setup a Custom Domain
The first step for any of these platforms is to setup a custom domain. Tumblr, for example, defaults sites to using a subdomain of tumblr.com. While we're working with platforms to allow you to add CloudFlare support when you're on a subdomain account, until the platforms explicitly allow it you'll need to setup your own domain. You can find instructions on how to do so for each of the platforms mentioned already through the following links:
Tumblr,
WordPress,
Blogger,
AppEngine,
Posterous,
Ning,
TypePad, and
Smugmug.
Adding CloudFlare
Once you have a custom domain for your site, you then need to add the site to CloudFlare. If you don't already have a CloudFlare account, you can
create one. After you create a new account, or login to your existing account, you can walk through the quick process of adding your site. The process takes four steps and about five minutes to complete.
To get SSL on your site, you'll need to select one of the
paid CloudFlare plans. All paid plans come with SSL support automatically. You don't need to buy or configure a SSL certificate seperately, we take care of that process for you automatically. As soon as you've finished configuring CloudFlare, we automatically add the SSL certificate and activate it for your account.
Flexible SSL
CloudFlare automatically detects that your platform provider doesn't support SSL and defaults you to the Flexible SSL setup. This means that connections from a browser to CloudFlare will be encrypted via HTTPS, but connections from CloudFlare to the platform will pass over unencrypted HTTP.
While it is ideal to have an end-to-end HTTPS connection, securing the connection from the browser to CloudFlare mitigates 99% of the real risk. A way to think about it is if you're worried about the government monitoring your web traffic, Flexible SSL won't offer a complete solution. On the other hand, if you're worried about someone next to you in the coffee shop sniffing your cookie or password information, CloudFlare's Flexible SSL will protect you.
If your platform provider ever begins to support SSL themselves, you can switch CloudFlare to Full SSL mode at any point from the CloudFlare Settings page and have end-to-end encryption. If you think about it, Flexible SSL is a lot like
CloudFlare's IPv6/IPv4 Gateway. In that case, we were translating between IPv6 and IPv4 networks seamlessly. In this case, we're translating between the HTTPS and HTTP protocols, also seamlessly.
Surf Securely
That's all there is to it. Once the DNS propogates, you'll be able to connect to your site securely just by entering HTTPS rather than HTTP. You can also use PageRules to force all connections to HTTPS if you'd like to default to an encrypted connection. Check out Justin's Tumblr:
It's one of the only encrypted Tumblr sites and it didn't require him changing anything in his Tumblr settings, just signing up for CloudFlare. Pretty cool!
One last note: we had previously supported
another method for SSL on Google's AppEngine. That method, which relied on domain masking, proved brittle and unreliable so it was depricated for now. This new method using Flexible SSL is 100% reliable and has the advantage of supporting a number of platforms beyond Google's AppEngine. We'll be bringing back domain masking enabled via PageRules in the future since it does have some beneficial uses.
