#StackBounty: #tls #cloudflare Security implications of Cloudflare's SSL Full mode (not Strict)

Bounty: 100

Cloudflare enables several options regarding the communication between its servers and our own.

"SSL Full" means Cloudflare encrypts the traffic but doesn’t check the validity of our servers’ certificate.

"SSL Full (Strict)" means Cloudflare encrypts the traffic and checks the validity of our servers’ certificate.

I am wondering what the security risks are of using "SSL Full".

I understand that theoretically the risk is that someone could pose as us to Cloudflare. I guess this would require that when Cloudflare’s servers try to resolve the IP address of our server, they would be misled towards this malicious server. Or that someone on the way between Cloudflare and our server would pose as us, in a Man in the Middle pattern.

How likely is that? Is it even possible?

Cloudflare isn’t explicit at all as to whether this option is acceptable in a production setting.
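
The difference between the two modes described in the question, as an added illustration (not part of the original post and not Cloudflare's code): a local TLS listener presents a throwaway self-signed certificate, and a client connects once without validation ("full") and once with validation ("strict"). Assumptions: the `openssl` CLI is installed, the names `origin.example.test` and `impostor.invalid` are placeholders, and "strict" is modeled with Python's default trust store only.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(tmpdir, cn="impostor.invalid"):
    # Constructed sample: throwaway self-signed cert via the openssl CLI (assumed installed).
    key, crt = os.path.join(tmpdir, "key.pem"), os.path.join(tmpdir, "crt.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", crt, "-days", "1", "-subj", f"/CN={cn}"],
                   check=True, capture_output=True)
    return key, crt

def serve_tls(key, crt, connections):
    # Local listener standing in for whatever host answers on the origin's address.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    lsock = socket.create_server(("127.0.0.1", 0))
    def loop():
        for _ in range(connections):
            conn, _ = lsock.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)
            except (ssl.SSLError, OSError):
                pass  # a validating client aborts the handshake
        lsock.close()
    threading.Thread(target=loop, daemon=True).start()
    return lsock.getsockname()[1]

def origin_pull(port, mode, hostname="origin.example.test"):
    # Handshake as the proxy would: "full" encrypts only, "strict" also validates.
    ctx = ssl.create_default_context()           # CA chain + hostname check
    if mode == "full":
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE          # any certificate is trusted
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return "accepted", tls.cipher()[0]
    except ssl.SSLCertVerificationError as exc:
        return "rejected", exc.verify_message

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        key, crt = make_self_signed(tmp)
        port = serve_tls(key, crt, connections=2)
        return {m: origin_pull(port, m) for m in ("full", "strict")}

if __name__ == "__main__":
    for mode, (verdict, detail) in demo().items():
        print(f"{mode:6} -> {verdict}: {detail}")
```

The "full" connection completes an encrypted session with a certificate that proves nothing about who is on the other end, while the "strict" connection fails during the handshake.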

