Warning! Cloudflare Free SSL Certificate Reveals Other Users' Domains

Cloudflare free SSL users are grouped together and share the same SSL certificate. Looking at the details of the SSL certificate reveals other users' domains.

Cloudflare has added SSL support to its offerings, including a free SSL certificate option. I am sure you would have jumped right away to enable SSL on your website. If you haven't, you had better do it to improve your site ranking, as Google has started ranking HTTPS sites higher.

But there is a small issue. The SSL certificate Cloudflare generates is not just for the site on which you enabled SSL; the same certificate covers all the other websites in your account.

I would have been a little happier if that were all, but it looks like they use the same certificate for other users as well. The good thing is that it is not shared with everybody using a free account at Cloudflare. It seems a few users are grouped together and share the same SSL certificate.

When you check the SSL certificate of your domain using an SSL checker tool, it reveals these domain details.

In this case I checked my domain: https://www.sslshopper.com/ssl-checker.html#hostname=thiru.in

[Screenshot: free SSL certificate details reveal other free users' domains]

If you have a problem with this, you had better get your own SSL certificate!
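
The check described above can also be scripted against the certificate itself. The following is an added example, not code from the original post: it lists the names in a certificate's subjectAltName field that fall outside your own domains. The sample certificate is constructed, and every name in it other than thiru.in is a placeholder.

```python
import socket
import ssl

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# Every name except thiru.in is a made-up placeholder.
SAMPLE_CERT = {
    "subject": ((("commonName", "shared-cert.cdn.example"),),),
    "subjectAltName": (
        ("DNS", "shared-cert.cdn.example"),
        ("DNS", "*.thiru.in"),
        ("DNS", "thiru.in"),
        ("DNS", "*.other-customer.example"),
        ("DNS", "other-customer.example"),
        ("DNS", "Another-Site.example"),
    ),
}


def fetch_cert(hostname, port=443, timeout=5.0):
    """Fetch the validated leaf certificate a server presents for hostname (SNI)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def base_name(san):
    """Normalise a SAN entry: lower-case, no trailing dot, no wildcard label."""
    san = san.lower().rstrip(".")
    return san[2:] if san.startswith("*.") else san


def is_mine(san, own_domains):
    """True if the SAN is one of own_domains or a name underneath one."""
    name = base_name(san)
    return any(name == d or name.endswith("." + d)
               for d in (base_name(o) for o in own_domains))


def exposed_names(cert, own_domains):
    """Names on the certificate that do not belong to own_domains."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sorted({base_name(s) for s in sans if not is_mine(s, own_domains)})


if __name__ == "__main__":
    # Offline run on the sample; use fetch_cert("your-domain") for a live check.
    for name in exposed_names(SAMPLE_CERT, ["thiru.in"]):
        print(name)
```

Pass every domain in your own account as `own_domains`; whatever is still listed is a name that anyone inspecting your site's certificate can read.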

Update, Oct 18, 2014: Please also check the discussion on Reddit. As per this Stack Overflow post, Cloudflare breaks the trust model by offering this free Flexible SSL.

The browser trusts the SSL certificate on the assumption that the connection is secured end-to-end, but in this case it is secured only from the browser to Cloudflare; the connection from Cloudflare to the host is not secured, which breaks the trust.

To overcome this, we can configure a self-signed certificate on the host and use Full SSL (not Strict), which would secure the Cloudflare-to-host connection as well.
