Alex Krivit, Mikey Sleevi, Suleman Ahmad

In 2014, Cloudflare introduced Universal SSL to encrypt internet connections by making SSL/TLS certificates free and easy to obtain. Configuring an origin server with a certificate, however, was still complex and expensive at the time, so Cloudflare published guidance on how to configure and upload certificates to secure the connection between Cloudflare and customers' origin servers. In 2015 it launched a beta Origin CA service that offered free, limited-function certificates for customer origin servers. As demand grew for documentation and configuration of origin-facing SSL/TLS communication, Cloudflare announced in 2016 the general availability (GA) of its Origin Certificate Authority, providing cheap and easy origin certificates along with guidance on how best to configure backend security for any website. It also introduced features such as Authenticated Origin Pulls and Cloudflare Tunnel to further harden the backend.

Cloudflare is now taking the next step: automatically managing the most secure connection possible between its customers' origin servers and itself. This reduces the configuration burden for origin-facing security and provides a zero-configuration option for how Cloudflare communicates with origins. Cloudflare is also opening up all SSL/TLS modes to all plan levels, including Strict mode, which was previously reserved for enterprise customers only.

To upgrade the origin-facing security of a website, Cloudflare uses its SSL/TLS Recommender tool to determine the highest security level the origin can support and then upgrades the setting automatically, without breaking the site. It is also moving from per-zone SSL/TLS settings to per-origin SSL/TLS settings, so that security can be set more precisely for each origin. The rollout of these changes is expected to begin before the end of the year.
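The recommend-then-upgrade flow described above, sketched as an added Python example (not Cloudflare's code): a probe classifies an origin as TLS with a valid certificate, TLS with an untrusted certificate, or no TLS at all, maps that to the strongest Cloudflare mode it can support, and applies the result per origin while only ever moving upward. The `OriginProbe` structure, the probe ordering and the mode ranking are assumptions made for this example.

```python
import socket
import ssl
from dataclasses import dataclass


@dataclass
class OriginProbe:
    """Outcome of probing one origin (hypothetical shape, not Cloudflare's API)."""
    host: str
    tls_listener: bool   # did port 443 complete any TLS handshake?
    cert_valid: bool     # did the chain verify and match the hostname?


def probe_origin(host: str, port: int = 443, timeout: float = 5.0) -> OriginProbe:
    """Live probe: try a fully verified handshake first, then an unverified one
    so that 'untrusted certificate' can be told apart from 'no TLS at all'."""
    verified = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with verified.wrap_socket(sock, server_hostname=host):
                return OriginProbe(host, True, True)
    except ssl.SSLCertVerificationError:      # subclass of SSLError: check first
        return OriginProbe(host, True, False)
    except (ssl.SSLError, OSError):
        pass
    unverified = ssl.create_default_context()
    unverified.check_hostname = False
    unverified.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with unverified.wrap_socket(sock, server_hostname=host):
                return OriginProbe(host, True, False)
    except (ssl.SSLError, OSError):
        return OriginProbe(host, False, False)


# Cloudflare's encryption modes, weakest to strongest (assumed ranking).
MODE_RANK = {"Off": 0, "Flexible": 1, "Full": 2, "Full (strict)": 3}


def recommend_mode(p: OriginProbe) -> str:
    """Strongest mode this origin can sustain without breaking the site."""
    if p.tls_listener and p.cert_valid:
        return "Full (strict)"
    if p.tls_listener:
        return "Full"
    return "Flexible"


def safe_upgrade(current: str, recommended: str) -> str:
    """Never downgrade an explicitly configured stronger setting."""
    return recommended if MODE_RANK[recommended] > MODE_RANK[current] else current


def per_origin_settings(zone_mode: str, probes: list) -> dict:
    """Per-origin result of applying the recommender on top of the zone default."""
    return {p.host: safe_upgrade(zone_mode, recommend_mode(p)) for p in probes}
```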