A couple of weeks ago, Cloudflare announced a new service that provides DDoS protection, caching and application firewalling of SSL-encrypted traffic without the customer handing over its private key. This is a significant breakthrough for companies. Many have strong controls over private keys that forbid sharing them with a third party; more often, the simple cost of a key ceremony is punitive to the business.
Cloudflare has adopted a method in which the private key stays on a key server run by the customer. During the TLS handshake, the Cloudflare edge sends that key server only the single private-key operation it needs (decrypting the client's premaster secret for RSA key exchange, or signing the key-exchange parameters for (EC)DHE) and derives the session keys itself from the result. You can find more details in these blog posts:
The private key stays secure and can now be kept in the customer's own HSMs.
Is the encryption broken at any point?
Cloudflare has been offering SSL termination for some time, and that does not change here: the traffic is still decrypted at the Cloudflare edge so that it can be inspected, cached and filtered. The encryption is 'intercepted', but the risk is managed by the following:
- CF servers hold only session (decryption) keys, and only in memory; physical theft of a server does not yield the keys or the data
- CF servers are located in high-quality, secure facilities
- the private key stays physically within the owner's control
- compromising a CF server exposes only the sessions currently in flight; had the private key been on that server, every session until a new key was generated and deployed would be exposed
- the customer firewalls the key server so that key requests are accepted only from the known IP ranges of the Cloudflare network, further restricting the attack surface
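The split described above (the edge derives session keys, the key server performs only the private-key operation, and accepts requests only from known edge addresses) is small enough to show end to end. The following is an added example, written for this page; it is not Cloudflare's code and does not speak their wire protocol. It models one RSA key exchange in a single process: the client encrypts a premaster secret to the certificate's public key, the edge forwards the ciphertext to a key server holding the private key, and both client and edge derive the same session key without the key ever leaving the key server. The IP ranges, the `keyless-demo` key derivation (a stand-in for the TLS PRF) and the OAEP padding (real TLS 1.2 uses PKCS#1 v1.5) are simplifications for the example. The same server would serve (EC)DHE suites by signing the ServerKeyExchange digest instead of decrypting.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"net"
)

// KeyServer models the customer-hosted key server (the HSM side of the design): it holds the
// private key and exposes only the private-key operation the handshake needs, never the key.
type KeyServer struct {
	priv    *rsa.PrivateKey
	allowed []*net.IPNet // edge address ranges permitted to call; everything else is refused
}

// authorize is the "firewall key requests to known edge IPs" control from the post.
func (ks *KeyServer) authorize(src net.IP) error {
	for _, n := range ks.allowed {
		if n.Contains(src) {
			return nil
		}
	}
	return fmt.Errorf("key request from %s refused: not an allowed edge address", src)
}

// DecryptPremaster serves an RSA key exchange: the edge forwards the client's encrypted
// premaster secret and gets the plaintext back. OAEP is a simplification; real TLS 1.2 RSA
// key exchange uses PKCS#1 v1.5. For (EC)DHE the operation would be rsa.SignPKCS1v15 instead.
func (ks *KeyServer) DecryptPremaster(src net.IP, ciphertext []byte) ([]byte, error) {
	if err := ks.authorize(src); err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, ks.priv, ciphertext, nil)
}

// deriveSessionKey is a deliberately simplified stand-in for the TLS PRF (an assumption of
// this example). What matters is where it runs: at the edge, not at the key server.
func deriveSessionKey(premaster, clientRandom, serverRandom []byte) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{[]byte("keyless-demo"), premaster, clientRandom, serverRandom}, nil))
	return sum[:]
}

// edgeHandshake is the edge's half: it has a channel to the key server (a direct pointer here,
// standing in for the authenticated network connection) but never the private key.
func edgeHandshake(ks *KeyServer, edgeIP net.IP, ciphertext, clientRandom, serverRandom []byte) ([]byte, error) {
	premaster, err := ks.DecryptPremaster(edgeIP, ciphertext)
	if err != nil {
		return nil, err
	}
	return deriveSessionKey(premaster, clientRandom, serverRandom), nil
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand; a failure here would be fatal in any real deployment
	return b
}

// RunKeylessDemo wires client, edge and key server together and reports whether the client
// and the edge agree on the session key, and whether an edge outside the allowlist is refused.
func RunKeylessDemo() (keysAgree, rogueRefused bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	_, edgeNet, _ := net.ParseCIDR("198.51.100.0/24") // constructed; a real deployment uses Cloudflare's published ranges
	ks := &KeyServer{priv: priv, allowed: []*net.IPNet{edgeNet}}
	edgeIP, pub := net.ParseIP("198.51.100.10"), &priv.PublicKey
	clientRandom, serverRandom := randomBytes(32), randomBytes(32) // ClientHello/ServerHello randoms

	// Client side: encrypt a fresh 48-byte premaster secret to the certificate's public key.
	premaster := randomBytes(48)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, premaster, nil)
	if err != nil {
		return
	}
	edgeKey, err := edgeHandshake(ks, edgeIP, ct, clientRandom, serverRandom)
	if err != nil {
		return
	}
	keysAgree = bytes.Equal(edgeKey, deriveSessionKey(premaster, clientRandom, serverRandom))

	// A caller outside the allowlist gets nothing, even when it presents a valid ciphertext.
	_, rogueErr := edgeHandshake(ks, net.ParseIP("203.0.113.7"), ct, clientRandom, serverRandom)
	rogueRefused = rogueErr != nil
	return
}

func main() {
	agree, refused, err := RunKeylessDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("session keys agree: %v, rogue edge refused: %v\n", agree, refused)
}
```

Two things are worth noticing when you run it. The key server's only inputs are a ciphertext and a caller address; it never sees the client or server randoms, so it cannot derive the session key even though it holds the private key. And the address check sits before the private-key operation, so a request from outside the allowlist costs the key server nothing beyond a CIDR lookup, which is the property you want from the firewall in front of it.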
Cloudflare offers SSL to blogs for free. Packet Pushers uses the service for security, DDoS protection and as a CDN.