on the use of SSL by Cloud Flare and similar services. The Cloud Flare certificates we found all had the common name in the same style as the "ssl2796.cloudflare.com" shown in that Netcraft report. The "ssl2796" in the name is a Cloud Flare tracking ID in the 49,541 root domains we found that use "standard" (not "universal") Cloud Flare certificates. Every root domain also has a subdomain wildcard line (*.example.com), which we deleted to save space.
We compiled this list by attempting a handshake with the Cloud Flare domains in our database. The "standard" certificates on this page (with "ssl" in front of the number instead of "sni") mean that the domain has a paid account at Cloud Flare. Paid accounts make up about five percent of the domains that use Cloud Flare, according to news reports.
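The classification described above ("standard" names starting with "ssl" versus "universal" names starting with "sni", with the wildcard lines dropped), written out as an added example that is not code from this page. It assumes "sni" names have the same shape as "ssl2796.cloudflare.com" under a cloudflare*.com parent; `fetch_cert` and `classify` are hypothetical helper names and the sample certificate is constructed.

```python
import re
import socket
import ssl

# First label "ssl<N>" = "standard" (paid), "sni<N>" = "universal" (free), per the page.
# Assumption: both kinds sit under a cloudflare*.com parent, as in ssl2796.cloudflare.com.
CN_RE = re.compile(r"^((ssl|sni)\d+)\.cloudflare[a-z]*\.com$", re.IGNORECASE)
KIND = {"ssl": "standard", "sni": "universal"}

def fetch_cert(host, port=443, timeout=5.0):
    """Do a verified TLS handshake and return the parsed leaf certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def classify(cert):
    """Classify a getpeercert()-style dict by its common name."""
    cn = next((v for rdn in cert.get("subject", ())
               for k, v in rdn if k == "commonName"), "")
    m = CN_RE.match(cn)
    if not m:
        return {"kind": "other", "tracking_id": None, "roots": []}
    names = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    # Drop the certificate's own name and every "*.example.com" wildcard line
    roots = sorted({n for n in names
                    if not n.startswith("*.") and n != cn.lower()})
    return {"kind": KIND[m.group(2).lower()],
            "tracking_id": m.group(1).lower(), "roots": roots}

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns
SAMPLE = {
    "subject": ((("organizationalUnitName", "Domain Control Validated"),),
                (("commonName", "ssl2796.cloudflare.com"),)),
    "subjectAltName": (("DNS", "ssl2796.cloudflare.com"),
                       ("DNS", "example.com"), ("DNS", "*.example.com"),
                       ("DNS", "example.org"), ("DNS", "*.example.org")),
}

if __name__ == "__main__":
    print(classify(SAMPLE))
```

For a live check, pass the result of `fetch_cert("example.com")` to `classify`; the root list shows which other domains share the same certificate.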
It's all a marketing effort anyway, whether paid or free. There is no such thing as "secure" SSL when you have potential Men-In-The-Middle at scores of data centers around the world. Local authorities could be sniffing the plaintext available at these data centers, and Cloud Flare wouldn't have a clue.
(Their "data centers" are typically a rack or two of equipment that Cloud Flare ships to a real data center, along with installation instructions.) We asked Cloud Flare to confirm that sniffing is possible at these so-called "data centers," but they didn't respond. By now we're wondering if there's a plaintext Ethernet port at the back of their equipment rack that makes interception easy and convenient. If so, it would make no difference whether the origin server has its own certificate. Cloud Flare may claim that there is no way plaintext can be accessed from their equipment racks, despite the fact that some sort of decrypt and re-encrypt must occur there due to the nature of their role as a CDN. After all, Cloud Flare has engineers who come up with clever techniques to enhance SSL.
But imagine that you are a government regulator in a country where a big ISP hosts a Cloud Flare "data center." Your job is to consider the Internet in terms of public safety and current laws, and you go to that ISP with a list of Cloud Flare-user domains you want blocked. The ISP replies that everything is encrypted, and Cloud Flare traffic cannot be intercepted. In other words, nothing can be done about the ISIS sites, carders, booters, gamblers, escorts, phishers, malware, and copyright infringers that Cloud Flare protects. The obvious next step is to ask this ISP to block the Cloud Flare IP addresses used by the offending domains.
If those IPs change, then block Cloud Flare's entire IP space, and continue to monitor the situation. If Cloud Flare's traffic still gets through, you ask the ISP to pull the plug on Cloud Flare's racks. This is why Cloud Flare will add a plaintext port to their own hardware someday, if they haven't already.
The Cloud Flare certificates below encrypt the traffic only between the browser and Cloud Flare. The traffic between the original web server and Cloud Flare remains unencrypted unless the web server owner has his own certificate installed on his machine.
Almost everyone who browses an https domain reached through Cloud Flare is unaware that just half of the route is encrypted. When they see the padlock on their screen, they feel that everything is safe. The arrangement is easy for a cybercriminal to use when he holds numerous domains hidden behind the privacy services of various registrars. Moreover, the subdomain wildcard option on each domain is handy for obscuring a URL in a phishing email.
Suppose that grandpa, age 90, gets an official-looking email that advises him to immediately change his password. He clicks on the URL in the email and ends up at bankofamerica.q4 This page is an excellent imitation of the Bank of America pages he remembers, and there is also that nice little SSL padlock in the corner of the address bar. Probably, because he doesn't realize that he's at a subdomain of q4 and is entering his old and new password into a fake page for the benefit of a phisher.
As if the "standard" certificates aren't enough of a problem, there are also over four million "universal" certificates that present bigger problems. All you need for a free Cloud Flare account is a domain and an email address. Little countries and even some little islands all have their own top-level domain these days. Many registrars around the world are pleased to sell these ccTLD and gTLD registrations. It's a cash cow for everyone, but especially for bad guys.
The same situation exists for anyone who needs a throwaway email address that's nearly impossible to trace. Now add Cloud Flare's free fly-by-night "universal" SSL.