In one move that will essentially double the number of SSL-protected websites online today within 24 hours, CloudFlare announced Monday that it will be enabling SSL for all of its more than two million customers for free.
CloudFlare’s new project, Universal SSL, will be available for both free and paying customers. CloudFlare said the move is designed to deter ISPs, government agencies and attackers from throttling and censoring the internet. CloudFlare is designed to protect and accelerate its customers’ websites, and the company’s decision to enable SSL for all its customers could make a significant impact on the security of large amounts of web traffic, moving the internet towards “encrypted-by-default.”
“The team behind Netscape first introduced SSL back in February 1995, originally intended to facilitate ecommerce online. As the Internet grew in importance, governments, ISPs, and hackers began to intercept, throttle, and censor traffic as it flowed across the network to serve their ends. In response, SSL’s importance expanded beyond ecommerce to help ensure a free and open web. As Google and the IETF work on the next generation Internet protocols like SPDY and HTTP/2, it’s no wonder encryption is at their heart. And so, in order for CloudFlare to fulfill its mission of helping build a better Internet, we knew one of the most important things we could do was enable Universal SSL for all our customers — even if they don’t pay us,” Matthew Prince, CEO of CloudFlare, said.
“Having cutting-edge encryption may not seem important to a small blog, but it is critical to advancing the encrypted-by-default future of the Internet. Every byte, however seemingly mundane, that flows encrypted across the Internet makes it more difficult for those who wish to intercept, throttle, or censor the web,” Prince said. “In other words, ensuring your personal blog is available over HTTPS makes it more likely that a human rights organization or social media service or independent journalist will be accessible around the world.”
In layman’s terms, Universal SSL means CloudFlare will provide SSL certificates for every customer and will accept HTTPS connections for customers’ main domains and first-tier subdomains. Prince said the decision for CloudFlare to turn on SSL for free was not one the company took lightly. Executing HTTPS connections puts an increased load on the CPU, especially at CloudFlare’s size. To address the issue, CloudFlare decided to utilize ECDSA (Elliptic Curve Digital Signature Algorithm), an algorithm less taxing than RSA.
Prince said another challenge the company faced was that SSL is a reason many users typically upgrade to become premium paying customers, so offering it to free customers could result in less revenue for CloudFlare. Prince said the company’s board of directors decided the risk was worth it.
“We went over our plans for launching Universal SSL and how doing so may hurt our revenue given that SSL is one of the reasons people upgrade to a paid plan. But everyone on CloudFlare’s Board was unanimous: even if it does hurt revenue in the short term, it’s the right thing to do,” Prince said.