Web performance and security company CloudFlare today launched Universal SSL, making Secure Sockets Layer (SSL) encryption available to anyone at no cost.
“Yesterday there were about 2 million SSL-enabled sites active online,” explained Matthew Prince, co-founder and CEO of CloudFlare. “By the end of the day today, CloudFlare will have rolled out free SSL to another 2 million — almost doubling the size of the encrypted web.”
SSL is the critical cryptographic technology that secures the web. The protocol keeps traffic from being monitored or altered by governments, ISPs, or hackers. SSL forms the foundation of trust online, to the point that Google recently announced that encrypted sites will rank higher in search results than those that don’t use encryption. Next-generation web protocols such as SPDY and HTTP/2 require SSL. Unfortunately, SSL’s cost and complexity have meant that before today fewer than 0.4 percent of websites were encrypted.
Setting up and configuring SSL has traditionally been difficult for website administrators, requiring multiple steps: going to a Certificate Authority (CA) to validate a site’s identity, buying a needlessly expensive certificate, installing the certificate on a server, and constant upkeep to stay ahead of vulnerabilities. CloudFlare’s Universal SSL allows a site to set up state-of-the-art encryption without the complexity or cost.
“We didn’t just enable basic SSL for free, we enabled cutting-edge cryptography and made it free and easy for anyone,” said Nick Sullivan, Security Engineering Lead at CloudFlare. “The cryptographic systems we’re rolling out as part of Universal SSL are a generation ahead of what is used by even the top Internet giants. These certificates use elliptic curve digital signature algorithm (ECDSA) keys, ensuring all connections with CloudFlare sites have Perfect Forward Secrecy, and they are signed with ECDSA and the highly secure SHA-256 hash function. This is a level of cryptographic security most web administrators literally couldn’t buy.”
CloudFlare has supported SSL at no additional cost on all of its paid plans since the company launched four years ago. Universal SSL extends cryptographic protection to even CloudFlare’s smallest customers. To enable Universal SSL, a site only needs to sign up for CloudFlare’s free service — a process that takes about five minutes and requires no technical expertise or changes to a site’s web server. CloudFlare automatically issues and deploys the Universal SSL certificate within 24 hours. Once deployed, encrypted connections, as well as modern web protocols such as SPDY, are automatically supported for any modern web browser.
“The importance of Universal SSL isn’t just the protection of these 2 million sites, but the fact that it moves the Internet one step closer to an encrypted-by-default standard,” explained Matthew Prince. “While small sites may think they don’t need SSL, every encrypted byte exchanged online makes it more difficult for organizations that aim to throttle, censor, or otherwise restrict the Internet. We’re hopeful that, now that we’ve shown it’s possible at our scale, other organizations will follow and make SSL at no cost the default for all their customers.”
For sites that require more advanced SSL configurations, CloudFlare also supports custom certificates from any certificate authority, full end-to-end SSL with robust certificate checking, and Keyless SSL — announced earlier this month — which lets sites use CloudFlare without giving up custody of their private keys.