Universal SSL is the product.
Yes, we give free certs. You cannot download those certs, we manage them for you and terminate the SSL traffic, rotate the certs, renew them, etc. It means we are a reverse proxy.
We then connect to your server, and yup... DNS is the key. When you enable Cloudflare for an A, AAAA or CNAME we will publish our IPs to the world, terminate the SSL, and then use the real IPs internally to reach you.
There are three modes for that last bit where Cloudflare talks to your server:
- Strict - You must have an SSL cert matching the host name on your origin
- Full - You can have any SSL cert on your origin, we only encrypt and we do not verify
- Flexible - We'll send the last bit over HTTP so we've publicly used HTTPS but privately go to you via HTTP
Flexible isn't great security, but sometimes with CNAMEs it's the best you can do (no control over the CNAME sites' ability to use TLS).
This is all free, and we still make money from it, it's not going away and isn't a loss leader... it's just a by-product of lowering the cost of doing something to fractions of a cent through automation and some clever tech.
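The three origin modes described in the post above, as an added example that is not part of the original post and is not Cloudflare's code. It models Strict as only the host-name check the post mentions, and assumes the origin always answers plain HTTP; `Origin`, `supported_modes` and `hostname_matches` are hypothetical names, and the sample origins are constructed.

```python
# Added example: models the three origin modes from the post above.
# Origin, supported_modes and hostname_matches are hypothetical names.
from dataclasses import dataclass, field


def hostname_matches(pattern: str, host: str) -> bool:
    """Match one certificate dNSName against a host name.

    A wildcard is honoured only as the whole left-most label ("*.example.com")
    and covers exactly one label, the usual rule for TLS certificates.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two concrete labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


@dataclass
class Origin:
    host: str                                        # name visitors use
    speaks_tls: bool                                 # origin answers HTTPS at all
    cert_names: list = field(default_factory=list)   # SAN dNSNames on its cert


def supported_modes(o: Origin) -> list:
    """Return the modes the origin could run under, strongest first."""
    modes = []
    if o.speaks_tls and any(hostname_matches(n, o.host) for n in o.cert_names):
        modes.append("Strict")    # encrypted and the name is checked
    if o.speaks_tls:
        modes.append("Full")      # encrypted, certificate not verified
    modes.append("Flexible")      # plain HTTP on the last hop (assumed available)
    return modes


# Constructed sample origins (not real sites).
SAMPLES = [
    Origin("blog.example.com", True, ["*.example.com"]),
    Origin("blog.example.com", True, ["shared-host.example.net"]),
    Origin("blog.example.com", False),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.host, s.cert_names, "->", supported_modes(s))
```

The second sample is the shared-hosting case: the host presents a certificate for its own name, so the last hop can be encrypted (Full) but the name cannot be checked (Strict).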
So, @Velocio Cloudflare dish out free certs? Think I might get 'em for my blog sites.
How do they handle validation/revalidation if I'm on cheapass shared Linux hosting? I don't think I can use Let's Encrypt in this case. Presumably I use you as a DNS and you shuffle my traffic to my host, doing some SSL shenanigans in the process? How do you make money out of it?
Is this some kind of loss leader to get me to upgrade plans later on?