Huge: Cloudflare’s Free SSL Service Brings Encrypted-By-Default Web Closer Than Ever

Too few websites use encryption on the web. According to Cloudflare, only 2 million websites use HTTPS/SSL encryption, but starting today that number will double, thanks to its new free SSL service, Universal SSL.

Cloudflare will enable HTTPS encryption for all of its members through this new service, including all of the ones signed up for the free plan. Along with Google's decision to rank HTTPS websites higher in its search engine, this marks some of the biggest news in making the web a more secure place since the Snowden revelations.

Cloudflare announced last fall that it was working on a way to offer free SSL encryption to all of its members. Today is the day that service launches.

There are different levels for this encryption service. Existing paying customers who were already using Cloudflare's SSL encryption will automatically be provisioned with an SSL certificate for all of their domains and subdomains.

For members who weren't using SSL encryption before (such as those on the free plan), Cloudflare will enable the "Flexible SSL" mode, which means that only the traffic from a site's user to Cloudflare's servers will be encrypted, but not from Cloudflare to the site's origin.

This isn't an ideal scenario, as hackers or malicious state actors could, for example, still capture that traffic from Cloudflare to the site's origin if it's in plain text. However, the Flexible SSL mode still makes it safer for people using it in risky environments such as when connecting from an Internet cafe or from an oppressive nation.

Cloudflare will also allow site owners to use self-signed certificates; then, their sites will be fully protected, even from Cloudflare to the site's origin.

It would probably be better if Cloudflare asked all of its free members to use self-signed certificates, but it's likely the company didn't want to do that because it would inconvenience those members too much. It seems Cloudflare made a judgment call here, preferring to have most of its free members "half-encrypt" rather than have only a small portion fully encrypt their websites.

There's one other advantage to using even the free Flexible SSL mode from Cloudflare – it should count in Google's new HTTPS ranking policy. Thus, site owners who use Flexible SSL mode should still get a small boost in Google's search engine.

The Flexible SSL option should be reserved for websites that don't handle sensitive user information. Those sites that handle sensitive information should be using the Full SSL or Full SSL Strict modes. (The latter requires the certificate to be signed by a Certificate Authority and to have an expiration date.)
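For a site owner choosing between these modes, the following added example (not from Cloudflare or the original article) probes an origin server and reports the strictest mode it could support. It assumes Python's default certificate verification (trusted CA chain, validity dates, hostname match) as a stand-in for the Full SSL Strict check; the function names and the origin.example.com placeholder are illustrative.

```python
import socket
import ssl
import sys

# Mode names come from the article; mapping probe results to them is an assumption.
FLEXIBLE, FULL, FULL_STRICT = "Flexible SSL", "Full SSL", "Full SSL Strict"
UNREACHABLE = "unreachable"


def try_tls(host, port, ctx, timeout):
    """Attempt one TLS handshake; return 'ok', 'untrusted', 'no-tls' or 'unreachable'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except ssl.SSLCertVerificationError:
        return "untrusted"  # TLS works, but the certificate fails verification
    except OSError:
        return "no-tls"  # ssl.SSLError, resets and handshake timeouts land here
    finally:
        sock.close()


def strictest_mode(host, port=443, timeout=5.0):
    """Return the strictest mode the origin at host:port could support."""
    verified = ssl.create_default_context()  # CA chain, validity dates, hostname
    result = try_tls(host, port, verified, timeout)
    if result == "ok":
        return FULL_STRICT
    if result == "untrusted":
        # Accept any certificate (self-signed included): the hop is encrypted
        # but the origin is not authenticated.
        anycert = ssl.create_default_context()
        anycert.check_hostname = False
        anycert.verify_mode = ssl.CERT_NONE
        ok = try_tls(host, port, anycert, timeout) == "ok"
        return FULL if ok else FLEXIBLE
    return FLEXIBLE if result == "no-tls" else UNREACHABLE


if __name__ == "__main__":
    # origin.example.com is a placeholder; pass your own origin's hostname.
    target = sys.argv[1] if len(sys.argv) > 1 else "origin.example.com"
    print(target, "->", strictest_mode(target))
```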

Cloudflare will be using an ECDSA cipher suite, which has a much smaller performance overhead for its servers than a more traditional RSA-based cipher suite. It also offers "Perfect Forward Secrecy," which enables Cloudflare to change the keys on a more frequent basis, ensuring that malicious hackers can't decrypt all previous communications if they somehow get their hands on one of the keys.

There's just one small problem with ECDSA cipher suites: They aren't supported by all browsers, so Cloudflare will be using an RSA-based cipher suite for older browsers. The good news is that if you have a browser that is less than six years old (newer than Internet Explorer on Windows XP or the Android pre-4.0 browser), then it should support it. Otherwise, Cloudflare will show you a message at the top of websites using its Universal SSL service that you can update to a more modern browser.

Cloudflare's Universal SSL service will also enable SPDY connections for all of its users, giving the faster next-generation HTTP 2.0 protocol (which is based on Google's SPDY) a big jump start, as well.

Cloudflare made an impressive move today, doubling the number of sites using HTTPS encryption in one fell swoop. That number may still be far from a 100 percent fully-encrypted web, but it's one more step towards that goal, which seems more achievable by the day.

New, more modern encryption protocols that make secure communications both easier and safer will be of great help in the coming years, but in the end, it's going to be very difficult to get billions of people to use such encryption in a relatively short time. Big Internet service providers can help accelerate that process and make it smoother for users, as Cloudflare proved today.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.