by josephcsible on 11/27/2021, 7:31:09 PM
Flexible SSL is basically equivalent to visiting a totally insecure site over a VPN instead of directly. There's a few advantages to it. Off the top of my head:
1. It protects the privacy of the client still. Nobody can tell which page a given IP address is looking at on a site, since once the traffic is decrypted, it's no longer associated with the originator.
2. Most snooping and MITM attacks happen towards the client end of the connection, which this would protect from.
It's definitely not appropriate for sending sensitive data like credit card numbers, though.
by phillipseamore on 11/27/2021, 9:07:42 PM
This isn't specific to Cloudflare. Many (most?) services only terminate TLS on their client facing servers and any request/response is in the clear to any backend servers (which might be located on other networks).
Regarding CF, traffic to an origin server that's set as flexible might still go through a secured tunnel (e.g. Argo).
Isn't this misleading? The client thinks their traffic is safe, but it ends up being exposed? Doesn't this defeat the purpose of SSL and browser certificate validation?