Did you know that websites with HTTPS are ranked higher on some search engines, including Google?
Setting up HTTPS can seem difficult and expensive, especially if you’re not a tech person, and just want to blog. However, not having HTTPS will make it harder for your site to be near the top of Google searches, and it makes your site seem less professional. Many shared hosting providers do not let you use Let’s Encrypt to get a free SSL certificate, and require you to pay them large amounts of money to have SSL set up. So, you switch to CloudFlare to enable SSL. Great job, but which SSL option is the best?
Flexible SSL is designed to make deploying SSL as easy as possible. The server does NOT need to be configured to work with SSL, and does not even require a self-signed certificate. It works by encrypting all data between visitors and the nearest CloudFlare data center, but from there to your server, it’s unencrypted. CloudFlare has a good description of this on their SSL page:
While not as secure as the other options, Flexible SSL does protect your visitors from a large class of threats including public WiFi snooping and ad injection over HTTP.
Basically, Flexible SSL is easy to set up, but is not as secure as the other two options. While it does improve security, and possible your SEO a bit, if the connection between CloudFlare and your server is compromised, all user data can be stolen in unencrypted form.
Full SSL is also quite easy to deploy, but requires the server to be configured with at least a self-signed SSL certificate, and be listening on TCP 443. All traffic is encrypted between your visitors and CloudFlare, and then from CloudFlare to your server. This way, even if your server’s connection to the outside world is compromised, all the data available to snoopers is useless because it’s encrypted(hopefully with modern ciphers). This mode protects your visitors from attacks from being on open WiFi networks, and attacks that are between the CloudFlare datacenter and your server.
The third free options is Full SSL(strict). This mode is most similar to Full, but it requires a valid SSL certificate, or one signed by them. This ensures that not only all data is encrypted to your server, but also that no hacker is pretending to be your server. As forging an SSL certificate is nearly impossible, this is the most secure method CloudFlare offers.
Which one to use?
Well, it depends on the kind of site you run.
Is your site a blog without comments or user logins? then Flexible SSL will be just fine, as no important information is being sent.
Is your site a blog that has users comment and/or login? then I’d recommend at least Full SSL mode to ensure their password is encrypted until it reaches your server.
Is your site something like an e-commerce site? then two things: one, shame on you for using a free CloudFlare plan :) , and two, please use Full SSL(Strict) with at least a custom SSL certificate.