The unintended privacy consequences of using CloudFlare’s HTTPS
CloudFlare has a fantastic feature where you can use their DNS and CDN service and get free HTTPS. This is great because having a domain people can access securely should not be costly or difficult to set up, and they should be commended for leading the way on something that will surely be the norm in years to come. However, there is a catch to CloudFlare’s implementation which opens up a potential privacy breach for its customers.
To make their implementation work, CloudFlare uses something called SNI. The way SNI works is that multiple domains can share the same SSL certificate. Therefore, if you are using CloudFlare’s free HTTPS, your domain’s SSL certificate is not unique and is shared with up to 100 other domains.
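The hostnames a certificate is valid for are listed in its subjectAltName extension, so a site owner can check which other domains share theirs. The Python below is an added example, not code from the original post: `SAMPLE_CERT` and every hostname in it are constructed, and the function names are illustrative.

```python
import socket
import ssl

def fetch_cert(host, port=443, timeout=5):
    """Fetch the validated leaf certificate; server_hostname is what gets sent as SNI."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def dns_names(cert):
    """DNS entries of the subjectAltName extension, lower-cased and de-duplicated."""
    return sorted({v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"})

def covers(pattern, host):
    """True if a certificate name (optionally '*.'-prefixed) matches host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def co_tenants(cert, own_domain):
    """Names on the certificate that are neither own_domain nor its subdomains."""
    own = own_domain.lower().rstrip(".")
    names = dns_names(cert)
    if not any(covers(n, own) for n in names):
        raise ValueError(f"{own} is not named on this certificate")
    def is_own(name):
        base = name[2:] if name.startswith("*.") else name
        return base == own or base.endswith("." + own)
    return [n for n in names if not is_own(n)]

# Constructed sample in the dict format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "shared-cert.cdn.example"),
        ("DNS", "myblog.example"),
        ("DNS", "*.myblog.example"),
        ("DNS", "other-shop.example"),
        ("DNS", "*.other-shop.example"),
        ("DNS", "Forum.Example"),
    ),
}

if __name__ == "__main__":
    for name in co_tenants(SAMPLE_CERT, "myblog.example"):
        print(name)
```

For a live check on a domain you operate, pass the result of `fetch_cert("your-domain")` to `co_tenants` in place of the sample.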
Sharing the SSL certificate with other domains and even being able to see those other domains is by itself not a privacy issue, and to me seems like a perfectly...