CloudFlare adds lots of new encryption features

CloudFlare is encrypting its corner of the internet.

The company announced today that it has rolled out new encryption features for all the websites it protects: TLS 1.3, automatic HTTPS rewrites, and opportunistic encryption upgrades. The technical upgrades will occur behind the scenes, so CloudFlare’s customers won’t notice much of a difference (except perhaps a slight uptick in speed). But the changes will have the effect of encrypting web traffic for nearly 10 percent of all internet requests, making the web significantly more secure.

Right now, only a small portion of what you do online is protected by encryption. When you log onto Facebook or check your bank balance online, your data is protected. But plenty of other stuff — the articles you read on major news websites, the items you view on major shopping sites, even some of the porn you watch — isn’t transported to your computer by an encrypted connection, which means that it can be viewed or modified by an attacker.

In March, Google found that most of the world’s top 100 websites don’t use secure HTTPS connections. With such obvious risks, it may seem strange that site operators haven’t take precautions to protect user data. But, although it’s getting easier, implementing HTTPS is still a pain. That’s why CloudFlare is trying to make it easier.

“There’s still a perception — sometimes a reality — that encrypted connections are slower,” says Matthew Prince, CEO of CloudFlare. “There’s also a problem that if you connect to a site that’s encrypted but there are resources unencrypted you can get a big, scary warning. Or if someone’s built a page with an unencrypted resource, a lot of those resources need to get fixed.” By offering TLS 1.3, HTTPS rewrites, and opportunistic encryption, Prince hopes to address all three issues.

CloudFlare is the first major company to upgrade from TLS 1.2, which has been in use for the better part of a decade, to TLS 1.3 (Firefox and Chrome are adding support for the new protocol). “This update, the first since 2008, is a major overhaul that provides both increased security and enhanced speed, especially on mobile networks,” said CloudFlare’s head of cryptography Nick Sullivan.

Prince expects TLS 1.3 to bring a 30 – 40 percent increase in performance for encrypted webpages. “For the first time online, encrypted pages are now faster than unencrypted pages,” he explained. “There is no performance penalty. It removes one of the last objections that people have on why they shouldn’t use encryption.”

Because browsers haven’t widely implemented TLS 1.3, users won’t see that increased performance yet. But CloudFlare hopes the change will be an incentive for browsers to move faster.

The second change, automatic HTTPS rewrites, is modeled on the HTTPS Everywhere plugin developed by the Electronic Frontier Foundation and the Tor Project and is aimed at addressing the “big, scary warning” that users receive when they visit an encrypted website that loads some unencrypted resources.

Users who install HTTPS Everywhere will have their traffic forced to a secure connection whenever possible — but they need to proactively seek out and install the browser extension.

“A lot of people in our office use it,” Prince said of HTTPS Everywhere. “A lot of the crypto folks use it. But my dad, the normals out there would never use this. For all our customers, we could do the thing the plugin does without the end user having to take any additional steps.”

Pushing unencrypted resources to HTTPS will help cut down on the warnings users get when parts of a page are insecure. Unlike TLS 1.3, users will experience the benefit of CloudFlare’s automatic HTTPS rewrites immediately.

“There has been a crazy chicken-and-egg problem holding up the deployment of secure encryption on the web,” Peter Eckersley, chief computer scientist at the Electronic Frontier Foundation, said in a statement. “Browsers tried to protect users by blocking insecure parts of secure HTTPS pages, but that made it impossible to deploy encryption incrementally. CloudFlare’s new automatic HTTPS rewrites will help sites encrypt everything all at once, and fix this deadlock in web security.”

The final change, opportunistic encryption, builds on the concepts behind HTTPS Everywhere and will only impact Firefox users — for now. Cloudflare is using opportunistic encryption to load encrypted pages, even when a user tries to visit a site via HTTP. “If there’s any way to get an encrypted version, the browser will quietly and silently upgrade in the background to an encrypted version. Every site on CloudFlare has an encrypted version by default and for free,” Prince said.

CloudFlare has already turned on all of the new security features automatically for its free users. Legacy paying customers will have the choice to opt in, while new customers who sign up will be opted in by default, with an option to turn the features off.