Do you support CloudFlare’s ‘Flexible SSL’ option?
No, we do not. Initially, we did, as it provides an encryption option for web users visiting websites in the case that the website owner has not set up a ‘proper’ SSL connection yet. However, we decided to disable and disallow the ‘flexible SSL’ option for all of our clients.

The reason for this is that the ‘flexible SSL’ option gives users the illusion that a website is fully encrypted and private when in fact it's not; that is, the connection between CloudFlare and a user’s browser is encrypted even though the actual origin server completely lacks an SSL certificate or encryption of any kind. In other words, the site’s data is not secure or encrypted on the path between CloudFlare and the origin server, and is in danger of packet sniffing, hackers, and so forth, without the users even knowing this.

As our goal at LittleBizzy is transparency and quality, we decided not to allow these “pseudo/fake” SSL connections on our network. We require website owners who want SSL to order that setup from us so that a proper SSL certificate can be set up on their origin server; then all HTTP resources are 301 redirected to their HTTPS versions, and lastly the database is scanned and its HTTP URLs are replaced with the HTTPS versions. This ensures that both website owners and their visitors are clearer about SSL vs. non-SSL in the world of LittleBizzy and can have more confidence that their data is safe. Plus, we are aiming toward PCI compliance in the future, and this is a serious security concern that we decided to address proactively.
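The difference between a ‘flexible’ setup and a proper one can be checked from the outside. The following is an added example, not LittleBizzy's or CloudFlare's own tooling: it tests whether an origin completes a TLS handshake itself and whether its plain-HTTP listener answers with a 301 to an `https://` URL. The function names and the localhost stand-in origin are constructed for illustration; against a real site, the host would be the origin server's own address rather than the proxied hostname.

```python
import http.client
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def origin_speaks_tls(host, port, timeout=2.0):
    """True if host:port itself completes a TLS handshake."""
    ctx = ssl.create_default_context()
    # Validation is off on purpose: the question is only whether the origin encrypts.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # covers ssl.SSLError, timeouts and refused connections
        return False

def http_redirects_to_https(host, port, path="/", timeout=2.0):
    """True if a plain-HTTP GET is answered with a 301 to an https:// URL."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        location = resp.getheader("Location", "")
        return resp.status == 301 and location.lower().startswith("https://")
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()

class RedirectingOrigin(BaseHTTPRequestHandler):
    """Constructed stand-in origin: plain HTTP only, 301s every GET to HTTPS."""
    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", "https://example.com" + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the stand-in server quiet
        pass

def start_constructed_origin():
    """Start the stand-in origin on a free localhost port and return the server."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), RedirectingOrigin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

An origin for which `origin_speaks_tls` returns False is in the state described above: visitors may see HTTPS at the edge, but nothing is encrypted at the origin server.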