关于"支持" CloudFlare网站的一部分有一篇关于SSL选项的文章:What do the SSL options mean?
...文章的作者建议将SSL选项设置为" OFF "而不是灵活的SSL:
但它不如任何其他选项(甚至“关闭”)更安全,甚至可能在您决定切换它时导致麻烦:如何修复无限重定向循环。 ..
我知道使用Flexible SSL,CloudFlare和您的Web服务器之间没有安全连接。这是作者建议比“关闭”更不安全的唯一原因,还是有更多?还有其他风险吗?使用灵活SSL 时的漏洞(与关闭相比)?请注意,我只是比较这两个选项:
答案 0 :(得分:1)
The only way I can see Flexible being less secure than Off is... malicious folks looking for those flexible connections (http) between known cloudflare servers and your web server. Having SSL on the client side suggests you have important/private/financial data, so it might be worth their efforts to looks for insecure transfers between CF and your server.
Aside from that conjecture, I'd consider Flexible as dangerous, a liability, false sense of security, or simply lieing to your clients. They think their connection is secure, when it's really not.
It's odd to me that CF even offers Flexible.
答案 1 :(得分:0)
拥有一些SSL / TLS比完全没有它更好。在repeal of FCC Privacy Requirements for ISPS之后,整个互联网上的所有网站都需要是HTTPS,并且应该完全禁止HTTP。攻击者现在可以访问访问任何网站或网络服务的用户的浏览习惯。 Even StackOverflow.com would greatly benefit from enforcing the use of HTTPS