In the wake of revelations about NSA spying, not to mention the Web hacks that seem to occur on a daily basis, encryption is top-of-mind for Web users and webmasters alike.
Google recently said that it would favor encrypted sites in its search results, so it's becoming a must for businesses that rely on search traffic. But encryption isn't free, and not all sites have the extra cash required, so CloudFlare is offering a new service, dubbed Universal SSL, which will provide encrypted connections to its customers, including the 2 million that use the free version.
SSL, short for Secure Sockets Layer, is what puts the S in HTTPS, and signifies that a site is more secure than HTTP (and generally safe for activities like online shopping and banking). CloudFlare, a Web performance and security company, said in a blog post that it considered the fact that providing Universal SSL to free customers "may hurt our revenue given that SSL is one of the reasons people upgrade to a paid plan. But everyone on CloudFlare's Board was unanimous: even if it does hurt revenue in the short term, it's the right thing to do."
"For all customers, we will now automatically provision a SSL certificate on CloudFlare's network that will accept HTTPS connections for a customer's domain and subdomains," CloudFlare said.
The main difference between a free and paid CloudFlare Universal SSL account is that the free version will only work on modern browsers: it will not support Internet Explorer on Windows XP or Android pre-Ice Cream Sandwich. Site owners can, however, add a banner to their sites warning users that they are using an outdated browser.
"CloudFlare's paid plans have always and will always support both modern and legacy browsers," the company said.
Sites that do not have SSL will default to CloudFlare's Flexible SSL mode, "which means traffic from browsers to CloudFlare will be encrypted, but traffic from CloudFlare to a site's origin server will not." As a result, CloudFlare recommends a certificate on Web servers "so we can encrypt traffic to the origin."
CloudFlare will publish a blog post later today with instructions on how to set that up. "Once you've installed a certificate on your Web server, you can enable the Full or Strict SSL modes which encrypt origin traffic and provide a higher level of security," the company said.
Existing customers should be provisioned for Universal SSL within 24 hours, though anyone who signed up via a CloudFlare partner will have to wait a bit longer due a technical limitation. New customers will have to wait 24 hours for the free version; paying customers get it automatically.
"Having cutting-edge encryption may not seem important to a small blog, but it is critical to advancing the encrypted-by-default future of the Internet," CloudFlare concluded. "Every byte, however seemingly mundane, that flows encrypted across the Internet makes it more difficult for those who wish to intercept, throttle, or censor the Web. In other words, ensuring your personal blog is available over HTTPS makes it more likely that a human rights organization or social media service or independent journalist will be accessible around the world."
In June, CloudFlare revealed Project Galileo, which offers its enterprise-level security system to help non-profits battle cyber criminals and distributed denial of service attacks. CloudFlare partnered with non-governmental organizations and groups such as the American Civil Liberties Union, the Electronic Frontier Foundation, Mozilla, and the Open Technology Institute to help at-risk public interest websites.