EFF has a long running-mission to Encrypt the Web. To make the Web more secure, more private, and more censorship-resistant, we need to completely replace the insecure HTTP protocol with HTTPS. That task saw some major progress last week, with the anouncement by CloudFlare that it will now make HTTPS free and available by default for the approximately two million sites that it serves.
CloudFlare is a content distribution network (CDN). That means that it doesn't entirely host web sites on its own machines, but provides a proxy and caching infrastructure to distribute content on behalf of other sites, making them faster and greatly increasing their capacity to serve large numbers of users at once. When you connect to a site served by CloudFlare, you connect to one of CloudFlare's machines, which sometimes connect back to the site's real servers to check for updated copies of static pages, scripts and images.
CloudFlare's announcement means that all of those sites will automatically now support secure HTTPS connections. There are still a few steps that sites on CloudFlare should take in order to enhance the security benefits of this update. If you host a site through CloudFlare, EFF's guide on How to Deploy HTTPS Correctly gives you many of the details you need about the difference between a secure HTTPS deployment and an insecure one. And, as CloudFlare explains, you should also set up HTTPS on your own servers to secure the connection between CloudFlare and your site. We will be updating our HTTPS Everywhere browser extension in order to secure sites on CloudFlare, even if their webmasters don't take any action.
Historically, CDNs have often treated HTTPS as a premium feature, and charged sites more — in some cases, substantially more — money for supporting it. We often discuss security issues with large web site operators; several major sites have cited CDN-related costs as a core reason their sites didn't support HTTPS across the board. Remarkably, CloudFlare's announcement even applies to its free service tier. So not only will CloudFlare not charge existing customers extra for HTTPS support, it will make it available to millions of web sites that aren't paying any money at all.
A challenge to other infrastructure providers
CloudFlare is the first major infrastructure provider to take this step. We congratulate them for reaching this milestone; now, we hope other hosting providers and CDNs will follow in CloudFlare's footsteps by treating HTTPS as a basic, standard part of the web and not a premium feature.