In a move designed to thwart wholesale eavesdropping by state-sponsored spies and sophisticated crime gangs, content delivery network CloudFlare has upgraded its Web-encryption capabilities to better protect data traveling between its own servers and those of its customers.
Known as full (strict) transport layer security (TLS), the newly added mode provides robust encryption and cryptographic authentication for backend traffic, which usually means data traveling over the Internet backbone. Under the new option, TLS traffic passing between CloudFlare and its customers is protected and authenticated using certificates signed by a handful of certificate authorities. Until now, backend encryption for CloudFlare customers didn't validate certificates to ensure they were signed by a trusted certificate authority. That measure is better than no encryption but could still be susceptible to "active" man-in-the-middle attacks using self-signed certificates. Such attacks involve the use of a separate, self-signed certificate by someone who places himself between the two servers exchanging the encrypted data. Because the data is encrypted using the private key of the rogue certificate, the attacker has the ability to surreptitiously read any traffic passing through the connection.
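The difference between the two backend modes comes down to whether the connecting side validates the origin's certificate. The following added example (not CloudFlare's code) stands up a local TLS "origin" with a constructed self-signed certificate and connects to it twice: once accepting any certificate, as the older mode did, and once requiring a chain to a trusted CA, as the strict mode does. It assumes the `openssl` command-line tool is on PATH and that `origin.example` is a hypothetical origin name.

```python
import os, socket, ssl, subprocess, tempfile, threading

ORIGIN_NAME = "origin.example"  # hypothetical origin hostname (assumption)

def make_self_signed(dirname, cn=ORIGIN_NAME):
    """Constructed throwaway self-signed cert; assumes the openssl CLI is installed."""
    key, crt = os.path.join(dirname, "key.pem"), os.path.join(dirname, "crt.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", crt, "-days", "1", "-subj", f"/CN={cn}",
                    "-addext", f"subjectAltName=DNS:{cn}"],
                   check=True, capture_output=True)
    return key, crt

def serve_once(key, crt):
    """Local stand-in for an origin server: accept one TLS handshake, send a greeting."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(crt, key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    def run():
        conn, _ = lsock.accept()
        try:
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"hello from origin")
        except OSError:
            pass  # the client aborted the handshake because it rejected our certificate
        finally:
            lsock.close()
    threading.Thread(target=run, daemon=True).start()
    return lsock.getsockname()

def fetch(addr, mode, ca_file=None):
    """Connect as an edge would. 'full' encrypts without validating; 'strict' validates."""
    if mode == "full":
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE      # any certificate, self-signed included, is accepted
    else:
        ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection(addr) as raw, \
             ctx.wrap_socket(raw, server_hostname=ORIGIN_NAME) as tls:
            return tls.recv(64)
    except ssl.SSLCertVerificationError:
        return "rejected"

def demo():
    """Run the three cases: old mode, strict mode with an untrusted cert, strict with a trusted CA."""
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_self_signed(d)
        return {"full": fetch(serve_once(key, crt), "full"),
                "strict": fetch(serve_once(key, crt), "strict"),
                "strict_trusted": fetch(serve_once(key, crt), "strict", ca_file=crt)}
```

The untrusted self-signed certificate is accepted by the "full" connection and rejected by the strict one; only after the certificate's issuer is placed in the trust store does the strict connection succeed.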
The improved backend TLS accompanies front-end TLS that is already in place. This type of Web encryption protects data as it passes from an end-user's computer to CloudFlare's content delivery network. That includes traffic passing over a Wi-Fi network or from the end-user's ISP to CloudFlare servers.