Cloudflare puts an end to insecure HTTP

Plaintext communication lets unauthorized parties read data in transit. Cloudflare therefore no longer supports HTTP for API calls either.

Image: two computers, one with an HTTP connection and a stop sign, the other with an HTTPS connection and a thumbs-up. (Image: Created with AI in Gemini by heise online / dmk)


Cloudflare wants to make online communication more secure by blocking API access via unencrypted HTTP. This is intended to prevent unauthorized eavesdroppers from accessing sensitive information and possibly misusing it.

In a blog post, Cloudflare explains how the company wants to offer better protection. Connections over plaintext protocols such as HTTP are at risk of exposing sensitive information because they are transmitted unencrypted and can be intercepted by network intermediaries such as Wi-Fi hotspots, internet providers or malicious actors. Cloudflare employees write that it is therefore now common for servers to redirect HTTP connections or return an HTTP 403 error message (Forbidden) to close the connection and force clients to use HTTPS.

However, by the time such a redirect occurs, the damage has already been done: sensitive information such as API keys has already been transmitted in plain text. The data was exposed before the server had any opportunity to redirect the client or reject the connection. The better approach is therefore to close the network ports for plaintext HTTP entirely, and that is what Cloudflare is now doing.

Effective immediately, Cloudflare is closing the HTTP ports on "api.cloudflare.com", at least for internal use. At the same time, the company has made it possible for the hostname's IP addresses to change dynamically, in order to decouple names from IP addresses. Customers who rely on static API IP addresses are to be informed in good time about the steps they need to take.

Cloudflare will let customers switch off all HTTP ports for their websites and domains by opting in. This is to be offered as a free feature in the last quarter of this year. Cloudflare already has an "Always use HTTPS" setting that redirects all traffic to customer domains from HTTP to HTTPS: via an HTTP 3XX redirect, a request to an http:// URL then lands on the https:// equivalent. However, if "api.cloudflare.com" is called over plain HTTP, the API key may already have been intercepted by then. In such a case, those affected would have to renew their API keys and be informed of this. A preventive approach, by contrast, does not allow such an insecure connection to be established in the first place, for example by closing all plaintext HTTP ports. As no API keys are compromised as a result, they do not need to be rotated and renewed.

According to Cloudflare's own figures, just over two percent of its traffic still takes place over HTTP. This is probably mostly human users, even though web browsers now warn against unencrypted connections and automatically and silently switch to HTTPS. There are also IoT devices with limited processing power that are only capable of HTTP, automated API clients and outdated software. Blocking HTTP port 80 would completely prevent such clients from accessing the service. Cloudflare is therefore starting cautiously with the "api.cloudflare.com" hostname.


Before activating the blocking option for their domains, Cloudflare customers can check the dashboard to see whether clients are still accessing services unencrypted and switch them over if necessary. Under "Analytics & Logs" – "Traffic Served Over SSL" there is a breakdown of encrypted and unencrypted traffic. After opting in, no more traffic should run over HTTP and the unencrypted share should drop to zero.

Developers may have to adapt their software to the new conditions. For example, in the foreseeable future a plaintext connection attempt will no longer be answered with an HTTP 403 Forbidden message; instead the connection will be refused because the port is closed. The switch to non-static IP addresses for "api.cloudflare.com" also means that support for outdated "non-SNI" clients is being phased out. Cloudflare says it wants to help affected customers with this.
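The client-side counterpart of the measures described above, as an added example that is not Cloudflare's code: a guard that refuses to attach credential headers to an http:// request before anything is sent, and an audit of client configuration for plaintext endpoints. The X-Auth-* header names and the sample configuration lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Credential-bearing header names. "Authorization" is standard; the other
# names are assumed here for illustration only.
CREDENTIAL_HEADERS = {"authorization", "x-auth-key", "x-auth-email", "x-api-key"}
PLAINTEXT_URL = re.compile(r"http://[^\s\"'<>;,]+", re.IGNORECASE)

class PlaintextCredentialError(Exception):
    """The request would have exposed a credential over plaintext HTTP."""

def check_request(url: str, headers: dict) -> str:
    """Decide, before any bytes leave the client, which URL may be used.
    https:// passes; credential-free default-port http:// is upgraded (what
    a server redirect would do, minus the exposure); http:// carrying a
    credential header is refused. Once port 80 is closed server-side, a
    plaintext attempt fails with a refused TCP connection, not an HTTP 403,
    so this check is the client's only chance to catch the mistake early."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "https":
        return url
    if scheme != "http":
        raise ValueError(f"unsupported scheme {scheme!r}")
    leaked = sorted(h for h in headers if h.lower() in CREDENTIAL_HEADERS)
    if leaked:
        raise PlaintextCredentialError(
            f"refusing to send {', '.join(leaked)} in the clear to {url}")
    if parts.port not in (None, 80):
        raise ValueError(f"non-default plaintext port in {url!r}; review manually")
    return urlunsplit(("https", parts.hostname or "", parts.path,
                       parts.query, parts.fragment))

def find_plaintext_endpoints(lines):
    """(line number, URL) pairs for every http:// URL in client config lines:
    the client-side counterpart of the dashboard's SSL traffic breakdown,
    showing which settings still send plaintext before port blocking is on."""
    return [(n, m) for n, line in enumerate(lines, 1)
            for m in PLAINTEXT_URL.findall(line)]

# Constructed sample config lines (not from any real deployment).
SAMPLE_CONFIG = [
    'CF_API_BASE="http://api.cloudflare.com/client/v4"',
    'CF_DASHBOARD="https://dash.cloudflare.com"',
    "LEGACY_WEBHOOK=http://hooks.example.internal/notify",
]
```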

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.