Cloudflare has recently blocked all non-encrypted HTTP connections to its APIs via api.cloudflare.com by default. Only encrypted HTTPS connections are now allowed. The measure is intended to prevent sensitive data from leaking through unsecured connections.
Cloudflare’s measure is aimed at the Cloudflare API. This helps developers and system administrators automate and manage their Cloudflare services. Among other things, it helps with the management of DNS records, configuring firewalls, protection against DDoS attacks, caching SSL settings, rolling out infrastructure, accessing data for analyses, managing zero-trust access and other security settings.
Until now, the API accepted both unencrypted HTTP connections and encrypted HTTPS connections. Connections with so-called cleartext HTTP ports ran the risk of sensitive information being leaked. This was the case because this traffic was not encrypted and could therefore easily be intercepted by internet providers, WiFi hotspot providers or hackers on the same network.
Servers tackle this HTTP traffic by redirecting it or rejecting it with a 403 response, forcing clients to use encrypted HTTPS connections. However, this can be too late for sensitive data. This data, for example an API token, may already have been sent in cleartext in the first client connection request. This data would then have been exposed at an earlier stage, before the server can redirect or reject the connection.
Blocking HTTP traffic
Cloudflare wants to solve this problem once and for all and therefore closes off the entire HTTP interface to its API environment. This means blocking plaintext connections in the transport layer before any data has been exchanged. This means that only encrypted HTTPS connections are now possible.
The new measure has major consequences for anyone who still uses unencrypted HTTP connections via the Cloudflare API Service. Bots, scripts and other tools that depend on this will no longer work.
This also applies to other legacy systems, automated clients, IoT devices and other low-level clients that do not yet use HTTPS by default due to poor configurations.
Cloudflare itself indicates that approximately 2.4 percent of the internet traffic processed via its systems still uses the unsafe HTTP protocol. If automated traffic is included, this rises to 17 percent.
Actions by customers
Customers can check the ratio between HTTP and HTTPS traffic themselves in their Cloudflare dashboard. This allows them to estimate the extent to which the measure affects their environment.
For users of websites that run on Cloudflare, the specialist will soon offer a free option until the end of this year to safely disable unencrypted HTTP traffic.
See also: Cloudflare launches platform for real-time threat information