Cloudflare vs Let's Encrypt for HTTPS
There's a number of options for securing your site with HTTPS and not all of them are equal. Learn the differences between these 2 free options.
Cloudflare and Let’s Encrypt and are both free options to secure your site with HTTPS.
Previously I’ve written about the importance of securing your site so I recommend reading that first if you have any doubts on whether or not you should spend the time to secure your site (spoiler alert: you should have enabled HTTPS yesterday!).
What Is Cloudflare and How Does It Work?
Cloudflare is a CDN (content delivery network), but it also happens to offer securing your site with HTTPS for free too. Not only that, but they say setting everything up is really easy. You just need to make a DNS change.
Sounds like a pretty sweet deal, until you read the fine print!
Cloudflare doesn’t offer end to end encryption by default:
The above is a diagram taken from their own website. This is how their “Flexible SSL” set up works which is what you get by default on their free plan.
This is a huge problem because the traffic from your visitors is only encrypted up to the point where it reaches Cloudflare’s servers. Then it’s decrypted and sent over plain text to your server.
Your visitors are tricked into thinking their data is safe when it’s really not. This false sense of security is even worse than no encryption because at least with no encryption you know what you’re getting into because browsers visually warn you when you view insecure sites.
So while you still get a green secure lock by using this option, your data is not really protected.
Cloudflare sees everything (such as your user’s login information) and passes it out in the open back to your server. That leaves your visitor’s data open to be intercepted by anyone listening.
Now, you can opt into using their “Full SSL” option instead, but now you lose the ease of use from the “Flexible SSL” option because you need to configure your own web server for SSL instead of just making a DNS change.
Shared SSL Certificates, Yikes!
The above is easily enough reason to avoid them like the plague, but they also used shared SSL certificates. That means the SSL certificate being served with your domain is also being served to dozens or hundreds of other unrelated sites.
That means anyone who inspects your SSL certificate will see a bunch of domain names that are not associated to your site.
CloudFlare’s shared SSL solution will leak domain names:
I’ve blurred the domains to protect the innocent but believe me, those are all unrelated domain names listed above. If you happen to use Cloudflare yourself, you can check it out by inspecting your SSL certificate in your browser or use a site like this.
You Can Get a Dedicated SSL Certificate With Cloudflare, But…
It’s going to end up costing $5 / month per domain name.
That means if I wanted to protect all of my course sites as well as this site (which is 4 sites at the time of writing this article) I would need to spend $20/month for SSL certificates. No thanks!
That’s way more expensive than most SSL vendors. They typically charge $10 per year.
What Makes Let’s Encrypt Better Than Cloudflare?
Cloudflare hijacks your DNS, which means their servers are hit first when someone tries to resolve your domain name, then it in turn sends the traffic to your server. So ignoring the SSL issues we went over above, you may experience much slower load times on your site when using Cloudflare (especially if you use their free plan).
Let’s Encrypt is nothing like that. When you protect your site with HTTPS using Let’s Encrypt you are still in full control over your DNS and you get full end to end encryption.
All you have to do is configure your web server (nginx, Apache, etc.) for SSL and then configure Let’s Encrypt to issue and renew SSL certificates for you.
It’s not even a service you sign up for. You just verify that you own your domain (which can be done automatically) and it’ll work in the end.
Unlike Cloudflare, there’s no monthly fees or additional fees for SSL certificates. Once you have it all configured, you can sit back and relax while cron and Let’s Encrypt does everything for you. It’ll work for life and it’s free.
This is what I personally use for all of my sites (as well as my clients).
I think Let’s Encrypt is such a great solution that I wanted to share everything I’ve learned about it so I created the HTTPS with Let’s Encrypt course.
That course explains how everything works in detail and even covers things like how to buy a domain name from a good registrar (which will save you money in the long term), hosting static and dynamic sites on DigitalOcean using nginx or Apache on both Ubuntu and CentOS.
Of course it’s loaded with fully working / battle hardened scripts and configs based on real world experience. That’s the only way I roll!