Please do keep in mind that CloudFlare is essentially a consensual man-in-the-middle and for certain threat models is not compatible with the "secure" modifier.
Do also keep in mind that SSL on Heroku is terminated at their routing layer before your Dynos. Therefore it is as easy for Heroku (Salesforce) to man-in-the-middle your application as it is for CloudFlare, whether that be on instruction for the authorities or due to a bad actor on the staff.
Both of them you have to trust to do the right thing and that is an exercise left to the individual thinking of using either service. So let's not pretend that CloudFlare is a special case.
If you need to trust that none of your service providers can MITM your site then you can't use any PaaS or CDN, you need to terminate the SSL yourself, and that includes all static assets you use. No more jQuery from Google CDN, no more analytics/exception tracking/fonts from your favoured provider and no more advertising conversion tracking.
But then do also remember that it's possible for any web host to take over their customers' site as long as they own the IP address. They just point the IP to another server, configure it to respond to the hostname and they can then even use any SSL certificate provider who validates the domain name with a file at a specific URL to grab a certificate.
Everyone has to make their own judgment on who they can trust. CloudFlare is no different.
Except for the part where anyone you'd like to partner with isn't going to trust your internal analytics to gauge your popularity. One of the points of third party analytics is that you have a disinterested third party who can provide the data to someone else.
If I use self hosted analytics and exception tracking I have to ensure it's up-to-date with security patches. The pros will do a better job at this than anyone will self hosting. Concentrate on your core business, knowing when to outsource is important.
As someone running an ecommerce website, without using advertising conversion tracking from our various advertising networks it would simply not be measurable or cost effective. It is an essential part of how the system works.
>Therefore it is as easy for Heroku (Salesforce) to man-in-the-middle your application as it is for CloudFlare
Heroku owns your server and can just as easily read your database off disk and/or your webserver process's memory. If you don't want to trust an infrastructure provider, you need to have physical control of your server. Such quibbles about architecture are deck chairs on the Titanic.
In one sense that's true, but as they say in the security field, the fact that someone could break down your home's front door with an axe doesn't keep us from locking our doors. Even if you generally trust your infrastructure provider, there's still no harm in considering the different layers at which you are and are not protected from certain attacks. For example, a single rogue employee might be able to do some harm in one area, but not another.
>No more jQuery from Google CDN, no more analytics/exception tracking/fonts from your favoured provider and no more advertising conversion tracking
You don't have to trust the CDN for any static resource you load as long as you use the subresource integrity feature of modern browsers[1]. You basically include the hash of the content on your main domain and the browser will validate it when it loads it from CDN. So you only need to trust your main site.
Yes. Some people have confused themselves into thinking TLS is end-to-end, when it's only point-to-point. Not specific to cloudflare; Google did this for years and the NSA took advantage of that (hence the "SSL added and removed here" thing).
We're suggesting CloudFlare as it's one of the few DNS providers that supports SSL at the domain apex on Heroku.
I wouldn't recommend using their built-in SSL solution though and it's easy to turn off.
They have a lot more control than just the routing layer. They own your process, they have your source code, they have your API keys. There is a huge implicit trust in Heroku. It is my host of choice but they definitely own the keys to the palace.
"The Cloud" isn't a company that has direct access to a certificate authority.
"The Cloud" doesn't produce a valid TLS certificate for YOUR website, to encrypt the connection between them and your visitors, but not necessarily between them and your server.
"The Cloud" is a vague term for "other people's computers".
CloudFlare is better than plaintext HTTP, but if your goal is confidentiality, then CloudFlare is probably worse than direct HTTPS with no intermediaries.
Again, threat models differ. For most people, CloudFlare is probably just fine.
If your threat model differs, this is cool.