Certificate Optimization

SHA-256 signed certificates are the new standard for TLS and the encrypted web. Starting in 2016, certificate authorities (CAs) will no longer be issuing SHA-1 certificates, making encrypting the web for older browsers difficult, if not impossible.

Browser vendors will phase out support for SHA-1 certificates in 2016, which means that, eventually, users with older browsers or operating systems won’t be able to access the encrypted web.

SHA-2 is supported by around 98% of browsers. This is good news, but that missing 2% represents over 37 million Internet users worldwide. Dropping support for SHA-1 means 37 million people won’t be able to access SSL/TLS-encrypted websites, especially those in certain emerging markets.

Cloudflare’s certificate optimization logic examines the browser’s capabilities, and then serves the most modern certificate it can support.

Cloudflare Business or Enterprise customers who would like to upload their own unique certificates for browser optimization can do so by contacting support.

SSL/TLS (X509) Certificates

SSL/TLS certificates are used to establish HTTPS sessions between browsers and servers. These certificates are distributed to browsers within a standardized data structure — called X509 — that contains information such as the hostname(s) the certificate is valid for and when it expires. It also contains the name of the browser-trusted certificate authority (CA) — Comodo, DigiCert, GlobalSign, etc. — that signed the certificate and verified its contents.

When a browser receives this X509 structure, it extracts the certificate, hashes it (more on this in a second), and uses the issuer’s public key to verify the signature. If the signature matches, it continues on up the chain of trust, all the way to the CA’s root certificate, which it trusts implicitly.

Certificate Signature Hashing Algorithms

Before the browser can verify the signature of an X509 structure using the issuer’s public key, it must first hash its contents. For most of the web’s HTTPS history, an algorithm called the Secure Hash Algorithm (SHA) was used to do this. Version 1 of this algorithm, released in 1995, was found by cryptographers in 2005 to be at risk for an attack known as a “collision”.

The cost of creating such a collision has been prohibitive since then, but it’s expected to be within reach of a determined (and deep-pocketed) foe by the next decade. As a result, many browsers are abandoning support for SHA-1 in favor of the newer hashing standard, SHA-256.

SHA-256, commonly referred to as SHA-2, was adopted by browsers in recent years because it is exponentially more resistant to collisions. Unfortunately, older browsers were not built with SHA-2 support, and many are run on operating systems that are too old to upgrade. Cloudflare’s Certificate Optimization gives those lacking updatable hardware access to the encrypted web.
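
An added example, not Cloudflare's code: standard-library Python that performs the first step described above, reading which hash a certificate's signature uses and computing that digest over the signed portion (tbsCertificate). The two certificates are constructed skeletons with filler fields and an all-zero signature, the function and constant names are this example's own, and the signature check against the issuer's public key is outside its scope.

```python
import hashlib

SIG_ALGS = {  # DER-encoded OID value -> (signature algorithm, hash over tbsCertificate)
    bytes.fromhex("2a864886f70d010105"): ("sha1WithRSAEncryption", "sha1"),
    bytes.fromhex("2a864886f70d01010b"): ("sha256WithRSAEncryption", "sha256"),
}

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def inspect_signature(cert_der):
    """Return (algorithm name, hex digest of the full tbsCertificate encoding)."""
    tag, body, _ = read_tlv(cert_der, 0)  # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(cert_der, body)  # tbsCertificate: the signed bytes
    _, alg_body, _ = read_tlv(cert_der, tbs_end)  # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(cert_der, alg_body)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    name, hash_name = SIG_ALGS[bytes(cert_der[oid_start:oid_end])]
    return name, hashlib.new(hash_name, cert_der[body:tbs_end]).hexdigest()

def der(tag, value):  # minimal DER encoder, used only to build the constructed samples
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value

def skeleton_cert(oid_hex):
    """Constructed sample, not a real certificate: filler fields, all-zero signature."""
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    tbs = der(0x30, b"\x02\x01\x01" + alg + der(0x04, bytes(200)))
    return tbs, der(0x30, tbs + alg + der(0x03, bytes(129)))

SHA1_TBS, SHA1_CERT = skeleton_cert("2a864886f70d010105")
SHA256_TBS, SHA256_CERT = skeleton_cert("2a864886f70d01010b")
```

Running `inspect_signature` over the DER form of each certificate in a served chain shows which links are still signed with SHA-1.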

Setting Up Cloudflare Is Easy

Set up a domain in less than 5 minutes. Keep your hosting provider. No code changes required.

Cloudflare Pricing

Everyone’s Internet application can benefit from using Cloudflare.
Pick a plan that fits your needs.

Free: $0/mo per website
For personal websites, blogs, and anyone who wants to explore Cloudflare.

The Free Plan includes all of these features:
  • Limited DDoS protection
  • Global CDN
  • Shared SSL certificate
  • 3 page rules

Pro: $20/mo per website
For professional websites, blogs, and portfolios requiring basic security and performance.

The Pro Plan includes all of these features:
  • Basic web application firewall (WAF) with Cloudflare rulesets
  • Image optimizations with Polish™
  • Mobile optimizations with Mirage™
  • I'm Under Attack™ mode
  • 20 page rules

Business: $200/mo per website
For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized support.

The Business Plan includes all of these features:
  • Advanced DDoS protection
  • Advanced web application firewall (WAF) with 25 custom rulesets
  • Custom SSL certificate upload
  • PCI compliance thanks to TLS 1.2 only mode and WAF
  • Accelerate delivery of dynamic content with Railgun™
  • Prioritized support
  • 50 page rules

Enterprise: contact us
For companies requiring enterprise-grade security and performance, 24/7/365 emergency support, and guaranteed uptime across one or more Internet assets.

The Enterprise Plan includes all of these features:
  • 24/7/365 enterprise-grade phone and email support
  • 100% uptime guarantee with 25x reimbursement SLA
  • Advanced DDoS protection with prioritized IP ranges
  • Advanced web application firewall (WAF) with unlimited custom rulesets
  • Multiuser role-based account access
  • Multiple custom SSL certificate uploads
  • Access to raw logs
  • Dedicated solution and customer success engineers
  • Access to China CDN points of presence (Additional Cost)
  • 100 page rules