CloudFlare is a Blogger HTTPS Bust

My quest for TLS on Blogger continues.  CloudFlare indicates that their product supports HTTPS with Blogger.  Yes, it does support Blogger, but not out of the box and not completely securely.  If you want a secure HTTPS/TLS solution, you will need something other than the Pro Plan.  It's not even clear to me that their other plans would work either.  For those interested in the details, read on.

Photo 1: CloudFlare page rules

CloudFlare setup for HTTPS was easy enough.  After making a few DNS changes the night before, I held my breath and created a couple of simple page rules to switch over to HTTPS.  Page rules identify which areas of your site are within scope of a particular CloudFlare feature, such as redirects.  CloudFlare does not support regular expressions, but it does support a basic asterisk (*) wildcard (photo 1).  After I entered the rules shown, most of my site was using HTTPS.  Shortly after I applied the new rules, I received some mixed content warnings from readers.

Photo 2: OWASP ZAP Proxy

To identify the mixed content, I used OWASP ZAP Proxy to review the content being loaded.  ZAP Proxy is an OWASP tool that runs on your desktop and monitors the HTTP(S) traffic between your web browser and the web servers.  ZAP lets you view HTTP requests and responses, and edit them if you wish.  Note the results from my ZAP run in photo 2.  Several unprotected blogspot.com and blogblog.com URLs are shown; these are loaded by Blogger and are not being rewritten by CloudFlare.  Nothing is broken yet, since the Blogger URLs don't fit my page rule spec.  You might think you could fix this by adding a page rule like http://*.blogspot.com to those in photo 1, but you would be wrong.  Any combination of wildcards with the asterisk up front ends in disappointment.  Contrary to the instructions, leading wildcards are not supported in the Pro Plan at all.  To work around this I created a test rule like http://1.bp.blogspot.com/.  This page rule did not work either: when the rule is entered, CloudFlare produces a warning indicating that rules must apply to your own site, securitycurmudgeon.com in my case.

At this point I contacted the company, who returned a prompt response.  CloudFlare's advice was not very helpful, since Blogger site admins like me don't have the level of control over their site URLs required to fix this.  Unfortunately, mixed content security is even more dangerous than no security at all, since it sets a false expectation of security.  If someone else has an idea please ping me, but I don't think this is an easy fix for me.  I need to figure out something else.  I'm tempted to run my own server, but that comes with some IT headaches of its own.  Back to the drawing board.
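The following Python scanner is an added example and not part of the original post or of ZAP.  It does offline what the ZAP run above did by hand: given an HTML page served over HTTPS, it lists every http:// sub-resource (the mixed content) and then reports which of those hosts lie outside your own zone, i.e. the ones no page rule on securitycurmudgeon.com can rewrite.  The sample HTML and its asset paths are constructed, not captured from Blogger.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that fetch a sub-resource; "active" content can run code in the page.
RESOURCE_ATTRS = {("script", "src"): "active", ("iframe", "src"): "active", ("link", "href"): "active",
                  ("img", "src"): "passive", ("video", "src"): "passive", ("source", "src"): "passive"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # e.g. rel="alternate" feed links are not sub-resource fetches
        for name, value in a.items():
            kind = RESOURCE_ATTRS.get((tag, name))
            if kind and value:
                url = urljoin(self.page_url, value)  # "//host/x" resolves to the page's scheme
                if urlsplit(url).scheme == "http":
                    self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    """Return (kind, tag, url) for each http:// sub-resource; a plain-http page cannot have mixed content."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

def hosts_outside_zone(findings, zone):
    """Hosts of flagged URLs outside `zone`: a page rule on that zone cannot rewrite them."""
    hosts = {urlsplit(url).hostname or "" for _, _, url in findings}
    return sorted(h for h in hosts if h != zone and not h.endswith("." + zone))

# Constructed sample in the shape of a Blogger page; the asset paths are made up.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.blogblog.com/1kt/simple/css/sample.css">
<script src="//www.securitycurmudgeon.com/js/app.js"></script>
</head><body>
<img src="http://1.bp.blogspot.com/photo1.png">
<img src="https://1.bp.blogspot.com/photo2.png">
<a href="http://example.com/">navigation link, not mixed content</a>
</body></html>"""

if __name__ == "__main__":
    hits = find_mixed_content("https://www.securitycurmudgeon.com/", SAMPLE_HTML)
    print(hits, hosts_outside_zone(hits, "securitycurmudgeon.com"))
```

The protocol-relative script URL is not flagged because it inherits the page's https scheme; the two blogspot.com/blogblog.com hosts come back as outside the zone, which is exactly why a page rule on your own domain cannot fix them.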

–Milton

Author: milton

For bio, see https://www.securitycurmudgeon.com/about/