Cloudflare has recently blocked all non-encrypted HTTP connections to its APIs via api.cloudflare.com by default. Only encrypted HTTPS connections are now allowed. The measure is intended to prevent sensitive data from leaking through unsecured connections.
Cloudflare's measure applies to the Cloudflare API, which developers and system administrators use to automate and manage their Cloudflare services. Among other things, it covers managing DNS records, configuring firewalls, protection against DDoS attacks, caching, SSL settings, rolling out infrastructure, accessing data for analyses, and managing zero-trust access and other security settings.
Until now, the API accepted both unencrypted HTTP connections and encrypted HTTPS connections. Connections over the cleartext HTTP port ran the risk of leaking sensitive information, because the traffic was not encrypted and could therefore easily be intercepted by internet providers, WiFi hotspot providers or hackers on the same network.
Servers typically deal with this HTTP traffic by redirecting it or rejecting it with a 403 response, forcing clients to use encrypted HTTPS connections. However, this can come too late for sensitive data: an API token, for example, may already have been sent in cleartext in the client's first request, exposing it before the server can redirect or reject the connection.
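The failure mode described above, as an added example (not code from Cloudflare or from the original article): a local plaintext listener that refuses every request with 403 still receives the bearer token, while a client-side HTTPS-only check stops the request before a socket is opened. The token value, the `/example` path and all function names are constructed for illustration.

```python
import http.server
import threading
import urllib.error
import urllib.request

SEEN = []  # Authorization headers that reached the plaintext listener
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass proxies

class Reject(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        # The headers have already crossed the network when the 403 is sent.
        SEEN.append(self.headers.get("Authorization"))
        self.send_response(403)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def call_api(url, token):
    """Naive client: sends the bearer token to whatever URL it is given."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def call_api_https_only(url, token):
    """Guarded client: rejects non-HTTPS URLs before any socket is opened."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    return call_api(url, token)

def demo():
    token = "CONSTRUCTED-TOKEN-123"  # constructed sample, not a real credential
    with http.server.HTTPServer(("127.0.0.1", 0), Reject) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{server.server_port}/example"  # hypothetical path
        status = call_api(url, token)        # listener refuses with 403 ...
        leaked = f"Bearer {token}" in SEEN   # ... yet it received the token
        try:
            call_api_https_only(url, token)
            blocked = False
        except ValueError:
            blocked = True
        server.shutdown()
    return status, leaked, blocked, len(SEEN)

if __name__ == "__main__":
    print(demo())
```

The final count of requests seen by the listener stays at one, which shows the guarded client never put the token on the wire.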
Blocking HTTP traffic
Cloudflare wants to solve this problem once and for all and is therefore closing off the entire HTTP interface to its API environment. Plaintext connections are blocked at the transport layer, before any data has been exchanged, so only encrypted HTTPS connections are now possible.
The new measure has major consequences for anyone who still uses unencrypted HTTP connections via the Cloudflare API Service. Bots, scripts and other tools that depend on this will no longer work.
This also applies to other legacy systems, automated clients, IoT devices and other low-level clients that do not yet use HTTPS by default due to poor configurations.
Cloudflare itself indicates that approximately 2.4 percent of the internet traffic processed via its systems still uses the unsafe HTTP protocol. If automated traffic is included, this rises to 17 percent.
Actions by customers
Customers can check the ratio between HTTP and HTTPS traffic themselves in their Cloudflare dashboard. This allows them to estimate the extent to which the measure affects their environment.
For users of websites that run on Cloudflare, the specialist will soon offer a free option until the end of this year to safely disable unencrypted HTTP traffic.