CloudFlare阻止了所有未加密的HTTP连接到其API

现在仅允许使用加密的HTTPS连接。该措施旨在防止敏感数据通过无抵押连接泄漏。

Cloudflare has recently blocked all non-encrypted HTTP connections to its APIs via api.cloudflare.com by default. Only encrypted HTTPS connections are now allowed. The measure is intended to prevent sensitive data from leaking through unsecured connections.

CloudFlare最近通过api.cloudflare.com阻止了所有未加密的HTTP连接到其API。现在仅允许使用加密的HTTPS连接。该措施旨在防止敏感数据通过无抵押连接泄漏。

Cloudflare’s measure is aimed at the Cloudflare API. This helps developers and system administrators automate and manage their Cloudflare services. Among other things, it helps with the management of DNS records, configuring firewalls, protection against DDoS attacks, caching SSL settings, rolling out infrastructure, accessing data for analyses, managing zero-trust access and other security settings.

Cloudflare的措施针对Cloudflare API。这可以帮助开发人员和系统管理员自动化并管理其CloudFlare服务。除其他外，它有助于管理DNS记录，配置防火墙，防止DDOS攻击，缓存SSL设置，推出基础架构，访问数据进行分析，管理零值访问和其他安全设置。

Until now, the API accepted both unencrypted HTTP connections and encrypted HTTPS connections. Connections with so-called cleartext HTTP ports ran the risk of sensitive information being leaked. This was the case because this traffic was not encrypted and could therefore easily be intercepted by internet providers, WiFi hotspot providers or hackers on the same network.

到目前为止，API接受了未加密的HTTP连接和加密的HTTPS连接。与所谓的clearText HTTP端口的连接有泄漏敏感信息的风险。情况就是如此，因为该流量没有被加密，因此很容易被同一网络上的Internet提供商，WiFi热点提供商或黑客拦截。

Servers tackle this HTTP traffic by redirecting it or rejecting it with a 403 response, forcing clients to use encrypted HTTPS connections. However, this can be too late for sensitive data. This data, for example an API token, may already have been sent in cleartext in the first client connection request. This data would then have been exposed at an earlier stage, before the server can redirect or reject the connection.

服务器通过重定向或通过403响应拒绝该HTTP流量来解决此HTTP流量，从而迫使客户使用加密的HTTPS连接。但是，对于敏感数据可能为时已晚。例如，该数据（例如API令牌）可能已经在第一个客户端连接请求中的ClearText中发送。然后，在服务器可以重定向或拒绝连接之前，该数据将在较早的阶段暴露。

Blocking HTTP traffic

阻止HTTP流量

Cloudflare wants to solve this problem once and for all and therefore closes off the entire HTTP interface to its API environment. This means blocking plaintext connections in the transport layer before any data has been exchanged. This means that only encrypted HTTPS connections are now possible.

CloudFlare希望一劳永逸地解决此问题，因此将整个HTTP接口关闭到其API环境。这意味着在交换任何数据之前阻止传输层中的明文连接。这意味着现在只能使用加密的HTTPS连接。

The new measure has major consequences for anyone who still uses unencrypted HTTP connections via the Cloudflare API Service. Bots, scripts and other tools that depend on this will no longer work.

新措施对仍然使用CloudFlare API服务使用未加密的HTTP连接的任何人都会产生重大影响。机器人，脚本和其他取决于此的工具将不再起作用。

This also applies to other legacy systems, automated clients, IoT devices and other low-level clients that do not yet use HTTPS by default due to poor configurations.

这也适用于其他旧系统，自动化客户端，IoT设备和其他由于配置不佳而默认使用HTTPS的低级客户端。

Cloudflare itself indicates that approximately 2.4 percent of the internet traffic processed via its systems still uses the unsafe HTTP protocol. If automated traffic is included, this rises to 17 percent.

CloudFlare本身表明，通过其系统处理的Internet流量的约2.4％仍然使用不安全的HTTP协议。如果包括自动流量，这将上升至17％。

Actions by customers

客户的行动

Customers can check the ratio between HTTP and HTTPS traffic themselves in their Cloudflare dashboard. This allows them to estimate the extent to which the measure affects their environment.

客户可以在CloudFlare仪表板中检查HTTP和HTTPS访问量的比率。这使他们能够估计措施影响其环境的程度。

For users of websites that run on Cloudflare, the specialist will soon offer a free option until the end of this year to safely disable unencrypted HTTP traffic.

对于在CloudFlare上运行的网站的用户，专家很快将提供免费的选项，直到今年年底可以安全地禁用未加密的HTTP流量。

See also: Cloudflare launches platform for real-time threat information

另请参阅：CloudFlare启动平台以获取实时威胁信息