Reasoning Behind CloudFlare’s Free Universal SSL

On Wednesday September 24th, the CloudFlare Board discussed their plans for launching Universal SSL at no charge, and the impact on revenue. The main topic of discussion: “how doing may hurt our revenue given SSL is one of the reasons people upgrade to a paid plan.” The consensus: “even if it does hurt revenue in the short term, it’s the right thing to do.” In one shot, CloudFlare gives away 2M SSL Certs, doubling the global SSL Cert count from 2M to 4M. Their certs apply to the root domain and include wildcard certs. In case anyone is wondering, wildcard certs are a premium feature offered by most CDNs at a price tag of $500 – $1500 per month, depending on the customer requirements.

Not all SSL Certs are created equal. The SSL Certs offered by the Akamais and EdgeCasts of the world are technically superior in many ways. But we’ll let the CDNs battle that one out. Now let’s analyze CloudFlare’s move from a few angles. First, it will hurt revenue in the short term, and in the long term. What happens if $5M in existing revenue or potential new customer revenue evaporates because customers opt to go the free route? For a $40M/year CDN, that’s an enormous hit. Next, Matthew Prince stated in a press release that CloudFlare invested over 10,000 hours developing the SSL feature. That equates to 5 full-time engineers working on SSL for 1 year. With the high salaries in Silicon Valley, that means it cost $1M to create Universal SSL at $200k/engineer per year, or more.

Opportunity Cost: The $1M investment in SSL could have been invested elsewhere, like another cutting-edge feature that differentiates CloudFlare from the competition. CloudFlare is no longer in the driver’s seat when it comes to security feature set innovation. Engineers might disagree, but SSL is SSL; what does it matter if it’s very high quality or just good quality? Both do the same thing, which is to encrypt data. It doesn’t give a CDN leverage over another CDN when competing for the same business. There are much better features to invest in, like fraud detection, where mouse activity can be tracked and stored in order to create a baseline. Thereafter, if a hacker or intelligent bot steals user credentials and logs in as a regular user, the feature will detect the anomalies and mitigate the attack.
