In a move designed to thwart wholesale eavesdropping by state-sponsored spies and sophisticated crime gangs, content delivery network CloudFlare has upgraded its Web-encryption capabilities to better protect data traveling between its own servers and those of its customers.

Known as full (strict) transport layer security (TLS), the newly added mode provides robust encryption and cryptographic authentication for backend traffic, which usually means data traveling over the Internet backbone. Under the new option, TLS traffic passing between CloudFlare and its customers is protected and authenticated using certificates signed by a handful of certificate authorities. Until now, backend encryption for CloudFlare customers didn't validate certificates to ensure they were signed by a trusted certificate authority. That measure is better than no encryption but could still be susceptible to "active" man-in-the-middle attacks using self-signed certificates. Such attacks involve the use of a separate, self-signed certificate by someone who places himself between the two servers sending the encrypted data. Because data is encrypted using the private key belonging to the rogue certificate, the attacker has the ability to surreptitiously read any traffic passing through the connection.

The improved backend TLS accompanies front-end TLS that is already in place. This type of Web encryption protects data as it passes from an end-user's computer to CloudFlare's content delivery network. That includes traffic passing over a Wi-Fi network or from the end-user's ISP to CloudFlare servers.

In addition to using certificates signed by authorities, full (strict) TLS also pares down the list of authorities signing the certificates. That move is intended to prevent active man-in-the-middle attacks that rely on certificates signed by hacked or rogue authorities. CloudFlare is also publishing the source code implementing full (strict) TLS so other sites or services running the nginx Web server can use it.
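To make the difference between the two backend modes concrete, here is an added example (not CloudFlare's configuration and not the code the article says CloudFlare is publishing) of an nginx reverse proxy that terminates client TLS and re-encrypts to an origin. It uses the `proxy_ssl_*` directives available in nginx 1.7.0 and later; the hostnames and file paths are placeholders. The commented-out line is the weak setting, the lines below it are the strict equivalent.

```nginx
# Added example configuration, not CloudFlare's own. Hostnames and paths are assumed.
upstream origin {
    server origin.example.com:443;
}

server {
    listen 443 ssl;
    server_name www.example.com;

    # Front-end TLS: protects the hop from the end user to this proxy.
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;

    location / {
        proxy_pass https://origin;
        proxy_set_header Host $host;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # "Full" (non-strict) backend mode: the hop to the origin is encrypted,
        # but any certificate, including a self-signed one presented by a
        # man in the middle, is accepted because it is never verified.
        # proxy_ssl_verify off;

        # "Full (strict)" backend mode: verify the origin certificate chain.
        proxy_ssl_verify       on;
        proxy_ssl_verify_depth 2;

        # Pared-down trust: only the CAs in this bundle may vouch for the
        # origin. Listing a few CAs here instead of the whole system store
        # means a certificate from some other (hacked or rogue) CA fails.
        proxy_ssl_trusted_certificate /etc/nginx/tls/origin-ca-bundle.pem;

        # Send SNI and check the certificate's name against the real origin
        # hostname. Without proxy_ssl_name, nginx would verify against the
        # upstream name "origin", and a certificate for any other host signed
        # by a bundled CA would otherwise be accepted.
        proxy_ssl_server_name on;
        proxy_ssl_name        origin.example.com;
    }
}
```

With `proxy_ssl_verify on`, a handshake against a certificate that is self-signed, expired, issued by a CA outside the bundle, or issued for a different name is refused and logged as an upstream SSL error rather than silently proxied; that refusal is the observable signal a defender should alert on, since a sudden run of such errors on a previously healthy origin is what an attempted interception looks like from the proxy's side.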

Full (strict) TLS comes a few months after documents leaked by former National Security Agency contractor Edward Snowden revealed that the agency has in the past tapped the overseas links that Google and Yahoo use to communicate between their data centers. While US and UK surveillance agencies have a variety of stealthy attacks for bypassing encryption, privacy advocates generally agree that those techniques are costly to carry out on a wide scale.

Options such as full (strict) TLS go a long way toward improving security and privacy on the Internet, but there's still more that can be done. Certificate pinning, for instance, does even more to prevent active man-in-the-middle attacks that abuse credentials signed by certificate authorities. A CloudFlare engineer said that measure is in the works. The CloudFlare blog post regarding full (strict) TLS functionality is here.