When we founded Qloaked, we were facing a fairly common problem among small SaaS businesses – how to secure client domains pointed at our service – and the only solution we were able to find on the market came from Cloudflare's SSL for SaaS service.
Now, we'll say up front that we love Cloudflare – we're users ourselves, and we also work with a ton of companies that rely on their services.
Cloudflare's role in bulletproofing the web (through DDOS mitigation, CDN availability, asset compression, speed enhancements and a ton of other services) is something we should all be thankful for.
However, as a small SaaS company, Cloudflare's pricing for its SSL for SaaS service was… Unrealistic. ]
You should speak to their sales team yourself to get an exact quote, but our conversation yielded that it was only available to enterprise customers, for whom pricing starts in the "low four figures" monthly.
For many SaaS companies, that's an extremely high price to pay for SSL certificates – especially as Cloudflare's cheaper packages offer most of the features on enterprise. Hence, we needed to build an alternative, and Qloaked was born.
1) Technical Simplicity: No API calls required
Cloudflare is essentially a reverse proxy, which means it intercepts traffic between the user's DNS lookup and the remote server and serves content from its CDN or cache rather than the remote server.
Based on this blogpost, SaaS companies can use the SSL for SaaS service by instructing their clients to point a CNAME (e.g. support.yourcustomer.site) at their Cloudflare-protected endpoint (e.g. whitelabel.yourcompany.ltd) and then pinging the Cloudflare API to request SSL certificate issuance.
The query itself looks a little like this:
Having to do this every single time isn't ideal if you're running a globally-available app.
Qloaked works in almost exactly the same way, but there's no API call required. When Qloaked detects a new domain sending traffic to your Qloaked-configured endpoint (e.g. whitelabel.yourcompany.ltd), our service tries to secure it automatically, without an API call.
For our customers, this means client SSL connections with NO setup whatsoever – we'll issue the certificate as soon as traffic from a new host is detected, and we'll transition non-HTTPS connections to HTTPS as soon as the certificate is set up.
2) Shorter Validity Periods
Cloudflare's SSL for SaaS product seems to use SSL certificates valid for 365 days. This is good (and better than the two-year maximum), but it's not as good as a shorter duration.
We use Let's Encrypt on our backend, which mandates a ninety-day lifetime for the certificates, for two reasons:
Qloaked automatically rotates certificates for all domains using the service, so your certificates are more secure and easier to manage.
Our pricing is designed for small and growing companies, not enterprises – we're fully transparent about our cost (you'll find everything you need to know on the front page).
Cloudflare's SSL for SaaS pricing, however, isn't really designed for small businesses. When we enquired, we were told that SSL for SaaS is available on the enterprise plan, which starts from "four figures monthly" (that's USD). If you're primarily worried about securing domains, that's a pretty punchy outlay.
A small note: Our understanding is that Cloudflare doesn't impose bandwidth limits on its SSL for SaaS service, but we do, primarily to offset the bandwidth/infrastructure costs that we'll incur offering a reverse proxy to your service.
Our bandwidth overage charges are reasonable and transparent (and also on our front page), and shouldn't affect most users.
So there you have it, the three main differences between Qloaked and Cloudflare's services for custom vanity domains. They're important differences, but we shouldn't lose sight of the whole picture here: securing your customers' traffic is important if you're a SaaS business.
It's better for you, better for them, and better for the web in general. So pick the solution that works for you, but please do get it done!