Home / Companies / Cloudflare / Blog / March 2016

March 2016 Summaries

7 posts from Cloudflare

Filter
Month: Year:
Post Summaries Back to Blog
Cloudflare has released version 1.2 of its open-source TLS/PKI toolkit, CFSSL. The update includes a range of new features such as configuration scanning, automated provisioning via the transport package, revocation, certificate transparency and PKCS#11 support. These enhancements aim to make CFSSL more powerful for users ranging from large SaaS providers like Heroku to game companies like Riot Games and even new Certificate Authorities like Let's Encrypt. The toolkit is now available at cfssl.org, where users can try out its user interface, download binaries, and test some of its features.
Mar 31, 2016 2,204 words in the original blog post.
The Tor Project offers an anonymous browsing service, which is important for individuals living in repressive regimes. However, it also provides value to online attackers, as 94% of requests from the Tor network are malicious. Cloudflare has not explicitly treated traffic from Tor differently but users of the Tor browser have been more likely to experience CAPTCHAs or other restrictions due to the high threat score associated with Tor exit nodes. The company is working on solutions that reduce the impact of CAPTCHAs on Tor users without compromising their anonymity and while keeping its customers safe.
Mar 30, 2016 2,380 words in the original blog post.
The IETF Hackathon in Buenos Aires on April 2-3 will focus on implementing the latest draft of TLS 1.3 and testing interoperability between existing implementations written in various languages. CloudFlare and Mozilla are working together to improve security and performance for HTTPS with this new version of TLS, which hasn't seen an update in eight years. Those interested in network programming and cryptography are encouraged to attend the hackathon or apply to join the CloudFlare team.
Mar 28, 2016 172 words in the original blog post.
Cloudflare has implemented a "no browser left behind" initiative, serving over 500 billion SHA-1 certificates to visitors who otherwise would not have been able to communicate securely with their customers' sites using HTTPS. The company continues to present newer SHA-2 certificates to modern browsers using the latest in elliptic curve cryptography. Cloudflare has developed a logic tree for determining which certificate to present and, relatedly, which cipher suite to use during the SSL/TLS handshake process. This logic takes into account various factors such as plan type, presence of signature_algorithm extension, specific signature_algorithms, shared cipher suites, server_name_indication extension, and Legacy Browser Support settings in the Cloudflare dashboard.
Mar 23, 2016 2,723 words in the original blog post.
The text discusses how attackers conduct DDoS attacks by exploiting DNS lookups with small queries and large answers, a method known as reflection attack. Domains with DNSSEC are particularly vulnerable to this type of abuse. To prevent such attacks on domains hosted on CloudFlare, the company implemented measures to ensure that most DNS responses fit within 512 bytes UDP packets even when signed with DNSSEC. This involved using a rarely-used signature algorithm and deprecating a DNS record type. The text also mentions the use of elliptic curve cryptography in ECDSA signature algorithm, which allows for smaller keys while maintaining the same level of security as larger RSA keys. Additionally, it explains how CloudFlare stopped answering ANY queries to prevent their misuse in launching large DDoS attacks and is working towards making ANY deprecation an Internet standard.
Mar 04, 2016 677 words in the original blog post.
Over the last month, CloudFlare has been dealing with some of the largest distributed denial of service (DDoS) attacks ever seen, peaking at around 400Gbps of aggregate inbound traffic. These layer 3 DDoS attacks consist of a large volume of packets hitting the target network and aim to overwhelm its hardware or connectivity. The recent spate of large attacks are all layer 3 (L3) DDoS, which are dangerous because most of the time the only solution is to acquire large network capacity and buy beefy networking hardware, which is not an option for many independent website operators. Fortunately, CloudFlare's automatic mitigation systems were able to sort good from bad packets and keep websites online during these attacks.
Mar 03, 2016 1,132 words in the original blog post.
On March 1st, 2016, John Graham-Cumming announced that CloudFlare customers are automatically protected against the DROWN Attack due to their lack of SSLv2 enabled on servers. The company's SSL configuration is published for others to use and currently accepts TLS 1.0, 1.1, and 1.2. They are proactively testing customers' origin web servers for vulnerabilities and will reach out to those with vulnerable servers. In the meantime, users should ensure that SSLv2 is fully disabled or private keys are not shared with servers still needing SSLv2.
Mar 01, 2016 99 words in the original blog post.