Home / Companies / Cloudflare / Blog / May 2016

May 2016 Summaries

14 posts from Cloudflare

Filter
Month: Year:
Post Summaries Back to Blog
A customer recently inquired about simple GET requests for their homepage being blocked by the Cloudflare Web Application Firewall (WAF). The issue was traced back to a SQL injection attempt hidden within the User-Agent HTTP request header. This technique is commonly used by scanning tools and can be exploited to extract information from a website or gain access. To mitigate such attacks, it's crucial for web applications to sanitize input and employ security measures like Cloudflare's WAF.
May 17, 2016 1,388 words in the original blog post.
On May 13, 2016, John Graham-Cumming announced that CloudFlare was supporting HTTP/2 Server Push for all its customers. By simply adding a Link header to an HTTP response specifying preload, CloudFlare would automatically push items to web browsers that support Server Push. The use of Server Push can significantly reduce page load times by pushing resources before the browser asks for them. Experimentation with different types of resources and determining the optimal number of items to push is encouraged.
May 13, 2016 1,034 words in the original blog post.
On April 28, 2016, Cloudflare released HTTP/2 Server Push support for all customers. Today, 50% of sites that use HTTP/2 are served via Cloudflare. The company has also extracted its changes to NGINX and made them available as a patch, allowing both SPDY and HTTP/2 to be supported together with the standard release of NGINX. To configure an NGINX server to support both HTTP/2 and SPDY on the same port, users need to run `./configure --with-http_spdy_module --with-http_v2_module --with-http_ssl_module`. The patch uses ALPN and NPN to advertise the availability of the two protocols. Cloudflare continues to support SPDY and HTTP/2 across all its sites, monitoring the percentage of connections that use SPDY before making a decision on its eventual deprecation.
May 13, 2016 366 words in the original blog post.
Cloudflare introduced Origin CA, a service that allows users to get certificates directly from them without needing to go through third-party certificate authorities. The private key is generated client-side in the browser using W3C's Web Crypto API and only the public key is sent to Cloudflare servers for security purposes. This feature not only ensures privacy but also provides a simpler, more convenient way of getting certificates without requiring command-line operations. The Origin CA dashboard uses WebCrypto for generating keys and PKI.js for creating CSRs.
May 10, 2016 910 words in the original blog post.
Multiple vulnerabilities were discovered in ImageMagick, an image manipulation software, leading to the exploitation of CVE-2016-3714 by hackers. This vulnerability allows arbitrary code execution by hiding it inside uploaded image files. Cloudflare rolled out a WAF rule to protect its customers from this vulnerability. The most common payloads used by hackers include reconnaissance and remote access payloads, which enable them to gain control of the targeted machine. It is crucial for users of ImageMagick to upgrade as quickly as possible to be fully protected against this vulnerability.
May 09, 2016 1,210 words in the original blog post.
CloudFlare has developed a robust API that allows comprehensive control over its services, and it is accessible through various programming languages, including Python, Go, and Node.js. The blog post focuses on the Python wrapper, python-cloudflare, which simplifies interaction with CloudFlare's v4 API by translating API documentation directly into Python code. This package, available on GitHub, offers functionality for managing domains, DNS records, and other settings, while also providing a command-line interface for executing API calls and processing JSON responses. CloudFlare encourages community contributions to this open-source project and offers additional client libraries for developers using other programming languages.
May 09, 2016 965 words in the original blog post.
On November 9th, 2016, CloudFlare will discontinue support for its first client API, API v1. The company is excited to introduce the latest version of their API, API v4, which offers extensive features and improvements over previous versions. API v4 supports every feature on CloudFlare and includes new capabilities such as managing zone's Page Rules, uploading SSL certificates, setting firewall access rules at a user level, and more. Additionally, API v4 uses JSON throughout for both request and response data, making it easier to work with compared to the previous version. Migration documentation is available for users transitioning from API v1 to v4.
May 09, 2016 663 words in the original blog post.
On March 9, agentzh (章亦春) organized the first Bay Area OpenResty Meetup at CloudFlare's San Francisco office. The event was sponsored by CloudFlare, a big user of Lua, LuaJIT, NGINX and OpenResty. Slides and videos from the meetup are now available for viewing by those who could not attend in person. Presentations included topics such as abode.io by Dragos Dascalita of Adobe, KONG by Marco Palladino from Mashape, and "What's new in OpenResty for 2016" by Yichun Zhang of CloudFlare. Those interested in attending future OpenResty Meetups should follow the meetup itself.
May 09, 2016 132 words in the original blog post.
On May 5th, 2016, CloudFlare announced the expansion of WebSocket support to all its customers, including Enterprise, Business, Pro, and Free plans. WebSockets is a protocol that enables real-time communication between web servers and clients by creating a persistent connection. This technology is vital for applications like social feeds, multimedia chat, collaborative editing, multiplayer gaming, stock updates, and more. By supporting WebSockets, CloudFlare aims to reduce latency and unnecessary HTTP header traffic, making the internet faster and more efficient for its users.
May 05, 2016 440 words in the original blog post.
A new vulnerability has been discovered in OpenSSL/LibreSSL, specifically a padding oracle in CBC mode decryption. This issue is similar to the Lucky13 vulnerability and was found using TLS-Attacker tool developed by Juraj Somorovsky. The vulnerability affects servers with AES-NI instructions and can be exploited to recover at least 16 bytes of data sent repeatedly just before attacker-controlled data, such as HTTP Cookies. CloudFlare websites are protected from this vulnerability, but customers supporting only AES-CBC should upgrade their systems as soon as possible.
May 04, 2016 2,239 words in the original blog post.
The next DNS meetup will feature Dan Kaminsky, known for discovering a core flaw in the Internet and leading efforts to repair it. Topics covered will include the history of the Kaminsky attack, future developments in DNS and privacy, securing email with DNS, and policy implications of government-allowed DNS blocking. The event will take place at Gandi's headquarters in San Francisco on May 10th, 2016, at 6 PM PST. RSVP is required to attend the meetup, while a livestream link will be provided closer to the event for those unable to attend in person.
May 04, 2016 225 words in the original blog post.
Cloudflare has introduced Origin CA, an encryption service for its customers that provides free and performant HTTPS protection for their origin servers. The new feature is designed to make it easier and more efficient for users to secure their websites with SSL/TLS certificates. Origin CA offers several benefits over public certificate authorities (CAs), including ease of issuance and renewal, support for wildcard certificates, faster and simpler revocation processes, compatibility with a wide range of web servers and operating systems, and optimized certificates that increase performance and reduce bandwidth consumption at the origin. Users can issue Origin CA certificates through the Cloudflare dashboard, API, or CLI.
May 03, 2016 2,917 words in the original blog post.
On May 2nd, 2016, Cloudflare released a new version of its plugin for cPanel with two new features and enhanced control over website security settings. The updated plugin (v6.0) uses the latest cPanel PHP-based APIs and is redesigned to facilitate easier addition of new features and frequent updates. It allows users to quickly start using Cloudflare features by clicking on the Cloudflare icon from their cPanel interface. New features include Full Zone Provisioning, enabling all of Cloudflare's protection for root domains and subdomains, and an "I'm under attack" mode for filtering out malicious traffic during Layer 7 DDoS attacks. Users can also control more security settings from cPanel, such as the basic security level, challenge passage duration, and browser integrity check. Additionally, performance settings like caching levels, auto-minify options, and development mode can be managed within cPanel. The plugin is now based on the latest cPanel APIs for increased stability and supports localization into any language.
May 02, 2016 476 words in the original blog post.
On May 2, 2016, Cloudflare opened a new data center in Bangkok, Thailand, expanding its network to span across 32 cities in Asia and 79 globally. This expansion is part of the company's efforts to improve internet performance for users in Southeast Asia. Despite only 40% of the population being online, Thailand has quickly become a majority-mobile country with 70% of its users accessing the internet primarily via smartphones. Through Cloudflare's implementation of encryption and HTTP/2 Server Push, mobile users experience better performance and less battery usage for the same content. The company also announced partnerships with local carriers to improve internet experiences for their customers in Thailand.
May 02, 2016 394 words in the original blog post.