Home / Companies / Cloudflare / Blog / February 2022

February 2022 Summaries

25 posts from Cloudflare

Filter
Month: Year:
Post Summaries Back to Blog
Cloudflare is working on adding post-quantum cryptography to its systems, a process they refer to as "post-quantumifying" their services. The company has started by migrating Transport Layer Security (TLS) protocols and connections to use post-quantum cryptography for confidentiality protection. They have implemented a hybrid mechanism that combines both classical and post-quantum algorithms, ensuring the security of their connections in case the security of the post-quantum algorithm fails. Cloudflare has successfully tested this new mechanism in specific internal services such as Logfwrdr, Cloudflare Tunnel, and GoKeyless. The next steps involve migrating more codebases to modified TLS libraries and extending the use of post-quantum cryptography beyond their edge network to reach customer connection points.
Feb 25, 2022 3,084 words in the original blog post.
Quantum computers pose a threat to modern cryptographic mechanisms, but the cryptographic community has designed new mechanisms to safeguard against this disruption. The most important security and privacy properties to protect in the face of a quantum computer are confidentiality and authentication. Changing the key exchange of the TLS handshake is simple; changing the authentication of TLS, in practice, is hard. Middleboxes and middleware in the network can be slow to upgrade, hindering the rollout of new protocols. The migration to post-quantum cryptography is not only about the technical changes but is dependent on how the Internet works as an interconnected community that needs coordination and collective willingness to change systems.
Feb 25, 2022 3,175 words in the original blog post.
Germany is at the forefront of security and privacy regulation in Europe, with its cloud security industry adhering to international, regional, and country-specific standards. Cloudflare has taken appropriate organizational and technical precautions to prevent disruptions to the availability, integrity, authenticity, and confidentiality of its production systems in accordance with BSI-KritisV. TÜViT audited Cloudflare's security controls and Information Security Management System (ISMS), allowing them to comply with Germany's NIS Directive. The company is also undergoing an independent third-party audit for the C5 certification, which focuses on operational security within cloud services. Cloudflare holds various certifications that demonstrate its dedication to privacy and security, including ISO 27001, SOC2 Type II, PCI DSS, ISO 27701, and FedRAMP In Process.
Feb 24, 2022 609 words in the original blog post.
The Crypto Forum Research Group of the Internet Research Task Force has developed Hybrid Public Key Encryption (HPKE), a new standard for public-key encryption in internet protocols and applications. HPKE is designed to be simple, reusable, and future-proof by building upon knowledge from prior PKE schemes and software implementations. It is already in use in emerging Internet standards such as TLS Encrypted Client Hello and Oblivious DNS-over-HTTPS, with interoperable implementations available in libraries like OpenSSL, BoringSSL, NSS, and CIRCL. HPKE's generic construction allows it to adapt to a wide variety of application requirements, making it an essential part of the future of internet security protocols.
Feb 24, 2022 2,440 words in the original blog post.
In this paper, we present an overview of our work on formally verifying the security properties of KEMTLS, a post-quantum secure key exchange protocol that is being proposed for standardization by the Internet Engineering Task Force (IETF). We describe how we modeled the KEMTLS protocol in Tamarin, a symbolic model checker. We then present some of the challenges we faced while performing this verification work and discuss our strategies for overcoming them. Finally, we provide an overview of our proof that KEMTLS achieves its security goals. Reference(s): [1] "Why does cryptographic software fail?: a case study and open problems" by David Lazar, Haogang Chen, Xi Wang and Nickolai Zeldovich [2] "SoK: Computer-Aided Cryptography" by Manuel Barbosa, Gilles Barthe, Karthik Bhargavan, Bruno Blanchet, Cas Cremers, Kevin Liao and Bryan Parno [3] "Post-quantum TLS without handshake signatures" by Peter Schwabe and Douglas Stebila and Thom Wiggers [4] "A comprehensive symbolic analysis of TLS 1.3." by Cas Cremers, Marko Horvat, Jonathan Hoyland, Sam Scott, and Thyla van der Merwe [5] "A Logic of Authentication" by Michael Burrows, Martin Abadi, and Roger M. Needham
Feb 24, 2022 5,847 words in the original blog post.
Cryptographic code is essential for secure communication in various applications, but ensuring its correctness and security can be challenging. Formal verification techniques are used to prove that a piece of code correctly implements a specification. In this blog post, the authors discuss formal verification tools such as EasyCrypt and Jasmin, which help verify cryptographic implementations. They also emphasize the importance of formal verification for post-quantum cryptography, as deploying algorithms with flaws in their security properties could have severe consequences. The authors are working towards a formally verified implementation of FrodoKEM and collaborating to create a library that can be used in real-world connections.
Feb 24, 2022 3,630 words in the original blog post.
Cloudflare has agreed to acquire Area 1 Security, a company that specializes in cloud-native technology to protect businesses from email-based security threats. The integration of Area 1's technology with Cloudflare's global network will provide customers with the most comprehensive Zero Trust security platform available. Email remains an important and vulnerable vector for cyber threats against businesses and individuals, despite advancements in spam protection and cloud-based email. Existing email security solutions often fail to adequately protect users from phishing attacks and other advanced threats. Cloudflare's acquisition of Area 1 Security aims to enhance its ability to secure customers by adding email security to its existing Zero Trust security platform, offering a seamless integration of multiple layers of security protection for businesses.
Feb 23, 2022 1,634 words in the original blog post.
On February 1, 2022, a configuration error on one of Cloudflare's routers caused a route leak of up to 2,000 Internet prefixes to an Internet transit provider. The leak lasted for 32 seconds and later 7 seconds but did not impact Cloudflare's network or customers. The company apologized for the mistake. The error occurred during a scheduled migration of one of their existing Internet transit links in Newark to a link with more capacity. Due to an oversight, no BGP filters were added to only export prefixes of Cloudflare and its customers. As a result, all known prefixes were sent to the ISP router, which shut down the session as the number of prefixes exceeded the maximum limit configured. The company has since introduced an implicit reject policy for BGP sessions to prevent such incidents in the future. They also emphasized the importance of protocols like RPKI and network automation to reduce the impact of route leaks, whether intentional or accidental.
Feb 23, 2022 1,579 words in the original blog post.
The blog discusses the transition of cryptographic protocols to post-quantum security in response to the potential threat posed by quantum computers. It delves into the challenges faced when upgrading TLS, a widely deployed protocol, to be resistant against quantum computing attacks. The focus is on the choice between fast and small cryptographic algorithms for key exchange and signature schemes. The blog also explores the possibility of using key exchange not just for confidentiality but also for authentication, which could lead to more efficient post-quantum TLS handshakes. It emphasizes that the transition to post-quantum cryptography might require a fresh look at the desired characteristics of protocols and their constraints.
Feb 23, 2022 2,094 words in the original blog post.
On February 22, 2022, Tonga was reconnected to the Internet after successful repairs to an undersea cable damaged by a volcanic eruption on January 14. The repair took 20 days and involved replacing a 92 km section of the 827 km submarine fiber optical cable connecting Tonga to Fiji and international networks. While people on the main island have access to the Internet, repairs for the domestic cable connecting the main island with outlying islands are expected to take six to nine months more. Undersea cables play a crucial role in global internet traffic, with 428 active submarine cables running around the globe.
Feb 22, 2022 627 words in the original blog post.
The text discusses the concept of authentication in both real life and digital scenarios. Authentication involves asserting or providing proof of an identity, which can be challenging due to the possibility of deception. In the story of Odysseus, he tricked Polyphemus by claiming his name was "Nobody," illustrating how easy it is to claim an identity but difficult to provide proof. In the digital world, authentication protocols like Transport Layer Security (TLS) use digitally signed statements of identity (certificates) to ensure secure communication between users and their bank providers. A key element in these protocols is the use of digital signatures, which are a demonstration of authorship for documents or messages sent through digital means. The text then delves into the construction of one particular post-quantum signature algorithm called CRYSTALS-Dilithium. Dilithium's mathematical core is based on the hardness of lattice and isogeny problems, which are crucial for maintaining security in a post-quantum world. The algorithm builds upon an identification scheme that consists of key generation, commitment, challenge, response, and verification algorithms. The Fiat–Shamir transformation is used to turn this interactive identification scheme into a non-interactive signature scheme, where one party can issue signatures and others can verify them using the public key. The text also mentions other digital signatures beyond Dilithium, such as Falcon and Rainbow, which are based on different mathematical problems. In conclusion, authentication is essential for ensuring secure communication in both real-life and digital scenarios. Post-quantum signature algorithms like CRYSTALS-Dilithium provide a solution to this challenge by offering cryptographic tools that can resist attacks from quantum computers.
Feb 22, 2022 2,700 words in the original blog post.
The text discusses key exchange algorithms, which are essential for secure communication over the internet. These algorithms enable two parties to exchange information without ever having to meet in advance. Key exchange algorithms are based on hard mathematical problems such as integer factorization and the discrete logarithm problem. However, these problems can be efficiently solved by a quantum computer, breaking the secrecy of the communication. The text introduces Key Encapsulation Mechanisms (KEMs) and explains how they work. It also discusses the use of KEMs in modern internet connections and presents an example of a post-quantum KEM called FrodoKEM. The security of FrodoKEM is based on the hardness of the Learning With Errors (LWE) problem over lattices. The text further explains how to build encryption from this mathematical base using Public Key Encryption (PKE) and Key Encapsulation Mechanisms (KEMs). It also mentions other KEMs beyond Frodo, such as Kyber, NTRU, Saber, and Classic McEliece.
Feb 22, 2022 3,341 words in the original blog post.
Quantum computing is a rapidly advancing field with significant implications for cryptography and secure connections. Unlike classical computers, which use bits (0 or 1), quantum computers utilize qubits that can exist in multiple states simultaneously due to superposition. This allows quantum computers to perform certain calculations much faster than their classical counterparts. However, they cannot solve undecidable problems nor disprove the Church-Turing thesis. Quantum computing has the potential to break most of today's cryptographic algorithms, posing a threat to privacy and security in digital communications. Fortunately, researchers are developing post-quantum cryptography algorithms that can resist quantum attacks. These new algorithms rely on mathematical problems such as lattice-based schemes, isogenies, multivariate cryptography, and code-based cryptography. The National Institute of Standards and Technology (NIST) has been running a post-quantum process since 2016 to standardize these new cryptographic algorithms. The current finalists include lattice-based schemes like Classic McEliece, CRYSTALS-KYBER, NTRU, and SABER, as well as multivariate cryptography scheme Rainbow and digital signature schemes CRYSTALS-DILITHIUM and FALCON. As quantum computing continues to advance, it is crucial for the development of secure post-quantum cryptographic algorithms to protect our communications and data from potential threats posed by quantum computers.
Feb 21, 2022 3,836 words in the original blog post.
Cloudflare is preparing for a post-quantum future by analyzing and categorizing the challenges that quantum computers pose to cryptography. The company has identified five "kingdoms" of challenges, including protocols, implementation, standardization, community, and research levels. These challenges range from implementing efficient algorithms to coordinating migration across different systems and communicating with end-users. Cloudflare is actively collaborating with standardization bodies and organizing workshops for experts on post-quantum cryptography. The company plans to conduct more tests in various network environments and architectures to better understand the integration of post-quantum algorithms into protocols and systems.
Feb 21, 2022 3,647 words in the original blog post.
During CIO week, the general availability of client-side security product Page Shield was announced. The product aims to protect websites' end users from client-side attacks that target vulnerable JavaScript dependencies in order to run malicious code in the victim's browser. One major threat is Magecart-style attacks, which involve compromising a website's scripts and exfiltrating sensitive user data to an attacker-controlled domain. Page Shield uses content security policies (CSP), static analysis, threat feeds, subresource integrity checks, and external connection checks to detect malicious scripts. The product currently leverages CSP reports, threat intelligence feeds, and ML-based static analysis for detection. Future developments will include expanding content-based risk scoring to cover other attack types like crypto-mining and adware.
Feb 18, 2022 1,312 words in the original blog post.
Cloudflare has open-sourced a production tooling called "tubular" that they developed for the sk_lookup hook, which is contributed to the Linux kernel. The software consists of an eBPF program and a larger user space component. Tubular allows users to change the addresses of a service on the fly and has been used in Cloudflare's Spectrum product and authoritative DNS services. It enables handling multiple services using the same port on different addresses, listening on all 2^16 ports, and managing state with eBPF maps. The source code for tubular is available at https://github.com/cloudflare/tubular.
Feb 17, 2022 2,974 words in the original blog post.
The Super Bowl had significant impact on internet traffic as viewers turned to food delivery services, social media, messaging apps, sports websites, and more during the game. Notably, the Coinbase QR code commercial generated a 14x increase in traffic to their website, while General Motors' Dr. Evil takeover ad drove traffic to a peak of over 400x above baseline. Additionally, Super Bowl advertisers experienced varying degrees of success in driving traffic to their websites, with some experiencing significant increases and others seeing more modest growth.
Feb 14, 2022 1,490 words in the original blog post.
On February 10, 2022, Cloudflare announced its acquisition of Vectrix, a cloud-access security broker (CASB) company focused on enhancing control and visibility in the use of SaaS applications and public cloud providers. The integration of Vectrix's technology into Cloudflare's Zero Trust product group aims to create a comprehensive solution that works better together than standalone products. This acquisition is part of Cloudflare's ongoing efforts to help businesses transition from traditional security models to more modern, flexible, and efficient solutions.
Feb 10, 2022 1,763 words in the original blog post.
Vectrix, a company that helps detect security issues across SaaS applications, has been acquired by Cloudflare. Vectrix focuses on both data and users in SaaS apps to alert IT and security teams about unauthorized user access, file exposure, misconfigurations, and shadow IT. The growing adoption of SaaS tools has led to new challenges for IT and security teams, such as files being made public or external users joining private chat channels. Cloudflare's API-driven CASB solution helps address these issues by scanning, detecting, and continuously monitoring security issues across organization-approved, IT-managed SaaS apps. The Vectrix team will be integrating its API-driven CASB functionality into the Cloudflare Zero Trust platform, which is set to launch later this year.
Feb 10, 2022 971 words in the original blog post.
Cloudflare has moved its Email Routing feature from closed beta to open beta, making it available for all zones in every Cloudflare account without a waitlist. Introduced during Cloudflare's Birthday Week in September 2021, the service allows users to create custom email addresses for their domains without managing multiple mailboxes. The transition to open beta follows increased adoption and feedback from users during the closed beta period. Some limitations still exist, such as not supporting Internationalized Domain Names (IDNs) and subdomains, but these are outlined in the documentation.
Feb 08, 2022 374 words in the original blog post.
Cole MacKenzie introduced Instant Logs, a new offering for Cloudflare's Enterprise customers. This tool enables real-time consumption and analysis of HTTP traffic logs. To get started with Instant Logs in the terminal, users need to install open-source tools like Websocat and Angle Grinder. Creating an Instant Logs session requires a POST request with necessary parameters such as zone tag/ID, authentication key or API token, fields, sample, filter, and kind. The response includes a unique WebSocket address for receiving messages directly from the network. Users can then connect to the WebSocket using Websocat and start receiving logs in line-delimited JSON format. Instant Logs allows users to specify fields, choose a sample rate, and define filters based on their requirements. Angle Grinder is a useful tool for slicing and dicing logs, enabling powerful insights into HTTP traffic.
Feb 07, 2022 781 words in the original blog post.
The io_uring API is designed to provide a more efficient way for applications to handle I/O operations by allowing them to submit multiple requests in one go and then wait for all of them to complete, rather than having to make separate system calls for each request. This can help reduce the overhead associated with making these system calls and improve overall application performance. One important aspect of using io_uring is managing the worker pool size, which determines how many threads will be created to handle the submitted I/O requests. In this article, we explored different methods for setting this limit: 1. Using the IORING_REGISTER_IOWQ_MAX_WORKERS command when registering an IO work queue (io_wq). 2. Setting the RLIMIT_NPROC resource limit using the prlimit utility or by modifying /etc/security/limits.conf file. 3. Limiting the number of tasks within a control group using cgroups. 4. Using multiple instances of io_uring in single-threaded and multi-threaded programs, which can lead to different worker pool sizes depending on how many threads are operating on each instance. 5. Considering NUMA architecture when configuring the worker pool size, as it may affect the number of workers per NUMA node. By understanding these methods and their implications, developers can better optimize their applications' use of io_uring to achieve maximum performance benefits.
Feb 04, 2022 4,150 words in the original blog post.
The Austrian Data Protection Authority has ruled that Google Analytics violates the EU General Data Protection Regulation (GDPR) due to potential data transfers to the US. This decision is causing concern among EU companies using Google Analytics and network engineers, as it may set a precedent for more sweeping actions from data regulators. The issue arises from the transfer of personal data to the US without proper handling, which could attract the attention of other European regulators. Cloudflare's Zaraz offers a solution by managing third-party tools and creating an extra layer of security and control over Personal Identifiable Information (PII), Protected Health Information (PHI), or other sensitive pieces of information that are often unintentionally passed to third-party vendors.
Feb 03, 2022 2,268 words in the original blog post.
Programmers often encounter invalid assumptions when using APIs or systems beyond their limits, leading to unexpected failures. One such case is the Linux networking stack, which can run out of ephemeral ports and become unable to establish any outgoing connections. This issue was experienced by Marek Majkowski while working with TCP and UDP connections. The root cause lies in the fact that each Linux connection consumes a local port (ephemeral port), which limits the total connection count based on the size of the ephemeral port range. The default range contains more than 28,000 ports, but this doesn't mean we can have at most 28,000 outgoing connections. To avoid such issues, programmers should be aware of how to allow source port reuse and prevent having the ephemeral-port-range limit imposed. This can be achieved by using an userspace connectx() function, which is a better way of creating outgoing TCP and UDP connections on Linux. The implementation involves various techniques such as manual source IP and port discovery, REUSEADDR locking dance, and undocumented behavior of the Linux operating system. In summary, understanding the limitations of APIs and systems can help programmers avoid unexpected failures and improve their code's performance and reliability.
Feb 02, 2022 3,310 words in the original blog post.
Cloudflare has launched its public bug bounty program, hosted on HackerOne's platform. The company started with a vulnerability disclosure policy in 2014 and added a private bounty program in 2018. Through these initiatives, they have paid out $211,512 in bounties to researchers. The public bug bounty program aims to improve the signal-to-noise ratio of reports by providing more detailed information about Cloudflare's products and services. They also plan to add more documentation, testing platforms, and a way for researchers to interact with their security teams.
Feb 01, 2022 1,650 words in the original blog post.