Home / Companies / Cloudflare / Blog / October 2022

October 2022 Summaries

19 posts from Cloudflare

Filter
Month: Year:
Post Summaries Back to Blog
Privacy Gateway is a service that relays encrypted HTTP requests and responses between a client and application server, improving end-user privacy by preventing the server from seeing sensitive information like IP addresses and TLS fingerprints. It is based on Oblivious HTTP (OHTTP), an emerging IETF standard built upon standard hybrid public-key cryptography. Deployed for Flo Health Inc., Privacy Gateway encrypts all request data, preventing the application server from seeing users' IP addresses and Cloudflare from seeing the contents of that request data. It enables applications to collect user telemetry in a privacy-respecting manner and allows users to visit healthcare sites without worrying about their IP address being tracked.
Oct 27, 2022 2,133 words in the original blog post.
The text discusses a formal security analysis conducted on Oblivious HTTP (OHTTP), a protocol that decouples who from what was sent in an HTTP request or response by using public key encryption and a proxy. The goal of the analysis is to ensure that the protocol meets its privacy goals, which include separating client identifying information from requests and preventing linking between future requests from the same client. The text delves into the design of OHTTP, its simplified model, and the use of Tamarin for formal analysis. It also explains how the attacker's capabilities are modeled in the context of this protocol. Finally, it outlines the security properties that were proven using the Tamarin prover, such as gateway authentication, request and response secrecy, relay connection security, AEAD nonce reuse resistance, and client unlinkability.
Oct 27, 2022 3,429 words in the original blog post.
On October 25, 2022, a change to Cloudflare's Tiered Cache system caused some requests to fail with status code 530 for users. The issue lasted for almost six hours and affected about 5% of all requests at peak. The failures were due to side effects of how the company handles cacheable requests across locations. After identifying the problem, a rollback was expedited which completed in 87 minutes. Cloudflare apologized for the inconvenience caused and is taking steps to prevent such incidents from happening again.
Oct 26, 2022 1,219 words in the original blog post.
Cloudflare's Email Routing has been a popular feature since its launch in 2021 and now processes email traffic for over 550,000 inboxes daily. The service has expanded with new features such as IPv6 egress support, improved observability through analytics and detailed logs, integration with audit logs, anti-spam techniques using reputation databases, IDN support, and 8-bit MIME transport. Route to Workers is nearing completion, allowing users to programmatically process emails and use them as triggers for other actions. Cloudflare continues to improve email services by adding support for emerging protocols and extensions like ARC and EAI.
Oct 25, 2022 1,956 words in the original blog post.
Cloudflare Pages now supports deploying Next.js applications that opt in to the Edge Runtime. This marks the fourth full-stack web framework officially supported by the platform. The adoption of open standards, such as Next.js' Edge Runtime, allows developers to run their business without fearing significant vendor lock-in. Deploying Next.js apps on Cloudflare Pages requires using the @cloudflare/next-on-pages CLI and setting specific compatibility flags in the project settings. The platform is working towards general availability with features like analytics, logging, billing, and Wasm support for full-stack applications.
Oct 24, 2022 1,662 words in the original blog post.
Cloudflare has introduced a new feature called Connection Monitor, which is an addition to its Page Shield client-side security solution. This tool helps website administrators detect malicious outbound connections made by third-party JavaScript code on their sites. By monitoring these connections, administrators can ensure that only appropriate third parties are receiving sensitive data from site visitors. The Connection Monitor complements the existing Script Monitor feature of Page Shield, which focuses on analyzing JavaScript code to find malicious signals. Together, they provide a comprehensive security solution for websites using third-party JavaScript libraries.
Oct 21, 2022 1,020 words in the original blog post.
Researchers have developed a fragments architecture to build micro-frontends using Cloudflare Workers. This approach is designed to help developers create better web applications by enabling teams to develop and deploy their features independently of other teams, resulting in faster development and deployment times. The architecture relies on the distributed, low latency properties provided by Cloudflare Workers, which allows for server-side rendering of micro-frontends from anywhere on its global network. This results in a high-performance solution that is both cost-effective and scalable to the needs of large enterprise teams without compromising release velocity or user experience.
Oct 20, 2022 2,599 words in the original blog post.
On October 19, 2022, David Tuber announced updates to the Cloudflare Peering Portal. The portal allows network operators to identify the best places for interconnection with Cloudflare and has been made even easier by removing Cloudflare-specific logins and allowing users to request sessions directly in the portal. Peering is important as it distributes traffic across multiple networks, reduces bandwidth prices, and improves performance by reducing network hops. The updated portal now supports PeeringDB login, making it simpler for users to initiate peering sessions with Cloudflare at Internet Exchanges.
Oct 19, 2022 1,706 words in the original blog post.
During the third quarter of 2022, Cloudflare observed various internet disruptions across multiple regions due to government-directed shutdowns, natural disasters, power outages, and technical problems. These incidents impacted countries such as Iraq, Cuba, Afghanistan, Sierra Leone, Somaliland, India, Iran, Papua New Guinea, Mexico, Puerto Rico, Turks and Caicos islands, Nova Scotia, Florida, Venezuela, Oman, Ukraine, and Chad. The disruptions were caused by factors like exam cheating prevention, anti-government protests, natural calamities, power outages, sabotage of sub-sea cables, and technical issues. Cloudflare's Radar Outage Center provides information on these historical disruptions and is also accessible through an API for integration into other tools and applications.
Oct 18, 2022 2,745 words in the original blog post.
The third quarter of 2022 saw a significant increase in Distributed Denial of Service (DDoS) attacks compared to last year. Multi-terabit strong DDoS attacks have become more frequent, with Cloudflare automatically detecting and mitigating multiple attacks exceeding 1 Tbps. The largest attack was a 2.5 Tbps DDoS attack launched by a Mirai botnet variant targeting the Minecraft server Wynncraft. Overall, there has been an increase in application-layer DDoS attacks, with HTTP DDoS attacks increasing by 111% year-over-year (YoY) and decreasing by 10% quarter-over-quarter (QoQ). Additionally, network-layer DDoS attacks increased by 97% YoY and 24% QoQ. The gaming/gambling industry was the most targeted by L3/4 DDoS attacks, including a massive 2.5 Tbps attack. Ransom DDoS attacks also saw an increase of 67% YoY and 15% QoQ.
Oct 12, 2022 2,695 words in the original blog post.
In this post, we discussed the implementation of BPF tails calls on ARM64 architecture. We started by explaining what a BPF tail call is and how it works in general. Then, we dived into the details of the BPF JIT compiler for ARM64, specifically focusing on the prologue and epilogue code that gets emitted when compiling BPF programs. We discovered that there was an issue with mixing BPF tail calls and function calls on ARM64, which could potentially allow users to create program chains longer than the MAX_TAIL_CALL_CNT limit. To fix this problem, we made a small tweak to the BPF JIT compiler code by adding a check for whether the current BPF program is the main one or not before initializing the tail call count register. Finally, we tested our changes using GDB and observed how a BPF program calls into a BPF function, and from there tail calls to another BPF program. The feature will be enabled in the upcoming Linux 6.0 release.
Oct 10, 2022 5,162 words in the original blog post.
The text discusses the integration of "Early Hints" with Pages, which is designed to improve website performance by allowing browsers to start loading critical resources before receiving a full HTML response. This feature has been generally available since Chrome version 103 and can be used on websites hosted on Cloudflare Pages. The text also provides an example of how Early Hints works in practice, demonstrating significant improvements in key performance metrics such as the largest contentful paint (LCP). Additionally, it explains how to enable Early Hints for custom domains and mentions future plans to support Smart Early Hints.
Oct 07, 2022 1,121 words in the original blog post.
Today, Cloudflare announced Total TLS, a one-click feature that automatically issues individual TLS certificates for every subdomain in customers' domains. This new feature enhances security by keeping all traffic bound to subdomains encrypted and eliminates the need for customers to worry about insecure connection errors. With Total TLS, Cloudflare aims to provide an easy, customizable, and scalable solution for managing TLS certificates across various subdomains. The feature is now available as part of Advanced Certificate Manager for domains using Cloudflare as their authoritative DNS provider.
Oct 06, 2022 806 words in the original blog post.
Cloudflare is hosting a series of Zero Trust Roadshows in North American cities to help businesses tackle security modernization one step at a time. The events will feature discussions on how to break the Zero Trust roadmap into manageable pieces, focusing on augmenting or replacing VPNs, streamlining SaaS security, and strengthening threat and data protection. These in-person discussions aim to provide guidance for organizations unsure of how to start their Zero Trust adoption journey.
Oct 05, 2022 266 words in the original blog post.
Consumer hardware is pushing the limits of consumer bandwidth as VR headsets support 5760 x 3840 resolution and nearly all new TVs and smartphones sold today support 4K. However, consumer internet bandwidth hasn't kept up with these advancements, leading to buffering issues for users streaming video content. To address this issue, Cloudflare Stream now supports the AV1 codec for live videos and their recordings in open beta. AV1 is an open and royalty-free video codec that uses 46% less bandwidth than H.264, the most commonly used video codec on the web today. The adoption of AV1 can help improve live video streaming experiences by reducing buffering and improving overall video quality.
Oct 05, 2022 1,876 words in the original blog post.
In 2014, Cloudflare introduced Universal SSL to encrypt internet connections by making SSL/TLS certificates free and easy to obtain. However, configuring an origin server with a certificate was complex and expensive at the time. To address this issue, Cloudflare provided guidance on how to configure and upload certificates for secure connections between Cloudflare and customers' origin servers. In 2015, they launched a beta Origin CA service offering free limited-function certificates to customer origin servers. In response to increased demand for documentation and configuration of origin-facing SSL/TLS communication, in 2016, Cloudflare announced the GA of origin certificate authority to provide cheap and easy origin certificates along with guidance on how to best configure backend security for any website. They also introduced features like authenticated origin pull and Cloudflare Tunnel to enhance backend security. Now, Cloudflare is taking another step forward by automatically managing the most secure connection possible between their customers' origin servers and themselves. This will reduce the configuration burden for origin-facing security and provide a zero-configuration option for how they communicate with origins. They will also open up all SSL/TLS modes to all plan levels, including Strict mode, which was previously reserved for enterprise customers only. To upgrade the origin-facing security of websites, Cloudflare uses their SSL/TLS Recommender tool to determine the highest security level an origin can use and then automatically upgrades it without breaking anything. They are also moving from per-zone SSL/TLS settings to per-origin SSL/TLS settings for more precise security settings. The rollout of these changes is expected to begin before the end of the year.
Oct 03, 2022 1,887 words in the original blog post.
Cloudflare has announced that it now supports post-quantum (PQ) cryptography on all its websites and APIs, making them secure against any future quantum computer. This comes after the US National Institute of Standards and Technology (NIST) announced in July 2022 which PQ cryptography they will standardize. The final standards are expected to be published in 2024. Cloudflare's beta service offers this post-quantum cryptography free of charge, believing that post-quantum security should be the new baseline for the Internet.
Oct 03, 2022 3,345 words in the original blog post.
The migration to post-quantum cryptography is expected to be a major theme in IT for the next decade. This shift will require hardware and software updates to ensure data protection against quantum computers, as any encrypted data captured today can potentially be broken by future quantum computers. Cloudflare Tunnel aims to simplify this transition with its Post-Quantum Cloudflare Tunnel feature, which allows users to benefit from post-quantum secure connections without upgrading their applications. The company has made significant progress in making post-quantum tunnels the default option, but there is still work to be done before it becomes a standard feature.
Oct 03, 2022 1,353 words in the original blog post.
In celebration of its 12th birthday, Cloudflare announced 36 new products and features during its "Birthday Week." These include the world's first Zero Trust SIM, a plan to replace Page Rules with four dedicated products, an invisible alternative to CAPTCHA called Turnstile, and support for post-quantum cryptography. Other notable announcements included enhancements to Cloudflare Workers, Stream, Radar, and partnerships with leading venture capital firms to provide up to $1.25 billion in funding for startups built on Cloudflare Workers.
Oct 03, 2022 1,287 words in the original blog post.