Incident report on memory leak caused by Cloudflare parser bug

Published on by John Graham-Cumming.

Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare. It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as…

LuaJIT Hacking: Getting next() out of the NYI list

Published on by Javier Guerra.

At Cloudflare we’re heavy users of LuaJIT and in the past have sponsored many improvements to its performance. LuaJIT is a powerful piece of software, maybe the highest performing JIT in the industry. But it’s not always easy to get the most out of it, and sometimes a small change in one part of your code can negatively impact other, already optimized, parts. One of the…

You can now use Google Authenticator and any TOTP app for Two-Factor Authentication

Published on by Evan Johnson.

Since the very beginning, Cloudflare has offered two-factor authentication with Authy, and starting today we are expanding your options to keep your account safe with Google Authenticator and any Time-based One Time Password (TOTP) app of your choice. If you want to get started right away, visit your account settings. Setting up Two-Factor with Google Authenticator or with any TOTP app is easy - just use the app…

Discovering Great Talent with Path Forward

Published on by Janet Van Huysse.

From left to right, Gloria Mancu, Janet Van Huysse, and Wanda Chiu.

In the fall of 2016, I was just beginning my job search. I’d been lucky to lead HR at a number of great cutting-edge technology start-ups, and I was looking for my next adventure. I wanted to find a company that wasn’t just a great business--I wanted one that was also making a positive…

NCC Group's Cryptography Services audits our Go TLS 1.3 stack

Published on by Filippo Valsorda.

The Cloudflare TLS 1.3 beta is run by a Go implementation of the protocol based on the Go standard library, crypto/tls. Starting from that excellent Go codebase allowed us to quickly start experimenting, to be the first wide server deployment of the protocol, and to effectively track the changes to the specification draft. Of course, the security of a TLS implementation is critical, so we engaged…