Deprecating the DNS ANY meta-query type

Published on by Marek Majkowski.

DNS, one of the oldest technologies running the Internet, keeps evolving. There is a constant stream of new developments, from DNSSEC, through DNS-over-TLS, to a plentiful supply of fresh EDNS extensions. New DNS Resource Record types are being added all the time. As the Internet evolves, new RRs gain traction while the usage of some old record types decreases.…

Our new 31st data center: Düsseldorf

Published on by Joshua Motta.

Hallo Düsseldorf. Nestled in the center of the Lower Rhine basin lies the bustling city of Düsseldorf, capital of Germany’s most populous state, North Rhine-Westphalia. Given its status as an international business and telecommunications hub, and serving a population larger than that of the Netherlands, our data center in Düsseldorf is an important addition to our European network. This means not only better performance in Germany and Northern Europe,…

No upgrade needed: CloudFlare sites already protected from FREAK

Published on by John Graham-Cumming.

The newly announced FREAK vulnerability is not a concern for CloudFlare's SSL customers. We do not support 'export grade' cryptography (which, by its nature, is weak) and we upgraded to the non-vulnerable version of OpenSSL the day it was released in early January. Our OpenSSL configuration is freely available on our GitHub account here, as are our patches to OpenSSL…

Protecting web origins with Authenticated Origin Pulls

Published on by Rajeev Sharma.

As we have been discussing this week, securing the connection between CloudFlare and the origin server is arguably just as important as securing the connection between end users and CloudFlare. The origin certificate authority we announced this week will help CloudFlare verify that it is talking to the correct origin server. But what about verification in the opposite direction? How can the origin verify that the client talking…

Thoughts on Network Neutrality, the FCC, and the Future of Internet Governance

Published on by Matthew Prince.

Today the United States Federal Communications Commission (FCC) voted to extend the rules that previously regulated the telephone industry to now regulate Internet Service Providers (ISPs). The Commission did this in order to preserve the principle of network neutrality. Broadly stated, this principle is that networks should not discriminate against content that passes through them. At CloudFlare, we are strong proponents of network neutrality. My co-founder, Michelle Zatlyn,…

Enforce Web Policy with HTTP Strict Transport Security (HSTS)

Published on by Ryan Lackey.

HTTP Strict Transport Security (HSTS, RFC 6797) is a web security policy technology designed to help secure HTTPS web servers against downgrade attacks. HSTS is a powerful technology which is not yet widely adopted. CloudFlare aims to change this. Downgrade attacks (also known as SSL stripping attacks) are a serious threat to web applications. This type of attack is a form of man-in-the-middle attack in which an attacker…