Protecting web origins with Authenticated Origin Pulls

Published on by Rajeev Sharma.

As we have been discussing this week, securing the connection between CloudFlare and the origin server is arguably just as important as securing the connection between end users and CloudFlare. The origin certificate authority we announced this week will help CloudFlare verify that it is talking to the correct origin server. But what about verification in the opposite direction? How can the origin verify that the client talking…

Thoughts on Network Neutrality, the FCC, and the Future of Internet Governance

Published on by Matthew Prince.

Today the United States Federal Communications Commission (FCC) voted to extend the rules that previously regulated the telephone industry to now regulate Internet Service Providers (ISPs). The Commission did this in order to preserve the principle of network neutrality. Broadly stated, this principle is that networks should not discriminate against content that passes through them. At CloudFlare, we are strong proponents of network neutrality. My co-founder, Michelle Zatlyn,…

Enforce Web Policy with HTTP Strict Transport Security (HSTS)

Published on by Ryan Lackey.

HTTP Strict Transport Security (HSTS, RFC 6797) is a web security policy technology designed to help secure HTTPS web servers against downgrade attacks. HSTS is a powerful technology which is not yet widely adopted. CloudFlare aims to change this. Downgrade attacks (also known as SSL stripping attacks) are a serious threat to web applications. This type of attack is a form of man-in-the-middle attack in which an attacker…

Universal SSL: Encryption all the way to the origin, for free

Published on by Nick Sullivan.

Last September, CloudFlare unveiled Universal SSL, enabling HTTPS support for all sites by default. All sites using CloudFlare now support strong cryptography from the browser to CloudFlare’s servers. One of the most popular requests for Universal SSL was to make it easier to encrypt the other half of the connection: from CloudFlare to the origin server. Until today, encryption from CloudFlare to the origin required the purchase…

TLS Session Resumption: Full-speed and Secure

Published on by Zi Lin.

At CloudFlare, making web sites faster and safer at scale is always a driving force for innovation. We introduced “Universal SSL” to dramatically increase the size of the encrypted web. In order for that to happen we knew we needed to efficiently handle large volumes of HTTPS traffic, and give end users the fastest possible performance. In this article, I’…

Do the ChaCha: better mobile performance with cryptography

Published on by Nick Sullivan.

CloudFlare is always trying to improve customer experience by adopting the latest and best web technologies so that our customers (and their visitors) have a fast and secure web browsing experience. More and more web sites are now using HTTPS by default. This sea change has been spearheaded by many groups including CloudFlare enabling free SSL for millions…