Cloudflare’s mission is to help build a better Internet. One of the tools used in pursuit of this goal is computer science research. We’ve learned that some of the difficult problems to solve are best approached through research and experimentation to understand the solution before engineering it at scale. This research-focused approach to solving the big problems of the Internet is exemplified by the work of the Cryptography Research team, which leverages research to help build a safer, more secure and more performant Internet. Over the years, the team has worked on more than just cryptography, so we’re taking the model we’ve developed and expanding the scope of the team to include more areas of computer science research. Cryptography Research at Cloudflare is now Cloudflare Research. I am excited to share some of the insights we’ve learned over the years in this blog post.
Cloudflare’s research model
|Team structure||Hybrid approach. We have a program that allows research engineers to be embedded into product and operations teams for temporary assignments. This gives people direct exposure to practical problems.|
|Problem philosophy||Impact-focused. We use our expertise and the expertise of partners in industry and academia to select projects that have the potential to make a big impact, and for which existing solutions are insufficient or not yet popularized.|
|Promoting solutions||Open collaboration. Popularizing winning ideas through public outreach, working with industry partners to promote standardization, and implementing ideas at scale to show they’re effective.|
The hybrid approach to research
“Super-ambitious goals tend to be unifying and energizing to people; but only if they believe there's a chance of success.” - Peter Diamandis
Given the scale and reach of Cloudflare, research problems (and opportunities) present themselves all the time. Our approach to research is a practical one. We choose to tackle projects that have the potential to make a big impact, and for which existing solutions are insufficient. This stems from a belief that the interconnected systems that make up the Internet can be changed and improved in a fundamental way. While some research problems are solvable in a few months, some may take years. We don’t shy away from long-term projects, but the Internet moves fast, so it’s important to break down long-term projects into smaller, independently-valuable pieces in order to continually provide value while pursuing a bigger vision.
Successful technological innovation is not purely about technical accomplishments. New creations need the social and political scaffolding to support it while being built, and the momentum and support to gain popularity. We are better able to innovate if grounded in a deep understanding of the current day-to-day. To stay grounded, our research team members spend part of their time solving practical problems that affect Cloudflare and our customers right now.
Cloudflare employs a hybrid research model similar to the model pioneered by Google. Innovation can come from everywhere in a company, so teams are encouraged to find the right balance between research and engineering activities. The research team works with the same tools, systems, and constraints as the rest of the engineering organization.
Research engineers are expected to write production-quality code and contribute to engineering activities. This enables researchers to leverage the rich data provided by Cloudflare’s production environment for experiments. To further break down silos, we have a program that allows research engineers to be embedded into product and operations teams for temporary assignments. This gives people direct exposure to practical problems.
Continuing a successful tradition (our tradition)
“Skate to where the puck is going, not where it has been.” - Wayne Gretzky
The output of the research team is both new knowledge and technology that can lead to innovative products. Research works hand-in-hand with both product and engineering to help drive long-term positive outcomes for both Cloudflare and the Internet at large.
An example of a long-term project that requires both research and engineering is helping the Internet migrate from insecure to secure network protocols. To tackle the problem, we pursued several smaller projects with discrete and measurable outcomes. This included:
- Building designs and supporting systems to enable Cloudflare SSL certificates to scale to all free customers
- Open sourcing software that helped Let’s Encrypt do the same
- Measuring the prevalence of middleboxes harmful to security
- Helping design and deploy TLS 1.3
- Supporting accountability in the PKI with Certificate Transparency
- Promoting secure time synchronization via NTS and Roughtime
- Encrypting DNS with DoH and DoT
and many other smaller projects. Each step along the way contributed something concrete to help make the Internet more secure.
This year’s Crypto Week is a great example of the type of impact an effective hybrid research organization can make. Every day that week, a new announcement was made that helped take research results and realize their practical impact. From the League of Entropy, which is based on fundamental work by researchers at EPFL, to Cloudflare Time Services, which helps address time security issues raised in papers by former Cloudflare intern Aanchal Malhotra, to our own (currently running) post-quantum experiment with Google Chrome, engineers at Cloudflare combined research with building large-scale production systems to help solve some unsolved problems on the Internet.
Open collaboration, open standards, and open source
“We reject kings, presidents and voting. We believe in rough consensus and running code.” - Dave Clark
Effective research requires:
- Choosing interesting problems to solve
- Popularizing the ideas discovered while studying the solution space
- Implementing the ideas at scale to show they’re effective
Cloudflare’s massive popularity puts us in a very privileged position. We can research, implement and deploy experiments at a scale that simply can’t be done by most organizations. This makes Cloudflare an attractive research partner for universities and other research institutions who have domain knowledge but not data. We rely on our own expertise along with that of peers in both academia and industry to decide which problems to tackle in order to achieve common goals and make new scientific progress. Our middlebox detection project, proposed by researchers at the University of Michigan, is an example of such a problem.
We’re not purists who are only interested in pursuing our own ideas. Some interesting problems have already been solved, but the solution isn’t widely known or implemented. In this situation, we contribute our efforts to help elevate the best ideas and make them available to the public in an accessible way. Our early work popularizing elliptic curves on the Internet is such an example.
Popularizing an idea and implementing the idea at scale are two different things. Along with popularizing winning ideas, we want to ensure these ideas stick and provide benefits to Internet users. To promote the widespread deployment of useful ideas, we work on standards and deploy newly emerging standards early on. Doing so helps the industry easily adopt innovations and supports interoperability. For example, the work done for Crypto Week 2019 has helped the development of international technical standards. Aspects of the League of Entropy are now being standardized at the CFRG, Roughtime is now being considered for adoption as an IETF standard, and we are presenting our post-quantum results as part of NIST’s post-quantum cryptography standardization effort.
Open source software is another key aspect of scaling the implementation of an idea. We open source associated code whenever possible. The research team collaborates with the wider research world as well as internally with other teams at Cloudflare.
Focus areas going forward
Doing research, sharing it in an accessible way, working with top experts to validate it, and working on standardization has several benefits. It provides an opportunity to educate the public, further scientific understanding, and improve the state of the art; but it’s also a great way to attract candidates. Great engineers want to work on interesting projects and great researchers want to see their work have an impact. This hybrid research approach is attractive to both types of candidates.
Computer science is a vast arena, so the areas we’re currently focusing on are:
- Security and privacy
- Internet measurement
- Low-level networking and operating systems
- Emerging networking paradigms
Here are some highlights of publications we’ve co-authored over the last few years in these areas. We’ll be building on this tradition going forward.
- Attacking White-Box AES Constructions. Created during investigations into protecting keys in untrusted locations.
- Privacy Pass. Arose from discussions around reducing CAPTCHA friction without reducing site protection.
- Is the Web Ready for OCSP Must-Staple? Arose during the development of high-availability OCSP stapling.
- Protocols for Checking Compromised Credentials. Work that came out of collaborations with Have I Been Pwned.
- The Security Impact of HTTPS Interception. Came about when exploring the end-to-end security of customer connections and discussing with researchers interested in the same topic. Resulted in MALCOLM.
- In search of CurveSwap: Measuring elliptic curve implementations in the wild. New attack devised when analyzing TLS 1.2 vulnerabilities.
- Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate. Partly motivated by the difficulty of running Nimbus.
And by the way, we’re hiring!
If none of these fit you perfectly, but you still want to reach out, send us an email at: [email protected].