Introducing Certificate Transparency and Nimbus
March 23, 2018 2:45 PM
Certificate Transparency (CT) is an ambitious project to help improve security online by bringing accountability to the system that protects HTTPS. ...
Deprecating TLS 1.0 and 1.1 on api.cloudflare.com
March 12, 2018 4:00 PM
On June 4, Cloudflare will end support for TLS 1.0 and 1.1 on api.cloudflare.com. The dashboard will shift from www.cloudflare.com/a to dash.cloudflare.com, requiring a browser with TLS 1.2 or higher....
The real cause of large DDoS - IP Spoofing
March 06, 2018 3:46 PM
A week ago we published a story about new amplification attacks using memcached protocol on UDP port 11211. A few things happened since then: Github announced it was a target of 1.3Tbps memcached attack. OVH and Arbor reported similar large attacks with the peak reported at 1.7Tbps. ...
Using Cloudflare Workers to identify pwned passwords
February 26, 2018 12:04 PM
Last week Troy Hunt launched his Pwned Password v2 service which has an API handled and cached by Cloudflare using a clever anonymity scheme. The following simple code can check if a password exists in Troy's database without sending the password to Troy....
Validating Leaked Passwords with k-Anonymity
February 21, 2018 7:00 PM
Today, v2 of Pwned Passwords was released as part of the Have I Been Pwned service offered by Troy Hunt. Containing over half a billion real world leaked passwords, this database provides a vital tool for correcting the course of how the industry combats modern threats against password security....
MORE POSTS
February 21, 2018 7:00 PM
How Developers got Password Security so Wrong
Both in our real lives, and online, there are times where we need to authenticate ourselves - where we need to confirm we are who we say we are. This can be done using three things....
- By
February 16, 2018 10:30 PM
Keeping our users safe
To everyone in Cloudflare, account security is one of our most important tasks. We recognize that to every customer on our platform, we are critical infrastructure. We also know that the simplest attacks often lead to the most devastating of outcomes. ...
- By
February 14, 2018 8:00 PM
HTTPS or bust: Chrome’s plan to label sites as "Not Secure"
Google just announced that beginning in July 2018, with the release of Chrome 68, web pages loaded without HTTPS will be marked as “not secure”. More than half of web visitors will soon see this warning when visiting unencrypted HTTP sites....
- By
January 19, 2018 5:38 PM
Web Cache Deception Attack revisited
In April, we wrote about Web Cache Deception attacks, and how our customers can avoid them using origin configuration. Since our previous blog post, we have looked for but have not seen any large scale attacks like this in the wild....
- By
January 18, 2018 3:58 PM
Deprecating SPDY
Participating in the Internet democracy occasionally means that technologies that were once popular lose their utility as newer technologies emerge. SPDY is one such technology. As a result, we're announcing our intention to deprecate the use of SPDY for connections made to Clou...
- By
January 17, 2018 2:00 PM
Introducing Cloudflare Access: Like BeyondCorp, But You Don’t Have To Be A Google Employee To Use It
Tell me if this sounds familiar: any connection from inside the corporate network is trusted and any connection from the outside is not. This is the security strategy used by most enterprises today. The problem is that security is breached, the attacker has access to everything....
- By
January 08, 2018 6:57 PM
An Explanation of the Meltdown/Spectre Bugs for a Non-Technical Audience
Last week the news of two significant computer bugs was announced. They've been dubbed Meltdown and Spectre and they take advantage of very technical systems that modern CPUs have implemented to make computers extremely fast. ...
- By
December 28, 2017 6:22 PM
How "expensive" is crypto anyway?
I wouldn’t be surprised if the title of this post attracts some Bitcoin aficionados, but if you are such, I want to disappoint you. For me crypto means cryptography, not cybermoney, and the price we pay for it is measured in CPU cycles, not USD....
- By
December 26, 2017 8:30 PM
Why TLS 1.3 isn't in browsers yet
Upgrading a security protocol in an ecosystem as complex as the Internet is difficult. You need to update clients and servers and make sure everything in between continues to work correctly. The Internet is in the middle of such an upgrade right now. ...
- By
December 26, 2017 4:53 PM
Concise (Post-Christmas) Cryptography Challenges
It's the day after Christmas; or, depending on your geography, Boxing Day. With the festivities over, you may still find yourself stuck at home and somewhat bored. ...
- By
December 25, 2017 3:32 PM
Simple Cyber Security Tips (for your Parents)
Today, December 25th, Cloudflare offices around the world are taking a break. From San Francisco to London and Singapore; engineers have retreated home for the holidays (albeit with those engineers on-call closely monitoring their mobile phones)....
- By
December 24, 2017 4:57 PM
TLS 1.3 is going to save us all, and other reasons why IoT is still insecure
As I’m writing this, four DDoS attacks are ongoing and being automatically mitigated by Gatebot. Cloudflare’s job is to get attacked. Our network gets attacked constantly....
- By
December 21, 2017 2:01 PM
2018 and the Internet: our predictions
At the end of 2016, I wrote a blog post with seven predictions for 2017. Let’s start by reviewing how I did. I’ll score myself with two points for being correct, one point for mostly right and zero for wrong. That’ll give me a maximum possible score of fourteen. Here goes......
- By
December 14, 2017 7:41 PM
Inside the infamous Mirai IoT Botnet: A Retrospective Analysis
This post offers a retrospective on Mirai, the infamous IoT botnet that disrupted major websites with massive DDoS attacks, leveraging hundreds of thousands of compromised Internet-of-Things devices....
- By
December 11, 2017 2:00 PM
The end of the road for Server: cloudflare-nginx
Six years ago when I joined Cloudflare the company had a capital F, about 20 employees, and a software stack that was mostly NGINX, PHP and PowerDNS (there was even a little Apache). ...
- By