One More Thing: Keyless SSL and CloudFlare's Growing Network

I wanted to write one more thing about Keyless SSL, our announcement from last week, before attention shifts to what we'll be announcing on Monday. Keyless allows us to provide CloudFlare's service without having private SSL keys stored locally on our edge servers. The news last week focused on how this could allow very large customers, like major financial institutions, to use CloudFlare without trusting us with their private keys.

But there's another use that will benefit the entire CloudFlare userbase, not just our largest enterprise customers, and it's this: Keyless SSL is a key part of our strategy to continue to expand CloudFlare's global network.

CloudFlare's Global Network Today

CloudFlare's network today consists of 28 edge data centers that span much of the globe. We have technical and security requirements for these facilities in order to ensure that the equipment they house remains secure. Generally, we're in Tier III or IV data center facilities with the highest level of security. In our San Jose facility, for instance, you have to pass through 5 biometric scans, in addition to multiple 24x7 manned guard check points, before you can get to the electronically locked cabinets housing our servers.

There are only about 30 locations around the world where a large number of networks come together in a building that meets these security requirements. In other words, we have largely run out of places that it makes sense for us to add a new location where we are confident enough in the facility's security to store sensitive information like customers' private keys.

Bigger Network, New Challenges

With most of CloudFlare's rival services, even those that have a seemingly larger network footprint, the minute you ask them to enable SSL the size of the network shrinks to something that resembles our network today. That's because they too don't feel comfortable storing customers' private keys in many of their edge nodes. And that's why most legacy CDN providers charge such such an enormous premium the minute you ask them to support SSL.

But it makes sense to continue to grow our network. As we do, not only can we provide faster performance, but we can further isolate and mitigate large scale attacks. The way we think about it at CloudFlare is that, ultimately, we want to have equipment running in every cell phone tower base station. In order to do that, we need to ensure that we can do so securely. There are many requirements to pull that off, but one of them is ensuring that our customers' most sensitive data is never stored anywhere without the highest security standards. That's where Keyless SSL comes in.

Securely Extending CloudFlare's Edge

The map above shows all the locations where CloudFlare is actively working to turn up data centers over the next 12 months. As we expand into some of the more distant corners of the Internet, Keyless SSL allows us to offer our full range of services without needing to store customers' SSL in facilities that don't meet the highest security standards.

Beyond technical concerns, different regions of the world have different geo-political concerns. For instance, European customers may not trust their keys being stored in the United States, American customers may not trust their keys being stored in China, and Chinese customers may not trust their keys being stored in Europe. Keyless will allow us to honor those geopolitical concerns on a customer by customer basis, either ourselves or in partnership with trusted third parties who can serve as key storage agents.

There are, of course, a number of other technical challenges to ensuring that a server in a potentially hostile environment can be secured and trusted. The good news is many of you reading this are holding in your hand a modern example of computing platform that has been locked down tightly to only run authorized software: your smart phone. We have been putting the pieces together to offer a global secure network including hiring cryptographers out of Apple, acquiring companies like CryptoSeal, and talking about best practices for keeping secrets safe in unsafe environments (PDF link) — it all has to do with continuing to securely expand CloudFlare's global network.

So, on the eve of a big announcement that may or may not have something to do with massively expanding the encrypted web, know that we're also leveraging technologies like Keyless SSL in order to securely expand the size of our network to better serve all our customers, not just the big enterprises that increasingly are trusting us to protect and accelerate their networks.