The Trouble with Tor

Published on by Matthew Prince.

The Tor Project makes a browser that allows anyone to surf the Internet anonymously. Tor stands for "the onion router" and that describes how the service works. Traffic is routed through a number of relays run across the Internet where each relay only knows the next hop (because each hop is enclosed in a cryptographic envelope), not the ultimate destination, until the traffic gets to the…

Going to IETF 95? Join the TLS 1.3 hackathon

Published on by Nick Sullivan.

If you’re in Buenos Aires on April 2-3 and are interested in building, come join the IETF Hackathon. CloudFlare and Mozilla will be working on TLS 1.3, the first new version of TLS in eight years! At the hackathon we’ll be focusing on implementing the latest draft of TLS 1.3 and testing interoperability between existing implementations written in C, Go, OCaml, JavaScript and F*…

TLS Certificate Optimization: The Technical Details behind "No Browser Left Behind"

Published on by Patrick R. Donahue.

Overview Back in early December we announced our "no browser left behind" initiative to the world. Since then, we have served well over 500 billion SHA-1 certificates to visitors that otherwise would not have been able to communicate securely with our customers’ sites using HTTPS. All the while, we’ve continued to present newer SHA-2 certificates to modern browsers using the latest in elliptic curve cryptography,…

A Deep Dive Into DNS Packet Sizes: Why Smaller Packet Sizes Keep The Internet Safe

Published on by Dani Grant.

CC BY 2.0 image by Robert Couse-Baker Yesterday we wrote about the 400 gigabit per second attacks we see on our network. One way that attackers DDoS websites is by repeatedly doing DNS lookups that have small queries, but large answers. The attackers spoof their IP address so that the DNS answers are sent to the server they are attacking, this is called a reflection attack. Domains…

400Gbps: Winter of Whopping Weekend DDoS Attacks

Published on by Marek Majkowski.

Over the last month, we’ve been watching some of the largest distributed denial of service (DDoS) attacks ever seen unfold. As CloudFlare has grown we've brought on line systems capable of absorbing and accurately measuring attacks. Since we don't need to resort to crude techniques to block traffic we can measure and filter attacks with accuracy. Our systems sort bad packets from good, keep websites online and…