Shellshock protection enabled for all customers

Published on by John Graham-Cumming.

On Thursday, we rolled out protection against the Shellshock bash vulnerability for all paying customers through the CloudFlare WAF. This protection was enabled automatically and immediately started blocking malicious requests. We had a number of requests for protection from Shellshock for all our customers, including those on the Free plan. After observing the actual Shellshock traffic across our network and after seeing the true severity of the vulnerability…

One More Thing: Keyless SSL and CloudFlare's Growing Network

Published on by Matthew Prince.

I wanted to write one more thing about Keyless SSL, our announcement from last week, before attention shifts to what we'll be announcing on Monday. Keyless allows us to provide CloudFlare's service without having private SSL keys stored locally on our edge servers. The news last week focused on how this could allow very large customers, like major financial institutions, to use CloudFlare without trusting us with their…

Celebrating CloudFlare's 4th Birthday

Published on by Matthew Prince.

Since CloudFlare launched to the public four years ago today, we've always considered September 27th our birthday. We like to celebrate by doing something nice for our team and also for our customers. Two years ago, for example, we brought a cake into the office and then enabled free IPv6 support for all our customers. Saturday is our birthday this year, so we decided to celebrate it a…

Bash vulnerability CVE-2014-6271 patched

Published on by Ryan Lackey.

This morning, Stephane Chazelas disclosed a vulnerability in the program bash, the GNU Bourne-Again-Shell. This software is widely used, especially on Linux servers, such as the servers used to provide CloudFlare’s performance and security cloud services. This vulnerability is a serious risk to Internet infrastructure, as it allows remote code execution in many common configurations, and the severity is heightened due to bash being in the default…

Keyless SSL: The Nitty Gritty Technical Details

Published on by Nick Sullivan.

We announced Keyless SSL yesterday to an overwhelmingly positive response. We read through the comments on this blog, Reddit, Hacker News, and people seem interested in knowing more and getting deeper into the technical details. In this blog post we go into extraordinary detail to answer questions about how Keyless SSL was designed, how it works, and why it’s secure. Before we do so, we need some…