Eliminating Cold Starts 2: shard and conquer
2025-09-26
We reduced Cloudflare Workers cold starts by 10x by optimistically routing to servers with already-loaded Workers. Learn how we did it here....
Continue reading »
Automatically Secure: how we upgraded 6,000,000 domains by default to get ready for the Quantum Future
2025-09-24
After a year since we started enabling Automatic SSL/TLS, we want to talk about these results, why they matter, and how we’re preparing for the next leap in Internet security....
Addressing the unauthorized issuance of multiple TLS certificates for 1.1.1.1
2025-09-04
Unauthorized TLS certificates were issued for 1.1.1.1 by a Certification Authority without permission from Cloudflare. These rogue certificates have now been revoked....
Resolving a Mutual TLS session resumption vulnerability
2025-02-07
Cloudflare patched a Mutual TLS (mTLS) vulnerability (CVE-2025-23419) reported via its Bug Bounty Program. The flaw in session resumption allowed client certificates to authenticate across different...
A look at the latest post-quantum signature standardization candidates
2024-11-07
NIST has standardized four post-quantum signature schemes so far, and they’re not done yet: there are fourteen new candidates in the running for standardization....
MORE POSTS
September 25, 2024 1:00 PM
New standards for a faster and more private Internet
Cloudflare's customers can now take advantage of Zstandard (zstd) compression, offering 42% faster compression than Brotli and 11.3% more efficiency than GZIP. We're further optimizing performance for our customers with HTTP/3 prioritization and BBR congestion control, and enhanc...
- By
August 08, 2024 2:05 PM
Introducing Automatic SSL/TLS: securing and simplifying origin connectivity
This new Automatic SSL/TLS setting will maximize and simplify the encryption modes Cloudflare uses to communicate with origin servers by using the SSL/TLS Recommender....
- By
July 29, 2024 1:00 PM
Avoiding downtime: modern alternatives to outdated certificate pinning practices
Outages caused by certificate pinning is increasing. Learn why certificate pinning hasn’t kept up with modern standards and find alternatives to improve security while reducing management overhead...
- By
April 12, 2024 1:00 PM
How we ensure Cloudflare customers aren't affected by Let's Encrypt's certificate chain change
Let’s Encrypt’s cross-signed chain will be expiring in September. This will affect legacy devices with outdated trust stores (Android versions 7.1.1 or older). To prevent this change from impacting customers, Cloudflare will shift Let’s Encrypt certificates upon renewal to use a ...
- By
March 14, 2024 2:00 PM
Upcoming Let’s Encrypt certificate chain change and impact for Cloudflare customers
Let’s Encrypt’s cross-signed chain will be expiring. To prepare for, Cloudflare will issue certs from Let’s Encrypt’s ISRG X1 chain. This change impacts legacy devices with outdated trust stores....
- By
September 04, 2023 1:00 PM
Connection coalescing with ORIGIN Frames: fewer DNS queries, fewer connections
In this blog we’re going to take a closer look at “connection coalescing”, with specific focus on manage it at a large scale...
- By
August 09, 2023 1:00 PM
Introducing per hostname TLS settings — security fit to your needs
Starting today, customers that use Cloudflare’s Advanced Certificate Manager can configure TLS settings on individual hostnames within a domain...
- By
July 11, 2023 1:00 PM
Bring your own CA for client certificate validation with API Shield
API shield customers can now upload their own CA to use for client certificate validation. This ensures that only authorized clients and devices can make requests to your API endpoint or application. ...
- By
April 03, 2023 1:00 PM
mTLS client certificate revocation vulnerability with TLS Session Resumption
This blog post outlines the root cause analysis and solution for a bug found in Cloudflare’s mTLS implementation...
- By
March 23, 2023 1:00 PM
Out now! Auto-renew TLS certificates with DCV Delegation
Cloudflare will now allow customers that are managing DNS externally to auto-renew certificates through DCV Delegation...
- By
March 13, 2023 1:00 PM
Mutual TLS now available for Workers
Mutual TLS is used to secure a range of network services and applications: APIs, web applications, microservices, databases and IoT devices. With mTLS support for Workers you can use Workers to authenticate to any service secured by mTLS directly!...
- By
December 15, 2022 2:00 PM
A new, configurable and scalable version of Geo Key Manager, now available in Closed Beta
We’re excited to announce a new version of Geo Key Manager — one that allows customers to define boundaries by country, by a region, or by a standard, such as “only store my private keys in FIPS compliant data centers” — now available in Closed Beta....
- By
November 16, 2022 2:00 PM
Bringing authentication and identification to Workers through Mutual TLS
We’re excited to announce that Workers will soon be able to send outbound requests through a mutually authenticated channel via mutual TLS authentication!...
- By
October 06, 2022 6:00 PM
Total TLS: one-click TLS for every hostname you have
Today, we’re excited to announce Total TLS — a one-click feature that will issue individual TLS certificates for every subdomain in our customer’s domains...
- By
August 04, 2022 1:00 PM
Experiment with post-quantum cryptography today
The future is post quantum. Enable post-quantum key agreement on your test zone today and get a headstart...
- By