
One More Thing: Keyless SSL and CloudFlare's Growing Network

2014-09-28

One more thing...

I wanted to write one more thing about Keyless SSL, our announcement from last week, before attention shifts to what we'll be announcing on Monday. Keyless allows us to provide CloudFlare's service without having private SSL keys stored locally on our edge servers. The news last week focused on how this could allow very large customers, like major financial institutions, to use CloudFlare without trusting us with their private keys.
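As an added illustration (not Cloudflare's code and not the real Keyless SSL wire protocol), the toy Python below shows the division of labour the paragraph above describes: the edge holds only the certificate's public half, and the private-key operation a TLS handshake needs is delegated to a separate key server that stays in the customer's own facility. Textbook RSA over two fixed Mersenne primes stands in for a real key, and the key-server transport is a plain method call.

```python
import hashlib
import os

# Toy RSA key from two fixed Mersenne primes (constructed for this example;
# far too small for real use, and no PKCS#1 padding is applied).
_P, _Q = (1 << 31) - 1, (1 << 61) - 1
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))


class KeyServer:
    """Runs in the customer's own facility: the only holder of the private key."""

    def __init__(self, d, n):
        self._d, self._n = d, n
        self.requests = []  # audit trail of every digest the edge asked us to sign

    def sign(self, digest):
        self.requests.append(digest)
        return pow(int.from_bytes(digest, "big") % self._n, self._d, self._n)


class EdgeServer:
    """Runs in a less-trusted location: holds the certificate (public key) only."""

    def __init__(self, pubkey, key_server):
        self.pubkey = pubkey          # (e, n) taken from the certificate
        self.key_server = key_server  # remote signer; the key itself never arrives

    def handshake(self, client_random, server_random):
        # Data the server must prove key possession over (in a real ECDHE
        # handshake this covers the ServerKeyExchange parameters).
        transcript = client_random + server_random + b"ecdhe-public-share"
        digest = hashlib.sha256(transcript).digest()
        return transcript, self.key_server.sign(digest)


def client_verify(pubkey, transcript, signature):
    """What the browser does: check the signature with the public key from the cert."""
    e, n = pubkey
    expected = int.from_bytes(hashlib.sha256(transcript).digest(), "big") % n
    return pow(signature, e, n) == expected


def run_handshake():
    # Returns (genuine signature verifies, tampered transcript verifies).
    ks = KeyServer(D, N)
    edge = EdgeServer((E, N), ks)
    transcript, sig = edge.handshake(os.urandom(32), os.urandom(32))
    return client_verify((E, N), transcript, sig), client_verify((E, N), transcript + b"x", sig)
```

The key server's request log is the defender's hook: an edge that suddenly asks for far more signatures than its traffic justifies is the signal a compromised edge would produce.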

But there's another use that will benefit the entire CloudFlare userbase, not just our largest enterprise customers, and it's this: Keyless SSL is a key part of our strategy to continue to expand CloudFlare's global network.

CloudFlare's Global Network Today

CloudFlare's network today consists of 28 edge data centers that span much of the globe. We have technical and security requirements for these facilities in order to ensure that the equipment they house remains secure. Generally, we're in Tier III or IV data center facilities with the highest level of security. In our San Jose facility, for instance, you have to pass through 5 biometric scans, in addition to multiple 24x7 manned guard checkpoints, before you can get to the electronically locked cabinets housing our servers.

There are only about 30 locations around the world where a large number of networks come together in a building that meets these security requirements. In other words, we have largely run out of places that it makes sense for us to add a new location where we are confident enough in the facility's security to store sensitive information like customers' private keys.

Bigger Network, New Challenges

With most of CloudFlare's rival services, even those that have a seemingly larger network footprint, the minute you ask them to enable SSL the size of the network shrinks to something that resembles our network today. That's because they too don't feel comfortable storing customers' private keys in many of their edge nodes. And that's why most legacy CDN providers charge such an enormous premium the minute you ask them to support SSL.

But it makes sense to continue to grow our network. As we do, not only can we provide faster performance, but we can further isolate and mitigate large scale attacks. The way we think about it at CloudFlare is that, ultimately, we want to have equipment running in every cell phone tower base station. In order to do that, we need to ensure that we can do so securely. There are many requirements to pull that off, but one of them is ensuring that our customers' most sensitive data is never stored anywhere without the highest security standards. That's where Keyless SSL comes in.

Securely Extending CloudFlare's Edge

CloudFlare's Network Growth Plans for 2015

The map above shows all the locations where CloudFlare is actively working to turn up data centers over the next 12 months. As we expand into some of the more distant corners of the Internet, Keyless SSL allows us to offer our full range of services without needing to store customers' SSL keys in facilities that don't meet the highest security standards.

Beyond technical concerns, different regions of the world have different geopolitical concerns. For instance, European customers may not trust their keys being stored in the United States, American customers may not trust their keys being stored in China, and Chinese customers may not trust their keys being stored in Europe. Keyless will allow us to honor those geopolitical concerns on a customer-by-customer basis, either ourselves or in partnership with trusted third parties who can serve as key storage agents.

There are, of course, a number of other technical challenges to ensuring that a server in a potentially hostile environment can be secured and trusted. The good news is that many of you reading this are holding in your hand a modern example of a computing platform that has been locked down tightly to only run authorized software: your smart phone. We have been putting the pieces together to offer a global secure network, including hiring cryptographers out of Apple, acquiring companies like CryptoSeal, and talking about best practices for keeping secrets safe in unsafe environments (PDF link). All of it has to do with continuing to securely expand CloudFlare's global network.

So, on the eve of a big announcement that may or may not have something to do with massively expanding the encrypted web, know that we're also leveraging technologies like Keyless SSL in order to securely expand the size of our network to better serve all our customers, not just the big enterprises that increasingly are trusting us to protect and accelerate their networks.


Matthew Prince (@eastdakota)