Category Archives for "CloudFlare"

Munich: Cloudflare’s fifth data center in Germany

Oktoberfest has come early this year! We just turned up our latest data center in Munich: our 110th data center globally, and our fifth in Germany, joining Frankfurt, Düsseldorf, Berlin and Hamburg. Just over a mile away from the historic Hofbräuhaus, our newest deployment helps make six million websites faster across Bavaria, while providing additional redundancy and capacity to withstand attacks.

Oktoberfest comes early this year! We have just switched on our 110th data center, in Munich. That gives us five data centers in Germany (Frankfurt, Düsseldorf, Berlin, Hamburg and Munich). Only about 2 kilometers from the historic Hofbräuhaus, our newest data center will make six million websites faster across Bavaria while also providing greater capacity against DDoS attacks.

As TripAdvisor put it: Germany’s third largest city reflects the character of a city and a postcard village at the same time.

As TripAdvisor puts it: Germany’s third-largest city reflects the character of a city and of a village at the same time.


CC BY-NC-ND 2.0 image by Werner Nieke

Continued Expansion

We have several additional locations being added to our fast expanding network that spans 55 countries. If you have a new city in mind, let us know, Continue reading

Changing Internet Standards to Build A Secure Internet

We’ve been working with registrars and registries in the IETF on making DNSSEC easier for domain owners, and over the next two weeks we’ll be starting out by enabling DNSSEC automatically for .dk domains.

DNSSEC: A Primer

Before we get into the details of how we've improved the DNSSEC experience, we should explain why DNSSEC is important and the function it plays in keeping the web safe.

DNSSEC’s role is to verify the integrity of DNS answers. When DNS was written in the early 1980s, there were only a few researchers and academics on the internet. They all knew and trusted each other, and couldn’t imagine a world in which someone malicious would try to operate online. As a result, DNS relies on trust to operate. When a client asks for the address of a hostname like www.cloudflare.com, without DNSSEC it will trust basically any server that returns the response, even if it wasn’t the same server it originally asked. With DNSSEC, every DNS answer is signed so clients can verify that answers haven’t been manipulated in transit.

The Trouble With DNSSEC

If DNSSEC is so important, why do so few domains support it? First, for a domain to Continue reading

How we made our DNS stack 3x faster

Cloudflare is now well into its 6th year and providing authoritative DNS has been a core part of infrastructure from the start. We’ve since grown to be the largest and one of the fastest managed DNS services on the Internet, hosting DNS for nearly 100,000 of the Alexa top 1M sites and over 6 million other web properties – or DNS zones.

Space Shuttle Main Engine SSME CC-BY 2.0 image by Steve Jurvetson

Today Cloudflare’s DNS service answers around 1 million queries per second – not including attack traffic – via a global anycast network. Naturally as a growing startup, the technology we used to handle tens or hundreds of thousands of zones a few years ago became outdated over time, and couldn't keep up with the millions we have today. Last year we decided to replace two core elements of our DNS infrastructure: the part of our DNS server that answers authoritative queries and the data pipeline which takes changes made by our customers to DNS records and distributes them to our edge machines across the globe.

DNS Data Flow

The rough architecture of the system can be seen above. We store customer DNS records and other origin server information in a central database, convert the Continue reading

Curaçao and Djibouti – two new Cloudflare datacenters located where undersea cables meet

Cloudflare has just turned up two new datacenters (numbers 108 and 109). Both are around halfway between the Tropic of Cancer and the Equator. They are located continents apart, yet have something very much in common: both of these new data centers are deployed where undersea cables reach land. Undersea cables have been and still are a growing part of the interconnected world that the Internet represents.

Curaçao, part of the Netherland Antilles in the Caribbean

CC-BY 2.0 image by Nelo Hotsuma

Curaçao is located in the Southern Caribbean Sea (just north of Venezuela) and has a strong Dutch heritage. Along with Aruba and Bonaire, Curaçao is part of the Lesser Antilles (they are called the ABC islands).

More importantly, Willemstad, the capital of Curaçao, is where the Amsterdam Internet Exchange operates AMS-IX Caribbean. Why AMS-IX? Because of that Dutch relationship!

It’s AMS-IX’s goal (along with its local partners) to promote Curaçao as an interconnection location for the Caribbean. Cloudflare is there with all its services ready for that day!

Djibouti on the horn of Africa

Djibouti is a country of around 850,000 people with ~60% of the population living in the nation's capital, also Continue reading

Zdravo, Beograde! Cloudflare network spans 30 European cities

CC-BY 2.0 image by De kleine rode kater

Since Cloudflare began with our very first data center in Chicago, we are especially excited that our expansion takes us to its sister city. Where the Sava meets the Danube, Belgrade (Serbia) is home to Cloudflare’s 107th data center.

Since Cloudflare started with its first data center in Chicago, we are especially excited that our expansion has taken us to its sister city. Where the Sava flows into the Danube, Belgrade, Serbia, is home to Cloudflare’s 107th data center.

As a member of the Serbian Open Exchange, the leading internet exchange point in the country, we are excited to help make 6 million websites even faster for nearly 6 million Internet users. Belgrade is seeing growth in employment across the technology industry, ranging from the Microsoft Development Center to Serbian gaming company Nordeus to startups such as TeleSkin and Content Insights.

As a member of the Serbian Open Exchange, the leading internet exchange in Serbia, we are glad Continue reading

Kansas City: Cloudflare’s 106th Data Center Now Live

CC-BY 2.0 image by Vincent Parsons

Kansas City, Missouri. Home to the Kansas City Royals, Swope Park, over 100 barbeque restaurants, and now, Cloudflare's 106th data center. We are excited to help make 6 million websites even faster in the Midwest, as our newest deployment joins existing United States facilities in Ashburn, Atlanta, Boston, Chicago, Dallas, Denver, Las Vegas, Los Angeles, Miami, Minneapolis, Nashville, Newark, Omaha, Philadelphia, Phoenix, San Jose, Seattle, St. Louis, and Tampa.

BBQ!

CC-BY 2.0 image by Shelby Bell

Anthony Bourdain said it best with regards to Joe's KC BBQ in his "13 Places to Eat Before You Die" (alongside Michelin 3-star restaurants like French Laundry and Le Bernardin):

"People may disagree on who has the best BBQ. Here, the brisket (particularly the burnt ends), pulled pork, and ribs are all of a quality that meet the high standards even of Kansas City natives. It's the best BBQ in Kansas City, which makes it the best BBQ in the world."

Visit Kansas City to find the world’s largest shuttlecocks outside the Nelson Atkins Art Museum, as Continue reading

Cloudflare Apps: Develop Features for Everyone

CC-BY 2.5 image by Hans Braxmeier

Cloudflare’s mission is to help build a faster and more secure Internet for everyone, but sites often lack the accessibility features critical to allowing all Internet users to enjoy their content and perspective. Cloudflare Apps, which power the add-ons featured here, can allow developers to enhance any website. Get notified for the developer preview >>

The team at Cloudflare is excited to announce the release of two performance-enhancing features that make the Internet more usable for two underrepresented demographics on the Internet: cats and Australians.

Feline Mode

The modern internet is full of content which challenges our perspectives. Often though, we are not interested in being challenged, we are interested in cats. To use the internet, to be a member of this incredible cultural fabric, is to find the most feline part of yourself. A love of sleeping, of curling up on a soft pile of destroyed clothing, a love of distracting and bothering others. Often though, websites just fail to recognize this critical part of our identity.

Australia Mode

We believe access to the internet is a basic human right. It’s not enough to just be able to access it Continue reading

Our Response to the Senate Vote on FCC Privacy Rules

Today, the U.S. Senate voted narrowly to undo certain regulations governing broadband providers, put in place during the Obama administration, that would have required Internet Service Providers (ISPs) to obtain approval from their customers before sharing information such as web-browsing histories, app usage, and aspects of their financial and health information, with third parties. Now, ISPs may sell targeted advertising or share personal information and browsing history with third party marketers, without first getting explicit consent from web users.

Cloudflare is disappointed with the Senate’s actions, as we feel strongly that consumer privacy rights need to be at the forefront of discussions around how personal information is treated. The new regulations would have steered the U.S. closer to the privacy standards enjoyed by citizens in many other developed countries, rather than away from such rights.

Defaulting to an “opt-in” rather than “opt-out” standard would provide consumers with greater controls over how, when, and with whom their personal information is used and shared. We believe that individuals should have the last say on what is done with their personal information, rather than corporations.

Regardless of whether Washington ultimately decides to approve rolling back these regulations, Cloudflare will continue to Continue reading

Buongiorno, Roma! Cloudflare Data Center CV

CC-BY 2.0 image by Ilaria Giacomi

We’re excited to announce Cloudflare’s 105th data center in Rome. Visitors in Italy (and especially around the region of Lazio) to over 6 million Internet properties now benefit from reduced latency and increased security. As our global network grows in breadth and capacity, we are able to stop attacks (typically, outside of Italy!), while serving legitimate traffic from our nearest in-country data center. Rome serves as a point of redundancy to our existing data center in Milan, and expands Cloudflare’s Europe network to 29 cities, with at least five more cities already in the works.

We are proud to announce Cloudflare’s 105th data center, in Rome. Users throughout Italy (and especially in Lazio and neighboring regions), together with over 6 million Internet properties, will benefit from reduced latency and greater security. As our network grows in both coverage and capacity, we are able to stop attacks (typically originating outside Italian territory!) and to serve legitimate traffic from the nearest data center. Rome offers greater redundancy in the network, paired with the Milan data center, and expands Cloudflare’s European network to 29 Continue reading

¡Hola, Ecuador! Quito Data Center expands Cloudflare network to 104 cities across 52 countries

CC-BY 2.0 image by Scipio

Located only 15 miles from the Equator, we are excited to announce Cloudflare’s newest data center in the World Heritage City of Quito, Ecuador. This deployment is made possible in partnership with the NAP.EC Internet exchange run by AEPROVI (Asociación de empresas proveedoras de servicios de internet). Our newest data center expands Cloudflare’s growing Latin America network to six cities, joining Buenos Aires (Argentina), Lima (Peru), Medellin (Colombia), Sao Paulo (Brazil) and Valparaiso (Chile). Quito is our 104th deployment globally, with over a dozen additional cities in the works right now.

Located only 15 miles from the equator, we are happy to announce Cloudflare’s new data center in the city of Quito, Ecuador. It was built in partnership with the NAP.EC neutral Internet exchange run by AEPROVI (Asociación de empresas proveedoras de servicios de internet). This deployment expands Cloudflare’s Latin America network to six cities: Buenos Aires (Argentina), Lima (Peru), Medellín (Colombia), Sao Paulo (Brazil) and Valparaíso (Chile). Quito is our 104th global deployment, with more than a dozen cities in the expansion pipeline right now.

Open interconnection

Cloudflare participates at over 150 Internet exchanges Continue reading

Yerevan, Armenia: Cloudflare Data Center #103

CC-BY 2.0 image by Marco Polo

In the coming days, Cloudflare will be announcing a series of new data centers across five continents. We begin with Yerevan, the capital and largest city of Armenia, the mountainous country in the South Caucasus. This deployment is our 37th data center in Asia, and 103rd data center globally.

History

CC-BY 2.0 image by PAN Photo

Yerevan, one of the oldest continuously inhabited cities in the world, has a rich history going back all the way to 782 BC. Famous for its cognac, lavash flatbread, and beautiful medieval churches, Armenia is also home to more chess grandmasters per capita than most countries!

6 Million Websites Faster

Latency (ms) decreases 6x for UCOM Internet user in Yerevan to Cloudflare. Source: Cedexis

The newest Cloudflare deployment will make 6 million Internet properties faster and more secure, as we serve traffic to Yerevan and adjoining countries.

If the Cloudflare datacenter closest to the Equator (to date) was Singapore, the next deployment brings us even closer. Which one do you think it is?

The Cloudflare network today

- The Cloudflare Team

Introducing Zero Round Trip Time Resumption (0-RTT)

Cloudflare’s mission is to help build a faster and more secure Internet. Over the last several years, the Internet Engineering Task Force (IETF) has been working on a new version of TLS, the protocol that powers the secure web. Last September, Cloudflare was the first service provider to enable people to use this new version of the protocol, TLS 1.3, improving security and performance for millions of customers.

Today we are introducing another performance-enhancing feature: zero round trip time resumption, abbreviated as 0-RTT. About 60% of the connections we see are from people who are visiting a site for the first time or revisiting after an extended period of time. TLS 1.3 speeds up these connections significantly. The remaining 40% of connections are from visitors who have recently visited a site and are resuming a previous connection. For these resumed connections, standard TLS 1.3 is safer but no faster than any previous version of TLS. 0-RTT changes this. It dramatically speeds up resumed connections, leading to a faster and smoother web experience for web sites that you visit regularly. This speed boost is especially noticeable on mobile networks.

We’re happy to announce that 0-RTT is Continue reading

An AMP validator you can cURL

Cloudflare has been a long-time supporter of AMP, an open-source markup language that 1.5 billion web pages are using to accelerate their mobile web performance. Cloudflare runs Ampersand, the only alternative to Google’s AMP cache, and earlier this year we launched Accelerated Mobile Links, a way for sites on Cloudflare to open external links on their site in AMP format, as well as Firebolt, leveraging AMP to speed up ad performance.

One of the biggest challenges developers face in converting their web pages to AMP is testing their AMP pages for valid AMP syntax before deploying. It's not enough to make the templates work at dev time, you also need to validate individual pages before they’re published. Imagine, for example, a publishing company where content creators who are unfamiliar with AMP are modifying pages. Because the AMP markup language is so strict, one person adding an interactive element to a page can all of a sudden break the AMP formatting and stop the page from validating.

We wanted to make it as easy as possible to move webpages and sites to AMP so we built an AMP linter API for developers to check that their Continue reading

Cloudflare at Google NEXT 2017

The Cloudflare team is headed to Google NEXT 2017 from March 8th - 10th at Moscone Center in San Francisco, CA. We’re excited to meet with customers, partners, and new friends.

Come learn about Cloudflare’s recent partnership with Google Cloud Platform (GCP) through their CDN Interconnect Program. Cloudflare offers performance and security to over 25,000 Google Cloud Platform customers. The CDN Interconnect program allows Cloudflare’s servers to establish high-speed interconnections with Google Cloud Platform at various locations around the world, accelerating dynamic content while reducing bandwidth and egress billing costs.

We’ll be at booth C7 discussing the benefits of Cloudflare, our partnership with Google Cloud Platform, and handing out Cloudflare SWAG. In addition, our Co-Founder, Michelle Zatlyn, will be presenting “What is Google Cloud Platform’s CDN Interconnect Program?

Google Cloud Platform’s CDN Interconnect program allows select CDN providers to establish direct interconnect links with Google’s edge network at various locations. Customers egressing network traffic from Google Cloud Platform through one of these links will benefit from the direct connectivity to the CDN providers and will Continue reading

Quantifying the Impact of “Cloudbleed”

Last Thursday we released details on a bug in Cloudflare's parser impacting our customers. It was an extremely serious bug that caused data flowing through Cloudflare's network to be leaked onto the Internet. We fully patched the bug within hours of being notified. However, given the scale of Cloudflare, the impact was potentially massive.

The bug has been dubbed “Cloudbleed.” Because of its potential impact, the bug has been written about extensively and generated a lot of uncertainty. The burden of that uncertainty has been felt by our partners, customers, and our customers’ customers. The question we’ve been asked the most often is: what risk does Cloudbleed pose to me?

We've spent the last twelve days using log data on the actual requests we’ve seen across our network to get a better grip on what the impact was and, in turn, provide an estimate of the risk to our customers. This post outlines our initial findings.

The summary is that, while the bug was very bad and had the potential to be much worse, based on our analysis so far: 1) we have found no evidence based on our logs that the bug was maliciously exploited before it was patched; Continue reading

Incident report on memory leak caused by Cloudflare parser bug

Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare.

It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.

For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug.

We quickly identified the problem and turned off three minor Cloudflare features (email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that were all using the same HTML parser chain that was causing the leakage. At that point it was no longer possible for memory to be returned in an HTTP response.

Because of the seriousness of such a bug, a cross-functional team from software engineering, infosec and operations formed in San Francisco and London to fully understand Continue reading

LuaJIT Hacking: Getting next() out of the NYI list

At Cloudflare we’re heavy users of LuaJIT and in the past have sponsored many improvements to its performance.

LuaJIT is a powerful piece of software, maybe the highest performing JIT in the industry. But it’s not always easy to get the most out of it, and sometimes a small change in one part of your code can negatively impact other, already optimized, parts.

One of the first pieces of advice anyone receives when writing Lua code to run quickly using LuaJIT is “avoid the NYIs”: the language or library features that can’t be compiled because they’re NYI (not yet implemented). And that means they run in the interpreter.

CC BY-SA 2.0 image by Dwayne Bent

Another very attractive feature of LuaJIT is the FFI library, which allows Lua code to directly interface with C code and memory structures. The JIT compiler weaves these memory operations in line with the generated machine language, making it much more efficient than using the traditional Lua C API.

Unfortunately, if for any reason the Lua code using the FFI library has to run under the interpreter, it takes a very heavy performance hit. As it happens, under the interpreter the FFI is usually Continue reading

You can now use Google Authenticator and any TOTP app for Two-Factor Authentication

Since the very beginning, Cloudflare has offered two-factor authentication with Authy, and starting today we are expanding your options to keep your account safe with Google Authenticator and any Time-based One Time Password (TOTP) app of your choice.

If you want to get started right away, visit your account settings. Setting up Two-Factor with Google Authenticator or with any TOTP app is easy - just use the app to scan the barcode you see in the Cloudflare dashboard, enter the code the app returns, and you’re good to go.

Importance of Two-Factor Authentication

Often when you hear that an account was ‘hacked’, it really means that the password was stolen.

Two-Factor authentication is sometimes thought of as something that should be used to protect important accounts, but the best practice is to always enable it when it is available. Without a second factor, any mishap involving your password can lead to a compromise. Journalist Mat Honan’s high profile compromise in 2012 is a great example of the importance of two-factor authentication. When Continue reading

Discovering Great Talent with Path Forward

Cloudflare's Path Forward Candidates with Janet

In the fall of 2016, I was just beginning my job search. I’d been lucky to lead HR at a number of great cutting-edge technology start-ups, and I was looking for my next adventure. I wanted to find a company that wasn’t just a great business--I wanted one that was also making a positive impact on the world, and one that had a mission I felt passionately about.

During my two decades running HR/People organizations, I’ve spent a lot of time working with--and talking to--parents in the workplace. I’ve been motivated to do so for a few reasons. According to the US census, mothers are the fastest-growing segment of the US workforce. Companies struggle to retain talented workers after they’ve become parents, especially mothers. It’s been reported that 43 percent of highly qualified women with children leave their careers. Millennials (who make up the majority of the US workforce) are reporting that they want to be more engaged parents and are placing a high value on companies that allow them to parent and still get promoted. Ultimately, I’ve come to believe that the skills you acquire while parenting are extremely relevant and valuable to the workforce.

So when Path Continue reading

NCC Group’s Cryptography Services audits our Go TLS 1.3 stack

The Cloudflare TLS 1.3 beta is run by a Go implementation of the protocol based on the Go standard library, crypto/tls. Starting from that excellent Go codebase allowed us to quickly start experimenting, to be the first wide server deployment of the protocol, and to effectively track the changes to the specification draft.

Of course, the security of a TLS implementation is critical, so we engaged NCC Group's Cryptography Services to perform an audit at the end of 2016.

You can find the codebase on the Cloudflare GitHub. It's a drop-in replacement for crypto/tls and comes with a go wrapper to patch the standard library as needed.

The code is developed in the open but is currently targeted only at internal use: the repository is frequently rebased and the API is not guaranteed to be stable or fully documented. You can take a sneak peek at the API here.

The final goal is to upstream the patches to the Go project so that all users of the Go standard library benefit from it. You can follow the process here.

Below we republish the article about the audit that first appeared on the NCC Group's blog.


NCC Group's Cryptography Services Complete Continue reading