Cloudflare has just turned up two new datacenters (numbers 108 and 109). Both are around halfway between the Tropic of Cancer and the Equator. They are located continents apart, yet share something very much in common: both of these new data centers are deployed where undersea cables reach land. Undersea cables have been, and still are, a growing part of the interconnected world that the Internet represents.
CC-BY 2.0 image by Nelo Hotsuma
Curaçao is located in the Southern Caribbean Sea (just north of Venezuela) and has a strong Dutch heritage. Along with Aruba and Bonaire, Curaçao is part of the Lesser Antilles (they are called the ABC islands).
More importantly, Willemstad, the capital of Curaçao, is where the Amsterdam Internet Exchange operates AMS-IX Caribbean. Why AMS-IX? Because of that Dutch relationship!
It’s AMS-IX’s goal (along with its local partners) to promote Curaçao as an interconnection location for the Caribbean. Cloudflare is there with all its services ready for that day!
Djibouti is a country of around 850,000 people with ~60% of the population living in the nation's capital, also Continue reading
CC-BY 2.0 image by De kleine rode kater
Since Cloudflare began with our very first data center in Chicago, we are especially excited that our expansion takes us to its sister city. Where the Sava meets the Danube, Belgrade (Serbia) is home to Cloudflare’s 107th data center.
Since Cloudflare started with its first data center in Chicago, we are especially excited that our expansion has taken us to its sister city. Where the Sava flows into the Danube, Belgrade, in Serbia, is home to Cloudflare's 107th data center.
As a member of the Serbian Open Exchange, the leading internet exchange point in the country, we are excited to help make 6 million websites even faster for nearly 6 million Internet users. Belgrade is seeing growth in employment across the technology industry, ranging from the Microsoft Development Center to Serbian gaming company Nordeus to startups such as TeleSkin and Content Insights.
As a member of the Serbian Open Exchange, the leading internet exchange in Serbia, we are glad Continue reading
CC-BY 2.0 image by Vincent Parsons
Kansas City, Missouri. Home to the Kansas City Royals, Swope Park, over 100 barbeque restaurants, and now, Cloudflare's 106th data center. We are excited to help make 6 million websites even faster in the Midwest, as our newest deployment joins existing United States facilities in Ashburn, Atlanta, Boston, Chicago, Dallas, Denver, Las Vegas, Los Angeles, Miami, Minneapolis, Nashville, Newark, Omaha, Philadelphia, Phoenix, San Jose, Seattle, St. Louis, and Tampa.
CC-BY 2.0 image by Shelby Bell
Anthony Bourdain said it best with regards to Joe's KC BBQ in his "13 Places to Eat Before You Die" (alongside Michelin 3-star restaurants like French Laundry and Le Bernardin):
"People may disagree on who has the best BBQ. Here, the brisket (particularly the burnt ends), pulled pork, and ribs are all of a quality that meet the high standards even of Kansas City natives. It's the best BBQ in Kansas City, which makes it the best BBQ in the world."
Visit Kansas City to find the world’s largest shuttlecocks outside the Nelson Atkins Art Museum, as Continue reading
CC-BY 2.5 image by Hans Braxmeier
Cloudflare’s mission is to help build a faster and more secure Internet for everyone, but sites often lack the accessibility features critical to allowing all Internet users to enjoy their content and perspective. Cloudflare Apps, which power the add-ons featured here, can allow developers to enhance any website.
The team at Cloudflare is excited to announce the release of two performance-enhancing features that make the Internet more usable for two underrepresented demographics on the Internet: cats and Australians.
The modern internet is full of content which challenges our perspectives. Often though, we are not interested in being challenged, we are interested in cats. To use the internet, to be a member of this incredible cultural fabric, is to find the most feline part of yourself. A love of sleeping, of curling up on a soft pile of destroyed clothing, a love of distracting and bothering others. Often though, websites just fail to recognize this critical part of our identity.
We believe access to the internet is a basic human right. It’s not enough to just be able to access it Continue reading
Today, the U.S. Senate voted narrowly to undo certain regulations governing broadband providers, put in place during the Obama administration, that would have required Internet Service Providers (ISPs) to obtain approval from their customers before sharing information such as web-browsing histories, app usage, and aspects of their financial and health information, with third parties. Now, ISPs may sell targeted advertising or share personal information and browsing history with third party marketers, without first getting explicit consent from web users.
Cloudflare is disappointed with the Senate’s actions, as we feel strongly that consumer privacy rights need to be at the forefront of discussions around how personal information is treated. The new regulations would have steered the U.S. closer to the privacy standards enjoyed by citizens in many other developed countries, rather than away from such rights.
Defaulting to an “opt-in” rather than “opt-out” standard would provide consumers with greater controls over how, when, and with whom their personal information is used and shared. We believe that individuals should have the last say on what is done with their personal information, rather than corporations.
Regardless of whether Washington ultimately decides to approve rolling back these regulations, Cloudflare will continue to Continue reading
CC-BY 2.0 image by Ilaria Giacomi
We’re excited to announce Cloudflare’s 105th data center in Rome. Visitors in Italy (and especially around the region of Lazio) to over 6 million Internet properties now benefit from reduced latency and increased security. As our global network grows in breadth and capacity, we are able to stop attacks (typically, outside of Italy!), while serving legitimate traffic from our nearest in-country data center. Rome serves as a point of redundancy to our existing data center in Milan, and expands Cloudflare’s Europe network to 29 cities, with at least five more cities already in the works.
We are proud to announce Cloudflare's 105th data center in Rome. Users throughout Italy (and especially in Lazio and neighbouring regions), together with over 6 million Internet properties, will benefit from reduced latency and greater security. As our network grows in both coverage and capacity, we are able to stop attacks (typically originating outside Italian territory!) and to serve legitimate traffic from the nearest data center. Rome offers greater redundancy in the network, paired with the Milan data center, and expands Cloudflare's European network to 29 Continue reading
Located only 15 miles from the Equator, we are excited to announce Cloudflare’s newest data center in the World Heritage City of Quito, Ecuador. This deployment is made possible in partnership with the NAP.EC Internet exchange run by AEPROVI (Asociación de empresas proveedoras de servicios de internet). Our newest data center expands Cloudflare’s growing Latin America network to six cities, joining Buenos Aires (Argentina), Lima (Peru), Medellin (Colombia), Sao Paulo (Brazil) and Valparaiso (Chile). Quito is our 104th deployment globally, with over a dozen additional cities in the works right now.
Located just 15 miles from the Equator, we are pleased to announce Cloudflare's new data center in the city of Quito, Ecuador. It was carried out in partnership with the NAP.EC neutral Internet exchange administered by AEPROVI (Asociación de empresas proveedoras de servicios de internet). This deployment expands Cloudflare's Latin American network to six cities: Buenos Aires (Argentina), Lima (Peru), Medellín (Colombia), Sao Paulo (Brazil) and Valparaíso (Chile). Quito is our 104th global deployment, with more than a dozen cities currently in development for expansion.
Cloudflare participates at over 150 Internet exchanges Continue reading
In the coming days, Cloudflare will be announcing a series of new data centers across five continents. We begin with Yerevan, the capital and largest city of Armenia, the mountainous country in the South Caucasus. This deployment is our 37th data center in Asia, and 103rd data center globally.
Yerevan, one of the oldest continuously inhabited cities in the world, has a rich history going back all the way to 782 BC. Famous for its cognac, lavash flatbread, and beautiful medieval churches, Armenia is also home to more chess grandmasters per capita than most countries!
Latency (ms) decreases 6x for UCOM Internet user in Yerevan to Cloudflare. Source: Cedexis
The newest Cloudflare deployment will make 6 million Internet properties faster and more secure, as we serve traffic to Yerevan and adjoining countries.
If the Cloudflare datacenter closest to the Equator (to date) was Singapore, the next deployment brings us even closer. Which one do you think it is?
The Cloudflare network today
- The Cloudflare Team
Cloudflare’s mission is to help build a faster and more secure Internet. Over the last several years, the Internet Engineering Task Force (IETF) has been working on a new version of TLS, the protocol that powers the secure web. Last September, Cloudflare was the first service provider to enable people to use this new version of the protocol, TLS 1.3, improving security and performance for millions of customers.
Today we are introducing another performance-enhancing feature: zero round trip time resumption, abbreviated as 0-RTT. About 60% of the connections we see are from people who are visiting a site for the first time or revisiting after an extended period of time. TLS 1.3 speeds up these connections significantly. The remaining 40% of connections are from visitors who have recently visited a site and are resuming a previous connection. For these resumed connections, standard TLS 1.3 is safer but no faster than any previous version of TLS. 0-RTT changes this. It dramatically speeds up resumed connections, leading to a faster and smoother web experience for web sites that you visit regularly. This speed boost is especially noticeable on mobile networks.
We’re happy to announce that 0-RTT is Continue reading
Cloudflare has been a long time supporter of AMP, an open-source markup language 1.5 billion web pages are using to accelerate their mobile web performance. Cloudflare runs Ampersand, the only alternative to Google’s AMP cache, and earlier this year we launched Accelerated Mobile Links, a way for sites on Cloudflare to open external links on their site in AMP format, as well as Firebolt, leveraging AMP to speed up ad performance.
One of the biggest challenges developers face in converting their web pages to AMP is testing their AMP pages for valid AMP syntax before deploying. It's not enough to make the templates work at dev time, you also need to validate individual pages before they’re published. Imagine, for example, a publishing company where content creators who are unfamiliar with AMP are modifying pages. Because the AMP markup language is so strict, one person adding an interactive element to a page can all of a sudden break the AMP formatting and stop the page from validating.
We wanted to make it as easy as possible to move webpages and sites to AMP so we built an AMP linter API for developers to check that their Continue reading
The Cloudflare team is headed to Google NEXT 2017 from March 8th - 10th at Moscone Center in San Francisco, CA. We’re excited to meet with customers, partners, and new friends.
Come learn about Cloudflare’s recent partnership with Google Cloud Platform (GCP) through their CDN Interconnect Program. Cloudflare offers performance and security to over 25,000 Google Cloud Platform customers. The CDN Interconnect program allows Cloudflare’s servers to establish high-speed interconnections with Google Cloud Platform at various locations around the world, accelerating dynamic content while reducing bandwidth and egress billing costs.
We’ll be at booth C7 discussing the benefits of Cloudflare, our partnership with Google Cloud Platform, and handing out Cloudflare SWAG. In addition, our Co-Founder, Michelle Zatlyn, will be presenting “What is Google Cloud Platform’s CDN Interconnect Program?
Google Cloud Platform’s CDN Interconnect program allows select CDN providers to establish direct interconnect links with Google’s edge network at various locations. Customers egressing network traffic from Google Cloud Platform through one of these links will benefit from the direct connectivity to the CDN providers and will Continue reading
Last Thursday we released details on a bug in Cloudflare's parser impacting our customers. It was an extremely serious bug that caused data flowing through Cloudflare's network to be leaked onto the Internet. We fully patched the bug within hours of being notified. However, given the scale of Cloudflare, the impact was potentially massive.
The bug has been dubbed “Cloudbleed.” Because of its potential impact, the bug has been written about extensively and generated a lot of uncertainty. The burden of that uncertainty has been felt by our partners, customers, and our customers’ customers. The question we’ve been asked the most often is: what risk does Cloudbleed pose to me?
We've spent the last twelve days using log data on the actual requests we’ve seen across our network to get a better grip on what the impact was and, in turn, provide an estimate of the risk to our customers. This post outlines our initial findings.
The summary is that, while the bug was very bad and had the potential to be much worse, based on our analysis so far: 1) we have found no evidence based on our logs that the bug was maliciously exploited before it was patched; Continue reading
Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare.
It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.
For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug.
We quickly identified the problem and turned off three minor Cloudflare features (email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that were all using the same HTML parser chain that was causing the leakage. At that point it was no longer possible for memory to be returned in an HTTP response.
Because of the seriousness of such a bug, a cross-functional team from software engineering, infosec and operations formed in San Francisco and London to fully understand Continue reading
At Cloudflare we’re heavy users of LuaJIT and in the past have sponsored many improvements to its performance.
LuaJIT is a powerful piece of software, maybe the highest performing JIT in the industry. But it’s not always easy to get the most out of it, and sometimes a small change in one part of your code can negatively impact other, already optimized, parts.
One of the first pieces of advice anyone receives when writing Lua code to run quickly using LuaJIT is “avoid the NYIs”: the language or library features that can’t be compiled because they’re NYI (not yet implemented). And that means they run in the interpreter.
CC BY-SA 2.0 image by Dwayne Bent
Another very attractive feature of LuaJIT is the FFI library, which allows Lua code to directly interface with C code and memory structures. The JIT compiler weaves these memory operations in line with the generated machine language, making it much more efficient than using the traditional Lua C API.
Unfortunately, if for any reason the Lua code using the FFI library has to run under the interpreter, it takes a very heavy performance hit. As it happens, under the interpreter the FFI is usually Continue reading
Since the very beginning, Cloudflare has offered two-factor authentication with Authy, and starting today we are expanding your options to keep your account safe with Google Authenticator and any Time-based One Time Password (TOTP) app of your choice.
If you want to get started right away, visit your account settings. Setting up Two-Factor with Google Authenticator or with any TOTP app is easy - just use the app to scan the barcode you see in the Cloudflare dashboard, enter the code the app returns, and you’re good to go.
Often when you hear that an account was ‘hacked’, it really means that the password was stolen.
If the media stopped saying 'hacking' and instead said 'figured out their password', people would take password security more seriously.
— Khalil Sehnaoui (@sehnaoui) January 5, 2017
Two-Factor authentication is sometimes thought of as something that should be used to protect important accounts, but the best practice is to always enable it when it is available. Without a second factor, any mishap involving your password can lead to a compromise. Journalist Mat Honan’s high profile compromise in 2012 is a great example of the importance of two-factor authentication. When Continue reading
In the fall of 2016, I was just beginning my job search. I’d been lucky to lead HR at a number of great cutting-edge technology start-ups, and I was looking for my next adventure. I wanted to find a company that wasn’t just a great business--I wanted one that was also making a positive impact on the world, and one that had a mission I felt passionately about.
During my two decades running HR/People organizations, I’ve spent a lot of time working with--and talking to--parents in the workplace. I’ve been motivated to do so for a few reasons. According to the US census, mothers are the fastest-growing segment of the US workforce. Companies struggle to retain talented workers after they’ve become parents, especially mothers. It’s been reported that 43 percent of highly qualified women with children leave their careers. Millennials (who make up the majority of the US workforce) are reporting that they want to be more engaged parents and are placing a high value on companies that allow them to parent and still get promoted. Ultimately, I’ve come to believe that the skills you acquire while parenting are extremely relevant and valuable to the workforce.
So when Path Continue reading
The Cloudflare TLS 1.3 beta is run by a Go implementation of the protocol based on the Go standard library, crypto/tls. Starting from that excellent Go codebase allowed us to quickly start experimenting, to be the first wide server deployment of the protocol, and to effectively track the changes to the specification draft.
Of course, the security of a TLS implementation is critical, so we engaged NCC Group's Cryptography Services to perform an audit at the end of 2016.
You can find the codebase on the Cloudflare GitHub. It's a drop-in replacement for crypto/tls and comes with a go wrapper to patch the standard library as needed.
The code is developed in the open but is currently targeted only at internal use: the repository is frequently rebased and the API is not guaranteed to be stable or fully documented. You can take a sneak peek at the API here.
The final goal is to upstream the patches to the Go project so that all users of the Go standard library benefit from it. You can follow the process here.
Below we republish the article about the audit, which first appeared on NCC Group's blog.
Curious where your DNS traffic is coming from, how much DNS traffic is on your domain, and what records people are querying for that don’t exist? We now have a Grafana plugin for you.
Grafana is an open source data visualization tool that you can use to integrate data from many sources into one cohesive dashboard, and even use it to set up alerts. We’re big Grafana fans here - we use Grafana internally for our ops metrics dashboards.
In the Cloudflare Grafana plugin, you can see the response code breakdown of your DNS traffic. During a random prefix flood, a common type of DNS DDoS attack where an attacker queries random subdomains to bypass DNS caches and overwhelm the origin nameservers, you will see the number of NXDOMAIN responses increase dramatically. It is also common during normal traffic to have a small amount of negative answers due to typos or clients searching for missing records.
You can also see the breakdown of queries by data center and by query type to understand where your traffic is coming from and what your domains are being queried for. This is very useful to identify localized issues, and to see how your Continue reading
Come join us at Cloudflare HQ in San Francisco on Tuesday, February 28, 2017 for another cryptography meetup. We again had a great time at the last one, so we decided to host another. It's becoming a pattern.
We’ll start the evening at 6:00 p.m. with time for networking, followed up with short talks by leading experts starting at 6:30 p.m. Pizza and beer are provided! RSVP here.
Here are the confirmed speakers:
Deirdre is a senior software engineer at Brightcove, where she is trying to secure old and new web applications. Her interests include applied cryptography, secure defaults, elliptic curves and their isogenies.
Post-quantum cryptography is an active field of research in developing new cryptosystems that will be resistant to attack by future quantum computers. Recently a somewhat obscure area, isogeny-based cryptography, has been getting more attention, including impressive speed and compression optimizations and robust security analyses, bringing it into regular discussion alongside other post-quantum candidates. This talk will cover isogeny-based crypto, specifically these recent results regarding supersingular isogeny Diffie-Hellman, which is a possible replacement for the ephemeral key exchanges in use today.
Maya Kaczorowski is a Product Manager at Google in Security Continue reading
Cloudflare has covered DDoS ransom groups several times in the past. First, we reported on the copycat group claiming to be the Armada Collective and then not too long afterwards, we covered the "new" Lizard Squad. While in both cases the groups made threats that were ultimately empty, these types of security events can send teams scrambling to determine the correct response. Teams in this situation can choose from three types of responses: pay the ransom and enable these groups to continue their operations, not pay and hope for the best, or prepare an action plan to get protected.
We can’t stress enough that you should never pay the ransom. We fully understand that in the moment when your website is being attacked it might seem like a reasonable solution, but by paying the ransom, you only perpetuate the DDoS ransom group’s activities and entice other would-be ransomers to start making similar threats. In fact, we have seen reports of victim organizations receiving multiple subsequent threats after they have paid the ransom. It would seem these groups are sharing lists of organizations that pay, and those organizations are more likely to be targeted again in Continue reading