The oldest trick in the ASCII book
If you're old enough (or interested enough) to have spent a lot of time messing around with the ASCII table then you might have run into a strange fact: it's possible to uppercase ASCII text using just bitwise AND.
And it turns out that in some situations this isn't just a curiosity, but actually useful. Here are the ASCII characters 0x20 (space) to 0x7E (tilde).
0123456789ABCDEF0123456789ABCDEF
+--------------------------------
0x20| !"#$%&'()*+,-./0123456789:;<=>?
0x40|@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_
0x60|`abcdefghijklmnopqrstuvwxyz{|}~
It's immediately obvious that each lowercase letter has an ASCII code 0x20 more than the corresponding uppercase letter. For example, lowercase m is 0x6D and uppercase M is 0x4D. And since 0x20 is a single bit then it's possible to uppercase an ASCII letter by taking its code and applying AND 0xDF (masking out the 0x20 bit).
Performing AND 0xDF has no effect on the first two rows above: they, including the uppercase letters, are unchanged. Only the third row is affected. There the lowercase letters get uppercased but there's some collateral damage: ` { | } ~ change to @ [ ] ^.
But if you know that a string has a limited character set then this trick can come in handy. Lots of old protocols Continue reading
Scaling out PostgreSQL for CloudFlare Analytics using CitusDB
When I joined CloudFlare about 18 months ago, we had just started to build out our new Data Platform. At that point, the log processing and analytics pipeline built in the early days of the company had reached its limits. This was due to the rapidly increasing log volume from our Edge Platform where we’ve had to deal with traffic growth in excess of 400% annually.
Our log processing pipeline started out like most everybody else’s: compressed log files shipped to a central location for aggregation by a motley collection of Perl scripts and C++ programs with a single PostgreSQL instance to store the aggregated data. Since then, CloudFlare has grown to serve millions of requests per second for millions of sites. Apart from the hundreds of terabytes of log data that has to be aggregated every day, we also face some unique challenges in providing detailed analytics for each of the millions of sites on CloudFlare.
For the next iteration of our Customer Analytics application, we wanted to get something up and running quickly, try out Kafka, write the aggregation application in Go, and see what could be done to scale out our trusty go-to database, PostgreSQL, from a Continue reading
CloudFlare’s Buenos Aires data center now online
Che, ya estamos en Argentina! It is con placer that we announce our 32nd data center in Buenos Aires, Argentina. Our Buenos Aires data center is our 5th in Latin America following deployments in Santiago, São Paulo, Medellin, and Lima. As of this moment, CloudFlare is now mere milliseconds away from nearly all of Latin America's 300 million Internet users.
Argentina may be better known as the land of bife and malbec, but it is also home to a thriving tech community, including several well known start-up accelerators such as Startup Buenos Aires, Wayra and NXTP Labs (a CloudFlare customer!). At CloudFlare, we know a thing or two about the challenges of building a technology company, and we're proud to support the fast delivery of Internet applications for users in Argentina, as well as those who create them.
Don't cry for me Argentina
Although not commonly known, the title of the famous song from the musical Evita originates from an epitaph on a plaque honoring Evita Peron, and roughly translates as: "Don't cry for me Argentina, I remain quite near to you." Unfortunately, when it comes to the Internet, there is plenty of Continue reading
Improving compression with a preset DEFLATE dictionary
A few years ago Google made a proposal for a new HTTP compression method, called SDCH (SanDwiCH). The idea behind the method is to create a dictionary of long strings that appear throughout many pages of the same domain (or popular search results). The compression is then simply searching for the appearance of the long strings in a dictionary and replacing them with references to the aforementioned dictionary. Afterwards the output is further compressed with DEFLATE.
CC BY SA 2.0 image by Quinn Dombrowski
With the right dictionary for the right page the savings can be spectacular, even 70% smaller than gzip alone. In theory, a whole file can be replaced by a single token.
The drawbacks of the method are twofold: first - the dictionary that is created is fairly large and must be distributed as a separate file, in fact the dictionary is often larger than the individual pages it compresses; second - the dictionary is usually absolutely useless for another set of pages.
For large domains that are visited repeatedly the advantage is huge: at a cost of single dictionary download, all the following page views can be compressed with much higher efficiency. Currently we aware Continue reading
A Go Gotcha: When Closures and Goroutines Collide
Here's a small Go gotcha that it's easy to fall into when using goroutines and closures. Here's a simple program that prints out the numbers 0 to 9:
(You can play with this in the Go Playground here)
package main
import "fmt"
func main() {
for i := 0; i < 10; i++ {
fmt.Printf("%d ", i)
}
}
It's output is easy to predict:
0 1 2 3 4 5 6 7 8 9
If you decided that it would be nice to run those fmt.Printfs concurrently using goroutines you might be surprised by the result. Here's a version of the code that runs each fmt.Printf in its own goroutine and uses a sync.WaitGroup to wait for the goroutines to terminate.
package main
import (
"fmt"
"runtime"
"sync"
)
func main() {
runtime.GOMAXPROCS(runtime.NumCPU())
var wg sync.WaitGroup
for i := 0; i < 10; i++ {
wg.Add(1)
go func() {
fmt.Printf("%d ", i)
wg.Done()
}()
}
wg.Wait()
}
(This code is in the Go Playground here). If you're thinking concurrently then you'll likely predict that the output will be the numbers 0 to 9 in some Continue reading
Integrating our Integrations: Getting WHMCS and cPanel Talking
CloudFlare provides integrations for several of the most popular hosting control panels and billing systems such as WHMCS, cPanel, and Plesk. Each of these integrations provide a simple interface for our partners’ customers to sign-up for CloudFlare and start adding domains almost immediately.
But what about partners that use more than one system? The best experience occurs when we can get our integrations talking to each other, as our recently updated WHMCS and cPanel plugins do.
Integration Basics
All of our hosting integrations speak directly to CloudFlare through our host API. With just a single click, the integration passes the necessary information for CloudFlare to create an account and provision the domain. We respond when the provisioning completes, and the integration finishes the setup by making the necessary changes locally (adding and adjusting several DNS records) to route traffic to the domain through CloudFlare.
This makes signing up through a hosting partner integration even easier than signing up directly with CloudFlare. These proven systems make DNS changes accurately in order to save a lot of headaches.
Where do I integrate CloudFlare?
Many hosting companies expose two different applications to their customers: a billing system and a hosting control panel. The Continue reading
OpenSSL Security Advisory of 19 March 2015
Today there were multiple vulnerabilities released in OpenSSL, a cryptographic library used by CloudFlare (and most sites on the Internet). There has been advance notice that an announcement would be forthcoming, although the contents of the vulnerabilities were kept closely controlled and shared only with major operating system vendors until this notice.
Based on our analysis of the vulnerabilities and how CloudFlare uses the OpenSSL library, this batch of vulnerabilties primarily affects CloudFlare as a "Denial of Service" possibility (it can cause CloudFlare's proxy servers to crash), rather than as an information disclosure vulnerability. Customer traffic and customer SSL keys continue to be protected.
As is good security practice, we have quickly tested the patched version and begun a push to our production environment, to be completed within the hour. We encourage all customers to upgrade to the latest patched versions of OpenSSL on their own servers, particularly if they are using the 1.0.2 branch of the OpenSSL library.
The individual vulnerabilities included in this announcement are:
- OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
- Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
- Multiblock corrupted pointer (CVE-2015-0290)
- Segmentation fault in DTLSv1_listen (CVE-2015-0207)
- Segmentation fault in ASN1TYPE Continue reading
Analysis: CloudFlare Keyless SSL Scales Down Internet Connections
Providing a web application on the Internet can be a risky business. DDOS attacks are commonly exceeding 40 Gigabits per second of data, crackers are web crawling the Internet looking for vulnerabilities and much more. As a result, the data centre Internet connection is scaled for a worst case scenario and not for customer need. […]
The post Analysis: CloudFlare Keyless SSL Scales Down Internet Connections appeared first on EtherealMind.
Announcing Virtual DNS: DDoS Mitigation and Global Distribution for DNS Traffic
It’s 9am and CloudFlare has already mitigated three billion malicious requests for our customers today. Six out of every one hundred requests we see is malicious, and increasingly, more of that is targeting DNS nameservers.
DNS is the phone book of the Internet and fundamental to the usability of the web, but is also a serious weak link in Internet security. One of the ways CloudFlare is trying to make DNS more secure is by implementing DNSSEC, cryptographic authentication for DNS responses. Another way is Virtual DNS, the authoritative DNS proxy service we are introducing today.
Virtual DNS provides CloudFlare’s DDoS mitigation and global distribution to DNS nameservers. DNS operators need performant, resilient infrastructure, and we are offering ours, the fastest of any providers, to any organization’s DNS servers.
Many organizations have legacy DNS infrastructure that is difficult to change. The hosting industry is a key example of this. A host may have given thousands of clients a set of nameservers but now realize that they don't have the performance or defensibility that their clients need.
Virtual DNS means that the host can get the benefits of a global, modern DNS infrastructure without having to contact every customer Continue reading
Deprecating the DNS ANY meta-query type
DNS, one of the oldest technologies running the Internet, keeps evolving. There is a constant stream of new developments, from DNSSEC, through DNS-over-TLS, to a plentiful supply of fresh EDNS extensions.
New DNS Resource Records types are being added all the time. As the Internet evolves, new RR’s gain traction while the usage of some old record types decreases. Did you know you can use DNS to express the location of your server on the planet's surface?
Today, we are announcing that we are deprecating the DNS ANY meta-query. In a few weeks we'll be responding to those queries with rcode 4 / Not Implemented.
“ANY” is one of the special “magic” types in DNS. Instead of being a query for a single type like A , AAAA or MX, ANY retrieves all the available types for a given name. Over the years there have been many arguments over the semantics of ANY with some people arguing it really means ALL. Answers to ANY queries are among the biggest that DNS servers give out. The original reason for adding the ANY to DNS was to aid in debugging and testing Continue reading
Unser neuer 31er Datacenter: Düsseldorf
Hallo Düsseldorf. Nestled in the center of the Lower Rhine basin lies the bustling city of Düsseldorf, capital of Germany’s most populous state, Northern Rhine-Westphalia. Provided its status as an international business and telecommunications hub, and serving a population larger than the Netherlands, our data center in Düsseldorf is an important addition to our European network. This means not only better performance in Germany and Northern Europe, but additional redundancy for our 10 other data centers throughout Europe, including our first German data center in Frankfurt.
For the local audience: Liebe Freunde in Düsseldorf, euer Internetanschluss ist schneller geworden und ihr könnt jetzt sicher surfen. Viel Spaß.
Not just any data center
Dusseldorf comes to life.
Our Düsseldorf data center holds a special place in the heart of our legal counsel Ken Carter. When he’s not helping to build a better Internet, he is likely to be found regaling the office with tales of his adventures in the quaint medieval town of Bad Honnef am Rhein, just south of our new data center. Ban Honnef, most famously known as the world-wide headquarters for Birkenstock, can now add one more tale of note. Equidistant between Frankfurt and Dusseldorf, it is Continue reading
No upgrade needed: CloudFlare sites already protected from FREAK
The newly announced FREAK vulnerability is not a concern for CloudFlare's SSL customers. We do not support 'export grade' cryptography (which, by its nature, is weak) and we upgraded to the non-vulnerable version of OpenSSL the day it was released in early January.
CC BY 2.0 image by Stuart Heath
Our OpenSSL configuration is freely available on our Github account here as are our patches to OpenSSL 1.0.2.
We strive to stay on top of vulnerabilities as they are announced; in this case no action was necessary as we were already protected by decisions to eliminate cipher suites and upgrade software.
We are also pro-active about disabling protocols and ciphers that are outdated (such as SSLv3, RC4) and keep up to date with the latest and most secure ciphers (such as ChaCha-Poly, forward secrecy and elliptic curves).
Protecting web origins with Authenticated Origin Pulls
As we have been discussing this week, securing the connection between CloudFlare and the origin server is arguably just as important as securing the connection between end users and CloudFlare. The origin certificate authority we announced this week will help CloudFlare verify that it is talking to the correct origin server. But what about verification in the opposite direction? How can the origin verify that the client talking to it is actually CloudFlare?
TLS Client Authentication
TLS (the modern version of SSL) allows a client to verify the identity of the server it is talking to. Normally, a TLS handshake is one-way, that is, the client is able to verify the server's identity, but the server is not able to verify the client's identity. What about when both sides need to verify each other's identity?
Enter TLS Client Authentication. In a client authenticated TLS handshake both sides provide a certificate to be verified. If the origin server is configured to only accept requests which use a valid client certificate from CloudFlare, requests which have not passed through CloudFlare will be dropped (as they will not have our certificate). This means that attackers cannot circumvent CloudFlare features such as our WAF Continue reading
Thoughts on Network Neutrality, the FCC, and the Future of Internet Governance
Today the United States Federal Communications Commission (FCC) voted to extend the rules that previously regulated the telephone industry to now regulate Internet Service Providers (ISPs). The Commission did this in order to preserve the principle of network neutrality. Broadly stated, this principle is that networks should not discriminate against content that passes through them.
At CloudFlare, we are strong proponents of network neutrality. My co-founder, Michelle Zatlyn, sat on the FCC's Open Internet Advisory Committee. The work of that committee played a role in guiding today's vote. So there is a large part of us that is celebrating today.
At the same time, I have deep concerns that proponents of a free and open Internet may look back on today not as a great victory, but as the first step in what may turn out to be a devastating loss. The Internet has largely been governed from the bottom up by technologists seeking rough consensus and running code. Today's action by the FCC may mark the beginning of a new era where the Internet is regulated by lawyers from the top down. As a technologist and recovering lawyer, that worries me.
The Threat to the Network
If you think Continue reading
Enforce Web Policy with HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS, RFC 6797) is a web security policy technology designed to help secure HTTPS web servers against downgrade attacks. HSTS is a powerful technology which is not yet widely adopted. CloudFlare aims to change this.
Downgrade attacks (also known as SSL stripping attacks) are a serious threat to web applications. This type of attack is a form of man-in-the-middle attack in which an attacker can redirect web browsers from a correctly configured HTTPS web server to an attacker controlled server. Once the attacker has successfully redirected a user, user data, including cookies, can be compromised. Unfortunately, this attack is outside the realm of pure SSL to prevent. This is why HSTS was created.
These attacks are very real: many major websites have been attacked through SSL stripping. They are a particularly powerful attack against otherwise well secured sites, as they bypass the protections of SSL.
HSTS headers consists of an HTTP header with several parameters -- including a configurable duration for client web browsers to cache and continue to enforce policy even if the site itself changes. Through CloudFlare, it is easy to configure on a per-domain basis with standard settings.
HSTS causes compliant browsers Continue reading
Universal SSL: Encryption all the way to the origin, for free
Last September, CloudFlare unveiled Universal SSL, enabling HTTPS support for all sites by default. All sites using CloudFlare now support strong cryptography from the browser to CloudFlare’s servers. One of the most popular requests for Universal SSL was to make it easier to encrypt the other half of the connection: from CloudFlare to the origin server.
Until today, encryption from CloudFlare to the origin required the purchase of a trusted certificate from a third party. The certificate purchasing process can be tedious and sometimes costly. To remedy this, CloudFlare has created a new Origin CA service in which we provide free limited-function certificates to customer origin servers.
Today we are excited to announce the public beta of this service, providing full encryption of all data from the browser to the origin, for free.
Encrypted all the way
CloudFlare offers three modes for HTTPS: Flexible, Full and Strict. In Flexible mode, traffic from browsers to CloudFlare is encrypted, but traffic from CloudFlare to a site's origin server is not. In Full and Strict modes, traffic between CloudFlare and the origin server is encrypted. Strict mode adds validation of the origin server’s certificate. We strongly encourage customers to select Strict mode Continue reading
TLS Session Resumption: Full-speed and Secure
At CloudFlare, making web sites faster and safer at scale is always a driving force for innovation. We introduced “Universal SSL” to dramatically increase the size of the encrypted web. In order for that to happen we knew we needed to efficiently handle large volumes of HTTPS traffic, and give end users the fastest possible performance.
CC BY 2.0 image by ecos systems
In this article, I’ll explain how we added speed to Universal SSL with session resumptions across multiple hosts, and explain the design decisions we made in this process. Currently, we use two standardized session resumption mechanisms that require two different data sharing designs: Session IDs RFC 5246, and Session Tickets RFC 5077.
Session ID Resumption
Resuming an encrypted session through a session ID means that the server keeps track of recent negotiated sessions using unique session IDs. This is done so that when a client reconnects to a server with a session ID, the server can quickly look up the session keys and resume the encrypted communication.
At each of CloudFlare’s PoPs (Point of Presence) there are multiple hosts handling HTTPS traffic. When the client attempts to resume a TLS connection with a Continue reading
Do the ChaCha: better mobile performance with cryptography
CC BY-ND 2.0 image image by Clinton Steeds
CloudFlare is always trying to improve customer experience by adopting the latest and best web technologies so that our customers (and their visitors) have a fast and a secure web browsing experience.
More and more web sites are now using HTTPS by default. This sea change has been spearheaded by many groups including CloudFlare enabling free SSL for millions of sites with Universal SSL, Google moving towards marking plain HTTP as insecure in Chrome, and the Let’s Encrypt project’s plans to make certificates free in 2015.
Not only is the encrypted web more secure, it can also be faster than the unencrypted web if the latest HTTPS features are implemented. HTTPS sites are blazing fast on CloudFlare because we keep up with the latest performance-enhancing features:
- SPDY 3.1 is on by default for all customers. SPDY enables faster-than-HTTP download speeds by enabling multiplexing
- OCSP stapling: faster revocation checking.
- Optimized certificate bundles using CFSSL, our open source SSL bundler: an optimized certificate chain provides faster validation of certificates in the browser
- ECDSA certificates for all free customers with Universal SSL: smaller certificates with smaller keys result in faster Continue reading
End of the road for RC4
Today, we completely disabled the RC4 encryption algorithm for all SSL/TLS connections to CloudFlare sites. It's no longer possible to connect to any site that uses CloudFlare using RC4.
Over a year ago, we disabled RC4 for connections for TLS 1.1 and above because there were more secure algorithms available. In May 2014, we deprecated RC4 by moving it to the lowest priority in our list of cipher suites. That forced any browser that had a good alternative to RC4 to use it. Those two changes meant that almost everyone who was using RC4 to connect to CloudFlare sites switched to a more secure protocol.
Back in May, we noted that some people still needed RC4, particularly people using old mobile phones and some Windows XP users. At the time, 4% of requests using RC4 came from a single phone type: the Nokia 6120.
At the time, we noted that roughly 0.000002% of requests to CloudFlare were using the RC4 protocol. In the last 9 months, that number is halved and so, although some people are still using RC4, we have decided to turn off the protocol. It's simply no longer secure.
The remaining users are almost Continue reading
SSL Week Means Less Weak SSL
I'm excited to announce that today kicks off SSL Week at CloudFlare. Over the course of this week, we'll make a series of announcements on what we're doing to improve encryption on the Internet.
Inherently, for encryption to be the most effective, it has to meet three criteria: 1) it needs to be easy and inexpensive to use; 2) it needs to be fast so it doesn't tax performance; and 3) it needs to be up to date and ahead of the latest vulnerabilities.
Easy, Fast & Secure
Throughout CloudFlare's history, these priorities have guided our approach to encryption. Last September, we announced Universal SSL and brought world class encryption to every CloudFlare customer, even those on our Free service plan. While that effort doubled the size of the encrypted web, our work is far from done. This week we're announcing a series of initiatives that further our efforts to ensure we provide the easiest, fastest, and most secure encryption.
While Universal SSL made it easy to ensure that the connection from a device to CloudFlare was secure, this week we're going to begin the process of making it easy (and free) to ensure the connection from CloudFlare back to Continue reading