Archive

Category Archives for "Security"

Know your SCM_RIGHTS

As TLS 1.3 was ratified earlier this year, I was recollecting how we got started with it here at Cloudflare. We made the decision to be early adopters of TLS 1.3 a little over two years ago. It was a very important decision, and we took it very seriously.

It is no secret that Cloudflare uses nginx to handle user traffic. A little less known fact, is that we have several instances of nginx running. I won’t go into detail, but there is one instance whose job is to accept connections on port 443, and proxy them to another instance of nginx that actually handles the requests. It has pretty limited functionality otherwise. We fondly call it nginx-ssl.

Back then we were using OpenSSL for TLS and Crypto in nginx, but OpenSSL (and BoringSSL) had yet to announce a timeline for TLS 1.3 support, therefore we had to implement our own TLS 1.3 stack. Obviously we wanted an implementation that would not affect any customer or client that would not enable TLS 1.3. We also needed something that we could iterate on quickly, because the spec was very fluid back then, and also something Continue reading

Knowledge of the “Truths in Your Network” is KEY

I am a huge believer in “knowledge is key”.  Yeah… I know… just reading that statement you are probably saying “well yeah… duh”.

Of course knowledge is key… duh, Fish!  We know that!  We love knowledge.  We are knowledge seekers and we love to learn!  I mean… if we didn’t love learning and knowledge why would we be reading this?   Okay… got it.  You love knowledge.  You want to grow your knowledge.   I hear you.  You are basically saying… bring on the knowledge… max the setting!   Got it.

So you most likely extend that desire for knowledge to most of the areas in your life.

For example….

  • Buying a House:  When buying a house you want the knowledge you can get by hiring a subject matter expert to walk thru the entirety of the house and inspect it.  You want knowledge of the truths of that house.
  • Hiring a Financial Advisor: When hiring a financial advisor you just go and “bare all” in reference to your financial situation so they can review every nuance of it.   You want knowledge of the truths of your finances.

Let’s Continue reading

L4Drop: XDP DDoS Mitigations

L4Drop: XDP DDoS Mitigations

Efficient packet dropping is a key part of Cloudflare’s distributed denial of service (DDoS) attack mitigations. In this post, we introduce a new tool in our packet dropping arsenal: L4Drop.

L4Drop: XDP DDoS Mitigations
Public domain image by US Air Force

We've written about our DDoS mitigation pipeline extensively in the past, covering:

  • Gatebot: analyzes traffic hitting our edge and deploys DDoS mitigations matching suspect traffic.
  • bpftools: generates Berkeley Packet Filter (BPF) bytecode that matches packets based on DNS queries, p0F signatures, or tcpdump filters.
  • Iptables: matches traffic against the BPF generated by bpftools using the xt_bpf module, and drops it.
  • Floodgate: offloads work from iptables during big attacks that could otherwise overwhelm the kernel networking stack. Incoming traffic bypasses the kernel to go directly to a BPF interpreter in userspace, which efficiently drops packets matching the BPF rules produced by bpftools.

Both iptables and Floodgate send samples of received traffic to Gatebot for analysis, and filter incoming packets using rules generated by bpftools. This ends up looking something like this:

L4Drop: XDP DDoS Mitigations
Floodgate based DDoS mitigation pipeline

This pipeline has served us well, but a lot has changed since we implemented Floodgate. Our new Gen9 and ARM servers use different network Continue reading

New Report: Major Online Retailers Increase Email Marketing Trustworthiness and Follow Unsubscribe Best Practices

Today, the Internet Society’s Online Trust Alliance released its fifth annual Email Marketing & Unsubscribe Audit. OTA researchers analyzed the email marketing practices of 200 of North America’s top online retailers and, based on this analysis, offer prescriptive advice to help marketers provide consumers with choice and control over when and what messages they receive. The Audit assesses the end-to-end user experience from signing up for emails, to receiving emails, to the unsubscribe process and its results.

In the 2018 Audit, seventy-four percent of the top online retailers received “Best of Class” designation, meaning they scored eighty percent or higher in OTA’s analysis of their email marketing. In addition, ten retailers received perfect scores, meaning they adopted all twelve of OTA’s best practices. They are: Dick’s Sporting Goods, Home Depot, Lands’ End, Musician’s Friend, Office Depot, OpticsPlanet, Sierra Trading Post, Staples, Talbots, and Walgreens.

In the subscribe process there were several positive findings. The percentage of sites that had subscribe forms that were easy for the user to find was 94% in 2018, up from 85% in 2017. In addition, one-quarter of sites offered incentives such as free shipping to entice users to subscribe, down slightly from 28% in 2018.

Continue reading

Towards usable checksums: automating the integrity verification of web downloads for the masses

Towards usable checksums: automating the integrity verification of web downloads for the masses Cherubini et al., CCS’18

If you tackled Monday’s paper on BEAT you deserve something a little easier to digest today, and ‘Towards usable checksums’ fits the bill nicely! There’s some great data-driven product management going on here as the authors set out to quantify current attitudes and behaviours regarding downloading files from the Internet, design a solution to improve security and ease-of-use, and then test their solution to gather feedback and prepare for a more widely deployed beta version.

When I was growing up we were all taught “Don’t talk to strangers”, and “Never get in a stranger’s car”. As has been well noted by others, so much for that advice! Perhaps the modern equivalent is “Don’t download unknown files from the Internet!” This paper specifically looks at applications made directly available from developer websites (vs downloads made through app stores).

A popular and convenient way to download programs is to use official app stores such as Apple’s Mac App Store and Microsoft’s Windows Store. Such platforms, however, have several drawbacks for developers, including long review and validation times, technical restrictions (e.g., sandboxing), Continue reading

OMG, VXLAN Is Still Insecure

A friend of mine told me about a “VXLAN is insecure, the sky is falling” presentation from RIPE-77 which claims that you can (under certain circumstances) inject packets into VXLAN virtual networks from the Internet.

Welcome back, Captain Obvious. Anyone looking at the VXLAN packet could immediately figure out that there’s no security in VXLAN. I pointed that out several times in my blog posts and presentations, including Cloud Computing Networking (EuroNOG, September 2011) and NSX Architecture webinar (August 2013).

Read more ...

Cybersecurity, Data Protection, and IoT Events in November & December

The end of the year has been very busy, with Internet Society staff members speaking at many events on data protection, security-by-design, and the Internet of Things (IoT). First, to recap the last month, you might want to read the Rough Guide to IETF 103, especially Steve Olshansky’s Internet of Things post. Dan York also talked about DNSSEC and the Root KSK Rollover at ICANN 63, and there were several staff members involved in security, privacy, and access discussions at the Internet Governance Forum. In addition, we submitted comments on NIST’s white paper on Internet of Things (IoT) Trust Concerns; the NTIA RFC on Developing the Administration’s Approach to Consumer Privacy; and the NIST draft “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks”.

We also have several speaking engagements coming up in the next few weeks. Here’s a quick rundown of the events.

6th National Cybersecurity Conference
27-28 November
Mona, Jamaica

The Mona ICT Policy Centre at CARIMAC, University of the West Indies is hosting the 6th National Cyber Security Conference. The Conference theme this year is “Data Protection – Securing Big Data, Understanding Biometrics and Protecting National ID Systems.” Continue reading

CAA Records and Site Security

The little green lock—now being deprecated by some browsers—provides some level of comfort for many users when entering personal information on a web site. You probably know the little green lock means the traffic between the host and the site is encrypted, but you might not stop to ask the fundamental question of all cryptography: using what key? The quality of an encrypted connection is no better than the quality and source of the keys used to encrypt the data carried across the connection. If the key is compromised, then entire encrypted session is useless.

So where does the key pair come from to encrypt the session between a host and a server? The session key used for symmetric cryptography on each session is obtained using the public key of the server (thus through asymmetric cryptography). How is the public key of the server obtained by the host? Here is where things get interesting.

The older way of doing things was for a list of domains who were trusted to provide a public key for a particular server was carried in HTTP. The host would open a session with a server, which would then provide a list of domains where Continue reading

Some notes about HTTP/3

HTTP/3 is going to be standardized. As an old protocol guy, I thought I'd write up some comments.

Google (pbuh) has both the most popular web browser (Chrome) and the two most popular websites (#1 Google.com #2 Youtube.com). Therefore, they are in control of future web protocol development. Their first upgrade they called SPDY (pronounced "speedy"), which was eventually standardized as the second version of HTTP, or HTTP/2. Their second upgrade they called QUIC (pronounced "quick"), which is being standardized as HTTP/3.


SPDY (HTTP/2) is already supported by the major web browser (Chrome, Firefox, Edge, Safari) and major web servers (Apache, Nginx, IIS, CloudFlare). Many of the most popular websites support it (even non-Google ones), though you are unlikely to ever see it on the wire (sniffing with Wireshark or tcpdump), because it's always encrypted with SSL. While the standard allows for HTTP/2 to run raw over TCP, all the implementations only use it over SSL.

There is a good lesson here about standards. Outside the Internet, standards are often de jure, run by government, driven by getting all major stakeholders in a room and hashing it out, then using rules to force people to adopt it. Continue reading

El Buen Fin: Tips to Shop Smart

Last week I had the opportunity to participate in the first edition of the International Internet and Entrepreneurship Forum (FIIE), in Monterrey, Mexico. The event was convened by NIC Mexico and other organizations of the Internet community of Latin America and the Caribbean as part of the activities of INCmty, an entrepreneurial festival with several years of tradition. The intersection between both topics is a fertile ground for reflection, especially in relation to the security of Internet of Things (IoT) devices.

IoT for Innovation and Entrepreneurship

The Internet has been known as a technology for facilitating innovation and entrepreneurship. The pace of technological development, together with the evolution of the Internet, has given rise to new solutions that seek to make life easier. Such is the case of the various devices connected to the Internet, which form the Internet of Things ecosystem.

Therefore, one of the issues addressed during the Forum was the role of IoT devices in the entrepreneurial ecosystem in the LAC region. There I took the opportunity to share the Internet Society’s vision of IoT security: we want people to benefit from the use of these devices in a trustworthy environment. The issue is particularly Continue reading

1 70 71 72 73 74 178