Good-bye ESNI, hello ECH!

Good-bye ESNI, hello ECH!
Good-bye ESNI, hello ECH!

Most communication on the modern Internet is encrypted to ensure that its content is intelligible only to the endpoints, i.e., client and server. Encryption, however, requires a key and so the endpoints must agree on an encryption key without revealing the key to would-be attackers. The most widely used cryptographic protocol for this task, called key exchange, is the Transport Layer Security (TLS) handshake.

In this post we'll dive into Encrypted Client Hello (ECH), a new extension for TLS that promises to significantly enhance the privacy of this critical Internet protocol. Today, a number of privacy-sensitive parameters of the TLS connection are negotiated in the clear. This leaves a trove of metadata available to network observers, including the endpoints' identities, how they use the connection, and so on.

ECH encrypts the full handshake so that this metadata is kept secret. Crucially, this closes a long-standing privacy leak by protecting the Server Name Indication (SNI) from eavesdroppers on the network. Encrypting the SNI secret is important because it is the clearest signal of which server a given client is communicating with. However, and perhaps more significantly, ECH also lays the groundwork for adding future security features and performance Continue reading

OPAQUE: The Best Passwords Never Leave your Device

OPAQUE: The Best Passwords Never Leave your Device
OPAQUE: The Best Passwords Never Leave your Device

Passwords are a problem. They are a problem for reasons that are familiar to most readers. For us at Cloudflare, the problem lies much deeper and broader. Most readers will immediately acknowledge that passwords are hard to remember and manage, especially as password requirements grow increasingly complex. Luckily there are great software packages and browser add-ons to help manage passwords. Unfortunately, the greater underlying problem is beyond the reaches of software to solve.

The fundamental password problem is simple to explain, but hard to solve: A password that leaves your possession is guaranteed to sacrifice security, no matter its complexity or how hard it may be to guess. Passwords are insecure by their very existence.

You might say, “but passwords are always stored in encrypted format!” That would be great. More accurately, they are likely stored as a salted hash, as explained below. Even worse is that there is no way to verify the way that passwords are stored, and so we can assume that on some servers passwords are stored in cleartext. The truth is that even responsibly stored passwords can be leaked and broken, albeit (and thankfully) with enormous effort. An increasingly pressing problem stems from the Continue reading

Improving DNS Privacy with Oblivious DoH in 1.1.1.1

Improving DNS Privacy with Oblivious DoH in 1.1.1.1
Improving DNS Privacy with Oblivious DoH in 1.1.1.1

Today we are announcing support for a new proposed DNS standard — co-authored by engineers from Cloudflare, Apple, and Fastly — that separates IP addresses from queries, so that no single entity can see both at the same time. Even better, we’ve made source code available, so anyone can try out ODoH, or run their own ODoH service!

But first, a bit of context. The Domain Name System (DNS) is the foundation of a human-usable Internet. It maps usable domain names, such as cloudflare.com, to IP addresses and other information needed to connect to that domain. A quick primer about the importance and issues with DNS can be read in a previous blog post. For this post, it’s enough to know that, in the initial design and still dominant usage of DNS, queries are sent in cleartext. This means anyone on the network path between your device and the DNS resolver can see both the query that contains the hostname (or website) you want, as well as the IP address that identifies your device.

To safeguard DNS from onlookers and third parties, the IETF standardized DNS encryption with DNS over HTTPS (DoH) and DNS over TLS (DoT). Both protocols Continue reading

Lessons Learned: Automating Site Deployments

Some networking engineers renew their ipSpace.net subscription every year, and when they drop off the radar, I try to get in touch with them to understand whether they moved out of networking or whether we did a bad job.

One of them replied that he retired after building a fully automated site deployment solution (first lesson learned: you’re never too old to start automating your network), and graciously shared numerous lessons learned while building that solution.

Read more …

Lessons Learned: Automating Site Deployments

Some networking engineers renew their ipSpace.net subscription every year, and when they drop off the radar, I try to get in touch with them to understand whether they moved out of networking or whether we did a bad job.

One of them replied that he retired after building a fully automated site deployment solution (first lesson learned: you’re never too old to start automating your network), and graciously shared numerous lessons learned while building that solution.

Read more …

Using pidof and pgrep to list process IDs

The pidof and pgrep commands provide listings of process IDs (PIDs) for process names that you provide as arguments. This post shows how to use these commands and illustrates the differences between them with a series of examples.pidof There are a number of ways to determine the PID of a process running on a Linux system, but the easiest is probably a command called pidof. Read this as “PID of” and you’ll have an easy time remembering it. Using this command, you can get the PID of a process by typing “pidof” and specifying the process name. For example:$ pidof bash 1262005 If you were to run the ps command without arguments, you will get a list of the processes that you’re running in your current shell. The command below shows where the response above comes from:To read this article in full, please click here

Nutanix expands hybrid-cloud features to support unstructured data

Nutanix has expanded the capabilities of its Objects and Files unstructured-data storage offerings with new hybrid-cloud capabilities for deploying a scale-out storage fabric across their various cloud environments.These new storage services are built on the recently launched Nutanix Clusters, which support Nutanix’s hyperconverged infrastructure (HCI) software running in AWS and, eventually, Microsoft Azure. New features include cloud tiering for object storage, hybrid-cloud file storage, and simplified disaster recovery.“IT teams around the world are quickly moving to hybrid environments, and they’re looking for technology solutions to help them facilitate this transition, to help them manage disparate technologies and simplify operations,” says Rajiv Mirani, chief technology officer of Nutanix in a statement. “We recently extended our hyper-converged-infrastructure software to public cloud with the launch of Nutanix Clusters to help companies do just that. Now the focus is on strengthening the overall platform, including delivering an easy-to-use, scale out storage fabric across their different cloud environments.”To read this article in full, please click here

Bias in word embeddings

Bias in word embeddings, Papakyriakopoulos et al., FAT*’20

There are no (stochastic) parrots in this paper, but it does examine bias in word embeddings, and how that bias carries forward into models that are trained using them. There are definitely some dangers to be aware of here, but also some cause for hope as we also see that bias can be detected, measured, and mitigated.

…we want to provide a complete overview of bias in word embeddings: its detection in the embeddings, its diffusion in algorithms using the embeddings, and its mitigation at the embeddings level and at the level of the algorithm that uses them.

It’s been shown before (‘Man is to computer programmer as woman is to homemaker?’) that word embeddings contain bias. The dominant source of that bias is the input dataset itself, i.e. the text corpus that the embeddings are trained on. Bias in, bias out. David Hume put his finger on the fundamental issue at stake here back in 1737 when he wrote about the unjustified shift in stance from describing what is and is not to all of a sudden talking about what ought or ought not to be. Continue reading

Bookmarked Articles

Have you ever read a great article and thought. "That was interesting!" Then one day in the future you want to share said article with someone else and cannot for the life of you find it? To fight that tyrany, I am keeping the links to interesting articles I have read on a multitude of...continue reading

Bookmarked Articles

Have you ever read a great article and thought. "That was interesting!" Then one day in the future you want to share said article with someone else and cannot for the life of you find it? To fight that tyrany, I am keeping the links to interesting articles I have read on a multitude of...

Aruba unveils new data-center orchestration software, switches

Aruba has taken the wraps off new orchestration software and switches that target users looking to build and support distributed data-centers.Aruba Fabric Composer software simplifies leaf-and-spine network provisioning across the company’s CX switches and automates operations across a wide variety of virtualized, hyper-converged, and HPE compute and storage environments.The Fabric Composer runs as runs as a virtual machine and eliminates the need for networking teams to manually configure CX switches. It offers workflow automation and a view of workflows supported by networking fabrics, switches, hosts and other resources, said Steve Brar, senior director of product marketing for Aruba.To read this article in full, please click here

Aruba unveils new data-center orchestration software, switches

Aruba has taken the wraps off new orchestration software and switches that target users looking to build and support distributed data-centers.Aruba Fabric Composer software simplifies leaf-and-spine network provisioning across the company’s CX switches and automates operations across a wide variety of virtualized, hyper-converged, and HPE compute and storage environments.The Fabric Composer runs as runs as a virtual machine and eliminates the need for networking teams to manually configure CX switches. It offers workflow automation and a view of workflows supported by networking fabrics, switches, hosts and other resources, said Steve Brar, senior director of product marketing for Aruba.To read this article in full, please click here

Juniper reinforces its intent-based networking with Apstra buy

Looking to shore-up its intent-based networking software portfolio, Juniper has said it will buy Apstra for an undisclosed amount. Founded in 2014, Apstra’s claim to fame is its flagship Apstra Operating System (AOS) software which was developed from the start to support IBN features. Once deployed, AOS keeps a real-time repository of configuration, telemetry and validation information to constantly ensure the network is doing what the customer wants it to do.AOS also includes automation features to provide consistent network and security policies for workloads across physical and virtual infrastructures. Its intent-based analytics perform regular network checks to safeguard configurations and is hardware agnostic so it can be integrated to work with products from Cisco, Arista, Dell, Microsoft and Nvidia/Cumulus.To read this article in full, please click here

Social Networking Tips For Introverts

Are you an introvert and think that social networking is not for you? Then you need to think again as this is definitely not the case. Although a lot of introverts believe that they are not perfect for networking, we have seen many introverts who master the arts of networking. So, how did they actually achieve it? How did they gain the confidence of talking to a stranger? Are you also wondering all of these questions? If yes, then don’t worry, we have got you covered. Just keep reading and you will find everything that you need to know below.

Prepare In Advance

Going to a social networking event without any prior plan or preparation is just a waste of time. When you will not be able to achieve anything at the event, it will demotivate you more. This is why you need to have a plan in action. When you are prepared in advance, it will give you the confidence to talk to other people as well. So, the most important thing to do if you are an introvert is to have a plan in advance.

Take The Help From Others

You might feel nervous walking in a room Continue reading

Current Work in BGP Security

I’ve been chasing BGP security since before the publication of the soBGP drafts, way back in the early 2000’s (that’s almost 20 years for those who are math challenged). The most recent news largely centers on the RPKI, which is used to ensure the AS originating an advertisements is authorized to do so (or rather “owns” the resource or prefix). If you are not “up” on what the RPKI does, or how it works, you might find this old blog post useful—its actually the tenth post in a ten post series on the topic of BGP security.

Recent news in this space largely centers around the ongoing deployment of the RPKI. According to Wired, Google and Facebook have both recently adopted MANRS, and are adopting RPKI. While it might not seem like autonomous systems along the edge adopting BGP security best practices and the RPKI system can make much of a difference, but the “heavy hitters” among the content providers can play a pivotal role here by refusing to accept routes that appear to be hijacked. This not only helps these providers and their customers directly—a point the Wired article makes—this also helps the ‘net in a larger way Continue reading

1 865 866 867 868 869 3,873