Traveling back and forth between the UK and US I often find myself answering the question “What does CloudFlare do?”. That question gets posed by USCIS on arrival and I’ve honed a short and accurate answer: “CloudFlare protects web sites from hackers, makes web sites faster and ensures they work on your computer, phone or tablet.”
If anyone, border agents or others, wants more detail I usually say: “If you run a web site or API for an app and you are Amazon.com, Google, Yahoo or one of a handful of major Internet sites you have the expertise to stay on top of the latest technologies and attacks; you have the staff to accelerate your web site and keep it fully patched. Anyone else, and that’s almost every web site on the Internet, simply will not have the money, people, or knowledge to ‘be a Google’. That’s where CloudFlare comes in: we make sure to stay on top of the latest trends in the Internet so that every web site can ‘be Google’."
The author William Gibson has said many times: “The future is already here — it's just not very evenly distributed.” And that applies to the Internet as well. Companies like Google already have web sites that are ‘in the future’ compared to most of the Internet.
CloudFlare believes that the future should be evenly distributed and our service is designed to provide the most up to date Internet experience whether a web site is large or small without installing software or buying and maintaining hardware.
Time and Technology Wait for No Man
Although great effort is made to ensure that the web remains backwards compatible (yes, you can still surf the original Space Jam web site from 1996) users of the web expect a fast, safe experience and that means keeping up with changing technology. And they expect to be able to access the web on mobile devices and desktop computers. It’s not possible for a web site to stand still.
Organizations like the IETF and W3C are constantly working to improve the Internet with technologies like IPv6, HTTP/2, HTML5 and TLS 1.3, and there are constant micro-improvements (for example, the ever changing set of recommended SSL/TLS cipher suites or changes to hints to allow web browsers to preload content or new compression algorithms like Brotli). It’s almost impossible for someone managing a web site to stay up to date.
As well as changes to the underlying technology hackers and attackers are also innovating. Protecting web sites requires a layered defense that’s constantly updating as DDoS techniques change and volumes go up, and as vulnerabilities are found in web sites.
As the Internet itself grows and more and more people get online web sites face another problem: unexpected popularity. Large web properties, like Google, have big, fat connections to the Internet, lots of servers and load balancers to help their web sites cope with an influx of traffic. For others, unexpected popularity (be it a link on the front page of Reddit, a mention on a major TV program, or a sudden Twitter storm) can be a hug of death where the one time the web site definitely needs to be online it’s offline because it can’t cope.
Add to that the curse of DDoS attacks, which get directed at web sites large and small, it’s very hard for a web site operator to stay up to date and safe.
The End of Hardware
In the past web sites wanting to ‘be a Google’ often spent a small fortune on hardware devices and virtual appliances such as giant routers, DDoS mitigation boxes, specialized firewalls, load balancers and had to maintain piles of servers to deal with traffic spikes.
All that hardware brought its own problems: firmware needs updating and web sites are locked into the features that a particular vendor provides. If a front-end load balancer doesn’t provide support for HTTP/2 there’s little to be done other than make the expensive decision to switch to some other hardware.
Updates to hardware firmware first have to be made available by the vendors of the hardware and then scheduled. The hardware becomes yet another thing to maintain (at great initial and ongoing cost) and often lags behind the latest Internet innovations and attacks. And the hardware itself can lag behind as LAN technologies inevitably scale up from 1Gbps through 10Gbps onwards to 100Gbps and so on.
During the severe Heartbleed problem the hardware load balancers from one large vendor were vulnerable and leaking private information and it required an emergency patch by the vendor to be distributed to everyone who had a support contract for the hardware. Between the time the vulnerability was disclosed and the time end users patched their hardware the bug was being actively exploited across the Internet.
Mind The Gap
As I mentioned above in the case of Heartbleed, there’s an inherent gap between when a security problem is disclosed (and the black hat community immediately starts exploiting it) and the patching of end user hardware and software. This happens over and again.
Back in 2014 a nasty bug named Shellshock emerged that affected many, many web sites. CloudFlare immediately rolled out protection for all our customers. As Wikipedia points out there were reports of web sites hacked using Shellshock within one hour of its disclosure. A day later botnets had been created by exploiting this vulnerability and were performing DDoS attacks. Five days after the disclosure we'd blocked north of 1.1 million attacks attempting using Shellshock.
Recently, a vulnerability in the ImageMagick image manipulation software caused web sites to be hacked. Once again we rolled out protection for customers using our WAF and saw the vulnerability being exploited by black hats immediately.
This gap between when a vulnerability is made public (and starts getting exploited) and when a web site owner updates their software or firmware creates a real opportunity for hackers. CloudFlare protection buys web site owners time to update and protect themselves and prevents them getting hacked.
Rough Consensus and Running Code1
CloudFlare consistently pushes out new Internet technologies so that our customers have the latest, fastest and safest Internet experience, but it also does so for another reason: there’s nothing like actual experience with a technology. If you want to provide the most up to date technology you have to stay ahead of the future.
For both CloudFlare and our customers it makes sense to have the latest technologies available for testing and use as soon as possible. For example, a customer may want to start optimizing their web site for HTTP/1.1 and HTTP/2; because CloudFlare offers HTTP/2 service they can quickly start testing different configurations in the real world.
Or a customer may want to start experimenting with HTTP/2 Server Push to see how much of a speedup they can obtain for their web site or app. Once again, CloudFlare makes that available.
Or a customer may have realized that IPv6 is fast becoming an important technology because of it's faster than IPv4 in many cases. CloudFlare has provided IPv6 for years.
Equally, CloudFlare gains useful experience from testing and deploying new technologies. We recently spent time doing a deep analysis of the Brotli compression algorithm to understand how it would perform for our customers. It’s up and running on our public test server for those that like to live on the bleeding edge.
Equally, we've rolled cryptographic algorithms like ChaCha20-Poly1305 to give mobile users fast, secure connections with better battery life. We're now experimenting with TLS 1.3 to ensure that our customers stay up to date with the latest in secure Internet.
Web performance, web security and web attacks evolve and improve rapidly. People expect an almost instant response from web sites and apps, and to have high security. Web site and API owners need protection from the latest security vulnerabilities and to supply that fast, rich experience to users.
Hardware appliances no longer fit the bill. They get upgraded less frequently than their owners change mobile phones and the only people who think of them as an asset work in finance.
The full version of that is "We reject kings, presidents and voting. We believe in rough consensus and running code" ↩