Research Updates from the Cloudflare Blog
2024-11-08 How we prevent conflicts in authoritative DNS configuration using formal verification
We describe how Cloudflare uses a custom Lisp-like programming language and formal verifier (written in Racket and Rosette) to prevent logical contradictions in our authoritative DNS nameserver’s behavior.
2024-11-07 A look at the latest post-quantum signature standardization candidates
NIST has standardized four post-quantum signature schemes so far, and they’re not done yet: there are fourteen new candidates in the running for standardization. In this blog post we take measure of them and discover why we ended up with so many PQ signatures.
2024-09-25 Introducing Speed Brain: helping web pages load 45% faster
We are excited to announce the latest leap forward in speed – Speed Brain. Speed Brain uses the Speculation Rules API to prefetch content for the user's likely next navigations. The goal is to download a web page to the browser before a user navigates to it, allowing pages to load instantly.
2024-09-24 Cloudflare helps verify the security of end-to-end encrypted messages by auditing key transparency for WhatsApp
Cloudflare is now verifying WhatsApp’s Key Transparency audit proofs to ensure the security of end-to-end encrypted messaging conversations without having to manually check QR codes. We are publishing the results of the proof verification to https://dash.key-transparency.cloudflare.com for independent researchers and security experts to compare against WhatsApp’s. Cloudflare does not have access to underlying public key material or message metadata as part of this infrastructure.
2024-09-05 A global assessment of third-party connection tampering
Cloudflare brings visibility to the practice of connection tampering as observed from our global network.
2024-09-05 Bringing insights into TCP resets and timeouts to Cloudflare Radar
New TCP resets and timeouts dataset on Cloudflare Radar surfaces connection tampering, scanning, DoS attacks, and more.
2024-08-20 NIST’s first post-quantum standards
NIST has published the first cryptographic standards for protecting against attacks from quantum computers. Learn what this means for you and your organization.
2024-08-08 Introducing Automatic SSL/TLS: securing and simplifying origin connectivity
This new Automatic SSL/TLS setting will maximize and simplify the encryption modes Cloudflare uses to communicate with origin servers by using the SSL/TLS Recommender.
2024-03-05 The state of the post-quantum Internet
Today, nearly two percent of all TLS 1.3 connections established with Cloudflare are secured with post-quantum cryptography. What once was the topic of futuristic tech demos will soon be the new security baseline for the Internet
2024-01-04 Privacy Pass: upgrading to the latest protocol version
In this post, we explore the latest changes to Privacy Pass protocol. We are also excited to introduce a public implementation of the latest IETF draft of the Privacy Pass protocol — including a set of open-source templates that can be used to implement Privacy Pass Origins, Issuers, and Attesters
2023-12-22 Have your data and hide it too: an introduction to differential privacy
Providing software and web services that deliver value for users often requires measuring user behavior. In this blog we discuss emerging cryptographic and statistical techniques that enable collecting such measurements without violating user privacy
2023-10-02 Birthday Week recap: everything we announced — plus an AI-powered opportunity for startups
Need a recap or refresher on all the big Birthday Week news this week? This recap has you covered
2023-09-29 Post-quantum cryptography goes GA
Cloudflare announces Post-Quantum Cryptography as a Generally Available system
2023-09-29 Encrypted Client Hello - the last puzzle piece to privacy
We're excited to announce a contribution to improving privacy for everyone on the Internet. Encrypted Client Hello, a new standard that prevents networks from snooping on which websites a user is visiting, is now available on all Cloudflare plans.
2023-09-29 Cloudflare now uses post-quantum cryptography to talk to your origin server
Starting today, you can secure the connection between Cloudflare and your origin server with post-quantum cryptography
2023-09-29 Privacy-preserving measurement and machine learning
Cloudflare is implementing DAP (Distributed Aggregation Protocol) – a way of aggregating data without exposing individual measurements that uses multi-party computation
2023-09-04 Connection coalescing with ORIGIN Frames: fewer DNS queries, fewer connections
In this blog we’re going to take a closer look at “connection coalescing”, with specific focus on manage it at a large scale
2023-03-16 Post-quantum crypto should be free, so we’re including it for free, forever
Cloudflare makes the most advanced cryptography free for everyone, and it’s in beta today
2023-03-16 No, AI did not break post-quantum cryptography
The recent news reports of AI cracking post-quantum cryptography are greatly exaggerated. In this blog, we take a deep dive into the world of side-channel attacks and how AI has been used for more than a decade already to aid it
2023-01-27 Inside Geo Key Manager v2: re-imagining access control for distributed systems
Using the story of Geo Key Manager v2 as an example, let’s re-imagine access control for distributed systems using a variant of public-key cryptography, called attribute-based encryption.
2022-10-27 Stronger than a promise: proving Oblivious HTTP privacy properties
In this blog post, we describe a formal, computer-aided security analysis of Oblivious HTTP, an emerging IETF standard that applications can use to improve user privacy
2022-10-03 Defending against future threats: Cloudflare goes post-quantum
The future of a private and secure Internet is at stake; that is why today we have enabled post-quantum cryptography support for all our customers
2022-10-03 Automatic (secure) transmission: taking the pain out of origin connection security
Today we’re excited to announce that we will soon be offering a zero-configuration option for security on Cloudflare. If we find that we can automatically upgrade the security connection between Cloudflare and a user’s origin, we will
2022-10-03 Introducing post-quantum Cloudflare Tunnel
Every connection we make post-quantum secure, we remove one opportunity for compromise: that's why we are announcing post-quantum Cloudflare Tunnel to help you secure every connection to our network
2022-08-25 Deep dives & how the Internet works
We have amazing deep dives in our blog, but also research and how the Internet works kind of stories. Here are some highlights from 2022, and before (with glimpses of our history).
2022-08-04 Experiment with post-quantum cryptography today
The future is post quantum. Enable post-quantum key agreement on your test zone today and get a headstart
2022-07-08 NIST’s pleasant post-quantum surprise
On Tuesday, the US National Institute of Standards and Technology (NIST) announced which post-quantum cryptography they will standardize. We were already drafting this post with an educated guess on the choice NIST would make.
2022-06-28 Hertzbleed explained
Hertzbleed is a brand-new family of side-channel attacks that monitors changes on CPU frequency
2022-05-16 Proof of Stake and our next experiments in web3
Cloudflare is going to participate in the research and development of the core infrastructure that helps keep Ethereum secure, fast, as well as energy efficient for everyone
2022-05-16 Serving Cloudflare Pages sites to the IPFS network
Today, we're announcing we're bridging the two. We will make it possible for our customers to serve their sites on the IPFS network
2022-05-16 Gaining visibility in IPFS systems
We've developed the IPFS Gateway monitor, an observability tool that runs various IPFS scenarios on a given gateway endpoint. In this post, you'll learn how we use this tool and go over discoveries we made along the way
2022-04-15 Breaking down broadband nutrition labels
We commend Congress for including broadband nutrition labels in the Infrastructure Investment and Jobs Act, and the FCC for moving quickly to implement the labels
2022-03-31 Future-proofing SaltStack
This blogpost chronicles the recent CVEs investigation, our findings, and how we are helping secure Salt now and in the Quantum future
2022-03-20 Unlocking QUIC’s proxying potential with MASQUE
We continue our technical deep dive into traditional TCP proxying over HTTP
2022-03-19 A Primer on Proxies
A technical dive into traditional TCP proxying over HTTP
2022-03-08 Announcing experimental DDR in 1.1.1.1
The majority of DNS queries on the Internet today are unencrypted. This post describes a new protocol, called Discovery of Designated Resolvers (DDR), that allows clients to upgrade from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known.
2022-02-25 The post-quantum future: challenges and opportunities
The story and path of post-quantum cryptography is clear. But, what are the future challenges? In this blog post, we explore them
2022-02-25 Post-quantumify internal services: Logfwrdr, Tunnel, and gokeyless
A big challenge is coming: to change all internal connections at Cloudflare to use post-quantum cryptography. Read how we are tackling this challenge!
2022-02-24 HPKE: Standardizing public-key encryption (finally!)
HPKE (RFC 9180) was made to be simple, reusable, and future-proof by building upon knowledge from prior PKE schemes and software implementations. This article provides an overview of this new standard, going back to discuss its motivation, design goals, and development process
2022-02-24 Building Confidence in Cryptographic Protocols
This blogpost refers to the efforts to use formal/verification/implementation for post-quantum algorithms to achieve better assurance for them. It also touches on our Cloudflare efforts on this
2022-02-24 Using EasyCrypt and Jasmin for post-quantum verification
This blogpost will touch upon how to practically use Jasmin and EasyCrypt to achieve better security guarantees when verifying KEMs
2022-02-23 Making protocols post-quantum
Post-quantum key exchange and signature algorithms come with different trade-offs that we’re not used to. How do we handle that when updating protocols, and is this an opportunity to revisit the status quo?
2022-02-22 Deep dive into a post-quantum key encapsulation algorithm
In this blog post, we will look at what Key Encapsulation Mechanisms are and why they matter in a post-quantum world
2022-02-22 Deep dive into a post-quantum signature scheme
How can one attest to an identity and prove it belongs to one self? And how can one do it in the face of quantum computers? In this blog post, we examine these questions and explain what post-quantum signatures are
2022-02-21 The post-quantum state: a taxonomy of challenges
At Cloudflare, we strive to help build a better Internet, which means a quantum-protected one. In this post, we look at the challenges for migrating to post-quantum cryptography and what lies ahead using a taxonomy
2022-02-21 The quantum solace and spectre
What is quantum computing and what advances have been made so far on this front? In this blog post, we will answer this question and see how to protect against quantum adversaries
2021-11-08 Sizing Up Post-Quantum Signatures
How much room does TLS have for the big post-quantum signatures? We had a look: it’s tight.
2021-10-18 Tunnel: Cloudflare’s Newest Homeowner
Starting today, users who deploy and manage Cloudflare Tunnel at scale now have easier visibility into their Tunnel’s respective status, routes, uptime, connectors, cloudflared version, and much more through our new UI in the Cloudflare for Teams Dashboard.
2021-10-15 “Look, Ma, no probes!” — Characterizing CDNs’ latencies with passive measurement
A challenge with measuring and comparing network performance is the lack of large-scale global performance metrics, like RTT measurements. In this article we describe an alternative approach to active measurements, which accurately predicts network latencies using only passively collected data.
2021-10-15 Multi-User IP Address Detection
We’ve devised novel methods to detect multi-user IP addresses, and today we’re excited to announce their integration into our global threat intelligence products. These will improve the quality of our detection techniques and reduce false positives for our customers, and the clients that visit them.
2021-10-15 Geo Key Manager: Setting up a service for scale
Diagnosing scaling issues in a service associated with TLS termination through a deep dive into some of the incidents it caused.
2021-10-14 Privacy-Preserving Compromised Credential Checking
Announcing a public demo and open-sourced implementation of a privacy-preserving compromised credential checking service
2021-10-14 Unbuckling the narrow waist of IP: Addressing Agility for Names and Web Services
IP addresses associated with names, interfaces, and sockets, can tie these things together in a way that IP was never designed to support. This post describes Cloudflare efforts to decouple of IP addresses from names, the latest in a quest for something we’re calling Addressing Agility.
2021-10-14 Research Directions in Password Security
We've been studying password problems, including malicious logins using compromised credentials. Here's what we learned and here's where we think we can go from here with safer password systems.
2021-10-13 Cloudflare and the IETF
Cloudflare helps build a better Internet through collaboration on open and interoperable standards. This post will describe how Cloudflare contributes to the standardization process to enable incremental innovation and drive long-term architectural change.
2021-10-13 Pairings in CIRCL
Our Go cryptographic library CIRCL announces support for pairing-based cryptography.
2021-10-13 Exported Authenticators: The long road to RFC
Learn more about Exported Authenticators, a new extension to TLS, currently going through the IETF standardisation process.
2021-10-13 Coalescing Connections to Improve Network Privacy and Performance
Real world experiments for evaluating connection coalescing effects.
2021-10-12 Introducing SSL/TLS Recommender
Introducing customized recommendations to improve the security of your website.
2021-10-12 Dynamic Process Isolation: Research by Cloudflare and TU Graz
Cloudflare worked with TU Graz to study the impact of Spectre on Cloudflare Workers and to develop new defenses against it. Today we're publishing a paper about our research.
2021-10-12 Handshake Encryption: Endgame (an ECH update)
In this post, we’ll dig into ECH details and describe what this protocol does to move the needle to help build a better Internet.
2021-10-12 Privacy Pass v3: the new privacy bits
A new version of Privacy Pass for reducing the number of CAPTCHAs.
2021-10-11 Announcing Cloudflare Research Hub
Announcing a new landing page where you can learn more about our research and additional resources.
2021-10-11 Internship Experience: Research Engineer
Over the summer of 2020 I interned at Cloudflare Research. This invaluable experience contributed to Cloudflare’s support of ODoH protocol, and I was awarded the best student paper award at PETS 2021.
2021-10-11 Cloudflare invites visiting researchers
As part of Cloudflare’s effort to build collaborations with academia, we host research focused internships all year long. Interns collaborate cross-functionally in research projects and are encouraged to ship code and write a blog post and a peer-reviewed publication at the end of their internship.
2021-10-10 Cloudflare Research: Two Years In
What Cloudflare Research has been up to for the last two years.
2021-10-01 Announcing The Cloudflare Distributed Web Gateways Private Beta: Unlocking the Web3 Metaverse and Decentralized Finance for Everyone
Cloudflare announces the Private Beta of their Web3 gateways for Ethereum and IPFS. Unlocking the Metaverse, Web3, and Decentralized Finance for every developer.
2021-10-01 Web3 — A vision for a decentralized web
In this blog we start to explain Web3 in the context of the web's evolution, and how Cloudflare might help to support it.
2021-09-30 How Cloudflare provides tools to help keep IPFS users safe
The Cloudflare IPFS module protects users from threats like phishing and ransomware.
2021-08-12 More devices, fewer CAPTCHAs, happier users
Today, we are taking another step in helping to reduce the Internet’s reliance on CAPTCHAs to prove that you are not a robot. We are expanding the reach of our Cryptographic Attestation of Personhood experiment by adding support for a much wider range of devices.
2021-08-12 Introducing Zero-Knowledge Proofs for Private Web Attestation with Cross/Multi-Vendor Hardware
In Cryptographic Attestation of Personhood the server sends a message to the browser that the hardware security signs, demonstrating its authenticity.
2021-07-01 Account Takeover Protection and WAF mitigations to help stop Global Brute Force Campaigns
Today, we are making our Account Takeover Protection capabilities available to all paid plans at no additional charge.
2021-05-13 Humanity wastes about 500 years per day on CAPTCHAs. It’s time to end this madness
An experiment that uses hardware security keys (like a YubiKey) to replace CAPTCHAs completely. The idea is rather simple: if a real human is sitting at their keyboard or uses their phone, they can touch their security key’s button or bring it near their phone to demonstrate that they are human.
2021-01-15 KEMTLS: Post-quantum TLS without signatures
The TLS 1.3 protocol has been around for quite some time, but it will be broken once quantum computers arrive. What can we do? In this blog post, we will examine a technique for achieving full post-quantum security for TLS 1.3 in the face of quantum computers: KEMTLS.
2021-01-13 A Name Resolver for the Distributed Web
At Cloudflare, we have been exploring alternative ways to resolve queries to responses that align with these attributes. We are proud to announce a new resolver for the Distributed Web, where IPFS content indexed by the Ethereum Name Service (ENS) can be accessed.
2020-12-11 Securing the post-quantum world
As quantum computing continues to mature, research and development efforts in cryptography are keeping pace. We’re working with academia and industry peers to help create a new set of cryptography standards that are resilient to attack from quantum computers.
2020-12-08 Helping build the next generation of privacy-preserving protocols
Today, we’re making several announcements around improving Internet protocols with respect to something important to our customers and Internet users worldwide: privacy.
2020-12-08 OPAQUE: The Best Passwords Never Leave your Device
Imagine passwords for online services that never leave your device, encrypted or otherwise. OPAQUE is a new cryptographic protocol that makes this idea possible, giving you and only you full control of your password.
2020-12-08 Improving DNS Privacy with Oblivious DoH in 1.1.1.1
Oblivious DoH (ODoH) makes secure DNS over HTTPS (DoH) queries into private queries which prevent the leakage of client IP addresses to resolvers. The new proposed ODoH standard addresses this problem and today we are enabling users to use this protocol with 1.1.1.1
2020-12-08 Good-bye ESNI, hello ECH!
A deep dive into the Encrypted Client Hello, a standard that encrypts privacy-sensitive parameters sent by the client, as part of the TLS handshake.
2020-10-01 NTS is now an RFC
After much hard work, NTS finally becomes an official RFC.This means that Network Time Security (NTS) is officially part of the collection of protocols that makes the Internet work.
2019-11-01 Delegated Credentials for TLS
Today we’re happy to announce support for a new cryptographic protocol that helps make it possible to deploy encrypted services in a global network while still maintaining fast performance and tight control of private keys: Delegated Credentials for TLS.
2019-10-31 Announcing cfnts: Cloudflare's implementation of NTS in Rust
Several months ago we announced that we were providing a new public time service. Part of what we were providing was the first major deployment of the new Network Time Security protocol, with a newly written implementation of NTS in Rust.
2019-10-30 The TLS Post-Quantum Experiment
In June, we announced a wide-scale post-quantum experiment with Google. We implemented two post-quantum (i.e., not yet known to be broken by quantum computers) key exchanges, integrated them into our TLS stack and deployed the implementation on our edge servers and in Chrome Canary clients.
2019-10-29 DNS Encryption Explained
The Domain Name System (DNS) is the address book of the Internet. When you visit cloudflare.com or any other site, your browser will ask a DNS resolver for the IP address where the website can be found. Unfortunately, these DNS queries and answers are typically unprotected.
2019-10-28 Supporting the latest version of the Privacy Pass Protocol
At Cloudflare, we are committed to supporting and developing new privacy-preserving technologies that benefit all Internet users. In November 2017, we announced server-side support for the Privacy Pass protocol, a piece of work developed in collaboration with the academic community.
2019-09-18 Cloudflare’s Approach to Research
Cloudflare’s mission is to help build a better Internet. One of the tools used in pursuit of this goal is computer science research. We’ve learned that some of the difficult problems to solve are best approached through research
2019-06-21 Introducing time.cloudflare.com
Cloudflare has always been a leader in deploying secure versions of insecure Internet protocols and making them available for free for anyone to use. In 2014, we launched one of the world’s first free, secure HTTPS service (Universal SSL) to go along with our existing free HTTP plan.
2019-06-20 The Quantum Menace
The impact of quantum computing on cryptography conducts research and development towards a Post-Quantum era.
2019-06-20 Introducing CIRCL: An Advanced Cryptographic Library
Today we are proud to release the source code of a cryptographic library we’ve been working on: a collection of cryptographic primitives written in Go, called CIRCL.
2019-06-19 Cloudflare's Ethereum Gateway
Today, we are excited to announce Cloudflare's Ethereum Gateway, where you can interact with the Ethereum network without installing any software on your computer.
2019-03-18 Monsters in the Middleboxes: Introducing Two New Tools for Detecting HTTPS Interception
The practice of HTTPS interception continues to be commonplace on the Internet. This blog post discusses types of monster-in-the-middle devices and software, and how to detect them.
2018-09-21 Roughtime: Securing Time with Digital Signatures
When you visit a secure website, it offers you a TLS certificate that asserts its identity. Every certificate has an expiration date, and when it’s passed due, it is no longer valid.
2018-09-17 Cloudflare goes InterPlanetary - Introducing Cloudflare’s IPFS Gateway
Today we’re excited to introduce Cloudflare’s IPFS Gateway, an easy way to access content from the the InterPlanetary File System (IPFS) that doesn’t require installing and running any special software on your computer.
2018-08-11 A Detailed Look at RFC 8446 (a.k.a. TLS 1.3)
TLS 1.3 (RFC 8446) was published today. This article provides a deep dive into the changes introduced in TLS 1.3 and its impact on the future of internet security.
2018-03-23 Introducing Certificate Transparency and Nimbus
Certificate Transparency (CT) is an ambitious project to help improve security online by bringing accountability to the system that protects HTTPS. Cloudflare is announcing support for this project by introducing two new public-good services.
2017-12-26 Why TLS 1.3 isn't in browsers yet
Upgrading a security protocol in an ecosystem as complex as the Internet is difficult. You need to update clients and servers and make sure everything in between continues to work correctly. The Internet is in the middle of such an upgrade right now.
2017-12-26 Concise (Post-Christmas) Cryptography Challenges
It's the day after Christmas; or, depending on your geography, Boxing Day. With the festivities over, you may still find yourself stuck at home and somewhat bored.
2017-12-14 Inside the infamous Mirai IoT Botnet: A Retrospective Analysis
This post provides a retrospective analysis of Mirai — the infamous Internet-of-Things botnet that took down major websites via massive distributed denial-of-service using hundreds of thousands of compromised Internet-Of-Things devices.
2017-11-09 Privacy Pass - “The Math”
During a recent internship at Cloudflare, I had the chance to help integrate support for improving the accessibility of websites that are protected by the Cloudflare edge network.