Research Updates from the Cloudflare Blog
2022-08-25 Deep dives & how the Internet works
We have amazing deep dives in our blog, but also research and how the Internet works kind of stories. Here are some highlights from 2022, and before (with glimpses of our history).
The future is post quantum. Enable post-quantum key agreement on your test zone today and get a headstart
2022-07-08 NIST’s pleasant post-quantum surprise
On Tuesday, the US National Institute of Standards and Technology (NIST) announced which post-quantum cryptography they will standardize. We were already drafting this post with an educated guess on the choice NIST would make.
2022-06-28 Hertzbleed explained
Hertzbleed is a brand-new family of side-channel attacks that monitors changes on CPU frequency
Cloudflare is going to participate in the research and development of the core infrastructure that helps keep Ethereum secure, fast, as well as energy efficient for everyone
Today, we're announcing we're bridging the two. We will make it possible for our customers to serve their sites on the IPFS network
2022-05-16 Gaining visibility in IPFS systems
We've developed the IPFS Gateway monitor, an observability tool that runs various IPFS scenarios on a given gateway endpoint. In this post, you'll learn how we use this tool and go over discoveries we made along the way
2022-04-15 Breaking down broadband nutrition labels
We commend Congress for including broadband nutrition labels in the Infrastructure Investment and Jobs Act, and the FCC for moving quickly to implement the labels
2022-03-31 Future-proofing SaltStack
This blogpost chronicles the recent CVEs investigation, our findings, and how we are helping secure Salt now and in the Quantum future
We continue our technical deep dive into traditional TCP proxying over HTTP
2022-03-19 A Primer on Proxies
A technical dive into traditional TCP proxying over HTTP
2022-03-08 Announcing experimental DDR in 18.104.22.168
The majority of DNS queries on the Internet today are unencrypted. This post describes a new protocol, called Discovery of Designated Resolvers (DDR), that allows clients to upgrade from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known.
The story and path of post-quantum cryptography is clear. But, what are the future challenges? In this blog post, we explore them
A big challenge is coming: to change all internal connections at Cloudflare to use post-quantum cryptography. Read how we are tackling this challenge!
HPKE (RFC 9180) was made to be simple, reusable, and future-proof by building upon knowledge from prior PKE schemes and software implementations. This article provides an overview of this new standard, going back to discuss its motivation, design goals, and development process
This blogpost refers to the efforts to use formal/verification/implementation for post-quantum algorithms to achieve better assurance for them. It also touches on our Cloudflare efforts on this
This blogpost will touch upon how to practically use Jasmin and EasyCrypt to achieve better security guarantees when verifying KEMs
2022-02-23 Making protocols post-quantum
Post-quantum key exchange and signature algorithms come with different trade-offs that we’re not used to. How do we handle that when updating protocols, and is this an opportunity to revisit the status quo?
In this blog post, we will look at what Key Encapsulation Mechanisms are and why they matter in a post-quantum world
How can one attest to an identity and prove it belongs to one self? And how can one do it in the face of quantum computers? In this blog post, we examine these questions and explain what post-quantum signatures are
At Cloudflare, we strive to help build a better Internet, which means a quantum-protected one. In this post, we look at the challenges for migrating to post-quantum cryptography and what lies ahead using a taxonomy
2022-02-21 The quantum solace and spectre
What is quantum computing and what advances have been made so far on this front? In this blog post, we will answer this question and see how to protect against quantum adversaries
2021-11-08 Sizing Up Post-Quantum Signatures
How much room does TLS have for the big post-quantum signatures? We had a look: it’s tight.
A challenge with measuring and comparing network performance is the lack of large-scale global performance metrics, like RTT measurements. In this article we describe an alternative approach to active measurements, which accurately predicts network latencies using only passively collected data.
2021-10-15 Multi-User IP Address Detection
We’ve devised novel methods to detect multi-user IP addresses, and today we’re excited to announce their integration into our global threat intelligence products. These will improve the quality of our detection techniques and reduce false positives for our customers, and the clients that visit them.
Diagnosing scaling issues in a service associated with TLS termination through a deep dive into some of the incidents it caused.
Announcing a public demo and open-sourced implementation of a privacy-preserving compromised credential checking service
IP addresses associated with names, interfaces, and sockets, can tie these things together in a way that IP was never designed to support. This post describes Cloudflare efforts to decouple of IP addresses from names, the latest in a quest for something we’re calling Addressing Agility.
2021-10-14 Research Directions in Password Security
We've been studying password problems, including malicious logins using compromised credentials. Here's what we learned and here's where we think we can go from here with safer password systems.
2021-10-13 Cloudflare and the IETF
Cloudflare helps build a better Internet through collaboration on open and interoperable standards. This post will describe how Cloudflare contributes to the standardization process to enable incremental innovation and drive long-term architectural change.
2021-10-13 Pairings in CIRCL
Our Go cryptographic library CIRCL announces support for pairing-based cryptography.
Learn more about Exported Authenticators, a new extension to TLS, currently going through the IETF standardisation process.
Real world experiments for evaluating connection coalescing effects.
2021-10-12 Introducing SSL/TLS Recommender
Introducing customized recommendations to improve the security of your website.
Cloudflare worked with TU Graz to study the impact of Spectre on Cloudflare Workers and to develop new defenses against it. Today we're publishing a paper about our research.
In this post, we’ll dig into ECH details and describe what this protocol does to move the needle to help build a better Internet.
2021-10-12 Privacy Pass v3: the new privacy bits
A new version of Privacy Pass for reducing the number of CAPTCHAs.
2021-10-11 Announcing Cloudflare Research Hub
Announcing a new landing page where you can learn more about our research and additional resources.
2021-10-11 Internship Experience: Research Engineer
Over the summer of 2020 I interned at Cloudflare Research. This invaluable experience contributed to Cloudflare’s support of ODoH protocol, and I was awarded the best student paper award at PETS 2021.
2021-10-11 Cloudflare invites visiting researchers
As part of Cloudflare’s effort to build collaborations with academia, we host research focused internships all year long. Interns collaborate cross-functionally in research projects and are encouraged to ship code and write a blog post and a peer-reviewed publication at the end of their internship.
2021-10-10 Cloudflare Research: Two Years In
What Cloudflare Research has been up to for the last two years.
2021-10-01 Announcing The Cloudflare Distributed Web Gateways Private Beta: Unlocking the Web3 Metaverse and Decentralized Finance for Everyone
Cloudflare announces the Private Beta of their Web3 gateways for Ethereum and IPFS. Unlocking the Metaverse, Web3, and Decentralized Finance for every developer.
2021-10-01 Web3 — A vision for a decentralized web
In this blog we start to explain Web3 in the context of the web's evolution, and how Cloudflare might help to support it.
The Cloudflare IPFS module protects users from threats like phishing and ransomware.
2021-08-12 More devices, fewer CAPTCHAs, happier users
Today, we are taking another step in helping to reduce the Internet’s reliance on CAPTCHAs to prove that you are not a robot. We are expanding the reach of our Cryptographic Attestation of Personhood experiment by adding support for a much wider range of devices.
2021-08-12 Introducing Zero-Knowledge Proofs for Private Web Attestation with Cross/Multi-Vendor Hardware
In Cryptographic Attestation of Personhood the server sends a message to the browser that the hardware security signs, demonstrating its authenticity.
2021-07-01 Account Takeover Protection and WAF mitigations to help stop Global Brute Force Campaigns
Today, we are making our Account Takeover Protection capabilities available to all paid plans at no additional charge.
An experiment that uses hardware security keys (like a YubiKey) to replace CAPTCHAs completely. The idea is rather simple: if a real human is sitting at their keyboard or uses their phone, they can touch their security key’s button or bring it near their phone to demonstrate that they are human.
2021-01-15 KEMTLS: Post-quantum TLS without signatures
The TLS 1.3 protocol has been around for quite some time, but it will be broken once quantum computers arrive. What can we do? In this blog post, we will examine a technique for achieving full post-quantum security for TLS 1.3 in the face of quantum computers: KEMTLS.
2021-01-13 A Name Resolver for the Distributed Web
At Cloudflare, we have been exploring alternative ways to resolve queries to responses that align with these attributes. We are proud to announce a new resolver for the Distributed Web, where IPFS content indexed by the Ethereum Name Service (ENS) can be accessed.
2020-12-11 Securing the post-quantum world
As quantum computing continues to mature, research and development efforts in cryptography are keeping pace. We’re working with academia and industry peers to help create a new set of cryptography standards that are resilient to attack from quantum computers.
2020-12-08 Good-bye ESNI, hello ECH!
A deep dive into the Encrypted Client Hello, a standard that encrypts privacy-sensitive parameters sent by the client, as part of the TLS handshake.
Imagine passwords for online services that never leave your device, encrypted or otherwise. OPAQUE is a new cryptographic protocol that makes this idea possible, giving you and only you full control of your password.
Oblivious DoH (ODoH) makes secure DNS over HTTPS (DoH) queries into private queries which prevent the leakage of client IP addresses to resolvers. The new proposed ODoH standard addresses this problem and today we are enabling users to use this protocol with 22.214.171.124
Today, we’re making several announcements around improving Internet protocols with respect to something important to our customers and Internet users worldwide: privacy.
2020-10-01 NTS is now an RFC
After much hard work, NTS finally becomes an official RFC.This means that Network Time Security (NTS) is officially part of the collection of protocols that makes the Internet work.
2019-11-01 Delegated Credentials for TLS
Today we’re happy to announce support for a new cryptographic protocol that helps make it possible to deploy encrypted services in a global network while still maintaining fast performance and tight control of private keys: Delegated Credentials for TLS.
Several months ago we announced that we were providing a new public time service. Part of what we were providing was the first major deployment of the new Network Time Security protocol, with a newly written implementation of NTS in Rust.
2019-10-30 The TLS Post-Quantum Experiment
In June, we announced a wide-scale post-quantum experiment with Google. We implemented two post-quantum (i.e., not yet known to be broken by quantum computers) key exchanges, integrated them into our TLS stack and deployed the implementation on our edge servers and in Chrome Canary clients.
2019-10-29 DNS Encryption Explained
The Domain Name System (DNS) is the address book of the Internet. When you visit cloudflare.com or any other site, your browser will ask a DNS resolver for the IP address where the website can be found. Unfortunately, these DNS queries and answers are typically unprotected.
At Cloudflare, we are committed to supporting and developing new privacy-preserving technologies that benefit all Internet users. In November 2017, we announced server-side support for the Privacy Pass protocol, a piece of work developed in collaboration with the academic community.
2019-09-18 Cloudflare’s Approach to Research
Cloudflare’s mission is to help build a better Internet. One of the tools used in pursuit of this goal is computer science research. We’ve learned that some of the difficult problems to solve are best approached through research
2019-06-21 Introducing time.cloudflare.com
Cloudflare has always been a leader in deploying secure versions of insecure Internet protocols and making them available for free for anyone to use. In 2014, we launched one of the world’s first free, secure HTTPS service (Universal SSL) to go along with our existing free HTTP plan.
2019-06-20 The Quantum Menace
The impact of quantum computing on cryptography conducts research and development towards a Post-Quantum era.
Today we are proud to release the source code of a cryptographic library we’ve been working on: a collection of cryptographic primitives written in Go, called CIRCL.
2019-06-19 Cloudflare's Ethereum Gateway
Today, we are excited to announce Cloudflare's Ethereum Gateway, where you can interact with the Ethereum network without installing any software on your computer.
The practice of HTTPS interception continues to be commonplace on the Internet. This blog post discusses types of monster-in-the-middle devices and software, and how to detect them.
When you visit a secure website, it offers you a TLS certificate that asserts its identity. Every certificate has an expiration date, and when it’s passed due, it is no longer valid.
Today we’re excited to introduce Cloudflare’s IPFS Gateway, an easy way to access content from the the InterPlanetary File System (IPFS) that doesn’t require installing and running any special software on your computer.
2018-08-11 A Detailed Look at RFC 8446 (a.k.a. TLS 1.3)
TLS 1.3 (RFC 8446) was published today. This article provides a deep dive into the changes introduced in TLS 1.3 and its impact on the future of internet security.
Certificate Transparency (CT) is an ambitious project to help improve security online by bringing accountability to the system that protects HTTPS. Cloudflare is announcing support for this project by introducing two new public-good services.
2017-12-26 Why TLS 1.3 isn't in browsers yet
Upgrading a security protocol in an ecosystem as complex as the Internet is difficult. You need to update clients and servers and make sure everything in between continues to work correctly. The Internet is in the middle of such an upgrade right now.
This post provides a retrospective analysis of Mirai — the infamous Internet-of-Things botnet that took down major websites via massive distributed denial-of-service using hundreds of thousands of compromised Internet-Of-Things devices.
2017-11-09 Privacy Pass - “The Math”
During a recent internship at Cloudflare, I had the chance to help integrate support for improving the accessibility of websites that are protected by the Cloudflare edge network.
2017-11-09 Cloudflare supports Privacy Pass
Cloudflare supports Privacy Pass, a recently-announced privacy-preserving protocol developed in collaboration with researchers from Royal Holloway and the University of Waterloo.
2017-09-26 Geo Key Manager: How It Works
Today we announced Geo Key Manager, a feature that gives customers control over where their private keys are stored with Cloudflare. This builds on a previous Cloudflare innovation called Keyless SSL and a novel cryptographic access control mechanism.
At Cloudflare our focus is making the internet faster and more secure. Today we are announcing a new enhancement to our HTTPS service: High-Reliability OCSP stapling.