Research Updates from the Cloudflare Blog

2024-03-05 The state of the post-quantum Internet

Today, nearly two percent of all TLS 1.3 connections established with Cloudflare are secured with post-quantum cryptography. What once was the topic of futuristic tech demos will soon be the new security baseline for the Internet

2024-01-04 Privacy Pass: upgrading to the latest protocol version

In this post, we explore the latest changes to Privacy Pass protocol. We are also excited to introduce a public implementation of the latest IETF draft of the Privacy Pass protocol — including a set of open-source templates that can be used to implement Privacy Pass Origins, Issuers, and Attesters

2023-12-22 Have your data and hide it too: an introduction to differential privacy

Providing software and web services that deliver value for users often requires measuring user behavior. In this blog we discuss emerging cryptographic and statistical techniques that enable collecting such measurements without violating user privacy

2023-10-02 Birthday Week recap: everything we announced — plus an AI-powered opportunity for startups

Need a recap or refresher on all the big Birthday Week news this week? This recap has you covered

2023-09-29 Post-quantum cryptography goes GA

Cloudflare announces Post-Quantum Cryptography as a Generally Available system

2023-09-29 Encrypted Client Hello - the last puzzle piece to privacy

We're excited to announce a contribution to improving privacy for everyone on the Internet. Encrypted Client Hello, a new standard that prevents networks from snooping on which websites a user is visiting, is now available on all Cloudflare plans.

2023-09-29 Privacy-preserving measurement and machine learning

Cloudflare is implementing DAP (Distributed Aggregation Protocol) – a way of aggregating data without exposing individual measurements that uses multi-party computation

2023-09-29 Cloudflare now uses post-quantum cryptography to talk to your origin server

Starting today, you can secure the connection between Cloudflare and your origin server with post-quantum cryptography

2023-09-04 Connection coalescing with ORIGIN Frames: fewer DNS queries, fewer connections

In this blog we’re going to take a closer look at “connection coalescing”, with a specific focus on managing it at a large scale

2023-03-16 No, AI did not break post-quantum cryptography

The recent news reports of AI cracking post-quantum cryptography are greatly exaggerated. In this blog, we take a deep dive into the world of side-channel attacks and how AI has been used for more than a decade already to aid them

2023-03-16 Post-quantum crypto should be free, so we’re including it for free, forever

Cloudflare makes the most advanced cryptography free for everyone, and it’s in beta today

2023-01-27 Inside Geo Key Manager v2: re-imagining access control for distributed systems

Using the story of Geo Key Manager v2 as an example, let’s re-imagine access control for distributed systems using a variant of public-key cryptography, called attribute-based encryption.

2022-10-27 Stronger than a promise: proving Oblivious HTTP privacy properties

In this blog post, we describe a formal, computer-aided security analysis of Oblivious HTTP, an emerging IETF standard that applications can use to improve user privacy

2022-10-03 Defending against future threats: Cloudflare goes post-quantum

The future of a private and secure Internet is at stake; that is why today we have enabled post-quantum cryptography support for all our customers

2022-10-03 Introducing post-quantum Cloudflare Tunnel

Every connection we make post-quantum secure, we remove one opportunity for compromise: that's why we are announcing post-quantum Cloudflare Tunnel to help you secure every connection to our network

2022-10-03 Automatic (secure) transmission: taking the pain out of origin connection security

Today we’re excited to announce that we will soon be offering a zero-configuration option for security on Cloudflare. If we find that we can automatically upgrade the security connection between Cloudflare and a user’s origin, we will

2022-08-25 Deep dives & how the Internet works

We have amazing deep dives in our blog, but also research and how the Internet works kind of stories. Here are some highlights from 2022, and before (with glimpses of our history).

2022-08-04 Experiment with post-quantum cryptography today

The future is post-quantum. Enable post-quantum key agreement on your test zone today and get a head start

2022-07-08 NIST’s pleasant post-quantum surprise

On Tuesday, the US National Institute of Standards and Technology (NIST) announced which post-quantum cryptography they will standardize. We were already drafting this post with an educated guess on the choice NIST would make.

2022-06-28 Hertzbleed explained

Hertzbleed is a brand-new family of side-channel attacks that monitors changes on CPU frequency

2022-05-16 Proof of Stake and our next experiments in web3

Cloudflare is going to participate in the research and development of the core infrastructure that helps keep Ethereum secure, fast, as well as energy efficient for everyone

2022-05-16 Serving Cloudflare Pages sites to the IPFS network

Today, we're announcing we're bridging the two. We will make it possible for our customers to serve their sites on the IPFS network

2022-05-16 Gaining visibility in IPFS systems

We've developed the IPFS Gateway monitor, an observability tool that runs various IPFS scenarios on a given gateway endpoint. In this post, you'll learn how we use this tool and go over discoveries we made along the way

2022-04-15 Breaking down broadband nutrition labels

We commend Congress for including broadband nutrition labels in the Infrastructure Investment and Jobs Act, and the FCC for moving quickly to implement the labels

2022-03-31 Future-proofing SaltStack

This blogpost chronicles the recent CVEs investigation, our findings, and how we are helping secure Salt now and in the Quantum future

2022-03-20 Unlocking QUIC’s proxying potential with MASQUE

We continue our technical deep dive into traditional TCP proxying over HTTP

2022-03-19 A Primer on Proxies

A technical dive into traditional TCP proxying over HTTP

2022-03-08 Announcing experimental DDR in

The majority of DNS queries on the Internet today are unencrypted. This post describes a new protocol, called Discovery of Designated Resolvers (DDR), that allows clients to upgrade from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known.

2022-02-25 The post-quantum future: challenges and opportunities

The story and path of post-quantum cryptography is clear. But, what are the future challenges? In this blog post, we explore them

2022-02-25 Post-quantumify internal services: Logfwrdr, Tunnel, and gokeyless

A big challenge is coming: to change all internal connections at Cloudflare to use post-quantum cryptography. Read how we are tackling this challenge!

2022-02-24 HPKE: Standardizing public-key encryption (finally!)

HPKE (RFC 9180) was made to be simple, reusable, and future-proof by building upon knowledge from prior PKE schemes and software implementations. This article provides an overview of this new standard, going back to discuss its motivation, design goals, and development process

2022-02-24 Building Confidence in Cryptographic Protocols

This blogpost refers to the efforts to use formal/verification/implementation for post-quantum algorithms to achieve better assurance for them. It also touches on our Cloudflare efforts on this

2022-02-24 Using EasyCrypt and Jasmin for post-quantum verification

This blogpost will touch upon how to practically use Jasmin and EasyCrypt to achieve better security guarantees when verifying KEMs

2022-02-23 Making protocols post-quantum

Post-quantum key exchange and signature algorithms come with different trade-offs that we’re not used to. How do we handle that when updating protocols, and is this an opportunity to revisit the status quo?

2022-02-22 Deep dive into a post-quantum key encapsulation algorithm

In this blog post, we will look at what Key Encapsulation Mechanisms are and why they matter in a post-quantum world

2022-02-22 Deep dive into a post-quantum signature scheme

How can one attest to an identity and prove it belongs to oneself? And how can one do it in the face of quantum computers? In this blog post, we examine these questions and explain what post-quantum signatures are

2022-02-21 The post-quantum state: a taxonomy of challenges

At Cloudflare, we strive to help build a better Internet, which means a quantum-protected one. In this post, we look at the challenges for migrating to post-quantum cryptography and what lies ahead using a taxonomy

2022-02-21 The quantum solace and spectre

What is quantum computing and what advances have been made so far on this front? In this blog post, we will answer this question and see how to protect against quantum adversaries

2021-11-08 Sizing Up Post-Quantum Signatures

How much room does TLS have for the big post-quantum signatures? We had a look: it’s tight.

2021-10-18 Tunnel: Cloudflare’s Newest Homeowner

Starting today, users who deploy and manage Cloudflare Tunnel at scale now have easier visibility into their Tunnel’s respective status, routes, uptime, connectors, cloudflared version, and much more through our new UI in the Cloudflare for Teams Dashboard.

2021-10-15 “Look, Ma, no probes!” — Characterizing CDNs’ latencies with passive measurement

A challenge with measuring and comparing network performance is the lack of large-scale global performance metrics, like RTT measurements. In this article we describe an alternative approach to active measurements, which accurately predicts network latencies using only passively collected data.

2021-10-15 Multi-User IP Address Detection

We’ve devised novel methods to detect multi-user IP addresses, and today we’re excited to announce their integration into our global threat intelligence products. These will improve the quality of our detection techniques and reduce false positives for our customers, and the clients that visit them.

2021-10-15 Geo Key Manager: Setting up a service for scale

Diagnosing scaling issues in a service associated with TLS termination through a deep dive into some of the incidents it caused.

2021-10-14 Privacy-Preserving Compromised Credential Checking

Announcing a public demo and open-sourced implementation of a privacy-preserving compromised credential checking service

2021-10-14 Unbuckling the narrow waist of IP: Addressing Agility for Names and Web Services

IP addresses associated with names, interfaces, and sockets can tie these things together in a way that IP was never designed to support. This post describes Cloudflare efforts to decouple IP addresses from names, the latest in a quest for something we’re calling Addressing Agility.

2021-10-14 Research Directions in Password Security

We've been studying password problems, including malicious logins using compromised credentials. Here's what we learned and here's where we think we can go from here with safer password systems.

2021-10-13 Cloudflare and the IETF

Cloudflare helps build a better Internet through collaboration on open and interoperable standards. This post will describe how Cloudflare contributes to the standardization process to enable incremental innovation and drive long-term architectural change.

2021-10-13 Pairings in CIRCL

Our Go cryptographic library CIRCL announces support for pairing-based cryptography.

2021-10-13 Exported Authenticators: The long road to RFC

Learn more about Exported Authenticators, a new extension to TLS, currently going through the IETF standardisation process.

2021-10-13 Coalescing Connections to Improve Network Privacy and Performance

Real world experiments for evaluating connection coalescing effects.

2021-10-12 Introducing SSL/TLS Recommender

Introducing customized recommendations to improve the security of your website.

2021-10-12 Dynamic Process Isolation: Research by Cloudflare and TU Graz

Cloudflare worked with TU Graz to study the impact of Spectre on Cloudflare Workers and to develop new defenses against it. Today we're publishing a paper about our research.

2021-10-12 Handshake Encryption: Endgame (an ECH update)

In this post, we’ll dig into ECH details and describe what this protocol does to move the needle to help build a better Internet.

2021-10-12 Privacy Pass v3: the new privacy bits

A new version of Privacy Pass for reducing the number of CAPTCHAs.

2021-10-11 Announcing Cloudflare Research Hub

Announcing a new landing page where you can learn more about our research and additional resources.

2021-10-11 Internship Experience: Research Engineer

Over the summer of 2020 I interned at Cloudflare Research. This invaluable experience contributed to Cloudflare’s support of ODoH protocol, and I was awarded the best student paper award at PETS 2021.

2021-10-11 Cloudflare invites visiting researchers

As part of Cloudflare’s effort to build collaborations with academia, we host research focused internships all year long. Interns collaborate cross-functionally in research projects and are encouraged to ship code and write a blog post and a peer-reviewed publication at the end of their internship.

2021-10-10 Cloudflare Research: Two Years In

What Cloudflare Research has been up to for the last two years.

2021-10-01 Announcing The Cloudflare Distributed Web Gateways Private Beta: Unlocking the Web3 Metaverse and Decentralized Finance for Everyone

Cloudflare announces the Private Beta of their Web3 gateways for Ethereum and IPFS. Unlocking the Metaverse, Web3, and Decentralized Finance for every developer.

2021-10-01 Web3 — A vision for a decentralized web

In this blog we start to explain Web3 in the context of the web's evolution, and how Cloudflare might help to support it.

2021-09-30 How Cloudflare provides tools to help keep IPFS users safe

The Cloudflare IPFS module protects users from threats like phishing and ransomware.

2021-08-12 More devices, fewer CAPTCHAs, happier users

Today, we are taking another step in helping to reduce the Internet’s reliance on CAPTCHAs to prove that you are not a robot. We are expanding the reach of our Cryptographic Attestation of Personhood experiment by adding support for a much wider range of devices.

2021-08-12 Introducing Zero-Knowledge Proofs for Private Web Attestation with Cross/Multi-Vendor Hardware

In Cryptographic Attestation of Personhood the server sends a message to the browser that the hardware security signs, demonstrating its authenticity.

2021-07-01 Account Takeover Protection and WAF mitigations to help stop Global Brute Force Campaigns

Today, we are making our Account Takeover Protection capabilities available to all paid plans at no additional charge.

2021-05-13 Humanity wastes about 500 years per day on CAPTCHAs. It’s time to end this madness

An experiment that uses hardware security keys (like a YubiKey) to replace CAPTCHAs completely. The idea is rather simple: if a real human is sitting at their keyboard or uses their phone, they can touch their security key’s button or bring it near their phone to demonstrate that they are human.

2021-01-15 KEMTLS: Post-quantum TLS without signatures

The TLS 1.3 protocol has been around for quite some time, but it will be broken once quantum computers arrive. What can we do? In this blog post, we will examine a technique for achieving full post-quantum security for TLS 1.3 in the face of quantum computers: KEMTLS.

2021-01-13 A Name Resolver for the Distributed Web

At Cloudflare, we have been exploring alternative ways to resolve queries to responses that align with these attributes. We are proud to announce a new resolver for the Distributed Web, where IPFS content indexed by the Ethereum Name Service (ENS) can be accessed.

2020-12-11 Securing the post-quantum world

As quantum computing continues to mature, research and development efforts in cryptography are keeping pace. We’re working with academia and industry peers to help create a new set of cryptography standards that are resilient to attack from quantum computers.

2020-12-08 Good-bye ESNI, hello ECH!

A deep dive into the Encrypted Client Hello, a standard that encrypts privacy-sensitive parameters sent by the client, as part of the TLS handshake.

2020-12-08 Helping build the next generation of privacy-preserving protocols

Today, we’re making several announcements around improving Internet protocols with respect to something important to our customers and Internet users worldwide: privacy.

2020-12-08 Improving DNS Privacy with Oblivious DoH in

Oblivious DoH (ODoH) makes secure DNS over HTTPS (DoH) queries into private queries which prevent the leakage of client IP addresses to resolvers. The new proposed ODoH standard addresses this problem and today we are enabling users to use this protocol with

2020-12-08 OPAQUE: The Best Passwords Never Leave your Device

Imagine passwords for online services that never leave your device, encrypted or otherwise. OPAQUE is a new cryptographic protocol that makes this idea possible, giving you and only you full control of your password.

2020-10-01 NTS is now an RFC

After much hard work, NTS finally becomes an official RFC. This means that Network Time Security (NTS) is officially part of the collection of protocols that makes the Internet work.

2019-11-01 Delegated Credentials for TLS

Today we’re happy to announce support for a new cryptographic protocol that helps make it possible to deploy encrypted services in a global network while still maintaining fast performance and tight control of private keys: Delegated Credentials for TLS.

2019-10-31 Announcing cfnts: Cloudflare's implementation of NTS in Rust

Several months ago we announced that we were providing a new public time service. Part of what we were providing was the first major deployment of the new Network Time Security protocol, with a newly written implementation of NTS in Rust.

2019-10-30 The TLS Post-Quantum Experiment

In June, we announced a wide-scale post-quantum experiment with Google. We implemented two post-quantum (i.e., not yet known to be broken by quantum computers) key exchanges, integrated them into our TLS stack and deployed the implementation on our edge servers and in Chrome Canary clients.

2019-10-29 DNS Encryption Explained

The Domain Name System (DNS) is the address book of the Internet. When you visit or any other site, your browser will ask a DNS resolver for the IP address where the website can be found. Unfortunately, these DNS queries and answers are typically unprotected.

2019-10-28 Supporting the latest version of the Privacy Pass Protocol

At Cloudflare, we are committed to supporting and developing new privacy-preserving technologies that benefit all Internet users. In November 2017, we announced server-side support for the Privacy Pass protocol, a piece of work developed in collaboration with the academic community.

2019-09-18 Cloudflare’s Approach to Research

Cloudflare’s mission is to help build a better Internet. One of the tools used in pursuit of this goal is computer science research. We’ve learned that some of the difficult problems to solve are best approached through research

2019-06-21 Introducing

Cloudflare has always been a leader in deploying secure versions of insecure Internet protocols and making them available for free for anyone to use. In 2014, we launched one of the world’s first free, secure HTTPS services (Universal SSL) to go along with our existing free HTTP plan.

2019-06-20 The Quantum Menace

The impact of quantum computing on cryptography conducts research and development towards a Post-Quantum era.

2019-06-20 Introducing CIRCL: An Advanced Cryptographic Library

Today we are proud to release the source code of a cryptographic library we’ve been working on: a collection of cryptographic primitives written in Go, called CIRCL.

2019-06-19 Cloudflare's Ethereum Gateway

Today, we are excited to announce Cloudflare's Ethereum Gateway, where you can interact with the Ethereum network without installing any software on your computer.

2019-03-18 Monsters in the Middleboxes: Introducing Two New Tools for Detecting HTTPS Interception

The practice of HTTPS interception continues to be commonplace on the Internet. This blog post discusses types of monster-in-the-middle devices and software, and how to detect them.

2018-09-21 Roughtime: Securing Time with Digital Signatures

When you visit a secure website, it offers you a TLS certificate that asserts its identity. Every certificate has an expiration date, and when it’s past due, it is no longer valid.

2018-09-17 Cloudflare goes InterPlanetary - Introducing Cloudflare’s IPFS Gateway

Today we’re excited to introduce Cloudflare’s IPFS Gateway, an easy way to access content from the InterPlanetary File System (IPFS) that doesn’t require installing and running any special software on your computer.

2018-08-11 A Detailed Look at RFC 8446 (a.k.a. TLS 1.3)

TLS 1.3 (RFC 8446) was published today. This article provides a deep dive into the changes introduced in TLS 1.3 and its impact on the future of internet security.

2018-03-23 Introducing Certificate Transparency and Nimbus

Certificate Transparency (CT) is an ambitious project to help improve security online by bringing accountability to the system that protects HTTPS. Cloudflare is announcing support for this project by introducing two new public-good services.

2017-12-26 Why TLS 1.3 isn't in browsers yet

Upgrading a security protocol in an ecosystem as complex as the Internet is difficult. You need to update clients and servers and make sure everything in between continues to work correctly. The Internet is in the middle of such an upgrade right now.

2017-12-26 Concise (Post-Christmas) Cryptography Challenges

It's the day after Christmas; or, depending on your geography, Boxing Day. With the festivities over, you may still find yourself stuck at home and somewhat bored.

2017-12-14 Inside the infamous Mirai IoT Botnet: A Retrospective Analysis

This post provides a retrospective analysis of Mirai — the infamous Internet-of-Things botnet that took down major websites via massive distributed denial-of-service using hundreds of thousands of compromised Internet-of-Things devices.

2017-11-09 Privacy Pass - “The Math”

During a recent internship at Cloudflare, I had the chance to help integrate support for improving the accessibility of websites that are protected by the Cloudflare edge network.

2017-11-09 Cloudflare supports Privacy Pass

Cloudflare supports Privacy Pass, a recently-announced privacy-preserving protocol developed in collaboration with researchers from Royal Holloway and the University of Waterloo.

2017-09-26 Geo Key Manager: How It Works

Today we announced Geo Key Manager, a feature that gives customers control over where their private keys are stored with Cloudflare. This builds on a previous Cloudflare innovation called Keyless SSL and a novel cryptographic access control mechanism.

2017-07-10 High-reliability OCSP stapling and why it matters

At Cloudflare our focus is making the internet faster and more secure. Today we are announcing a new enhancement to our HTTPS service: High-Reliability OCSP stapling.