All posts by Dina Kozlov

How we ensure Cloudflare customers aren’t affected by Let’s Encrypt’s certificate chain change

Post Syndicated from Dina Kozlov original

Let’s Encrypt, a publicly trusted certificate authority (CA) that Cloudflare uses to issue TLS certificates, has been relying on two distinct certificate chains. One is cross-signed with IdenTrust, a globally trusted CA that has been around since 2000, and the other is Let’s Encrypt’s own root CA, ISRG Root X1. Since Let’s Encrypt launched, ISRG Root X1 has been steadily gaining its own device compatibility.

On September 30, 2024, Let’s Encrypt’s certificate chain cross-signed with IdenTrust will expire. After the cross-sign expires, servers will no longer be able to serve certificates signed by the cross-signed chain. Instead, all Let’s Encrypt certificates will use the ISRG Root X1 CA.

Most devices and browser versions released after 2016 will not experience any issues as a result of the change since the ISRG Root X1 will already be installed in those clients’ trust stores. That’s because these modern browsers and operating systems were built to be agile and flexible, with upgradeable trust stores that can be updated to include new certificate authorities.

The change in the certificate chain will impact legacy devices and systems, such as devices running Android version 7.1.1 (released in 2016) or older, as those exclusively rely on the cross-signed chain and lack ISRG Root X1 in their trust store. These clients will encounter TLS errors or warnings when accessing domains secured by a Let’s Encrypt certificate. We took a look at the data ourselves and found that 2.96% of all Android requests come from devices that will be affected by the change. That’s a substantial portion of traffic that will lose access to the Internet. We’re committed to keeping those users online and will modify our certificate pipeline so that we can continue to serve users on older devices without requiring any manual modifications from our customers.
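To make the compatibility problem concrete, here is an added example (not code from Cloudflare or Let’s Encrypt) that models how a client builds a path from a leaf certificate to a trust anchor in its own store, and runs the two Let’s Encrypt chains against a legacy and a modern trust store on a day before and a day after the cross-sign expiry. Certificates are reduced to subject, issuer and expiry date; the root and intermediate names are the real ones, while the leaf hostname and the intermediate and leaf expiry dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date


# Names of the real certificates. The cross-signed ISRG Root X1 (issued by
# IdenTrust's DST Root CA X3) is the certificate that expires on 2024-09-30.
# The R3 intermediate and leaf expiry dates are constructed sample values.
ISRG_ROOT_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
LEAF = Cert("example.com", "R3", date(2024, 12, 1))

SHORT_CHAIN = [LEAF, R3]                      # chains to ISRG Root X1 only
LONG_CHAIN = [LEAF, R3, ISRG_ROOT_X1_CROSS]   # the cross-signed chain

# Trust stores as sets of trust-anchor names. A legacy (Android 7.1.1 or older)
# store has only the IdenTrust root; a modern store also has ISRG Root X1.
LEGACY_STORE = {"DST Root CA X3"}
MODERN_STORE = {"DST Root CA X3", "ISRG Root X1"}


def build_path(chain, trust_store, today_iso):
    """Return the path of subjects from the leaf to a trust anchor, or None.

    Follows issuer links from the leaf through the certificates the server
    sent; every certificate on the path must be unexpired. The anchor itself
    is only a name here: its own expiry is not checked, which matches what
    Android does and is why the cross-signed chain kept old devices working.
    """
    today = date.fromisoformat(today_iso)
    by_subject = {c.subject: c for c in chain}
    path, seen, current = [], set(), chain[0]
    while True:
        if current.not_after < today:
            return None                        # expired certificate on the path
        path.append(current.subject)
        seen.add(current.subject)
        if current.issuer in trust_store:
            return path + [current.issuer]     # reached a trusted anchor
        if current.issuer in seen or current.issuer not in by_subject:
            return None                        # loop, or issuer neither sent nor trusted
        current = by_subject[current.issuer]


def outcome(chain, trust_store, today_iso):
    """'ok' when the client can validate the chain on that day, else 'error'."""
    return "ok" if build_path(chain, trust_store, today_iso) else "error"


if __name__ == "__main__":
    for day in ("2024-09-01", "2024-10-01"):
        for label, store in (("legacy", LEGACY_STORE), ("modern", MODERN_STORE)):
            print(day, label, "long:", outcome(LONG_CHAIN, store, day),
                  "short:", outcome(SHORT_CHAIN, store, day))
```

Run as a script it prints one line per day and trust store. The legacy store validates only the long chain and only until the cross-signed certificate expires; the modern store stops at ISRG Root X1 and never examines the cross-sign, which is why the same server can serve both kinds of client right up to the expiry date.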

A better Internet, for everyone

In the past, we invested in efforts like “No Browsers Left Behind” to help ensure that we could continue to support clients as SHA-1 based algorithms were being deprecated. Now, we’re applying the same approach for the upcoming Let’s Encrypt change.

We have made the decision to remove Let’s Encrypt as a certificate authority from all flows where Cloudflare dictates the CA, impacting Universal SSL customers and those using SSL for SaaS with the “default CA” choice.

Starting in June 2024, one certificate lifecycle (90 days) before the cross-sign chain expires, we’ll begin migrating Let’s Encrypt certificates that are up for renewal to use a different CA, one that ensures compatibility with older devices affected by the change. That means that going forward, customers will only receive Let’s Encrypt certificates if they explicitly request Let’s Encrypt as the CA.

The change that Let’s Encrypt is making is a necessary one. For us to move forward in supporting new standards and protocols, we need to make the Public Key Infrastructure (PKI) ecosystem more agile. By retiring the cross-signed chain, Let’s Encrypt is pushing devices, browsers, and clients to support adaptable trust stores.

However, we’ve observed changes like this in the past and while they push the adoption of new standards, they disproportionately impact users in economically disadvantaged regions, where access to new technology is limited.

Our mission is to help build a better Internet and that means supporting users worldwide. We previously published a blog post about the Let’s Encrypt change, asking customers to switch their certificate authority if they expected any impact. However, determining the impact of the change is challenging. Error rates due to trust store incompatibility are primarily logged on clients, reducing the visibility that domain owners have. In addition, while there might be no requests incoming from incompatible devices today, it doesn’t guarantee uninterrupted access for a user tomorrow.

Cloudflare’s certificate pipeline has evolved over the years to be resilient and flexible, allowing us to seamlessly adapt to changes like this without any negative impact to our customers.  

How Cloudflare has built a robust TLS certificate pipeline

Today, Cloudflare manages tens of millions of certificates on behalf of customers. For us, a successful pipeline means:

  1. Customers can always obtain a TLS certificate for their domain
  2. CA-related issues have zero impact on our customers’ ability to obtain a certificate
  3. The best security practices and modern standards are utilized
  4. Optimizing for future scale
  5. Supporting a wide range of clients and devices

Every year, we introduce new optimizations into our certificate pipeline to maintain the highest level of service. Here’s how we do it…

Ensuring customers can always obtain a TLS certificate for their domain

Since the launch of Universal SSL in 2014, Cloudflare has been responsible for issuing and serving a TLS certificate for every domain that’s protected by our network. That might seem trivial, but there are a few steps that have to successfully execute in order for a domain to receive a certificate:

  1. Domain owners need to complete Domain Control Validation for every certificate issuance and renewal.
  2. The certificate authority needs to verify the Domain Control Validation tokens to issue the certificate.
  3. CAA records, which dictate which CAs can be used for a domain, need to be checked to ensure only authorized parties can issue the certificate.
  4. The certificate authority must be available to issue the certificate.

Each of these steps requires coordination across a number of parties — domain owners, CDNs, and certificate authorities. At Cloudflare, we like to be in control when it comes to the success of our platform. That’s why we make it our job to ensure each of these steps can be successfully completed.

We ensure that every certificate issuance and renewal requires minimal effort from our customers. To get a certificate, a domain owner has to complete Domain Control Validation (DCV) to prove that it does in fact own the domain. Once the certificate request is initiated, the CA will return DCV tokens which the domain owner will need to place in a DNS record or an HTTP token. If you’re using Cloudflare as your DNS provider, Cloudflare completes DCV on your behalf by automatically placing the TXT token returned from the CA into your DNS records. Alternatively, if you use an external DNS provider, we offer the option to Delegate DCV to Cloudflare for automatic renewals without any customer intervention.

Once DCV tokens are placed, Certificate Authorities (CAs) verify them. CAs conduct this verification from multiple vantage points to prevent spoofing attempts. However, since these checks are done from multiple countries and ASNs (Autonomous Systems), they may trigger a Cloudflare WAF rule which can cause the DCV check to get blocked. We made sure to update our WAF and security engine to recognize that these requests are coming from a CA to ensure they’re never blocked so DCV can be successfully completed.
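The two steps just described, placing the token and having the CA verify it, are what ACME’s DNS-01 challenge does; Let’s Encrypt issues only through ACME (RFC 8555), so the token that lands in your DNS records is derived as below. This is an added example, not Cloudflare’s or Let’s Encrypt’s code: the account key, the token and the in-memory DNS zone are constructed, and the “vantage points” are simplified to separate views of that zone, one of which has not yet seen the new record.

```python
import base64
import hashlib
import json


def b64url(raw):
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns01_txt_value(token, account_jwk):
    """RFC 8555 section 8.4: base64url(SHA-256(token '.' account-key-thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


def challenge_name(domain):
    return f"_acme-challenge.{domain}"


def publish_challenge(zone, domain, token, account_jwk):
    """Domain-owner side (or the DNS provider acting for them, as Cloudflare
    does): add the TXT record. Returns the value that was published."""
    value = dns01_txt_value(token, account_jwk)
    zone.setdefault(challenge_name(domain), []).append(value)
    return value


def ca_verify(domain, token, account_jwk, vantage_views):
    """CA side: recompute the expected value and require that every vantage
    point (each given its own view of DNS) sees it. A single disagreeing view
    fails validation, which is what makes a spoofed answer on one network
    path insufficient."""
    expected = dns01_txt_value(token, account_jwk)
    name = challenge_name(domain)
    return all(expected in view.get(name, []) for view in vantage_views)


# Constructed sample data: not a real key, only its JSON shape matters.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "kid": "acct-1",
               "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
TOKEN = "sample-token-0123456789"   # constructed; a CA issues a random one


def demo():
    """Publish once, then validate from three vantage points, one of which
    still has a stale view (record not yet propagated)."""
    zone = {}
    publish_challenge(zone, "example.com", TOKEN, ACCOUNT_JWK)
    fresh = dict(zone)   # resolvers that already see the new record
    stale = {}           # a resolver that has not picked it up yet
    return {
        "all_fresh": ca_verify("example.com", TOKEN, ACCOUNT_JWK, [fresh, fresh, fresh]),
        "one_stale": ca_verify("example.com", TOKEN, ACCOUNT_JWK, [fresh, fresh, stale]),
        "wrong_token": ca_verify("example.com", "other-token", ACCOUNT_JWK, [fresh, fresh, fresh]),
    }


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the TXT value is bound to the account key through the thumbprint, so a token copied from one ACME account is useless to another, and the thumbprint is computed over a canonical subset of the JWK, so reordering or adding members such as `kid` does not change it.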

Some customers have CA preferences, due to internal requirements or compliance regulations. To prevent an unauthorized CA from issuing a certificate for a domain, the domain owner can create a Certification Authority Authorization (CAA) DNS record, specifying which CAs are allowed to issue a certificate for that domain. To ensure that customers can always obtain a certificate, we check the CAA records before requesting a certificate to know which CAs we should use. If the CAA records block all of the CAs that are available in Cloudflare’s pipeline and the customer has not uploaded a certificate from the CA of their choice, then we add CAA records on our customers’ behalf to ensure that they can get a certificate issued. Where we can, we optimize for preference. Otherwise, it’s our job to prevent an outage by ensuring that there’s always a TLS certificate available for the domain, even if it does not come from a preferred CA.

Today, Cloudflare is not a publicly trusted certificate authority, so we rely on the CAs that we use to be highly available. But, 100% uptime is an unrealistic expectation. Instead, our pipeline needs to be prepared in case our CAs become unavailable.

Ensuring that CA-related issues have zero impact on our customers’ ability to obtain a certificate

At Cloudflare, we like to think ahead, which means preventing incidents before they happen. It’s not uncommon for CAs to become unavailable — sometimes this happens because of an outage, but more commonly, CAs have maintenance periods every so often where they become unavailable for some period of time.

It’s our job to ensure CA redundancy, which is why we always have multiple CAs ready to issue a certificate, ensuring high availability at all times. If you’ve noticed different CAs issuing your Universal SSL certificates, that’s intentional. We evenly distribute the load across our CAs to avoid any single point of failure. Plus, we keep a close eye on latency and error rates to detect any issues and automatically switch to a different CA that’s available and performant. You may not know this, but one of our CAs has around 4 scheduled maintenance periods every month. When this happens, our automated systems kick in seamlessly, keeping everything running smoothly. This works so well that our internal teams don’t get paged anymore because everything just works.
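The CAA check described earlier and the CA redundancy described here are two halves of one decision: which CA may issue for this name, and which of those is healthy right now. The following added example (not Cloudflare’s pipeline code) implements both. The CAA lookup and relevant-record rules follow RFC 8659, including the parent walk and the `issuewild` override for wildcard names; the selection step spreads issuance evenly across healthy CAs and, when the customer’s CAA records would leave no usable CA and no custom certificate is uploaded, adds records on the customer’s behalf as the post describes. The zone, the CA pool and the health figures are constructed; the issuer identifiers letsencrypt.org, pki.goog and digicert.com are the real CAA domains of those CAs.

```python
from dataclasses import dataclass


@dataclass
class CAA:
    flags: int   # bit 7 (value 128) marks the record as issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # "ca-domain; param=value", or ";" to forbid every CA


@dataclass
class CAHealth:
    error_rate: float
    latency_ms: float
    in_maintenance: bool = False
    issued: int = 0   # recent issuance count, used to spread load evenly


KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def lookup_chain(name):
    """Names to query in order: the name itself, then each parent (RFC 8659
    section 3). A wildcard name is queried without its '*.' label."""
    labels = (name[2:] if name.startswith("*.") else name).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def relevant_records(name, zone):
    """The closest RRset on the lookup chain that has CAA records, if any."""
    for candidate in lookup_chain(name):
        if zone.get(candidate):
            return zone[candidate]
    return []


def permitted_issuers(name, zone):
    """Set of CAA issuer domains allowed to issue for `name`; None when CAA
    places no restriction; an empty set when nobody may issue."""
    records = relevant_records(name, zone)
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in records):
        return set()   # unknown critical property: a CA must not issue
    tags = {"issue"}
    if name.startswith("*.") and any(r.tag.lower() == "issuewild" for r in records):
        tags = {"issuewild"}   # issuewild, when present, governs wildcard names
    chosen = [r for r in records if r.tag.lower() in tags]
    if not chosen:
        return None
    issuers = {r.value.split(";", 1)[0].strip().lower() for r in chosen}
    return issuers - {""}   # ";" names no issuer, so it can only restrict


def select_ca(name, zone, pool, health, has_custom_cert=False):
    """Pick a CA for `name`. Returns (ca_or_None, action) with action one of
    "ok", "added_caa" (records added on the customer's behalf) or "none"."""
    allowed = permitted_issuers(name, zone)
    candidates = [ca for ca in pool if allowed is None or ca in allowed]
    action = "ok"
    if not candidates:
        if has_custom_cert:
            return None, "none"   # customer uploaded their own certificate
        base = name[2:] if name.startswith("*.") else name
        zone.setdefault(base, []).extend(CAA(0, "issue", ca) for ca in pool)
        candidates, action = list(pool), "added_caa"
    healthy = [ca for ca in candidates
               if not health[ca].in_maintenance and health[ca].error_rate < 0.05]
    if not healthy:
        return None, "none"   # every permitted CA is unavailable
    # Fewest recent issuances first so load stays even; latency breaks ties.
    chosen = min(healthy, key=lambda ca: (health[ca].issued, health[ca].latency_ms))
    health[chosen].issued += 1
    return chosen, action


# Constructed sample data. The issuer identifiers are the real CAA domains
# of Let's Encrypt, Google Trust Services and DigiCert.
POOL = ["letsencrypt.org", "pki.goog", "digicert.com"]


def sample_zone():
    return {
        "example.com": [CAA(0, "issue", "letsencrypt.org"),
                        CAA(0, "issue", "pki.goog"),
                        CAA(0, "iodef", "mailto:security@example.com")],
        "locked.example.com": [CAA(0, "issue", ";")],
        "wild.example.com": [CAA(0, "issue", "letsencrypt.org"),
                             CAA(0, "issuewild", "pki.goog")],
    }


def sample_health():
    return {"letsencrypt.org": CAHealth(0.01, 420),
            "pki.goog": CAHealth(0.00, 310, in_maintenance=True),
            "digicert.com": CAHealth(0.02, 500)}


if __name__ == "__main__":
    zone, health = sample_zone(), sample_health()
    for host in ("www.example.com", "*.wild.example.com", "locked.example.com"):
        print(host, permitted_issuers(host, zone), select_ca(host, zone, POOL, health))
```

With the sample data, `www.example.com` inherits its parent’s records and can only go to Let’s Encrypt while Google Trust Services is in maintenance; `*.wild.example.com` is governed by the `issuewild` record alone; and `locked.example.com`, whose `issue ";"` forbids everyone, gets pool records added and is then served by the least-loaded healthy CA.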

Adopting best security practices and modern standards  

Security has always been, and will continue to be, Cloudflare’s top priority, and so maintaining the highest security standards to safeguard our customers’ data and private keys is crucial.

Over the past decade, the CA/Browser Forum has advocated for reducing certificate lifetimes from 5 years to 90 days as the industry norm. This shift helps minimize the risk of a key compromise. When certificates are renewed every 90 days, their private keys remain valid for only that period, reducing the window of time that a bad actor can make use of the compromised material.

We fully embrace this change and have made 90 days the default certificate validity period. This enhances our security posture by ensuring regular key rotations, and has pushed us to develop tools like DCV Delegation that promote automation around frequent certificate renewals, without the added overhead. It’s what enables us to offer certificates with validity periods as low as two weeks, for customers that want to rotate their private keys at a high frequency without any concern that it will lead to certificate renewal failures.

Cloudflare has always been at the forefront of new protocols and standards. It’s no secret that when we support a new protocol, adoption skyrockets. This month, we will be adding ECDSA support for certificates issued from Google Trust Services. With ECDSA, you get the same level of security as RSA but with smaller keys. Smaller keys mean smaller certificates and less data passed around to establish a TLS connection, which results in quicker connections and faster loading times.

Optimizing for future scale

Today, Cloudflare issues almost 1 million certificates per day. With the recent shift towards shorter certificate lifetimes, we continue to improve our pipeline to be more robust. But even if our pipeline can handle the significant load, we still need to rely on our CAs to be able to scale with us. With every CA that we integrate, we instantly become one of their biggest consumers. We hold our CAs to high standards and push them to improve their infrastructure to scale. This doesn’t just benefit Cloudflare’s customers, but it helps the Internet by requiring CAs to handle higher volumes of issuance.

And now, with Let’s Encrypt shortening their chain of trust, we’re going to add an additional improvement to our pipeline — one that will ensure the best device compatibility for all.

Supporting all clients — legacy and modern

The upcoming Let’s Encrypt change will prevent legacy devices from making requests to domains or applications that are protected by a Let’s Encrypt certificate. We don’t want to cut off Internet access from any part of the world, which means that we’re going to continue to provide the best device compatibility to our customers, despite the change.

Because of all the recent enhancements, we are able to reduce our reliance on Let’s Encrypt without impacting the reliability or quality of service of our certificate pipeline. One certificate lifecycle (90 days) before the change, we are going to start shifting certificates to use a different CA, one that’s compatible with the devices that will be impacted. By doing this, we’ll mitigate any impact without any action required from our customers. The only customers that will continue to use Let’s Encrypt are ones that have specifically chosen Let’s Encrypt as the CA.

What to expect of the upcoming Let’s Encrypt change

Let’s Encrypt’s cross-signed chain will expire on September 30th, 2024. Although Let’s Encrypt plans to stop issuing certificates from this chain on June 6th, 2024, Cloudflare will continue to serve the cross-signed chain for all Let’s Encrypt certificates until September 9th, 2024.

90 days or one certificate lifecycle before the change, we are going to start shifting Let’s Encrypt certificates to use a different certificate authority. We’ll make this change for all products where Cloudflare is responsible for the CA selection, meaning this will be automatically done for customers using Universal SSL and SSL for SaaS with the “default CA” choice.

Any customers that have specifically chosen Let’s Encrypt as their CA will receive an email notification with a list of their Let’s Encrypt certificates and information on whether or not we’re seeing requests on those hostnames coming from legacy devices.

After September 9th, 2024, Cloudflare will serve all Let’s Encrypt certificates using the ISRG Root X1 chain. Here is what you should expect based on the certificate product that you’re using:

Universal SSL

With Universal SSL, Cloudflare chooses the CA that is used for the domain’s certificate. This gives us the power to choose the best certificate for our customers. If you are using Universal SSL, there are no changes for you to make to prepare for this change. Cloudflare will automatically shift your certificate to use a more compatible CA.

Advanced Certificates

With Advanced Certificate Manager, customers specifically choose which CA they want to use. If Let’s Encrypt was specifically chosen as the CA for a certificate, we will respect the choice, because customers may have specifically chosen this CA due to internal requirements, or because they have implemented certificate pinning, which we highly discourage.

If we see that a domain using an Advanced certificate issued from Let’s Encrypt will be impacted by the change, then we will send out email notifications to inform those customers which certificates are using Let’s Encrypt as their CA and whether or not those domains are receiving requests from clients that will be impacted by the change. Customers will be responsible for changing the CA to another provider, if they choose to do so.

SSL for SaaS

With SSL for SaaS, customers have two options: using a default CA, meaning Cloudflare will choose the issuing authority, or specifying which CA to use.

If you’re leaving the CA choice up to Cloudflare, then we will automatically use a CA with higher device compatibility.

If you’re specifying a certain CA for your custom hostnames, then we will respect that choice. We will send an email out to SaaS providers and platforms to inform them which custom hostnames are receiving requests from legacy devices. Customers will be responsible for changing the CA to another provider, if they choose to do so.

Custom Certificates

If you directly integrate with Let’s Encrypt and use Custom Certificates to upload your Let’s Encrypt certs to Cloudflare then your certificates will be bundled with the cross-signed chain, as long as you choose the bundle method “compatible” or “modern” and upload those certificates before September 9th, 2024. After September 9th, we will bundle all Let’s Encrypt certificates with the ISRG Root X1 chain. With the “user-defined” bundle method, we always serve the chain that’s uploaded to Cloudflare. If you upload Let’s Encrypt certificates using this method, you will need to ensure that certificates uploaded after September 30th, 2024, the date of the CA expiration, contain the right certificate chain.

In addition, if you control the clients that are connecting to your application, we recommend updating the trust store to include the ISRG Root X1. If you use certificate pinning, remove or update your pin. In general, we discourage all customers from pinning their certificates, as this usually leads to issues during certificate renewals or CA changes.


Internet standards will continue to evolve and improve. As we support and embrace those changes, we also need to recognize that it’s our responsibility to keep users online and to maintain Internet access in the parts of the world where new technology is not readily available. By using Cloudflare, you always have the option to choose the setup that’s best for your application.

For additional information regarding the change, please refer to our developer documentation.

Upcoming Let’s Encrypt certificate chain change and impact for Cloudflare customers


Let’s Encrypt, a publicly trusted certificate authority (CA) that Cloudflare uses to issue TLS certificates, has been relying on two distinct certificate chains. One is cross-signed with IdenTrust, a globally trusted CA that has been around since 2000, and the other is Let’s Encrypt’s own root CA, ISRG Root X1. Since Let’s Encrypt launched, ISRG Root X1 has been steadily gaining its own device compatibility.

On September 30, 2024, Let’s Encrypt’s certificate chain cross-signed with IdenTrust will expire. To proactively prepare for this change, on May 15, 2024, Cloudflare will stop issuing certificates from the cross-signed chain and will instead use Let’s Encrypt’s ISRG Root X1 chain for all future Let’s Encrypt certificates.

The change in the certificate chain will impact legacy devices and systems, such as Android devices running version 7.1.1 or older, as those exclusively rely on the cross-signed chain and lack ISRG Root X1 in their trust store. These clients may encounter TLS errors or warnings when accessing domains secured by a Let’s Encrypt certificate.

According to Let’s Encrypt, more than 93.9% of Android devices already trust the ISRG Root X1 and this number is expected to increase in 2024, especially as Android releases version 14, which makes the Android trust store easily and automatically upgradable.

We took a look at the data ourselves and found that, from all Android requests, 2.96% of them come from devices that will be affected by the change. In addition, only 1.13% of all requests from Firefox come from affected versions, which means that most (98.87%) of the requests coming from Android versions that are using Firefox will not be impacted.

Preparing for the change

If you’re worried about the change impacting your clients, there are a few things that you can do to reduce the impact of the change. If you control the clients that are connecting to your application, we recommend updating the trust store to include the ISRG Root X1. If you use certificate pinning, remove or update your pin. In general, we discourage all customers from pinning their certificates, as this usually leads to issues during certificate renewals or CA changes.

If you experience issues with the Let’s Encrypt chain change, and you’re using Advanced Certificate Manager or SSL for SaaS on the Enterprise plan, you can choose to switch your certificate to use Google Trust Services as the certificate authority instead.

For more information, please refer to our developer documentation.

While this change will impact a very small portion of clients, we support the shift that Let’s Encrypt is making as it supports a more secure and agile Internet.

Embracing change to move towards a better Internet

Looking back, there were a number of challenges that slowed down the adoption of new technologies and standards that helped make the Internet faster, more secure, and more reliable.

For starters, before Cloudflare launched Universal SSL, free certificates were not attainable. Instead, domain owners had to pay around $100 to get a TLS certificate. For a small business, this is a big cost and, without browsers enforcing TLS, this significantly hindered TLS adoption for years. Insecure algorithms have taken decades to deprecate due to a lack of support for new algorithms in browsers or devices. We learned this lesson while deprecating SHA-1.

Supporting new security standards and protocols is vital for us to continue improving the Internet. Over the years, big and sometimes risky changes were made in order for us to move forward. The launch of Let’s Encrypt in 2015 was monumental. Let’s Encrypt allowed every domain to get a TLS certificate for free, which paved the way to a more secure Internet, with now around 98% of traffic using HTTPS.

In 2014, Cloudflare launched elliptic curve digital signature algorithm (ECDSA) support for Cloudflare-issued certificates and made the decision to issue ECDSA-only certificates to free customers. This boosted ECDSA adoption by pressing clients and web operators to make changes to support the new algorithm, which provided the same (if not better) security as RSA while also improving performance. In addition to that, modern browsers and operating systems are now being built in a way that allows them to constantly support new standards, so that they can deprecate old ones.

For us to move forward in supporting new standards and protocols, we need to make the Public Key Infrastructure (PKI) ecosystem more agile. By retiring the cross-signed chain, Let’s Encrypt is pushing devices, browsers, and clients to support adaptable trust stores. This allows clients to support new standards without causing a breaking change. It also lays the groundwork for new certificate authorities to emerge.

Today, one of the main reasons why there’s a limited number of CAs available is that it takes years for them to become widely trusted, that is, without cross-signing with another CA. In 2017, Google launched a new publicly trusted CA, Google Trust Services, that issued free TLS certificates. Even though they launched a few years after Let’s Encrypt, they faced the same challenges with device compatibility and adoption, which caused them to cross-sign with GlobalSign’s CA. We hope that, by the time GlobalSign’s CA comes up for expiration, almost all traffic is coming from a modern client and browser, meaning the change impact should be minimal.

Birthday Week recap: everything we announced — plus an AI-powered opportunity for startups


This year, Cloudflare officially became a teenager, turning 13 years old. We celebrated this milestone with a series of announcements that benefit both our customers and the Internet community.

From developing applications in the age of AI to securing against the most advanced attacks that are yet to come, Cloudflare is proud to provide the tools that help our customers stay one step ahead.

We hope you’ve had a great time following along and for anyone looking for a recap of everything we launched this week, here it is:



In a sentence…

Switching to Cloudflare can cut emissions by up to 96%

Switching enterprise network services from on-prem to Cloudflare can cut related carbon emissions by up to 96%. 

Cloudflare Trace

Use Cloudflare Trace to see which rules and settings are invoked when an HTTP request for your site goes through our network. 

Cloudflare Fonts

Introducing Cloudflare Fonts. Enhance privacy and performance for websites using Google Fonts by loading fonts directly from the Cloudflare network. 

How Cloudflare intelligently routes traffic

Technical deep dive that explains how Cloudflare uses machine learning to intelligently route traffic through our vast network. 

Low Latency Live Streaming

Cloudflare Stream’s LL-HLS support is now in open beta. You can deliver video to your audience faster, reducing the latency a viewer may experience on their player to as little as 3 seconds. 

Account permissions for all

Cloudflare account permissions are now available to all customers, not just Enterprise. In addition, we’ll show you how you can use them and best practices. 

Incident Alerts

Customers can subscribe to Cloudflare Incident Alerts and choose when to get notified based on affected products and level of impact. 



In a sentence…

Welcome to the connectivity cloud

Cloudflare is the world’s first connectivity cloud — the modern way to connect and protect your cloud, networks, applications and users. 

Amazon’s $2bn IPv4 tax — and how you can avoid paying it 

Amazon will begin taxing their customers $43 for IPv4 addresses, so Cloudflare will give those $43 back in the form of credits to bypass that tax.


Minimize egress fees by using Sippy to incrementally migrate your data from AWS to R2. 

Cloudflare Images

All Image Resizing features will be available under Cloudflare Images and we’re simplifying pricing to make it more predictable and reliable.  

Traffic anomalies and notifications with Cloudflare Radar

Cloudflare Radar will be publishing anomalous traffic events for countries and Autonomous Systems (ASes).

Detecting Internet outages

Deep dive into how Cloudflare detects Internet outages, the challenges that come with it, and our approach to overcome these problems. 



In a sentence…

The best place on Region: Earth for inference

Now available: Workers AI, a serverless GPU cloud for AI, Vectorize so you can build your own vector databases, and AI Gateway to help manage costs and observability of your AI applications. 

Cloudflare delivers the best infrastructure for next-gen AI applications, supported by partnerships with NVIDIA, Microsoft, Hugging Face, Databricks, and Meta.

Workers AI 

Launching Workers AI — AI inference as a service platform, empowering developers to run AI models with just a few lines of code, all powered by our global network of GPUs. 

Partnering with Hugging Face 

Cloudflare is partnering with Hugging Face to make AI models more accessible and affordable to users. 


Cloudflare’s vector database, designed to allow engineers to build full-stack, AI-powered applications entirely on Cloudflare's global network — available in Beta. 

AI Gateway

AI Gateway helps developers have greater control and visibility in their AI apps, so that you can focus on building without worrying about observability, reliability, and scaling. AI Gateway handles the things that nearly all AI applications need, saving you engineering time so you can focus on what you're building.


You can now use WebGPU in Cloudflare Workers

Developers can now use WebGPU in Cloudflare Workers. Learn more about why WebGPUs are important, why we’re offering them to customers, and what’s next. 

What AI companies are building with Cloudflare

Many AI companies are using Cloudflare to build next generation applications. Learn more about what they’re building and how Cloudflare is helping them on their journey. 

Writing poems using LLama 2 on Workers AI

Want to write a poem using AI? Learn how to run your own AI chatbot in 14 lines of code, running on Cloudflare’s global network. 



In a sentence…


Cloudflare launches a new product, Hyperdrive, that makes existing regional databases much faster by dramatically speeding up queries that are made from Cloudflare Workers.

D1 Open Beta

D1 is now in open beta, and the theme is “scale”: with higher per-database storage limits and the ability to create more databases, we’re unlocking the ability for developers to build production-scale applications on D1.

Pages Build Caching

Build cache is a feature designed to reduce your build times by caching and reusing previously computed project components — now available in Beta. 

Running serverless Puppeteer with Workers and Durable Objects

Introducing the Browser Rendering API, which enables developers to utilize the Puppeteer browser automation library within Workers, eliminating the need for serverless browser automation system setup and maintenance

Cloudflare partners with Microsoft to power their Edge Secure Network

We partnered with Microsoft Edge to provide a fast and secure VPN, right in the browser. Users don’t have to install anything new or understand complex concepts to get the latest in network-level privacy: Edge Secure Network VPN is available on the latest consumer version of Microsoft Edge in most markets, and automatically comes with 5GB of data. 

Re-introducing the Cloudflare Workers playground

We are revamping the playground that demonstrates the power of Workers, along with new development tooling, and the ability to share your playground code and deploy instantly to Cloudflare’s global network

Cloudflare integrations marketplace expands

Introducing the newest additions to Cloudflare’s Integration Marketplace. Now available: Sentry, Momento and Turso. 

A Socket API that works across Javascript runtimes — announcing WinterCG spec and polyfill for connect()

Engineers from Cloudflare and Vercel have published a draft specification of the connect() sockets API for review by the community, along with a Node.js compatible polyfill for the connect() API that developers can start using.

New Workers pricing

Announcing new pricing for Cloudflare Workers, where you are billed based on CPU time, and never for the idle time that your Worker spends waiting on network requests and other I/O.



In a sentence…

Post Quantum Cryptography goes GA 

Cloudflare is rolling out post-quantum cryptography support to customers, services, and internal systems to proactively protect against advanced attacks. 

Encrypted Client Hello

Announcing a contribution that helps improve privacy for everyone on the Internet. Encrypted Client Hello, a new standard that prevents networks from snooping on which websites a user is visiting, is now available on all Cloudflare plans. 

Email Retro Scan 

Cloudflare customers can now scan messages within their Office 365 Inboxes for threats. The Retro Scan will let you look back seven days to see what threats your current email security tool has missed. 

Turnstile is Generally Available

Turnstile, Cloudflare’s CAPTCHA replacement, is now generally available and available for free to everyone and includes unlimited use. 

AI crawler bots

Any Cloudflare user, on any plan, can choose specific categories of bots that they want to allow or block, including AI crawlers. We are also recommending a new standard to robots.txt that will make it easier for websites to clearly direct how AI bots can and can’t crawl.

Detecting zero-days before zero-day

Deep dive into Cloudflare’s approach and ongoing research into detecting novel web attack vectors in our WAF before they are seen by a security researcher. 

Privacy Preserving Metrics

Deep dive into the fundamental concepts behind the Distributed Aggregation Protocol (DAP) protocol with examples on how we’ve implemented it into Daphne, our open source aggregator server. 

Post-quantum cryptography to origin

We are rolling out post-quantum cryptography support for outbound connections to origins and Cloudflare Workers fetch() calls. Learn more about what we enabled, how we rolled it out in a safe manner, and how you can add support to your origin server today. 

Network performance update

Cloudflare’s updated benchmark results regarding network performance plus a dive into the tools and processes that we use to monitor and improve our network performance. 

One More Thing


When Cloudflare turned 12 last year, we announced the Workers Launchpad Funding Program – you can think of it like a startup accelerator program for companies building on Cloudflare’s Developer Platform, with no restrictions on your size, stage, or geography.

A refresher on how the Launchpad works: Each quarter, we admit a group of startups who then get access to a wide range of technical advice, mentorship, and fundraising opportunities. That includes our Founders Bootcamp, Open Office Hours with our Solution Architects, and Demo Day. Those who are ready to fundraise will also be connected to our community of 40+ leading global Venture Capital firms.

In exchange, we just ask for your honest feedback. We want to know what works, what doesn’t and what you need us to build for you. We don’t ask for a stake in your company, and we don’t ask you to pay to be a part of the program.

Over the past year, we’ve received applications from nearly 60 different countries. We’ve had a chance to work closely with 50 amazing early and growth-stage startups admitted into the first two cohorts, and have grown our VC partner community to 40+ firms and more than $2 billion in potential investments in startups building on Cloudflare.

Next up: Cohort #3! Between recently wrapping up Cohort #2 (check out their Demo Day!), celebrating the Launchpad’s 1st birthday, and the heaps of announcements we made last week, we thought that everyone could use a little extra time to catch up on all the news – which is why we are extending the deadline for Cohort #3 a few weeks to October 13, 2023. AND we’re reserving 5 spots in the class for those who are already using any of last Wednesday’s AI announcements. Just be sure to mention what you’re using in your application.

So once you’ve had a chance to check out the announcements and pour yourself a cup of coffee, check out the Workers Launchpad. Applying is a breeze — you’ll be done long before your coffee gets cold.

Until next time

That’s all for Birthday Week 2023. We hope you enjoyed the ride, and we’ll see you at our next innovation week!

Birthday Week recap: all our announcements and an AI-powered opportunity for startups

Post Syndicated from Dina Kozlov original

Birthday Week recap: everything we announced — plus an AI-powered opportunity for startups

This year Cloudflare officially became a teenager, as we celebrated our 13th company anniversary. To mark the milestone, we introduced a series of new products that will benefit both our customers and the Internet community at large.

From application development in the age of AI to protection against the most sophisticated attacks that have yet to be conceived: with Cloudflare’s tools, our customers always stay a step ahead.

We hope our announcements were of interest to you. In case you are worried you missed something, here is an overview of everything we launched during Birthday Week:



In brief

Switching to Cloudflare enables emissions savings of up to 96%

Moving the network services that businesses need from on-premises hardware to Cloudflare can reduce the emissions associated with those services by up to 96%.

Cloudflare Trace

With Cloudflare Trace you can see which rules and settings are applied when an HTTP request to your website passes through our network.

Cloudflare Fonts

Introducing Cloudflare Fonts. By loading fonts directly from the Cloudflare network, you can improve privacy and performance for websites that use Google Fonts.

Smart traffic routing with Cloudflare

A thorough technical analysis of how we use machine learning to route traffic intelligently through our large network.

Low-latency live streaming

LL-HLS support in Cloudflare Stream is now available in open beta. You can deliver video to your audience faster and reduce the latency viewers perceive in the player to as little as three seconds.

Account permissions for everyone

Cloudflare account permissions are no longer reserved for Enterprise customers and are now available to all our customers. We also show you how to use them and present best practices.


Customers can now subscribe to Cloudflare’s incident alerts and specify when they want to be notified, depending on the affected product and the severity of the impact.



In brief

Welcome to the connectivity cloud

Cloudflare is the world’s first connectivity cloud: the modern way to connect and protect clouds, networks, applications and users.

How to avoid Amazon’s $2 billion IPv4 tax

Amazon plans to charge customers $43 for IPv4 addresses. Cloudflare will refund this “tax” to you in the form of credits.


With Sippy you can minimize your egress fees while incrementally migrating your data from AWS to R2.

Cloudflare Images

All image resizing features will be available under Cloudflare Images, and we are simplifying pricing to make it more transparent and predictable.

Traffic anomalies and notifications with Cloudflare Radar

Cloudflare Radar will publish anomalous traffic events for countries and autonomous systems (ASes).

Detecting Internet outages

We take a closer look at how Cloudflare detects Internet outages, the challenges involved, and the approach we take to solving these problems.



In brief

The best place in the world for inference

Now available: Workers AI, a serverless GPU cloud for AI; Vectorize, a tool that lets you build your own vector databases; and AI Gateway, a solution that helps you keep the cost and observability of your AI applications under control.

Cloudflare offers the best infrastructure for next-generation AI applications, backed by partnerships with NVIDIA, Microsoft, Hugging Face, Databricks and Meta.

Workers AI

Introducing Workers AI: we are providing AI inference as a service platform on which developers can run AI models with just a few lines of code, powered by our global network of GPUs.

Partnership with Hugging Face

Cloudflare is partnering with Hugging Face to make AI models more accessible and affordable for users.


Cloudflare’s vector database, which lets software engineers build complete AI applications on Cloudflare’s global network, is now available in beta.

AI Gateway

AI Gateway gives developers more control and better visibility over their AI applications, so they can focus on coding without worrying about observability, reliability and scaling. AI Gateway takes care of the things almost all AI applications need and saves engineering time so you can focus on your actual work.


WebGPU can now be used in Cloudflare Workers

Developers can now use WebGPU in Cloudflare Workers. Learn more about why WebGPU matters, why we are offering it to our customers, and what comes next in this area.

What AI companies are building with Cloudflare

Many AI companies use Cloudflare to build next-generation applications. Learn more about exactly what is being built and how Cloudflare helps.

Writing poems with Llama 2 on Workers AI

Would you like to write a poem with AI assistance? Find out how to run your own AI chatbot on Cloudflare’s global network with just 14 lines of code.



In brief


Cloudflare is launching a new product: Hyperdrive. It makes regional databases dramatically faster by drastically speeding up the queries made from Cloudflare Workers.

D1: open beta

D1 is now in open beta, and the theme is scale: with higher storage limits per database and the ability to create more databases, we are giving developers the ability to build production-scale applications on D1.

Build Cache in Pages

Build Cache is a feature that shortens your build times by caching and reusing previously computed project components. It is available in beta as of now.

Running serverless Puppeteer with Workers and Durable Objects

We are introducing a Browser Rendering API that lets developers use the Puppeteer browser automation library in Workers. This removes the need to set up and maintain a browser automation system in the serverless model.

Cloudflare powers Microsoft’s Edge Secure Network

We have partnered with Microsoft Edge to deliver a fast and secure VPN directly in the browser. Users do not need to install anything new or understand complex concepts to benefit from state-of-the-art privacy at the network level: the Edge Secure Network VPN service is available in the latest consumer version of Microsoft Edge for most markets and automatically comes with 5 GB of data.

The Cloudflare Workers Playground is back

We are revamping the Playground that demonstrates the power of Workers, with new development tools and the ability to share your code from the Playground and deploy it instantly to Cloudflare’s global network.

Expanding the Cloudflare Integrations Marketplace

We present the latest additions to the Cloudflare Integrations Marketplace. Now available: Sentry, Momento and Turso.

A Socket API compatible with different JavaScript runtimes: announcing a WinterCG specification and a polyfill for connect()

Software engineers from Cloudflare and Vercel have published a draft specification of the connect() socket API for community review, together with a Node.js-compatible polyfill for the connect() API that developers can use now.

New pricing for Workers

We are announcing new pricing for Cloudflare Workers. From now on, billing is based only on CPU time and no longer on the idle time your Worker spends waiting on responses to network requests and other I/O.



In brief

Post-quantum cryptography generally available

Cloudflare is rolling out post-quantum cryptography support for customers, services and internal systems so that you can proactively protect yourself against sophisticated attacks.

Encrypted Client Hello

We are announcing a contribution to strengthening privacy across the Internet: Encrypted Client Hello is a new standard that prevents networks from snooping on which websites a user visits. It is now available on all Cloudflare plans.

Retro Scan for email

Cloudflare customers can now check messages in their Office 365 mailboxes for threats. With Retro Scan you can look back over the past seven days to see which threats your current email security tool has missed.

Turnstile now generally available

Turnstile, Cloudflare’s CAPTCHA replacement, is now generally available and can be used by anyone, free of charge and without limits.

AI crawler bots

Any Cloudflare user, regardless of plan, can choose specific categories of bots to allow or block, including AI crawlers. We also recommend a new standard for robots.txt that makes it easier for websites to clearly specify how AI bots may crawl them.

Detecting zero-day threats before day zero

We take a closer look at Cloudflare’s approach and current research into detecting new web attack vectors in our WAF, even before they are identified by security researchers.

Privacy-preserving metrics

We dive deep into the fundamental concepts behind the Distributed Aggregation Protocol (DAP) and provide examples of how we implemented it in Daphne, our open source aggregator server.

Post-quantum cryptography to origin servers

We are rolling out post-quantum cryptography support for outbound connections to origin servers and Cloudflare Workers fetch() calls. Learn more about what we enabled, how we rolled it out safely, and how you can add support to your origin server today.

Network performance update

We present Cloudflare’s latest network performance benchmark results, plus a look into the tools and processes we use to monitor and improve our network performance.

One more thing

On Cloudflare’s twelfth anniversary last year, we introduced the Workers Launchpad Funding Program. You can think of it as an accelerator program for startups. It is aimed at companies building products on Cloudflare’s developer platform, with no restrictions on size, stage or geography.

A refresher on how the Launchpad works: each quarter we select a group of startups that get access to a wide range of technical advice, mentorship and fundraising opportunities. This includes our Founders Bootcamp, office hours with our solution architects, and Demo Day. Where needed, we also connect you with a community of more than 40 leading, globally active venture capital firms.

In return, we ask for your honest feedback. We want to know what works, what doesn’t, and what we should build for you. We neither require a stake in your company nor do you have to pay to take part in our program.

Over the past year we received applications from almost 60 countries. We had the opportunity to work closely with 50 amazing early- and growth-stage startups admitted into the first two cohorts. We have also expanded our community of VC partners to over 40 firms and more than $2 billion in potential investments in startups building on Cloudflare.

Next up: Cohort #3! Given the recent wrap-up of Cohort #2 (check out their Demo Day!), the celebration of Launchpad’s first anniversary, and our many announcements last week, we thought everyone could use a little more time to catch up on all the news. That is why we are extending the application deadline for Cohort #3 by a few weeks, to October 13, 2023. We are also reserving five places for companies already using one of the AI-powered solutions we presented last Wednesday. Just make sure to mention in your application what you are using.

Once you have had the chance to read through our announcements over a nice cup of coffee, take a look at Workers Launchpad. Applying is a breeze: you will be done long before your coffee gets cold.

Until next time!

That wraps up our Birthday Week 2023. We hope you enjoyed it, and we look forward to seeing you again at our next Innovation Week!

Birthday Week recap: everything we announced, plus an AI-powered opportunity for startups

Post Syndicated from Dina Kozlov original

Birthday Week recap: everything we announced — plus an AI-powered opportunity for startups

This year, Cloudflare officially entered its teens, as the company celebrated its 13th birthday. We marked the occasion with a series of announcements that benefit both our customers and the Internet community.

From application development in the age of AI to protection against extremely advanced attacks that are still unknown, Cloudflare is proud to provide tools that help our customers stay a step ahead.

We hope you had a great time following our news, and for anyone who would like a recap of all the innovations we launched this week, here it is:



In a few words…

Adopting Cloudflare can cut carbon emissions by up to 96%

Migrating enterprise network services from on-premises equipment to Cloudflare services can reduce the corresponding carbon emissions by up to 96%.

Cloudflare Trace

Use Cloudflare Trace to find out which settings and rules are invoked when an HTTP request for your site passes through our network.

Cloudflare Fonts

Introducing Cloudflare Fonts. Improve the privacy and performance of websites that use Google Fonts by loading fonts directly from the Cloudflare network.

How Cloudflare routes traffic intelligently

An in-depth technical analysis explaining how Cloudflare uses machine learning to route traffic intelligently across our vast network.

Low-latency live streaming

LL-HLS support in Cloudflare Stream is now in open beta. You can deliver video to your audience faster, reducing the latency a viewer may experience in the player to as little as 3 seconds.

Account permissions for everyone

Cloudflare account permissions are now available to all customers, not just Enterprise customers. We also show you how to use them and which best practices to adopt.

Incident alerts

Customers can subscribe to Cloudflare incident alerts and choose when they receive a notification, based on the products affected and the severity of the impact.



In a few words…

Welcome to the connectivity cloud

Cloudflare is the world’s first connectivity cloud: the modern approach to connecting and protecting your cloud, networks, applications and users.

Amazon’s $2 billion IPv4 tax, and how you can avoid paying it

Amazon will begin charging its customers $43 for the use of IPv4 addresses. Cloudflare will therefore give those $43 back as a credit, to get around this tax.


With Sippy, minimize egress fees as you incrementally migrate your data from AWS to R2.

Cloudflare Images

All image resizing features will be available under Cloudflare Images, and we are simplifying pricing to make it more predictable and reliable.

Traffic anomalies and notifications with Cloudflare Radar

Cloudflare Radar will publish traffic anomaly events for countries and autonomous systems (AS).

Detecting Internet outages

Learn how Cloudflare detects Internet outages, the challenges this presents, and our approach to overcoming these problems.



In a few words…

The best place in Region: Earth for inference

Available now: Workers AI, a serverless GPU cloud dedicated to AI; Vectorize, to let you build your own vector databases; and AI Gateway, to simplify cost management and observability for your AI applications.

Cloudflare provides the best infrastructure for next-generation AI applications, backed by partnerships with NVIDIA, Microsoft, Hugging Face, Databricks and Meta.

Workers AI

Launching Workers AI: we are thrilled to introduce Workers AI, an AI inference-as-a-service platform that lets developers run AI models with just a few lines of code, powered by our global network of GPUs.

Partnership with Hugging Face

Cloudflare announces a partnership with Hugging Face to make AI models more accessible and affordable for users.


Cloudflare’s vector database, designed to let engineers build full-stack AI applications entirely on Cloudflare’s global network, is now available in beta!

AI Gateway

AI Gateway helps developers gain better control and visibility over their AI applications, letting you focus on building without worrying about observability, reliability and scalability. AI Gateway handles everything that almost every AI application needs, saving you engineering time so you can focus on what you are building.


You can now use WebGPU in Cloudflare Workers

Developers can now use WebGPU in Cloudflare Workers. Learn why WebGPU matters, why we are offering it to our customers, and what comes next.

What AI companies are building with Cloudflare

Many AI companies use Cloudflare to build next-generation applications. Learn what they are developing and how Cloudflare helps them.

Writing poems with Llama 2 in Workers AI

Want to use AI to write a poem? Learn how to build your own AI chatbot in 14 lines of code and run it on Cloudflare’s global network.



In a few words…


Cloudflare is launching a new product, Hyperdrive, which makes existing regional databases much faster by dramatically speeding up queries made from Cloudflare Workers.

D1 open beta

D1 is now in open beta, and the theme of this release is scale: with higher storage limits per database and the ability to create more databases, we are unlocking developers’ ability to build production-scale applications in D1.

Pages Build Caching

Build caching is a feature designed to reduce build times by caching and reusing previously computed project components, now available in beta.

Running serverless Puppeteer with Workers and Durable Objects

Introducing the Browser Rendering API, which lets developers use Puppeteer, the browser automation library, in Workers, removing the need to set up and maintain a serverless browser automation system.

Cloudflare partners with Microsoft to power its Edge Secure Network

We have partnered with Microsoft Edge to offer a fast and secure VPN directly in the browser. Users do not need to install new applications or understand complex concepts to benefit from the latest advances in network-level privacy: the Edge Secure Network VPN is available in the latest consumer version of Microsoft Edge in most markets and automatically comes with 5 GB of data.

Rediscover the Cloudflare Workers Playground

We are revamping the Playground that demonstrates the power of Workers, with new development tools and the ability to share your Playground code and deploy it instantly to Cloudflare’s global network.

Cloudflare’s Integrations Marketplace is growing

Discover the latest additions to Cloudflare’s Integrations Marketplace. Now available: Sentry, Momento and Turso.

A Socket API that runs across JavaScript runtimes: announcing a WinterCG spec and polyfill for connect()

Engineers from Cloudflare and Vercel have published a draft specification of the connect() Sockets API for community review, along with a Node.js-compatible polyfill for the connect() API that developers can start using.

New Workers pricing

Announcing new pricing for Cloudflare Workers: billing will be based on CPU time, and the idle time your Worker spends waiting on network requests and other I/O will never be billed.



In a few words…

Post-quantum cryptography goes GA

Cloudflare is rolling out post-quantum cryptography support for customers, services and internal systems to provide proactive protection against advanced attacks.

Encrypted Client Hello

Announcing a contribution that will help improve privacy for every Internet user. Encrypted Client Hello, a new standard that prevents networks from snooping on which websites a user visits, is now available on all Cloudflare plans.

Email Retro Scan

Cloudflare customers can now scan messages in their Office 365 inboxes for potential threats. Retro Scan lets you look back seven days to identify threats your current email security tool missed.

Turnstile is generally available

Turnstile, Cloudflare’s CAPTCHA replacement, is now available free to everyone and includes unlimited use.

AI crawler bots

Regardless of plan, any Cloudflare user can choose specific categories of bots to allow or block, including crawler bots. We also recommend a new standard for robots.txt that will make it easier for websites to clearly indicate what content AI bots are and are not allowed to crawl.

Detecting zero-day threats before day zero

Take a detailed look at Cloudflare’s approach and ongoing research into detecting new web attack vectors in our WAF before they are identified by a security researcher.

Privacy-preserving metrics

Read an in-depth analysis of the fundamental concepts of the Distributed Aggregation Protocol (DAP), with examples of how it is implemented in Daphne, our open source aggregation server.

Post-quantum cryptography for connections to origin servers

We are rolling out post-quantum cryptography for outbound connections to origin servers and Cloudflare Workers fetch() calls. Learn more about what we enabled, how we secured the rollout, and how you can add support to your origin server today.

Network performance update

See Cloudflare’s updated network performance benchmark results, plus a deep dive into the tools and processes we use to monitor and improve our network’s performance.

One more thing

When Cloudflare celebrated its twelfth birthday last year, we announced the Workers Launchpad funding program, which can be thought of as a startup accelerator program for companies building solutions on Cloudflare’s developer platform, with no restrictions on size, stage or geography.

A reminder of how Launchpad works: each quarter we admit a group of startups that then get access to a wide range of technical advice, mentorship and fundraising opportunities, including our Founders Bootcamp, Open Office Hours with our Solution Architects, and Demo Day. Companies ready to raise funds will also be put in touch with our community of more than 40 leading venture capital firms around the world.

All we ask in return is your honest feedback. We want to know what works, what doesn’t, and what you would like us to build. We take no stake in your company, and participation in the program is free.

Over the past year we received applications from nearly 60 countries. We had the opportunity to work with 50 incredible early- and growth-stage startups admitted into the first two cohorts; we also expanded our community of venture capital partners to more than 40 firms, with over $2 billion in potential investments in startups building on Cloudflare.

Coming up: Cohort #3! Between wrapping up Cohort #2 (go watch their Demo Day!), celebrating Launchpad’s first anniversary, and the many announcements we made last week, we thought everyone could use a little more time to catch up on all the news, which is why we are extending the deadline for Cohort #3 by a few weeks, to October 13, 2023. We are also reserving 5 places in the group for companies already using one of the AI innovations announced last Wednesday. Don’t forget to mention in your application which product you are using.

So, once you have found the time to look at the announcements and pour yourself a coffee, come and discover Workers Launchpad. Applying is child’s play; you will be done long before your coffee has had time to cool!

Until next time!

That’s all for Birthday Week 2023. We hope you had a great time, and we’ll see you at our next Innovation Week!


Post Syndicated from Dina Kozlov original

Birthday Week recap: everything we announced — plus an AI-powered opportunity for startups

Cloudflare Trace

Use Cloudflare Trace to see which rules and settings are invoked when an HTTP request for your site passes through our network.

Cloudflare Fonts

Introducing Cloudflare Fonts. Enhance the privacy and performance of websites that use Google Fonts by loading fonts directly from Cloudflare's network.

Cloudflare Stream's LL-HLS support is now in open beta. Deliver video to viewers faster, cutting the longest wait a viewer experiences to as little as 3 seconds.

By subscribing to Cloudflare Incident Alerts, you can choose when to be notified based on the affected products and the level of impact.

Amazon's $2 billion IPv4 tax, and how to avoid paying it

Cloudflare Images

All image resizing features are now available under Cloudflare Images, and we're simplifying pricing to make it more predictable and reliable.

Traffic anomalies and notifications with Cloudflare Radar

Cloudflare Radar will publish anomalous traffic events for countries and autonomous systems (ASes).

Workers AI, a serverless GPU cloud for AI; Vectorize, for building your own vector database; and AI Gateway, which helps manage the cost and observability of AI apps, are now available.

Cloudflare provides the best infrastructure for next-generation AI applications, backed by partnerships with NVIDIA, Microsoft, Hugging Face, Databricks, and Meta.

Workers AI

Launching Workers AI: an AI inference-as-a-service platform that lets developers run AI models with just a few lines of code, powered by our global network of GPUs.

Partnership with Hugging Face

Cloudflare is partnering with Hugging Face to make AI models more accessible and affordable for users.

AI Gateway

AI Gateway gives developers more control and visibility over their AI apps, so they can focus on building without worrying about observability, reliability, and scalability. AI Gateway handles what almost every AI application needs, saving engineering time so you can focus on building.

WebGPU is now available in Cloudflare Workers

Developers can now use WebGPU in Cloudflare Workers. Learn why WebGPU matters, why we're making it available to customers, and what's next.

Writing poems with LLama 2 on Workers AI

Cloudflare is launching Hyperdrive, a new product that makes your existing regional databases much faster by dramatically speeding up queries from Cloudflare Workers.

Running serverless Puppeteer with Workers and Durable Objects

We've partnered with Microsoft Edge to provide a fast and secure VPN right in the browser. Users don't need to install anything new or understand complex concepts to get the latest network-level privacy: the Edge Secure Network VPN is available in the latest consumer version of Microsoft Edge in most markets and automatically comes with 5 GB of data.

Reintroducing the Cloudflare Workers Playground

Expanding the Cloudflare Integration Marketplace

Introducing the newest additions to Cloudflare's Integration Marketplace. Now available: Sentry, Momento, and Turso.

A Socket API that works across JavaScript runtimes: announcing the WinterCG spec and polyfill for connect()

Announcing a new Cloudflare Workers billing model based on CPU time, which never counts the idle time your Worker spends waiting on network requests and other I/O.

Encrypted Client Hello

Announcing a contribution to improving the privacy of everyone on the Internet. Encrypted Client Hello, a new standard that prevents networks from snooping on which websites a user is visiting, is now available on all Cloudflare plans.

Email Retro Scan

Cloudflare customers can now scan messages in their Office 365 inboxes for threats. Retro Scan lets you look back seven days to see which threats your current email security tool has missed.

A deep dive into the basic concepts behind DAP (Distributed Aggregation Protocol), with examples of how we've implemented it in Daphne, our open-source aggregator server.

We're rolling out post-quantum cryptography support for outbound connections to origins and Cloudflare Workers fetch() calls. Learn more about what we've enabled, how we rolled it out safely, and how you can add support to your origin server today.

Network performance update

When Cloudflare turned 12 last year, we announced the Workers Launchpad Funding Program. Think of it as a startup accelerator for companies building on Cloudflare's developer platform, with no restrictions on size, stage, or geography.

Up next: Cohort #3. Between Cohort #2 recently wrapping up (check out its Demo Day), celebrating Launchpad's first birthday, and all the announcements we made last week, we thought everyone could use enough time to catch up on all the news. So we're extending the Cohort #3 deadline by a few weeks, to October 13, 2023. We're also reserving five spots for those already using any of the AI announcements from last Wednesday. Please be sure to mention in your application what you're using.

Once you've checked out the announcements and taken a coffee break, check out Workers Launchpad. Applying is easy; you'll be done before your coffee gets cold.



Birthday Week recap: everything we announced, plus an AI-powered opportunity for startups

Post Syndicated from Dina Kozlov original

Birthday Week recap: everything we announced — plus an AI-powered opportunity for startups

This year, Cloudflare officially turns 13. We marked the milestone with a range of announcements that benefit both our customers and the Internet community.

From building applications in the age of AI to protecting against the most advanced threats that have yet to emerge, Cloudflare is proud to provide the tools that help our customers stay a step ahead.

We hope you enjoyed following the announcements. Here's a recap of everything we launched this week.

In one sentence…

Switching to Cloudflare can cut your emissions by up to 96%

Moving enterprise network services from on-premises to Cloudflare can cut the associated carbon emissions by up to 96%.

Cloudflare Trace

Use Cloudflare Trace to see which rules and settings are invoked when an HTTP request for your site passes through our network.

Cloudflare Fonts

Introducing Cloudflare Fonts. Improve the privacy and performance of websites that use Google Fonts by loading fonts directly from the Cloudflare network.

How Cloudflare intelligently routes traffic

A technical deep dive explaining how Cloudflare uses machine learning to intelligently route traffic through our vast network.

Low-latency live streaming

LL-HLS support for Cloudflare Stream is now in open beta. By delivering video to your audience faster, you can cut the latency a viewer may experience in their player to 3 seconds.

Account permissions for everyone

Cloudflare account permissions are now available to all customers, not just Enterprise. We also show you how to use them and the best practices.

Incident Alerts

Customers can now subscribe to Cloudflare Incident Alerts and choose when to be notified based on the affected products and the severity of the impact.

In one sentence…

Welcome to the connectivity cloud

Cloudflare is the world's first connectivity cloud, the modern way to connect and protect your clouds, networks, applications, and users.

Amazon's $2 billion IPv4 tax, and how to avoid paying it

Amazon will begin charging $43 per IPv4 address, so Cloudflare will give that $43 back in the form of credits to get around the charge.

Minimize egress fees by using Sippy to incrementally migrate your data from AWS to R2.

Cloudflare Images

All Image Resizing features will be available under Cloudflare Images, and we're simplifying pricing to make it more predictable and reliable.

Traffic anomalies and notifications with Cloudflare Radar

Cloudflare Radar will publish anomalous traffic events for countries and autonomous systems (ASes).

Detecting Internet outages

A deep dive into how Cloudflare detects Internet outages, the challenges involved, and our approach to overcoming them.

In one sentence…

The best place on Region: Earth for inference

Workers AI, a serverless GPU cloud for AI; Vectorize, for building your own vector database; and AI Gateway, for managing the cost and observability of your AI applications, are now available.

Cloudflare provides the best infrastructure for next-generation AI applications, backed by partnerships with NVIDIA, Microsoft, Hugging Face, Databricks, and Meta.

Workers AI

Launching Workers AI, an AI inference-as-a-service platform that lets developers run AI models with just a few lines of code, powered by Cloudflare's global network of GPUs.

Partnership with Hugging Face

Cloudflare has partnered with Hugging Face to make AI models more accessible and affordable for users.

Now in beta, Cloudflare's vector database is designed to let engineers build full-stack AI-powered applications entirely on Cloudflare's global network.

AI Gateway

AI Gateway helps developers gain more control and visibility over their AI apps, so they can focus on building without worrying about observability, reliability, and scaling. AI Gateway handles what almost every AI app needs, saving engineering time so developers can focus on building.

WebGPU is now available in Cloudflare Workers

Developers can now use WebGPU in Cloudflare Workers. Learn more about why WebGPU matters, why we're offering it to customers, and what's next.

What AI companies are building with Cloudflare

Many AI companies are using Cloudflare to build next-generation applications. Learn more about what they're building and how Cloudflare is helping them on that journey.

Writing poems with LLama 2 on Workers AI

Want to write a poem using AI? Learn how to run your own AI chatbot in 14 lines of code on Cloudflare's global network.

In one sentence…

Cloudflare is launching Hyperdrive, a new product that makes your existing regional databases much faster by dramatically speeding up queries made from Cloudflare Workers.

D1 open beta

D1's current beta is all about "scale": with higher per-database storage limits and the ability to create more databases, we're unlocking developers' ability to build production-scale applications on D1.

Pages build caching

Now in beta, build cache is a feature designed to reduce your build times by caching and reusing previously computed project components.

Running serverless Puppeteer with Workers and Durable Objects

Introducing the Browser Rendering API, which lets developers use the Puppeteer browser automation library within Workers, eliminating the need to set up or maintain a serverless browser automation system.

Cloudflare partners with Microsoft to power Edge Secure Network

We've partnered with Microsoft Edge to provide a fast and secure VPN right in the browser. Users don't need to install anything new or understand complex concepts to get the latest in network-level privacy. The Edge Secure Network VPN is available in the latest consumer version of Microsoft Edge in most markets and comes with 5 GB of data automatically.

Reintroducing the Cloudflare Workers Playground

We're revamping the playground that showcases the power of Workers, with new developer tooling and the ability to share playground code and instantly deploy it to Cloudflare's global network.

Expanding the Cloudflare Integration Marketplace

Introducing the newest additions to Cloudflare's Integration Marketplace. Now available: Sentry, Momento, and Turso.

A Socket API that works across JavaScript runtimes: announcing the WinterCG spec and polyfill for connect()

Engineers from Cloudflare and Vercel have published a draft specification of the connect() sockets API for community review, along with a Node.js-compatible polyfill for the connect() API that developers can start using.

New Workers pricing

Announcing new pricing for Cloudflare Workers, where you're billed on CPU time rather than the idle time your Worker spends waiting on network requests and other I/O.

In one sentence…

Post-quantum cryptography goes GA

Cloudflare is rolling out support for post-quantum cryptography to proactively protect customers, services, and internal systems from advanced attacks.

Encrypted Client Hello

Announcing a contribution to improving the privacy of every Internet user. Encrypted Client Hello, a new standard that prevents networks from snooping on which websites a user is visiting, is now available on all Cloudflare plans.

Email Retro Scan

Cloudflare customers can now scan messages in their Office 365 inboxes for threats. Retro Scan checks messages from up to seven days back to find threats missed by your current email security tool.

Turnstile goes GA

Turnstile, Cloudflare's CAPTCHA replacement, is now generally available, free for everyone with unlimited use.

AI crawler bots

Cloudflare users on any plan can choose specific categories of bots to allow or block, including AI crawlers. Cloudflare is also recommending a new standard for robots.txt that makes it easier for websites to specify what AI bots can and cannot crawl.

Detecting zero-days before zero-day

A deep dive into Cloudflare's approach and ongoing research into detecting novel web attack vectors in our WAF before security research tools identify them.

Privacy-preserving metrics

A deep dive into the basic concepts behind the Distributed Aggregation Protocol (DAP), together with how Cloudflare has implemented it in Daphne, our open-source aggregator server.

Post-quantum cryptography to origins

We're rolling out post-quantum cryptography support for outbound connections to origins and Cloudflare Workers fetch() calls. Learn more about what we've enabled, how we rolled it out safely, and how you can add support to your origin server today.

Network performance update

A deep dive into Cloudflare's updated benchmark results for network performance and the tools and processes we use to monitor and improve it.

One more thing

When Cloudflare turned 12, we announced the Workers Launchpad funding program. Think of it as a startup accelerator for companies building on Cloudflare's developer platform, with no restrictions on size, stage, or geography.

As a quick refresher on how Launchpad works: every quarter, Cloudflare admits a cohort of startups and offers them a wide range of technical advice, mentorship, and fundraising opportunities. These include Cloudflare's Founders Bootcamp, open office hours with our solutions architects, and Demo Day. Startups ready to raise are connected with Cloudflare's community of more than 40 leading global venture capital firms.

In return for all of this, we ask only for your honest feedback. Tell us what helped, what didn't, and what products you'd like us to build for you. Cloudflare doesn't ask for equity in your company, and there is no fee to participate in the program.

Over the past few years we've received applications from nearly 60 countries. Cloudflare has had the opportunity to work closely with 50 amazing early- and growth-stage startups across the first two cohorts. Through this, more than 40 firms have joined Cloudflare's venture capital partner community, with more than $2 billion in potential investment available for startups building on Cloudflare.

Up next: Cohort #3! With Cohort #2 recently wrapping up (check out its Demo Day!), celebrating Launchpad's first birthday, and all the announcements we made last week, we thought everyone could use a little time to digest all the news. So we've pushed the Cohort #3 deadline back a few weeks, to October 13, 2023. And we've set aside five spots for startups already using any of last Wednesday's AI announcements. Be sure to tell us what you're using in your application.

We've given you time to check out the announcements and grab a coffee. Now check out Workers Launchpad. Applying is easy enough to finish before your coffee gets cold.

Until next time

And that's a wrap on Birthday Week 2023. We hope you enjoyed it, and we'll see you at the next Innovation Week!



Introducing per hostname TLS settings — security fit to your needs

Post Syndicated from Dina Kozlov original

Introducing per hostname TLS settings — security fit to your needs


One of the goals of Cloudflare is to give our customers the necessary knobs to enable security in a way that fits their needs. In the realm of SSL/TLS, we offer two key controls: setting the minimum TLS version, and restricting the list of supported cipher suites. Previously, these settings applied to the entire domain, resulting in an “all or nothing” effect. While having uniform settings across the entire domain is ideal for some users, it sometimes lacks the necessary granularity for those with diverse requirements across their subdomains.

It is for that reason that we’re excited to announce that as of today, customers will be able to set their TLS settings on a per-hostname basis.

The trade-off with using modern protocols

In an ideal world, every domain could be updated to use the most secure and modern protocols without any setbacks. Unfortunately, that's not the case. New standards and protocols require adoption in order to be effective. TLS 1.3 was standardized by the IETF in April 2018. It removed the vulnerable cryptographic algorithms that TLS 1.2 supported and provided a performance boost by requiring only one roundtrip, as opposed to two. For a user to benefit from TLS 1.3, they need their browser or device to support the new TLS version. For modern browsers and devices, this isn’t a problem – these operating systems are built to dynamically update to support new protocols. But legacy clients and devices were, obviously, not built with the same mindset. Before 2015, new protocols and standards were developed over decades, not months or years, so the clients were shipped out with support for one standard — the one that was used at the time.

If we look at Cloudflare Radar, we can see that about 62.9% of traffic uses TLS 1.3. That’s quite significant for a protocol that was only standardized 5 years ago. But that also means that a significant portion of the Internet continues to use TLS 1.2 or lower.

The same trade-off applies to encryption algorithms. ECDSA was standardized in 2005, about 20 years after RSA. It offers a higher level of security than RSA and uses shorter key lengths, which adds a performance boost for every request. To use ECDSA, a domain owner needs to obtain and serve an ECDSA certificate, and the connecting client needs to support cipher suites that use elliptic curve cryptography (ECC). While most publicly trusted certificate authorities now support ECDSA-based certificates, the slow rate of adoption has left many legacy systems supporting only RSA, which means that restricting applications to ECC-based algorithms alone could lock out users on older clients and devices.

Balancing the trade-offs

When it comes to security and accessibility, it’s important to find the right middle ground for your business.

To maintain brand, most companies deploy all of their assets under one domain. It’s common for the root domain (e.g. to be used as a marketing website to provide information about the company, its mission, and the products and services it offers. Then, under the same domain, you might have your company blog (e.g., your management portal (e.g., and your API gateway (e.g.

The marketing website and the blog are similar in that they’re static sites that don’t collect information from the accessing users. On the other hand, the management portal and API gateway collect and present sensitive data that needs to be protected.

When you’re thinking about which settings to deploy, you want to consider the data that’s exchanged and the user base. The marketing website and blog should be accessible to all users. You can set them up to support modern protocols for the clients that support them, but you don’t necessarily want to restrict access for users that are accessing these pages from old devices.

The management portal and API gateway should be set up in a manner that provides the best protection for the data exchanged. That means dropping support for less secure standards with known vulnerabilities and requiring new, secure protocols to be used.

To achieve this setup, you need to configure settings for every subdomain within your domain individually.

Per hostname TLS settings – now available!

Customers that use Cloudflare’s Advanced Certificate Manager can configure TLS settings on individual hostnames within a domain. Customers can use this to enable HTTP/2, or to configure the minimum TLS version and the supported cipher suites on a particular hostname. Any setting applied on a specific hostname supersedes the zone-level setting. The new capability also allows you to have different settings on a hostname and its wildcard record, which means you can configure to use one setting, and * to use another.

Let’s say that you want the default minimum TLS version for your domain to be TLS 1.2, but for your dashboard and API subdomains you want the minimum TLS version to be TLS 1.3. In the Cloudflare dashboard, set the zone-level minimum TLS version to 1.2. Then, to make the minimum TLS version for the dashboard and API subdomains TLS 1.3, make a call to the per-hostname TLS settings API endpoint with the specific hostname and setting.


This is all available, starting today, through the API endpoint! And if you’d like to learn more about how to use our per-hostname TLS settings, please jump on over to our developer documentation.
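As an added illustration, not Cloudflare’s code or API, here is how a TLS terminator applies per-hostname settings from the SNI in the ClientHello, written in Go on the standard library’s GetConfigForClient hook. The hostnames and the wildcard cipher list are constructed for the example; the precedence (exact hostname, then its wildcard, then the zone default) follows the description above.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// hostSettings is the per-hostname subset the post describes: the minimum
// TLS version and the allowed cipher suites (nil = Go's default list; Go
// ignores the list for TLS 1.3, whose suites are fixed by the protocol).
type hostSettings struct {
	minVersion uint16
	ciphers    []uint16
}

// tlsPolicy is a zone-level default plus overrides keyed by exact hostname
// or by wildcard ("*.example.com"). Resolution order, as on the page:
// exact hostname, then the hostname's wildcard, then the zone default.
type tlsPolicy struct {
	zoneDefault hostSettings
	perHost     map[string]hostSettings
}

// settingsFor resolves the effective settings for a server name (SNI).
func (p tlsPolicy) settingsFor(sni string) hostSettings {
	sni = strings.ToLower(strings.TrimSuffix(sni, "."))
	if s, ok := p.perHost[sni]; ok {
		return s
	}
	if i := strings.IndexByte(sni, '.'); i > 0 {
		if s, ok := p.perHost["*"+sni[i:]]; ok {
			return s
		}
	}
	return p.zoneDefault
}

// serverConfig wraps a base tls.Config so that GetConfigForClient swaps in
// the per-hostname policy for the SNI before the handshake continues.
func (p tlsPolicy) serverConfig(base *tls.Config) *tls.Config {
	cfg := base.Clone()
	cfg.GetConfigForClient = func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
		s := p.settingsFor(hi.ServerName)
		c := base.Clone()
		c.MinVersion = s.minVersion
		c.CipherSuites = s.ciphers
		return c, nil
	}
	return cfg
}

// demoPolicy mirrors the page's scenario: zone default TLS 1.2, dashboard and
// API hostnames at TLS 1.3, plus a wildcard with a pinned cipher list to show
// that the apex and its wildcard can differ. Hostnames are constructed.
func demoPolicy() tlsPolicy {
	return tlsPolicy{
		zoneDefault: hostSettings{minVersion: tls.VersionTLS12},
		perHost: map[string]hostSettings{
			"dashboard.example.com": {minVersion: tls.VersionTLS13},
			"api.example.com":       {minVersion: tls.VersionTLS13},
			"*.example.com": {minVersion: tls.VersionTLS12, ciphers: []uint16{
				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			}},
		},
	}
}

// versionName renders a tls.Version* constant for display.
func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

func main() {
	cfg := demoPolicy().serverConfig(&tls.Config{})
	for _, sni := range []string{"example.com", "blog.example.com", "api.example.com", "DASHBOARD.example.com."} {
		c, _ := cfg.GetConfigForClient(&tls.ClientHelloInfo{ServerName: sni})
		fmt.Printf("%-24s min %s, %d pinned cipher suites\n", sni, versionName(c.MinVersion), len(c.CipherSuites))
	}
}
```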

Bring your own CA for client certificate validation with API Shield

Post Syndicated from Dina Kozlov original


APIs account for more than half of the total traffic of the Internet. They are the building blocks of many modern web applications. As API usage grows, so does the number of API attacks, so now, more than ever, it’s important to keep these API endpoints secure. Cloudflare’s API Shield solution offers a comprehensive suite of products to safeguard your API endpoints, and today we’re giving our customers one more tool to keep their endpoints safe: customers can now bring their own Certificate Authority (CA) to use for mutual TLS client authentication. This gives customers more security while allowing them to keep control over their Mutual TLS configuration.

The power of Mutual TLS (mTLS)

Traditionally, when we refer to TLS certificates, we talk about the publicly trusted certificates that are presented by servers to prove their identity to the connecting client. With Mutual TLS, both the client and the server present a certificate to establish a two-way channel of trust. Doing this allows the server to check who the connecting client is and whether or not they’re allowed to make a request. The certificate presented by the client – the client certificate – doesn’t need to come from a publicly trusted CA. In fact, it usually comes from a private or self-signed CA. That’s because the only party that needs to trust it is the connecting server. As long as the server holds the issuing CA’s certificate and can check the client certificate’s validity against it, that CA doesn’t need to be public.

Securing API endpoints with Mutual TLS

Mutual TLS plays a crucial role in protecting API endpoints. When it comes to safeguarding these endpoints, it's important to have a security model in place that only allows authorized clients to make requests and keeps everyone else out.

That’s why when we launched API Shield in 2020 – a product that’s centered around securing API endpoints – we included mutual TLS client certificate validation as a part of the offering. We knew that mTLS was the best way for our customers to identify and authorize their connecting clients.

When we launched mutual TLS for API Shield, we gave each of our customers a dedicated self-signed CA that they could use to issue client certificates. Once the certificates are installed on devices and mTLS is set up, administrators can require that a connection is only accepted if it presents a client certificate issued from that self-signed CA.

This feature has been paramount in securing thousands of endpoints, but it does require customers to install new client certificates on their devices, which isn’t always possible. Some customers have been using mutual TLS for years with their own CA, which means that the client certificates are already in the wild. Unless the application owner has direct control over the clients, it’s usually arduous, if not impossible, to replace the client certificates with ones issued from Cloudflare’s CA. Other customers may be required to use a CA operated by an approved third party in order to meet regulatory requirements.

To help all of our customers keep their endpoints secure, we’re extending API Shield’s mTLS capability to allow customers to bring their own CA.


Get started today

To simplify the management of private PKI at Cloudflare, we created one account-level endpoint that enables customers to upload self-signed CAs to use across different Cloudflare products. Today, this endpoint can be used for API Shield CAs and for Gateway CAs that are used for traffic inspection.

If you’re an Enterprise customer, you can upload up to five CAs to your account. Once you’ve uploaded the CA, you can use the API Shield hostname association API to associate the CA with the mTLS enabled hostnames. That will tell Cloudflare to start validating the client certificate against the uploaded CA for requests that come in on that hostname. Before you enforce the client certificate validation, you can create a Firewall rule that logs an event when a valid or invalid certificate is served. That will help you determine if you’ve set things up correctly before you enforce the client certificate validation and drop unauthorized requests.

To learn more about how you can use this, refer to our developer documentation.

If you’re interested in using mutual TLS to secure your corporate network, talk to an account representative about using our Access product to do so.

Announcing Cloudflare Secrets Store

Post Syndicated from Dina Kozlov original


We’re excited to announce Secrets Store – Cloudflare’s new secrets management offering!

A secrets store does exactly what the name implies – it stores secrets. Secrets are variables that are used by developers that contain sensitive information – information that only authorized users and systems should have access to.

If you’re building an application, there are various types of secrets that you need to manage. Every system should be designed with identity and authentication data that verifies some form of identity in order to grant access to a system or application. One example of this is API tokens for making read and write requests to a database. Failure to store these tokens securely could lead to unauthorized access to information – intentional or accidental.

The stakes with secrets management are high. Every gap in the storage of these values has the potential to lead to a data leak or compromise – a security administrator’s worst nightmare.

Developers are primarily focused on creating applications: they want to build quickly, they want their system to be performant, and they want it to scale. For them, secrets management is about ease of use, performance, and reliability. On the other hand, security administrators are tasked with ensuring that these secrets remain secure. It’s their responsibility to safeguard sensitive information, ensure that security best practices are met, and manage any fallout of an incident such as a data leak or breach. It’s their job to verify that developers at their company are building in a secure and foolproof manner.

In order for developers to build at high velocity and for security administrators to feel at ease, companies need to adopt a highly reliable and secure secrets manager. This should be a system that ensures that sensitive information is stored with the highest security measures, while maintaining ease of use that will allow engineering teams to efficiently build.

Why Cloudflare is building a secrets store

Cloudflare’s mission is to help build a better Internet – that means a more secure Internet. We recognize our customers’ need for a secure, centralized repository for storing sensitive data. Within the Cloudflare ecosystem, there are various places where customers need to store and access API and authorization tokens, shared secrets, and sensitive information. It’s our job to make it easy for customers to manage these values securely.

The need for secrets management goes beyond Cloudflare. Customers have sensitive data that they manage everywhere – at their cloud provider, on their own infrastructure, across machines. Our plan is to make our Secrets Store a one-stop shop for all of our customers’ secrets.

The evolution of secrets at Cloudflare

In 2020, we launched environment variables and secrets for Cloudflare Workers, allowing customers to create and encrypt variables across their Worker scripts. By doing this, developers can ensure that the value of a variable is no longer available in plaintext and can only be accessed by the Worker.

Adoption and use of these secrets is quickly growing. We now have more than three million Workers scripts that reference variables and secrets managed through Cloudflare. One piece of feedback that we continue to hear from customers is that these secrets are scoped too narrowly.

Today, customers can only use a variable or secret within the Worker that it’s associated with. But customers have secrets that they share across Workers. They don’t want to re-create those secrets and spend their time keeping them in sync. They want account-level secrets that are managed in one place but referenced across multiple Worker scripts and functions.

Outside of Workers, there are many use cases for secrets across Cloudflare services.

Inside our Web Application Firewall (WAF), customers can make rules that look for authorization headers in order to grant or deny access to requests. Today, when customers create these rules, they put the authorization header value in plaintext, so that anyone with WAF access in the Cloudflare account can see its value. What we’ve heard from our customers is that even internally, engineers should not have access to this type of information. Instead, what our customers want is one place to manage the value of this header or token, so that only authorized users can see, create, and rotate it. Then, when creating a WAF rule, engineers can just reference the associated secret, e.g. “account.mysecretauth”. By doing this, we help our customers secure their system by reducing the access scope, and we simplify management of this value by keeping it updated in one place.

With new Cloudflare products and features quickly developing, we’re hearing more and more use cases for a centralized secrets manager, one that can be used to store Access Service tokens or shared secrets for webhooks.

With the new account level Secrets Store, we’re excited to give customers the tools they need to manage secrets across Cloudflare services.

Securing the Secrets Store

To have a secrets store, there are a number of measures that need to be in place, and we’re committing to providing these for our customers.

First, we’re going to give our customers the tools they need to restrict access to secrets. We will have scoped permissions that allow admins to choose which users can view, create, edit, or remove secrets. We also plan to add the same level of granularity to our services – giving customers the ability to say “only allow this Worker to access this secret and only allow this set of Firewall rules to access that secret”.

Next, we’re going to give our customers extensive audit logs that allow them to track the access and use of their secrets. Audit logs are crucial for security administrators. They can be used to alert team members that a secret was used by an unauthorized service or that a compromised secret is being accessed when it shouldn’t be. We will give customers audit logs for every secret-related event, so that customers can see exactly who is making changes to secrets, and which services are accessing them and when.

In addition to the built-in security of the Secrets Store, we’re going to give customers the tools to rotate their encryption keys on-demand or at a cadence that fits the right security posture for them.

Sign up for the beta

We’re excited to get the Secrets Store into our customers’ hands. If you’re interested in using this, please fill out this form, and we’ll reach out to you when it’s ready to use.

Out now! Auto-renew TLS certifications with DCV Delegation

Post Syndicated from Dina Kozlov original


To get a TLS certificate issued, the requesting party must prove that they own the domain through a process called Domain Control Validation (DCV). As industry-wide standards have evolved to enhance security measures, this process has become manual for Cloudflare customers that manage their DNS externally. Today, we’re excited to announce DCV Delegation — a feature that gives all customers the ability to offload the DCV process to Cloudflare, so that all certificates can be auto-renewed without the management overhead.

Security is of utmost importance when it comes to managing web traffic, and one of the most critical aspects of security is ensuring that your application always has a TLS certificate that’s valid and up-to-date. Renewing TLS certificates can be an arduous and time-consuming task, especially as the recommended certificate lifetime continues to gradually decrease, causing certificates to be renewed more frequently. Failure to get a certificate renewed can result in downtime or insecure connections, which can lead to lost revenue, mistrust from your customers, and a management nightmare for your Ops team.

Every time a certificate is renewed with a Certificate Authority (CA), the certificate needs to pass a check called Domain Control Validation (DCV). This is a process that a CA goes through to verify that the party requesting the certificate does in fact own or control the domain for which the certificate is being requested. One of the benefits of using Cloudflare as your Authoritative DNS provider is that we can always prove ownership of your domain and therefore auto-renew your certificates. However, a big chunk of our customers manage their DNS externally. Before today, certificate renewals required these customers to make manual changes every time the certificate came up for renewal. Now, with DCV Delegation, you can let Cloudflare do all the heavy lifting.

DCV primer

Before we dive into how DCV Delegation works, let’s recap what DCV is. DCV is the process of verifying that the party requesting a certificate owns or controls the domain for which they are requesting it.

When a subscriber requests a certificate from a CA, the CA returns validation tokens that the domain owner needs to place. The token can be an HTTP file that the domain owner needs to serve from a specific endpoint or it can be a DNS TXT record that they can place at their Authoritative DNS provider. Once the tokens are placed, ownership has been proved, and the CA can proceed with the certificate issuance.

Better security practices for certificate issuance

Certificate issuance is a serious process. Any shortcomings can lead to a malicious actor issuing a certificate for a domain they do not own. What this means is that the actor could serve the certificate from a spoofed domain that looks exactly like yours and hijack and decrypt the incoming traffic. Because of this, over the last few years, changes have been put in place to ensure higher security standards for certificate issuance.

Shorter certificate lifetimes

The first change is the move to shorter-lived certificates. Before 2011, a certificate could be valid for up to 96 months (about eight years). Over the last few years, the accepted validity period has been significantly shortened. In 2012, certificate validity went down to 60 months (5 years), in 2015 the lifespan was shortened to 39 months (about 3 years), in 2018 to 24 months (2 years), and in 2020, the lifetime was dropped to 13 months. Following the trend, we’re going to continue to see certificate lifetimes decrease even further, with 3-month certificates as the standard. We’re already seeing this in action with Certificate Authorities like Let’s Encrypt and Google Trust Services offering a maximum validity period of 90 days (3 months). Shorter-lived certificates aim to reduce the compromise window in a situation where a malicious party has gained control over a TLS certificate or private key. The shorter the lifetime, the less time the bad actor can make use of the compromised material. At Cloudflare, we even give customers the ability to issue 2-week certificates to reduce the impact window even further.

While this provides a better security posture, it does require more management overhead for the domain owner, as they’ll now be responsible for completing the DCV process every time the certificate is up for renewal, which can be every 90 days. In the past, CAs would allow the reuse of validation tokens, meaning that even if the certificate was renewed more frequently, the validation tokens could be reused so that the domain owner wouldn’t need to complete DCV again. Now, more and more CAs are requiring unique tokens to be placed for every renewal, meaning shorter certificate lifetimes now result in additional management overhead.

Wildcard certificates now require DNS-based DCV

Aside from certificate lifetimes, the process required to get a certificate issued has developed stricter requirements over the last few years. The Certificate Authority/Browser Forum (CA/B Forum), the governing body that sets the rules and standards for certificates, has enforced stricter requirements around certificate issuance to ensure that certificates are issued in a secure manner that prevents a malicious actor from obtaining certificates for domains they do not own.

In May 2021, the CA/B Forum voted to require DNS-based validation for any certificate with a wildcard hostname on it. This means that if you would like to get a TLS certificate that covers and *, you can no longer use HTTP-based validation; instead, you will need to add TXT validation tokens at your DNS provider to get that certificate issued. This is because a wildcard certificate covers a large portion of the domain’s namespace. If a malicious actor receives a certificate for a wildcard hostname, they now have control over all of the subdomains under the domain. Since HTTP validation only proves ownership of a hostname and not the whole domain, it’s better to use DNS-based validation for a certificate with broader coverage.

All of these changes are great from a security standpoint – we should be adopting these processes! However, this also requires domain owners to adapt to the changes. Failure to do so can lead to a certificate renewal failure and downtime for your application. If you’re managing more than 10 domains, these new processes become a management nightmare fairly quickly.

At Cloudflare, we’re here to help. We don’t think that security should come at the cost of reliability or the time that your team spends managing new standards and requirements. Instead, we want to make it as easy as possible for you to have the best security posture for your certificates, without the management overhead.

How Cloudflare helps customers auto-renew certificates


For years, Cloudflare has been managing TLS certificates for tens of millions of domains. One of the reasons customers choose to manage their TLS certificates with Cloudflare is that we keep up with all the changes in standards, so you don’t have to.

One of the superpowers of having Cloudflare as your Authoritative DNS provider is that Cloudflare can add necessary DNS records on your behalf to ensure successful certificate issuances. If you’re using Cloudflare for your DNS, you probably haven’t thought about certificate renewals, because you never had to. We do all the work for you.

When the CA/B Forum announced that wildcard certificates would now require TXT based validation to be used, customers that use our Authoritative DNS didn’t even notice any difference – we continued to do the auto-renewals for them, without any additional work on their part.

While this provides a reliability and management boost to some customers, it still leaves out a large portion of our customer base — customers who use Cloudflare for certificate issuance with an external DNS provider.

There are two groups of customers that were impacted by the wildcard DCV change: customers with domains that host DNS externally – we call these “partial” zones – and SaaS providers that use Cloudflare’s SSL for SaaS product to provide wildcard certificates for their customers’ domains.

Customers with “partial” domains that use wildcard certificates on Cloudflare are now required to fetch the TXT DCV tokens every time the certificate is up for renewal and manually place those tokens at their DNS provider. With Cloudflare deprecating DigiCert as a Certificate Authority, certificates will now have a lifetime of 90 days, meaning this manual process will need to occur every 90 days for any certificate with a wildcard hostname.

Customers that use our SSL for SaaS product can request that Cloudflare issue a certificate for their customer’s domain – called a custom hostname. SaaS providers on the Enterprise plan have the ability to extend this support to wildcard custom hostnames, meaning we’ll issue a certificate for the domain ( and for a wildcard (* The issue with that is that SaaS providers will now be required to fetch the TXT DCV tokens, return them to their customers so that they can place them at their DNS provider, and repeat this process every 90 days. Supporting this requires a big change to SaaS providers’ management systems.

At Cloudflare, we want to help every customer choose security, reliability, and ease of use — all three! And that’s where DCV Delegation comes in.

Enter DCV Delegation: certificate auto-renewal for every Cloudflare customer

DCV Delegation is a new feature that allows customers who manage their DNS externally to delegate the DCV process to Cloudflare. DCV Delegation requires customers to place a one-time record that allows Cloudflare to auto-renew all future certificate orders, so that there’s no manual intervention from the customer at the time of the renewal.

How does it work?

Customers will now be able to place a CNAME record at their Authoritative DNS provider at their _acme-challenge label – where the DCV records are currently placed – pointing to a domain on Cloudflare.

This record will have the following syntax:

_acme-challenge.<domain.TLD> CNAME <domain.TLD>.<UUID>

Let’s say I own and need to get a certificate issued for it that covers the apex and wildcard record. I would place the following record at my DNS provider: CNAME<UUID> Then, Cloudflare would place the two TXT DNS records required to issue the certificate at<UUID>

As long as the partial zone or custom hostname remains Active on Cloudflare, Cloudflare will add the DCV tokens on every renewal. All you have to do is keep the CNAME record in place.

If you’re a “partial” zone customer or an SSL for SaaS customer, you will now see this card in the dashboard with more information on how to use DCV Delegation, or you can read our documentation to learn more.

Dashboard cards shown in the original post: DCV Delegation for Partial Zones, and DCV Delegation for Custom Hostnames.

The UUID in the CNAME target is a unique identifier. Each partial domain will have its own UUID that corresponds to all of the DCV delegation records created under that domain. Similarly, each SaaS zone will have one UUID that all custom hostnames under that domain will use. Keep in mind that if the same domain is moved to another account, the UUID value will change and the corresponding DCV delegation records will need to be updated.
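Added example, not Cloudflare’s code: how a CA’s DNS-01 validator ends up reading the tokens published at the delegated name once the CNAME above is in place, written in Go over an in-memory zone. The domain, UUIDs and tokens are constructed, and `delegSuffix` is a placeholder for the delegation target domain, which this page does not reproduce; the second run shows the caveat just described, a domain that moved accounts while its CNAME still carries the old UUID.

```go
package main

import (
	"fmt"
	"strings"
)

// record is a minimal DNS record: a CNAME alias or a TXT value.
type record struct{ typ, value string }

// zone is a constructed, in-memory stand-in for the DNS a CA's validator
// would query, keyed by lower-case owner name without a trailing dot.
type zone map[string][]record

// Constructed sample values; delegSuffix is a placeholder for the delegation
// target domain, which this page does not reproduce.
const (
	customerDomain = "example.com"
	currentUUID    = "11111111-2222-3333-4444-555555555555"
	oldUUID        = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
	delegSuffix    = "dcv.delegation-provider.example"
	apexToken      = "constructed-token-for-apex"
	wildcardToken  = "constructed-token-for-wildcard"
	maxHops        = 8 // CNAME chain limit so a misconfigured loop fails fast
)

// dcvDelegationCNAME builds the one-time record from the post:
// _acme-challenge.<domain.TLD> CNAME <domain.TLD>.<UUID>.<suffix>
func dcvDelegationCNAME(domain, uuid, suffix string) (owner, target string) {
	return "_acme-challenge." + domain, domain + "." + uuid + "." + suffix
}

// lookupTXT does what a CA's DNS-01 check does: query TXT at the challenge
// name and follow CNAMEs to wherever the tokens are actually published.
func lookupTXT(z zone, name string) ([]string, error) {
	for hop := 0; hop < maxHops; hop++ {
		recs, ok := z[strings.ToLower(strings.TrimSuffix(name, "."))]
		if !ok {
			return nil, fmt.Errorf("NXDOMAIN for %s", name)
		}
		var txts []string
		alias := ""
		for _, r := range recs {
			switch r.typ {
			case "CNAME":
				alias = r.value
			case "TXT":
				txts = append(txts, r.value)
			}
		}
		if alias != "" {
			name = alias // a CNAME owner carries no other data: follow it
			continue
		}
		if len(txts) == 0 {
			return nil, fmt.Errorf("no TXT records at %s", name)
		}
		return txts, nil
	}
	return nil, fmt.Errorf("CNAME chain longer than %d hops", maxHops)
}

// verifyDCV passes only if every token the CA issued for the order (apex and
// wildcard here) is found at the challenge name.
func verifyDCV(z zone, domain string, expected []string) error {
	found, err := lookupTXT(z, "_acme-challenge."+domain)
	if err != nil {
		return err
	}
	published := make(map[string]bool, len(found))
	for _, t := range found {
		published[t] = true
	}
	for _, want := range expected {
		if !published[want] {
			return fmt.Errorf("token %q not published", want)
		}
	}
	return nil
}

// buildZone assembles both sides: the customer's external DNS holding the
// CNAME (built with cnameUUID) and the delegated name where the tokens for
// the domain's current UUID are published at each renewal.
func buildZone(cnameUUID string) zone {
	z := zone{}
	owner, target := dcvDelegationCNAME(customerDomain, cnameUUID, delegSuffix)
	z[owner] = []record{{"CNAME", target}}
	_, live := dcvDelegationCNAME(customerDomain, currentUUID, delegSuffix)
	z[live] = []record{{"TXT", apexToken}, {"TXT", wildcardToken}}
	return z
}

func main() {
	want := []string{apexToken, wildcardToken}
	fmt.Println("CNAME with current UUID:", verifyDCV(buildZone(currentUUID), customerDomain, want))
	// Domain moved to another account: the UUID changed but the CNAME did not.
	fmt.Println("CNAME with old UUID:    ", verifyDCV(buildZone(oldUUID), customerDomain, want))
}
```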

If you’re using Cloudflare as your Authoritative DNS provider, you don’t need to worry about this! We already add the DCV tokens on your behalf to ensure successful certificate renewals.

What’s next?

Right now, DCV Delegation only allows delegation to one provider. That means that if you’re using multiple CDN providers or you’re using Cloudflare to manage your certificates but you’re also issuing certificates for the same hostname for your origin server then DCV Delegation won’t work for you. This is because once that CNAME record is pointed to Cloudflare, only Cloudflare will be able to add DCV tokens at that endpoint, blocking you or an external CDN provider from doing the same.

However, an RFC draft is in progress that will allow each provider to have a separate “acme-challenge” endpoint, based on the ACME account used to issue the certs. Once this becomes standardized and CAs and CDNs support it, customers will be able to use multiple providers for DCV delegation.

In conclusion, DCV delegation is a powerful feature that simplifies the process of managing certificate renewals for all Cloudflare customers. It eliminates the headache of managing certificate renewals, ensures that certificates are always up-to-date, and most importantly, ensures that your web traffic is always secure. Try DCV delegation today and see the difference it can make for your web traffic!

Protect your key server with Keyless SSL and Cloudflare Tunnel integration

Post Syndicated from Dina Kozlov original


Today, we’re excited to announce a big security enhancement to our Keyless SSL offering. Keyless SSL allows customers to store their private keys on their own hardware, while continuing to use Cloudflare’s proxy services. In the past, the configuration required customers to expose the location of their key server through a DNS record – something that is publicly queryable. Now, customers will be able to use our Cloudflare Tunnels product to send traffic to the key server through a secure channel, without publicly exposing it to the rest of the Internet.

A primer on Keyless SSL

Security has always been a critical aspect of online communication, especially when it comes to protecting sensitive information. Today, Cloudflare manages private keys for millions of domains, which allows the data communicated by a client to stay secure and encrypted. While Cloudflare adopts the strictest controls to secure these keys, certain industries such as financial or medical services may have compliance requirements that prohibit the sharing of private keys. In the past, Cloudflare required customers to upload their private key in order for us to provide our L7 services. That was, until we built out Keyless SSL in 2014, a feature that allows customers to keep their private keys stored on their own infrastructure while continuing to make use of Cloudflare’s services.

While Keyless SSL is compatible with any hardware that supports the PKCS#11 standard, Keyless SSL users frequently opt to secure their private keys within HSMs (Hardware Security Modules), which are specialized machines designed to be tamper-proof and resistant to unauthorized access or manipulation, secure against attacks, and optimized to efficiently execute cryptographic operations such as signing and decryption. To make it easy for customers to set this up, during Security Week in 2021, we launched integrations between Keyless SSL and HSM offerings from all major cloud providers.


Strengthening the security of key servers even further

In order for Cloudflare to communicate with a customer’s key server, we have to know the IP address associated with it. To configure Keyless SSL, we ask customers to create a DNS record that indicates the IP address of their key server. As a security measure, we ask customers to keep this record under a long, random hostname such as “”. While this adds a layer of obfuscation to the location of the key server, it does expose the IP address of the key server to the public Internet, allowing anyone to send requests to that server. We lock the connection between Cloudflare and the key server down through Mutual TLS, so that the key server only accepts a request if the Cloudflare client certificate associated with the Keyless client is presented. While this allows the key server to drop any requests with an invalid or missing client certificate, the key server is still publicly exposed, making it susceptible to attacks.

Instead, Cloudflare should be the only party that knows about this key server’s location, as it should be the only party making requests to it.

Enter: Cloudflare Tunnel

Instead of re-inventing the wheel, we decided to make use of an existing Cloudflare product that our customers use to protect the connections between Cloudflare and their origin servers — Cloudflare Tunnels!


Cloudflare Tunnel gives customers the tools to connect incoming traffic to their private networks without exposing those networks to the Internet through a public hostname. It works by having customers install a Cloudflare daemon, called “cloudflared”, which Cloudflare’s client then connects to.

Now, customers will be able to use the same functionality but for connections made to their key server.

Getting started


To set this up, customers will need to configure a virtual network on Cloudflare – this is where customers tell us the IP address or hostname of their key server. Then, when uploading a Keyless certificate, instead of telling us the public hostname associated with the key server, customers will be able to tell us the virtual network that resolves to it. When making requests to the key server, Cloudflare’s gokeyless client will automatically connect to the “cloudflared” server and will continue to use Mutual TLS as an additional security layer on top of that connection. For more instructions on how to set this up, check out our Developer Docs.

If you’re an Enterprise customer and are interested in using Keyless SSL in conjunction with Cloudflare Tunnels, reach out to your account team today to get set up.

A new, configurable and scalable version of Geo Key Manager, now available in Closed Beta

Post Syndicated from Dina Kozlov original


Today, traffic on the Internet stays encrypted through the use of public and private keys that encrypt the data as it’s being transmitted. Cloudflare helps secure millions of websites by managing the encryption keys that keep this data protected. To provide lightning fast services, Cloudflare stores these keys on our fleet of data centers that spans more than 150 countries. However, some compliance regulations require that private keys are only stored in specific geographic locations.

In 2017, we introduced Geo Key Manager, a product that allows customers to store and manage the encryption keys for their domains in different geographic locations so that compliance regulations are met and that data remains secure. We launched the product a few months before General Data Protection Regulation (GDPR) went into effect and built it to support three regions: the US, the European Union (EU), and a set of our top tier data centers that employ the highest security measures. Since then, GDPR-like laws have quickly expanded and now, more than 15 countries have comparable data protection laws or regulations that include restrictions on data transfer across and/or data localization within a certain boundary.

At Cloudflare, we like to be prepared for the future. We want to give our customers tools that allow them to maintain compliance in this ever-changing environment. That’s why we’re excited to announce a new version of Geo Key Manager — one that allows customers to define boundaries by country (“only store my private keys in India”), by region (“only store my private keys in the European Union”), or by a standard (“only store my private keys in FIPS compliant data centers”) — now available in Closed Beta, sign up here!

Learnings from Geo Key Manager v1

Geo Key Manager has been around for a few years now, and we’ve used this time to gather feedback from our customers. As the demand for a more flexible system grew, we decided to go back to the drawing board and create a new version of Geo Key Manager that would better meet our customers’ needs.

We initially launched Geo Key Manager with support for US, EU, and Highest Security Data Centers. Those regions were sufficient at the time, but customers wrestling with data localization obligations in other jurisdictions need more flexibility when it comes to selecting countries and regions. Some customers want to be able to set restrictions to maintain their private keys in one country, some want the keys stored everywhere except in certain countries, and some may want to mix and match rules and say “store them in X and Y, but not in Z”. What we learned from our customers is that they need flexibility, something that will allow them to keep up with the ever-changing rules and policies — and that’s what we set out to build.

The next issue we faced was scalability. When we built the initial regions, we included a hard-coded list of data centers that met our criteria for the US, EU, and “high security” regions. However, this list was static because the underlying cryptography did not support dynamic changes to our list of data centers. In order to distribute private keys to new data centers that met our criteria, we would have had to completely overhaul the system. In addition to that, our network significantly expands every year, with more than 100 new data centers since the initial launch. That means that any new potential locations that could be used to store private keys are currently not in use, degrading the performance and reliability of customers using this feature.

With our current scale, automation and expansion is a must-have. Our new system needs to dynamically scale every time we onboard or remove a data center from our Network, without any human intervention or large overhaul.

Finally, one of our biggest learnings was that customers make mistakes, such as defining a region that’s so small that availability becomes a concern. Our job is to prevent our customers from making changes that we know will negatively impact them.

Define your own geo-restrictions with the new version of Geo Key Manager

Cloudflare has significantly grown in the last few years and so has our international customer base. Customers need to keep their traffic regionalized. This region can be as broad as a continent — Asia, for example. Or, it can be a specific country, like Japan.

From our conversations with our customers, we’ve heard that they want to be able to define these regions themselves. This is why today we’re excited to announce that customers will be able to use Geo Key Manager to create what we call “policies”.

A policy can be a single country, defined by its two-letter ISO 3166 country code. It can be a region, such as “EU” for the European Union, or Oceania. It can also combine the two, for example “country:US or region: EU”.

Our new policy-based Geo Key Manager allows you to create allowlists or blocklists of countries and supported regions, giving you control over the boundary in which your private key will be stored. If you’d like to store your private keys globally and omit a few countries, you can do that.

If you would like to store your private keys in the EU and US, you would make the following API call:

curl -X POST "" \
     -H "X-Auth-Email: {email}" \
     -H "X-Auth-Key: auth-key" \
     -H "Content-Type: application/json" \
     --data '{"certificate":"certificate","private_key":"private_key","policy":"(country: US) or (region: EU)", "type": "sni_custom"}'

If you would like to store your private keys in the EU, but not in France, here is how you can define that:

curl -X POST "" \
     -H "X-Auth-Email: {email}" \
     -H "X-Auth-Key: auth-key" \
     -H "Content-Type: application/json" \
     --data '{"certificate":"certificate","private_key":"private_key","policy": "region: EU and (not country: FR)", "type": "sni_custom"}'

Geo Key Manager can now support more than 30 countries and regions. But that’s not all! The superpower of our Geo Key Manager technology is that it doesn’t actually have to be “geo” based, but instead, it’s attribute based. In the future, we’ll have a policy that will allow our customers to define where their private keys are stored based on a compliance standard like FedRAMP or ISO 27001.

Reliability, resiliency, and redundancy

By giving our customers the remote control for Geo Key Manager, we want to make sure that customers understand the impact of their changes on both redundancy and latency.

On the redundancy side, one of our biggest concerns is allowing customers to choose a region small enough that if a data center is removed for maintenance, for example, then availability is drastically impacted. To protect our customers, we’ve added redundancy restrictions. These prevent our customers from setting regions with too few data centers, ensuring that all the data centers within a policy can offer high availability and redundancy.
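As an added illustration (example code written for this page, not Cloudflare’s implementation), the following Go program evaluates the two policy forms shown in the API calls above against a constructed list of data centers and applies a redundancy restriction of the kind just described. The grammar it accepts (country: and region: terms combined with not, and, or and parentheses), the sample fleet with its region tags, and the floor of two data centers are all assumptions made for the example; Cloudflare’s actual policy grammar and thresholds are not stated on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// DataCenter is a constructed record: location, ISO 3166 country code and an optional region tag.
type DataCenter struct{ Name, Country, Region string }

// Fleet is a constructed sample; the locations and region tags are assumptions for this example.
var Fleet = []DataCenter{
	{"Ashburn", "US", ""}, {"San Jose", "US", ""}, {"Sydney", "AU", "Oceania"},
	{"Frankfurt", "DE", "EU"}, {"Paris", "FR", "EU"}, {"Amsterdam", "NL", "EU"},
}

// MinDataCenters is the redundancy floor; the post says one exists but not its value, so two is an assumption.
const MinDataCenters = 2

// eval is a recursive-descent evaluator for the policy forms in the post, e.g.
// "(country: US) or (region: EU)" and "region: EU and (not country: FR)".
// Precedence: not > and > or. Syntax errors panic; Select turns them into an error.
type eval struct {
	toks []string
	pos  int
	dc   DataCenter
}

func (e *eval) accept(tok string) bool {
	if e.pos < len(e.toks) && strings.EqualFold(e.toks[e.pos], tok) {
		e.pos++
		return true
	}
	return false
}

// or and and parse left-associative chains; the right operand is evaluated first so it is always parsed.
func (e *eval) or() bool  { v := e.and(); for e.accept("or") { v = e.and() || v }; return v }
func (e *eval) and() bool { v := e.factor(); for e.accept("and") { v = e.factor() && v }; return v }

func (e *eval) factor() bool {
	if e.accept("not") {
		return !e.factor()
	}
	if e.accept("(") {
		v := e.or()
		if !e.accept(")") {
			panic(fmt.Errorf("missing closing parenthesis"))
		}
		return v
	}
	return e.atom()
}

// atom matches a "country: XX" or "region: NAME" term against the data center.
func (e *eval) atom() bool {
	if e.pos+1 >= len(e.toks) || e.toks[e.pos+1] == "(" || e.toks[e.pos+1] == ")" {
		panic(fmt.Errorf("incomplete term near %q", strings.Join(e.toks[e.pos:], " ")))
	}
	kind, val := strings.ToLower(e.toks[e.pos]), e.toks[e.pos+1]
	e.pos += 2
	switch kind {
	case "country:":
		return strings.EqualFold(e.dc.Country, val)
	case "region:":
		return strings.EqualFold(e.dc.Region, val)
	}
	panic(fmt.Errorf("expected country: or region:, got %q", kind))
}

// Select lists the data centers allowed to hold the key and enforces the
// redundancy restriction: a policy matching too few locations is rejected.
func Select(policy string, fleet []DataCenter) (names []string, err error) {
	defer func() {
		if r := recover(); r != nil {
			names, err = nil, r.(error)
		}
	}()
	// Tokenize; the ":" rule lets "country:US" and "country: US" both become "country:", "US".
	toks := strings.Fields(strings.NewReplacer("(", " ( ", ")", " ) ", ":", ": ").Replace(policy))
	for _, dc := range fleet {
		e := &eval{toks: toks, dc: dc}
		if match := e.or(); e.pos != len(toks) {
			panic(fmt.Errorf("unexpected token %q", toks[e.pos]))
		} else if match {
			names = append(names, dc.Name)
		}
	}
	if len(names) < MinDataCenters {
		return names, fmt.Errorf("policy %q matches %d data center(s); at least %d required", policy, len(names), MinDataCenters)
	}
	return names, nil
}

func main() {
	for _, p := range []string{"(country: US) or (region: EU)", "region: EU and (not country: FR)", "country: AU"} {
		fmt.Println(Select(p, Fleet))
	}
}
```

Select returns the matching data centers, or an error for a malformed policy or for one that matches fewer than MinDataCenters locations. With the sample fleet, “region: EU and (not country: FR)” yields Frankfurt and Amsterdam, while “country: AU” matches only Sydney and is rejected, which is the kind of availability mistake the redundancy restriction is there to catch.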

Not just that, but in the last few years, we’ve significantly improved the underlying networking that powers Geo Key Manager. For more information on how we did that, keep an eye out for a technical deep dive inside Geo Key Manager.

Performance matters

With the original regions (US, EU, and Highest Security Data Centers), we learned customers may overlook possible latency impacts that occur when restricting their keys to a certain region. Imagine your keys are stored in the US. For your Asia-based customers, there’s going to be some latency impact for the requests that go around the world. Now, with customers being able to define more granular regions, we want to make sure that before customers make that change, they see the impact of it.

If you’re an E-Commerce platform then performance is always top-of-mind. One thing that we’re working on right now is performance metrics for Geo Key Manager policies both from a regional point of view — “what’s the latency impact for Asia based customers?” and from a global point of view — “for anyone in the world, what is the average impact of this policy?”.

If the latency impact turns out to be unacceptable, you may want to create a separate domain for your service that’s specific to the region it’s serving.

Closed Beta, now available!

Interested in trying out the latest version of Geo Key Manager? Fill out this form.

Coming soon!

Geo Key Manager is only available via API at the moment. But, we are working on creating an easy-to-use UI for it, so that customers can easily manage their policies and regions. In addition, we’ll surface performance measurements and warnings when we see any degraded impact in terms of performance or redundancy to ensure that customers are mindful when setting policies.

We’re also excited to extend our Geo Key Manager product beyond custom uploaded certificates. In the future, certificates issued through Advanced Certificate Manager or SSL for SaaS will be allowed to add policy based restrictions for the key storage.

Finally, we’re looking to add more default regions to make the selection process simple for our customers. If you have any regions that you’d like us to support, or just general feedback or feature requests related to Geo Key Manager, make a note of it on the form. We love hearing from our customers!

Bringing authentication and identification to Workers through Mutual TLS

Post Syndicated from Dina Kozlov original

We’re excited to announce that Workers will soon be able to send outbound requests through a mutually authenticated channel via mutual TLS authentication!

When making outbound requests from a Worker, TLS is always used on the server side, so that the client can validate that the information is being sent to the right destination. But in the same way, the server may want to authenticate the client to ensure that the request is coming from an authorized client. This two-way street of authentication is called Mutual TLS. In this blog, we’re going to talk through the importance of mutual TLS authentication, what it means to use mutual TLS within Workers, and how in a few months you’ll be able to use it to send information through an authenticated channel — adding a layer of security to your application!

mTLS between Cloudflare and an Origin

Mutual TLS authentication works by having a server validate the client certificate against a CA. If the validation passes then the server knows that it’s the right client and will let the request go through. If the validation fails or if a client certificate is not presented then the server can choose to drop the request.

Today, customers use mTLS to secure connections between Cloudflare and an origin — this is done through a product called Authenticated Origin Pull. Once a customer enables it, Cloudflare starts serving a client certificate on all outgoing requests. This is either a Cloudflare managed client certificate or it can be one uploaded by the customer. When enabled, Cloudflare will present this certificate when connecting to an origin. The origin should then check the client certificate to see if it’s the one that it expects to see. If it is then the request will go through. If it’s the wrong client certificate or is not included then the origin can choose to drop the request.

Doing this brings a big security boost because it allows the origin to only accept traffic from Cloudflare and drop any unexpected external traffic.

Digging up problems with dogfooding

Today, many Cloudflare services are built on Cloudflare Workers — it’s the secret sauce we use to continuously ship fast, reliable products to our customers. Internally, we might have one Cloudflare account that runs multiple services, with each service deployed on an individual Worker.

Whenever one service needs to talk to another, the fetch() function is used to request or send information. This can be object data that we send to upstream providers, it can be a read or write to a database, or service to service communication. In most cases, the information that’s going to the origin is sensitive and requires a layer of authentication. Without proper authentication, any client would be able to access the data, removing a layer of security.

Implementing service to service authentication

Today, there are a few ways that you can set up service to service authentication, if you’re building on Workers.

One way to set up service authentication is to use Authenticated Origin Pull. Authenticated Origin Pull allows customers to implement mutual TLS between Cloudflare and an origin by attaching a client certificate and private key to a domain or hostname, so that all outbound requests include a client certificate. The origin can then check this certificate to see whether the request came from Cloudflare. If there’s a valid certificate, then the origin can let the request through and if there’s an invalid certificate or no certificate then the origin can choose to drop the request. However, Authenticated Origin Pull has its limitations and isn’t ideal for some use-cases.

The first limitation is that an Authenticated Origin Pull certificate is tied to a publicly hosted hostname or domain. Some services that are built on Workers don’t necessarily need to be exposed to the public Internet. Therefore, tying it to a domain doesn’t really make sense.

The next limitation is that if you have multiple Workers services that are each writing to the same database, you may want to be able to distinguish them. What if at some point, you need to take the “write” power away from the Worker? Or, what if only Workers A and B are allowed to make writes but Worker C should only make “read” requests?

Today, if you use Authenticated Origin Pulls with Cloudflare’s client certificate then all requests will be accepted as valid. This is because for all outbound requests, we attach the same client certificate. So even though you’re restricting your traffic to “Cloudflare-Only”, there’s no Worker-level granularity.

Now, there’s another solution that you can use. You can make use of Access and set up Token Authentication by using a pre-shared key and configuring your Worker to allow or deny access based on the pre-shared key presented in the header. While this does allow you to lock down authentication on a per-Worker or per-service basis, the feedback that we’ve gotten from our internal teams who have implemented this is that it is 1) cumbersome to manage, 2) requires the two services to speak over HTTP, and 3) doesn’t expose the client’s identity. And so, with these limitations in mind, we’re excited to bring mutual TLS authentication to Workers — an easy, scalable way to manage authentication and identity for anyone building on Workers.

Coming soon: Mutual TLS for Workers

We’re excited to announce that in the next few months, we’re going to be bringing mutual TLS support to Workers. Customers will be able to upload client certificates to Cloudflare and attach them in the fetch() requests within a Worker. That way, you can have per-Worker or even per-request level of granularity when it comes to authentication and identification.

When sending out the subrequest, Cloudflare will present the client certificate and the receiving server will be able to check:

1) Is this client presenting a valid certificate?
2) Within Cloudflare, what service or Worker is this request coming from?

This is one of our most highly requested features, both from customers and from internal teams, and we’re excited to launch it and make it a no-brainer for any developer to use Cloudflare as their platform for anything they want to build!

Total TLS: one-click TLS for every hostname you have

Post Syndicated from Dina Kozlov original

Today, we’re excited to announce Total TLS — a one-click feature that will issue individual TLS certificates for every subdomain in our customer’s domains.

By default, all Cloudflare customers get a free TLS certificate that covers the apex and a wildcard of their domain. Now, with Total TLS, customers can get additional coverage for all of their subdomains with just one click! Once enabled, customers will no longer have to worry about insecure connection errors to subdomains not covered by their default TLS certificate because Total TLS will keep all the traffic bound to the subdomains encrypted.

A primer on Cloudflare’s TLS certificate offerings

Universal SSL — the “easy” option

In 2014, we announced Universal SSL — a free TLS certificate for every Cloudflare customer. Universal SSL was built to be a simple “one-size-fits-all” solution. For customers that use Cloudflare as their authoritative DNS provider, this certificate covers the apex and a wildcard of their domain. While a Universal SSL certificate provides sufficient coverage for most, some customers have deeper subdomains for which they’d like TLS coverage. For those customers, we built Advanced Certificate Manager — a customizable platform for certificate issuance that allows customers to issue certificates with the hostnames of their choice.

Advanced certificates — the “customizable” option

For customers that want flexibility and choice, we built Advanced certificates, which are available as a part of Advanced Certificate Manager. With Advanced certificates, customers can specify the exact hostnames that will be included on the certificate.

That means that if my Universal SSL certificate is insufficient, I can use the Advanced certificates UI or API to request a certificate that covers the deeper hostnames I need. Today, we allow customers to place up to 50 hostnames on an Advanced certificate. The only caveat — customers have to tell us which hostnames to protect.

This may seem trivial, but some of our customers have thousands of subdomains that they want to keep protected. For all of those to be covered, customers have to use the Advanced certificates API to tell us each hostname that they’d like us to protect. A process like this is error-prone, not easy to scale, and has been rejected as a solution by some of our largest customers.

Instead, customers want Cloudflare to issue the certificates for them. If Cloudflare is the DNS provider then Cloudflare should know what subdomains need protection. Ideally, Cloudflare would issue a TLS certificate for every subdomain that’s proxying its traffic through the Cloudflare Network… and that’s where Total TLS comes in.

Enter Total TLS: easy, customizable, and scalable

Total TLS is a one-click button that signals Cloudflare to automatically issue TLS certificates for every proxied DNS record in your domain. Once enabled, Cloudflare will issue individual certificates for every proxied hostname. This way, you can add as many DNS records and subdomains as you need to, without worrying about whether they’ll be covered by a TLS certificate.

If you have a proxied DNS record for a hostname, we’ll issue a TLS certificate for that hostname. If you have a wildcard record, we’ll issue a wildcard certificate for it. Here’s an example of what this will look like in the Edge Certificates table of the dashboard:

[Figure: Edge Certificates table in the dashboard]

Available now

Total TLS is now available to use as a part of Advanced Certificate Manager for domains that use Cloudflare as an Authoritative DNS provider. One of the superpowers of having Cloudflare as your DNS provider is that we’ll always add the proper Domain Control Validation (DCV) records on your behalf to ensure successful certificate issuance and renewal.

Enabling Total TLS is easy — you can do it through the Cloudflare dashboard or via API. In the SSL/TLS tab of the Cloudflare dashboard, navigate to Total TLS. There, choose the issuing CA (Let’s Encrypt, Google Trust Services, or No Preference if you’d like Cloudflare to select the CA on your behalf), then click the toggle to enable the feature.

[Figure: Total TLS toggle in the SSL/TLS dashboard]

But that’s not all…

One pain point that we wanted to address for all customers was visibility. From looking at support tickets and talking to customers, one of the things that we realized was that customers don’t always know whether their domain is covered by a TLS certificate — a simple oversight that can result in downtime or errors.

To prevent this from happening, we are now going to warn every customer if we see that the proxied DNS record that they’re creating, viewing, or editing doesn’t have a TLS certificate covering it. This way, our customers can get a TLS certificate issued before the hostname becomes publicly available, preventing visitors from encountering this error:
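The check behind that warning, and behind Total TLS issuance, comes down to whether any certificate name covers a proxied hostname. The following Go example (added here; it is not Cloudflare’s code) runs that check over a constructed zone using standard wildcard matching, where a name such as *.example.com covers exactly one label. The DNSRecord type, the sample records and the certificate names are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// DNSRecord is a constructed stand-in for one record in a zone: the hostname
// and whether traffic for it is proxied through Cloudflare (only proxied
// records are served with a Cloudflare-issued certificate).
type DNSRecord struct {
	Name    string
	Proxied bool
}

// Zone is a constructed sample zone; example.com is a placeholder domain.
var Zone = []DNSRecord{
	{"example.com", true},
	{"www.example.com", true},
	{"api.staging.example.com", true}, // two labels below the apex
	{"*.app.example.com", true},       // wildcard record one level deeper
	{"mail.example.com", false},       // DNS-only: Cloudflare serves no certificate for it
}

// UniversalSSL holds the names a default Universal SSL certificate carries
// for this zone: the apex and one wildcard level.
var UniversalSSL = []string{"example.com", "*.example.com"}

// Covers reports whether a certificate name covers host. A wildcard label
// matches exactly one DNS label, so *.example.com covers www.example.com but
// neither example.com nor api.staging.example.com; that gap is why deeper
// subdomains need their own certificate.
func Covers(certName, host string) bool {
	certName = strings.ToLower(strings.TrimSuffix(certName, "."))
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if !strings.HasPrefix(certName, "*.") {
		return certName == host
	}
	suffix := certName[1:] // ".example.com": keeps the match on a label boundary
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	label := strings.TrimSuffix(host, suffix)
	return label != "" && !strings.Contains(label, ".")
}

// Uncovered returns the proxied records that no certificate name covers. These
// are the hostnames a visitor would get a TLS error on, the ones the dashboard
// warning described above flags, and the ones Total TLS issues certificates for
// (a wildcard record gets a wildcard certificate of the same name).
func Uncovered(records []DNSRecord, certNames []string) []string {
	var out []string
	for _, r := range records {
		if !r.Proxied {
			continue
		}
		covered := false
		for _, c := range certNames {
			if Covers(c, r.Name) {
				covered = true
				break
			}
		}
		if !covered {
			out = append(out, r.Name)
		}
	}
	return out
}

func main() {
	for _, name := range Uncovered(Zone, UniversalSSL) {
		fmt.Printf("%s is proxied but not covered; Total TLS would issue a certificate for %s\n", name, name)
	}
}
```

With the sample zone, the apex and www.example.com are covered by the Universal SSL names, mail.example.com is ignored because it is not proxied, and api.staging.example.com and *.app.example.com are reported as uncovered: each of those needs its own certificate, which is exactly what enabling Total TLS takes care of.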

[Figure: the error visitors see for a hostname with no covering certificate]

Join the mission

At Cloudflare, we love building products that help secure all Internet properties. Interested in achieving this mission with us? Join the team!

Zero Trust for SaaS: Deploying mTLS on custom hostnames

Post Syndicated from Dina Kozlov original

Cloudflare has a large base of Software-as-a-Service (SaaS) customers who manage thousands or millions of their customers’ domains that use their SaaS service. We have helped those SaaS providers grow by extending our infrastructure and services to their customers’ domains through a product called Cloudflare for SaaS. Today, we’re excited to give our SaaS providers a new tool that will help their customers add an extra layer of security: they can now enable mutual TLS authentication on their customers’ domains through our Access product.

Primer on Mutual TLS

When you connect to a website, you should see a lock icon in the address bar — that’s your browser telling you that you’re connecting to a website over a secure connection and that the website has a valid public TLS certificate. TLS certificates keep Internet traffic encrypted using a public/private key pair to encrypt and decrypt traffic. They also provide authentication, proving to clients that they are connecting to the correct server.

To make a secure connection, a TLS handshake needs to take place. During the handshake, the client and the server exchange cryptographic keys, the client authenticates the identity of the server, and both the client and the server generate session keys that are later used to encrypt traffic.

A TLS handshake looks like this:

[Figure: TLS handshake]

In a TLS handshake, the client always validates the certificate that is served by the server to make sure that it’s sending requests to the right destination. In the same way that the client needs to authenticate the identity of the server, sometimes the server needs to authenticate the client — to ensure that only authorized clients are sending requests to the server.

Let’s say that you’re managing a few services: service A writes information to a database. This database is absolutely crucial and should only have entries submitted by service A. Now, what if you have a bug in your system and service B accidentally makes a write call to the database?

You need something that checks whether a service is authorized to make calls to your database — like a bouncer. A bouncer has a VIP list — they can check people’s IDs against the list to see whether they’re allowed to enter a venue. Servers can use a similar model, one that uses TLS certificates as a form of ID.

In the same way that a bouncer has a VIP list, a server can have a Certificate Authority (CA) Root from which they issue certificates. Certificates issued from the CA Root are then provisioned onto clients. These client certificates can then be used to identify and authorize the client. As long as a client presents a valid certificate (one that the server can validate against the Root CA), it’s allowed to make requests. If a client doesn’t present a client certificate (isn’t on the VIP list) or presents an unauthorized client certificate, then the server can choose to reject the request. This process of validating client and server certificates is called mutual TLS authentication (mTLS) and is done during the TLS handshake.

When mTLS isn’t used, only the server is responsible for presenting a certificate, which the client verifies. With mTLS, both the client and the server present and validate one another’s certificates, pictured below.

[Figure: mutual TLS handshake]

mTLS + Access = Zero Trust

A few years ago, we added mTLS support to our Access product, allowing customers to enable a Zero Trust policy on their applications. Access customers can deploy a policy that dictates that all clients must present a valid certificate when making a request. That means that requests made without a valid certificate — usually from unauthorized clients — will be blocked, adding an extra layer of protection. Cloudflare has allowed customers to configure mTLS on their Cloudflare domains by setting up Access policies. The only caveat was that to use this feature, you had to be the owner of the domain. Now, what if you’re not the owner of a domain, but you do manage that domain’s origin? This is the case for a large base of our customers, the SaaS providers that extend their services to their customers’ domains that they do not own.

Extending Cloudflare benefits through SaaS providers

Cloudflare for SaaS enables SaaS providers to extend the benefits of the Cloudflare network to their customers’ domains. These domains are not owned by the SaaS provider, but they do use the SaaS provider’s service, routing traffic back to the SaaS provider’s origin.

By doing this, SaaS providers take on the responsibility of providing their customers with the highest uptime, lightning fast performance, and unparalleled security — something they can easily extend to their customers through Cloudflare.

Cloudflare for SaaS actually started out as SSL for SaaS. We built SSL for SaaS to give SaaS providers the ability to issue TLS certificates for their customers, keeping the SaaS provider’s customers safe and secure.

Since then, our SaaS customers have come to us with a new request: extend the mTLS support that we built out for our direct customers, but to their customers.

Why would SaaS providers want to use mTLS?

As a SaaS provider, there’s a wide range of services that you can provide. Some of these services require higher security controls than others.

Let’s say that the SaaS solution that you’re building is a payment processor. Each customer gets its own API endpoint that their users send requests to, for example, pay.<business_name>.com. As a payment processor, you don’t want just any client or device making requests to your service; you only want authorized devices to do so — mTLS does exactly that.

As the SaaS provider, you can configure a Root CA for each of your customers’ API endpoints. Then, have each Root CA issue client certificates that will be installed on authorized devices. Once the client certificates have been installed, all that is left is enforcing a check for valid certificates.

To recap, by doing this, as a SaaS provider, your customers can now ensure that requests bound for their payment processing API endpoint only come from valid devices. In addition, by deploying individual Root CAs for each customer, you also prevent clients that are authorized to make requests to one customer’s API endpoint from making requests to another customer’s API endpoint when they are not authorized to do so.
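To show both checks concretely (from the Workers post above: is the certificate valid, and which service is calling, with only some services permitted to write; and from this post: one root CA per customer, so a certificate issued under another customer’s root is rejected), here is an added Go example. It is not Cloudflare’s code: the server is a local httptest origin, and the root names, the worker-a and worker-c identities, the Writers allowlist and the use of the certificate Common Name as the caller identity are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Writers is a constructed allowlist of caller identities (certificate Common Names) permitted to write.
var Writers = map[string]bool{"worker-a": true, "worker-b": true}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert returns a fresh P-256 key and a certificate template for name.
func newCert(name string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return key, &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// NewCA creates a self-signed root: the "VIP list" the server validates callers against.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, tmpl := newCert(name)
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// IssueClientCert issues a client-auth leaf from ca whose Common Name carries the caller's identity.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string) tls.Certificate {
	key, tmpl := newCert(name)
	tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// StartServer runs an HTTPS origin that requires a client certificate chaining to ca and uses the verified leaf's CN to identify and authorize the caller.
func StartServer(ca *x509.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		who := r.TLS.PeerCertificates[0].Subject.CommonName // chain already verified against ClientCAs
		if r.Method == http.MethodPost && !Writers[who] {
			http.Error(w, who+" is read-only", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, who)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	return srv
}

// Call sends one request, presenting cert when non-nil; a non-nil error means the TLS layer rejected the caller.
func Call(srv *httptest.Server, cert *tls.Certificate, method string) (int, string, error) {
	tr := srv.Client().Transport.(*http.Transport).Clone() // already trusts the test server's certificate
	if cert != nil {
		tr.TLSClientConfig.Certificates = []tls.Certificate{*cert}
	}
	req, err := http.NewRequest(method, srv.URL, nil)
	must(err)
	resp, err := (&http.Client{Transport: tr}).Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

func main() {
	ca, caKey := NewCA("customer-1-root") // constructed: one root per customer endpoint
	srv := StartServer(ca)
	defer srv.Close()
	a := IssueClientCert(ca, caKey, "worker-a")
	fmt.Println(Call(srv, &a, "POST")) // writer: 200 worker-a
	fmt.Println(Call(srv, nil, "GET"))  // no client certificate: error
}
```

Call returns the HTTP status and body when the handshake succeeds. When the client presents no certificate, or one issued under a different root (even with the same Common Name), the TLS layer rejects the connection and Call returns an error before any HTTP exchange takes place; a caller outside Writers is authenticated and identified, but receives 403 on a POST.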

How can you set this up with Cloudflare?

As a SaaS provider, configure Cloudflare for SaaS and add your customer’s domains as Custom Hostnames. Then, in the Cloudflare for Teams dashboard, add mTLS authentication with a few clicks.

This feature is currently in Beta and is available for Enterprise customers to use. If you have any feedback, please let your Account Team know.

Security for SaaS providers

Post Syndicated from Dina Kozlov original

Some of the largest Software-as-a-Service (SaaS) providers use Cloudflare as the underlying infrastructure to provide their customers with fast loading times, unparalleled redundancy, and the strongest security — all through our Cloudflare for SaaS product. Today, we’re excited to give our SaaS providers new tools that will help them enhance the security of their customers’ applications.

For our Enterprise customers, we’re bringing WAF for SaaS — the ability for SaaS providers to easily create and deploy different sets of WAF rules for their customers. This gives SaaS providers the ability to segment customers into different groups based on their security requirements.

For developers who are getting their application off the ground, we’re thrilled to announce a Free tier of Cloudflare for SaaS for the Free, Pro, and Biz plans, giving our customers 100 custom hostnames free of charge to provision and test across their account. In addition to that, we want to make it easier for developers to scale their applications, so we’re happy to announce that we are lowering our custom hostname price from $2 to $0.10 a month.

But that’s not all! At Cloudflare, we believe security should be available for all. That’s why we’re extending a new selection of WAF rules to Free customers — giving all customers the ability to secure both their applications and their customers’.

Making SaaS infrastructure available to all

At Cloudflare, we take pride in our Free tier which gives any customer the ability to make use of our Network to stay secure and online. We are eager to extend the same support to customers looking to build a new SaaS offering, giving them a Free tier of Cloudflare for SaaS and allowing them to onboard 100 custom hostnames at no charge. The 100 custom hostnames will be automatically allocated to new and existing Cloudflare for SaaS customers. Beyond that, we are also dropping the custom hostname price from $2 to $0.10 a month, giving SaaS providers the power to onboard and scale their application. Existing Cloudflare for SaaS customers will see the updated custom hostname pricing reflected in their next billing cycle.

Cloudflare for SaaS started as a TLS certificate issuance product for SaaS providers. Now, we’re helping our customers go a step further in keeping their customers safe and secure.

Introducing WAF for SaaS

SaaS providers may have varying customer bases — from mom-and-pop shops to well established banks. No matter the customer, it’s important that as a SaaS provider you’re able to extend the best protection for your customers, regardless of their size.

At Cloudflare, we have spent years building out the best Web Application Firewall for our customers. From managed rules that offer advanced zero-day vulnerability protections to OWASP rules that block popular attack techniques, we have given our customers the best tools to keep themselves protected. Now, we want to hand off the tools to our SaaS providers who are responsible for keeping their customer base safe and secure.

One of the benefits of Cloudflare for SaaS is that SaaS providers can configure security rules and settings on their SaaS zone which their customers automatically inherit. But one size does not fit all, which is why we are excited to give Enterprise customers the power to create various sets of WAF rules that they can then extend as different security packages to their customers — giving end users differing levels of protection depending on their needs.

Getting Started

WAF for SaaS can be easily set up. We have an example below that shows how you can configure different buckets of WAF rules for your various customers.

There’s no limit to the number of rulesets that you can create, so feel free to create a handful of configurations for your customers, or deploy one ruleset per customer — whatever works for you!

End-to-end example

Step 1 – Define custom hostname

Cloudflare for SaaS customers define their customers’ domains by creating custom hostnames. Custom hostnames indicate which domains need to be routed to the SaaS provider’s origin. A custom hostname can be a specific domain, or it can be a wildcard, which routes all subdomains under that domain to the SaaS service. WAF for SaaS supports both types of custom hostnames, so that SaaS providers have flexibility in choosing the scope of their protection.

The first step is to create a custom hostname to define your customer’s domain. This can be done through the dashboard or the API.

curl -X POST "https://api.cloudflare.com/client/v4/zones/{zone:id}/custom_hostnames" \
     -H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}" \
     -H "Content-Type: application/json" \
     --data '{"hostname": "{hostname}", "ssl": {"method": "http", "type": "dv", "wildcard": true}}'

Step 2 – Associate custom metadata to a custom hostname

Next, create an association between the custom hostnames — your customer’s domain — and the firewall ruleset that you’d like to attach to it.

This is done by associating a JSON blob with a custom hostname. Our Custom Metadata product lets customers do this easily via the API.

In the example below, a JSON blob with two fields (“customer_id” and “security_level”) will be associated with each request for the custom hostnames defined in Step 1.

There is no predetermined schema for custom metadata. Field names and structure are fully customisable based on our customer’s needs. In this example, we have chosen the tag “security_level” to which we expect to assign three values (low, medium or high). These will, in turn, trigger three different sets of rules.

curl -sXPATCH "https://api.cloudflare.com/client/v4/zones/{zone:id}/custom_hostnames/{custom_hostname:id}" \
    -H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}" \
    -H "Content-Type: application/json" \
    -d '{"custom_metadata": {"customer_id": "{customer_id}", "security_level": "low"}}'

Step 3 – Trigger security products based on tags

Finally, you can trigger a rule based on the custom hostname. The custom metadata field, e.g. “security_level”, is available in the Ruleset Engine, where the WAF runs. In this example, “security_level” can be used to trigger different configurations of products such as WAF, Firewall Rules, Advanced Rate Limiting and Transform Rules.

Rules can be built through the dashboard or via the API, as shown below. Here, a rate limiting rule is triggered on traffic with “security_level” set to low.

curl -X PUT "https://api.cloudflare.com/client/v4/zones/{zone:id}/rulesets/phases/http_ratelimit/entrypoint" \
    -H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}" \
    -H "Content-Type: application/json" \
    -d '{
      "rules": [
        {
          "action": "block",
          "ratelimit": {
            "characteristics": ["cf.colo.id", "ip.src"],
            "period": 10,
            "requests_per_period": 2,
            "mitigation_timeout": 60
          },
          "expression": "lookup_json_string(cf.hostname.metadata, \"security_level\") eq \"low\" and http.request.uri contains \"login\""
        }
      ]
    }'
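To see how the three steps fit together, here is an added, local Python model (not Cloudflare code) of the rule above: it resolves constructed custom hostname metadata the way Step 2 attaches it, evaluates the expression from Step 3, and applies the period, requests_per_period and mitigation_timeout semantics per colo and client IP. Hostnames, customer IDs and the request stream are constructed for illustration.

```python
from collections import defaultdict
# Constructed stand-in for the custom hostname metadata attached in Step 2,
# i.e. what cf.hostname.metadata exposes to the Ruleset Engine per request.
HOSTNAME_METADATA = {
    "*.shop-a.example": {"customer_id": "cust-001", "security_level": "low"},
    "bank-b.example": {"customer_id": "cust-002", "security_level": "high"},
}

def hostname_metadata(host):
    # An exact custom hostname wins; otherwise try the single-label wildcard.
    if host in HOSTNAME_METADATA:
        return HOSTNAME_METADATA[host]
    return HOSTNAME_METADATA.get("*." + host.partition(".")[2], {})

class RateLimitRule:
    """Local model of the Step 3 rule: block for mitigation_timeout after more than requests_per_period hits in period seconds."""
    def __init__(self, period, requests_per_period, mitigation_timeout, characteristics):
        self.period, self.limit, self.timeout = period, requests_per_period, mitigation_timeout
        self.characteristics = characteristics  # models ["cf.colo.id", "ip.src"]
        self.hits = defaultdict(list)           # key -> timestamps inside the window
        self.blocked_until = {}                 # key -> end of the mitigation period
    def matches(self, req):
        # lookup_json_string(cf.hostname.metadata, "security_level") eq "low" and http.request.uri contains "login"
        level = hostname_metadata(req["host"]).get("security_level")
        return level == "low" and "login" in req["uri"]
    def evaluate(self, req, now):
        if not self.matches(req):
            return "allow"
        key = tuple(req[c] for c in self.characteristics)
        if self.blocked_until.get(key, 0) > now:
            return "block"
        self.hits[key] = [t for t in self.hits[key] if now - t < self.period] + [now]
        if len(self.hits[key]) > self.limit:
            self.blocked_until[key] = now + self.timeout
            return "block"
        return "allow"

def simulate():
    """Replay constructed requests: (host, uri, colo, client ip, seconds)."""
    rule = RateLimitRule(10, 2, 60, ("colo", "ip"))
    traffic = [
        ("a.shop-a.example", "/login", "ams", "198.51.100.7", 0),
        ("a.shop-a.example", "/login", "ams", "198.51.100.7", 1),
        ("a.shop-a.example", "/login", "ams", "198.51.100.7", 2),    # third hit in 10s
        ("a.shop-a.example", "/catalog", "ams", "198.51.100.7", 3),  # no "login" in URI
        ("bank-b.example", "/login", "ams", "198.51.100.7", 3),      # security_level high
        ("a.shop-a.example", "/login", "ams", "198.51.100.7", 30),   # inside 60s timeout
    ]
    return [rule.evaluate(dict(zip(("host", "uri", "colo", "ip"), r[:4])), r[4]) for r in traffic]
```

Only the “low” tier’s login traffic is throttled; the “high” tier customer and non-login paths on the same hostname pass untouched, which is the per-customer packaging the post describes.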

If you’d like to learn more about our Advanced Rate Limiting rules, check out our documentation.

Security for SaaS providers


We’re excited to be the provider for our SaaS customers’ infrastructure needs. From custom domains to TLS certificates to Web Application Firewall, we’re here to help. Sign up for Cloudflare for SaaS today, or if you’re an Enterprise customer, reach out to your account team to get started with WAF for SaaS.

Introducing: Backup Certificates

Post Syndicated from Dina Kozlov original

At Cloudflare, we pride ourselves in giving every customer the ability to provision a TLS certificate for their Internet application — for free. Today, we are responsible for managing the certificate lifecycle for almost 45 million certificates from issuance to deployment to renewal. As we build out the most resilient, robust platform, we want it to be “future-proof” and resilient against events we can’t predict.

Events that cause us to re-issue certificates for our customers, like key compromises, vulnerabilities, and mass revocations require immediate action. Otherwise, customers can be left insecure or offline. When one of these events happens, we want to be ready to mitigate impact immediately. But how?

By having a backup certificate ready to deploy — wrapped with a different private key and issued from a different Certificate Authority than the primary certificate that we serve.

Events that lead to certificate re-issuance

Cloudflare re-issues certificates every day — we call this a certificate renewal. Because certificates come with an expiration date, when Cloudflare sees that a certificate is expiring soon, we initiate a new certificate renewal order. This way, by the time the certificate expires, we already have an updated certificate deployed and ready to use for TLS termination.

Unfortunately, not all certificate renewals are initiated by the expiration date. Sometimes, unforeseeable events like key compromises can lead to certificate renewals. This is because a new key needs to be issued, and therefore a corresponding certificate does as well.

Key Compromises

A key compromise is when an unauthorized person or system obtains the private key that is used to encrypt and decrypt secret information — security personnel’s worst nightmare. Key compromises can be the result of a vulnerability, such as Heartbleed, where a bug in a system can cause the private key to be leaked. They can also be the result of malicious actions, such as a rogue employee accessing unauthorized information. In the event of a key compromise, it’s crucial that (1) new private keys are immediately issued, (2) new certificates are deployed, and (3) the old certificates are revoked.

The Heartbleed Vulnerability

In 2014, the Heartbleed vulnerability was exposed. It allowed attackers to extract the TLS certificate private key for any server that was running the affected version of OpenSSL, a popular encryption library. We patched the bug and then as a precaution, quickly reissued private keys and TLS certificates belonging to all of our customers, even though none of our keys were leaked. Cloudflare’s ability to act quickly protected our customers’ data from being exposed.

Heartbleed was a wake-up call. At the time, Cloudflare’s scale was an order of magnitude smaller. A similar vulnerability at today’s scale would take us weeks, not hours, to re-issue all of our customers’ certificates.

Now, with backup certificates, we don’t need to worry about initiating a mass re-issuance in a small time frame. Instead, customers will already have a certificate that we’ll be able to instantly deploy. Not just that, but the backup certificate will also be wrapped with a different key than the primary certificate, preventing it from being impacted by a key compromise.

Key compromises are one of the main reasons certificates need to be re-issued at scale. But other events can prompt re-issuance as well, including mass revocations by Certificate Authorities.

Mass Revocations from CAs

Today, the Certificate Authority/Browser Forum (CA/B Forum) is the governing body that sets the rules and standards for certificates. One of the Baseline Requirements set by the CA/B Forum states that Certificate Authorities must revoke, within 24 hours, certificates whose keys are at risk of being compromised. For less immediate issues, such as certificate misuse or violation of a CA’s Certificate Policy, certificates need to be revoked within five days. In both scenarios, certificates will be revoked by the CA in a short timeframe and immediate re-issuance of certificates is required.

While mass revocations aren’t commonly initiated by CAs, there have been a few occurrences throughout the last few years. Recently, Let’s Encrypt had to revoke roughly 2.7 million certificates when they found a non-compliance in their implementation of a DCV challenge. In this case, Cloudflare customers were unaffected.

Another time, one of the Certificate Authorities that we use found that they were renewing certificates based on validation tokens that did not comply with the CA/B Forum standards. This caused them to invoke a mass revocation, impacting about five thousand Cloudflare-managed domains. We worked with our customers and the CA to issue new certificates before the revocation, resulting in minimal impact.

We understand that mistakes happen, and we have been lucky enough that as these issues have come up, our engineering teams were able to mitigate quickly so that no customers were impacted. But that’s not enough: our systems need to be future-proof so that a revocation of 45 million certificates will have no impact on our customers. With backup certificates, we’ll be ready for a mass re-issuance, no matter the scale.

To be resilient against mass revocations initiated by our CAs, we are going to issue every backup certificate from a different CA than the primary certificate. This adds a layer of protection if one of our CAs has to invoke a mass revocation — something that, once initiated, is a ticking time bomb.

Challenges when Renewing Certificates

Scale: With great power comes great responsibility

When the Heartbleed vulnerability was exposed, we had to re-issue about 100,000 certificates. At the time, this wasn’t a challenge for Cloudflare. Now, we are responsible for tens of millions of certificates. Even if our systems are able to handle this scale, we rely on our Certificate Authority partners to be able to handle it as well. In the case of an emergency, we don’t want to rely on systems that we do not control. That’s why it’s important for us to issue the certificates ahead of time, so that during a disaster, all we need to worry about is getting the backup certificates deployed.

Manual intervention for completing DCV

Another challenge that comes with re-issuing certificates is Domain Control Validation (DCV). DCV is a check used to validate the ownership of a domain before a Certificate Authority can issue a certificate for it. When customers onboard to Cloudflare, they can either delegate Cloudflare to be their DNS provider, or they can choose to use Cloudflare as a proxy while maintaining their current DNS provider.

When Cloudflare acts as the DNS provider for a domain, we can add Domain Control Validation (DCV) records on our customer’s behalf. This makes the certificate issuance and renewal process much simpler.

Domains that don’t use Cloudflare as their DNS provider — we call them partial zones — have to rely on other methods for completing DCV. When those domains proxy their traffic through us, we can complete HTTP DCV on their behalf, serving the HTTP DCV token from our Edge. However, customers that want their certificate issued before proxying their traffic need to manually complete DCV. In an event where Cloudflare has to re-issue thousands or millions of certificates, but cannot complete DCV on behalf of the customer, manual intervention will be required. While completing DCV is not an arduous task, it’s not something that we should rely on our customers to do in an emergency, when they have a small time frame, with high risk involved.

This is where backup certificates come into play. From now on, every certificate issuance will fire two orders: one for a certificate from the primary CA and one for the backup certificate. When we can complete the DCV on behalf of the customer, we will do so for both CAs.
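As an added illustration (not Cloudflare’s pipeline code), the following Python models the two invariants a backup certificate must satisfy according to this post, a different private key and a different CA, together with the failover choice when a key is compromised or a CA starts revoking; the hostname, CA names and fingerprints are constructed placeholders, and the renewal lead time is an assumed value, not Cloudflare’s.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Cert:
    hostname: str
    issuer_ca: str         # CA that issued this certificate
    key_fingerprint: str   # identifies the private key the certificate wraps
    not_after: date

@dataclass(frozen=True)
class CertificatePack:
    primary: Cert
    backup: Cert

    def validate(self):
        """List the ways the backup fails the post's requirements (empty if sound)."""
        problems = []
        if self.backup.hostname != self.primary.hostname:
            problems.append("backup covers a different hostname")
        if self.backup.issuer_ca == self.primary.issuer_ca:
            problems.append("backup issued by the same CA as the primary")
        if self.backup.key_fingerprint == self.primary.key_fingerprint:
            problems.append("backup wrapped with the primary's private key")
        return problems

    def servable(self, today, compromised_keys=(), revoking_cas=()):
        """Serve the primary unless its key or CA is affected; then the backup; else None."""
        for cert in (self.primary, self.backup):
            unaffected = (cert.key_fingerprint not in compromised_keys
                          and cert.issuer_ca not in revoking_cas
                          and cert.not_after > today)
            if unaffected:
                return cert
        return None

def renewal_due(cert, today, lead_days=30):
    """Order the renewal ahead of expiry so the replacement is deployed in time (lead time assumed)."""
    return today >= cert.not_after - timedelta(days=lead_days)

# Constructed sample pack: same hostname, different key, different CA.
EXAMPLE_PACK = CertificatePack(
    primary=Cert("shop.example", "CA-A", "sha256:1111", date(2022, 6, 1)),
    backup=Cert("shop.example", "CA-B", "sha256:2222", date(2022, 6, 1)),
)
```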

Today, we’re only issuing backup certificates for domains that use Cloudflare as an Authoritative DNS provider. In the future, we’ll order backup certificates for partial zones. That means that for backup certificates for which we are unable to complete DCV, we will give customers the corresponding DCV records to get the certificate issued.

Backup Certificates Deployment Plan

We are happy to announce that Cloudflare has started deploying backup certificates on Universal Certificate orders for Free customers that use Cloudflare as an Authoritative DNS provider. We have been slowly ramping up the number of backup certificate orders and in the next few weeks, we expect every new Universal certificate pack order initiated on a Free, Pro, or Biz account to include a backup certificate, wrapped with a different key and issued from a different CA than the primary certificate.

At the end of April we will start issuing backup certificates for our Enterprise customers. If you’re an Enterprise customer and have any questions about backup certificates, please reach out to your Account Team.

Next Up: Backup Certificates for All

Today, Universal certificates make up 72% of the certificates in our pipeline. But we want full coverage! That’s why our team will continue building out our backup certificates pipeline to support Advanced Certificates and SSL for SaaS certificates. In the future, we will also issue backup certificates for certificates that our customers upload themselves, so they can have a backup they can rely on.

In addition, we will continue to improve our pipeline to make the deployment of backup certificates instantaneous — leaving our customers secure and online in an emergency.

At Cloudflare, our mission is to help build a better Internet. With backup certificates, we’re helping build a secure, reliable Internet that’s ready for any disaster. Interested in helping us out? We’re hiring.