A series of protests began in Iran on September 16, following the death in custody of Mahsa Amini — a 22-year-old who had been arrested for violating Iran’s mandatory hijab law. The protests and civil unrest have continued to this day. But the impact hasn’t just been on the ground in Iran — the impact of the civil unrest can be seen in Internet usage inside the country, as well.
With the proliferation of smartphones and the ubiquity of the Internet that has resulted, it’s no longer simply the offline world impacting the Internet; what happens on the Internet is impacting the offline world, too. For that reason, it’s not surprising that in order to limit the spread of the protests — both news of it happening and the further organization of civil unrest — the Iranian government introduced limits on the Internet. This included banning certain social media and communications tools: most notably including Instagram and WhatsApp, which are estimated to be used by over 50% of the Iranian population.
But despite the threat that the protests pose, and the Internet’s enabling role in them, it has not been cut off altogether. In fact, from the perspective of Cloudflare, Internet use in Iran has surged since the beginning of the protests.
This is a story of how critical the Internet has become to life, even in authoritarian regimes — and how even, after 12 years of planning, Iran has been unable to consistently cut off access to the Internet outside the country.
A history of control
Kafinet — Internet cafés — emerged in Iran in the late 90s and early 2000s. Internet use became prolific. But in 2005, it began to change under the election of the conservative President Ahmadinejad. The idea of an “Iranian Internet” was proposed — one that was consistent with the policies and principles of the Iranian government, and able to be controlled and regulated domestically — as opposed to how the Internet operated overseas. From a technical perspective, the hope was an Iranian Internet would still be able to work inside the country, even if it was fully disconnected from the outside world. While the idea was discussed, no real work on it truly began until 2009, when the Green protests — a series of mass protests following the disputed reelection of President Ahmadinejad — caused the government to appreciate the potential risk that the Internet posed. It was around this time that ISPs needed approval from the government to operate, and were required to filter content in order to continue to gain that approval.
In 2013, Iran took things a step further, and began work on a National Infrastructure Network (NIN), with the aim of recreating within Iran all the essential Internet services like search and messaging that had traditionally been provided by organizations outside of Iran. It was coupled with policies that subsidized and encouraged the use of these local services; which, as they were hosted domestically, made monitoring and filtering much more feasible.
It was not quite as extreme as the Chinese approach to the Internet, where similar overseas services were banned altogether, but it was certainly a shift in that direction. And given the limited number of physical network connections from Iran to the outside world, it was much more feasible for the government to take the step of cutting off Internet outside the country — while allowing select infrastructure within it (such as banking and government services) to remain online.
Iran has deployed such tactics previously: most notably during protests in November 2019, triggered by an increase in fuel prices.
The initial response
Our earlier blog covered the initial response to the protests extensively.
To provide context (measured over the last week) four providers in Iran account for 85% of traffic in Iran: three mobile and one fixed/wireline.
As a baseline, the following traffic mix is what Cloudflare saw from these four major network providers in Iran the week before the protests started:
The protests began on September 16. You can see the government’s response in the Internet traffic, with a shutdown implemented that lasts the better part of a day:
However, the following days, it appears to return to a somewhat normal pattern.
What happened subsequently
Looking after that week, however, shows Internet usage picks up massively from the baseline as the protests spread across the country. Also of note: the “curfews” on the mobile networks that were implemented in that first week continued. You can see the troughs for all but the fixed Internet provider as traffic drops to near zero.
What traffic looks like now
Looking at a more recent week, two things stand out: the level of network activity across the major providers in Iran remains much higher than it was previously. Also, the curfews appear to have been lifted, with Internet traffic declining overnight, but not “flatlining” as it was in the graphs above.
The web persists, even in Iran
While the initial response of the Iranian government to the protests was to dramatically scale back access to the Internet, the government did not persist with the policy. Our hypothesis is that the Internet has become too important to economic activity and also everyday life for the country to be able to continue to operate without it. Despite having spent almost 10 years developing a NIN — an Iranian Internet — it appears that, in part because of the protests, traffic from the major Iranian networks to Cloudflare has picked up substantially, and the curfews have ceased.
While certain Internet properties continue to be blocked without access to a VPN — WhatsApp, for example — the idea that a country can simply disconnect itself from the Internet into a country-specific “splinternet” is being further and further tested. Even in a country like Iran, subject to sanctions and with a government-led policy of attempting to recreate core services within a country, access to the broader Internet is too important to simply shut off.
Since our founding, Cloudflare’s mission has been to “help build a better Internet,” and we take it to heart. It used to be that the services required to adequately secure an online presence were only available to the largest of enterprises — organizations big enough to afford both the technology itself and the teams to manage it.
We’ve worked hard over the years to level the playing field. This has meant making more and more of the essential tools for protecting an online presence available to as many people as possible. Cloudflare offers unmetered DDoS protection — for free. We were the first to introduce SSL at scale — for free. And it’s not just protection for your external-facing infrastructure: we have a free Zero Trust plan that enables teams to protect their internal-facing infrastructure, too.
These types of tools have always been important for the billions of people on the Internet. But perhaps never as important as they’ve become this week.
Not surprisingly, we’ve been fielding many questions from our customers about what they should be doing to increase their cyber resilience. But helping to build a better Internet is broader than just helping our customers. We want everyone to be safe and secure online.
So: what should you do?
Whether you’re a seasoned IT professional or a novice website operator, these free Cloudflare resources are available for you today. Beyond these free resources, there are a few simple steps that you can take to help stay protected online.
Free Cloudflare resources to help keep you and your organization safe
These Cloudflare services are available to everyone on the Internet. If you’re a qualified vulnerable public interest group, or an election entity, we have additional free services available to you.
Let’s start with the services that are freely available to everyone.
For your public-facing infrastructure, such as a website, app, or API:
This provides the basics you need to protect public-facing infrastructure: unmetered DDoS mitigation, free SSL, protection from vulnerabilities including Log4J. Furthermore, it includes built-in global CDN and DNS.
For your internal-facing infrastructure, such as cloud apps, self-hosted apps, and devices:
These essential security controls keep employees and apps protected online by ensuring secure access to the Internet, self-hosted applications and SaaS applications. Free for up to 50 users.
For your personal devices, such as phones, computers, and routers:
Otherwise known as Cloudflare for Families. This is the same as Cloudflare’s privacy-protecting, superfast 1.1.1.1 DNS resolver. However, 1.1.1.2 has one big added benefit over 1.1.1.1: if you click on a link that’s about to take you to malware, we step in on your behalf, preventing you from ending up on the malicious site. It’s super simple to set up: you can follow the instructions here, then click the “Protect your home against malware” button; or simply update your DNS settings to use the following:
And while we’ve called it Cloudflare for Families, we should note: it works equally well for businesses, too.
All the services listed above are available now. They can scale to the most demanding applications and withstand the most determined attacks. And they are made freely available to everyone on the Internet.
Cloudflare provides an additional level of free services to special types of organizations.
Project Galileo: for vulnerable public interest groups
Founded in 2014, Project Galileo is Cloudflare’s response to cyberattacks launched against important yet vulnerable targets like artistic groups, humanitarian organizations, and the voices of political dissent. Perhaps now more than ever, protecting these organizations is crucial to delivering the promise of the Internet. Importantly, it’s not us deciding who qualifies: we work with a range of partner organizations such as the Freedom of the Press Foundation, the Electronic Frontier Foundation, and the Center for Democracy and Technology to help identify qualified organizations.
Over the past week we’ve seen an influx of applications to Project Galileo from civil society and community organizations in Ukraine and the region who are increasingly organizing to provide support and essential information to the people of Ukraine. To the vulnerable organizations that qualify, we offer a range of further Cloudflare services that we usually reserve for our largest enterprise customers. You can visit here to find out more about Project Galileo, or if you think your organization might qualify, we encourage you to apply here.
The Athenian Project: for election entities
As with public interest groups, there are many malicious actors today who try to interfere with free and democratic elections. One very simple way that they can do this is through cyberattacks. Just like every other Internet property, election websites need to be fast, they need to be reliable, and they need to be secure. Yet, scarce budgets often prevent governments from getting the resources needed to prevent attacks and keep these sites online.
Just like with Project Galileo, for election entities that qualify, we offer a range of further Cloudflare services to help keep them safe, fast, and online. We have more information about the Athenian Project here, and if you’re working at an election entity, you can apply at the bottom of that same page.
We’re all dependent on the Internet more than ever. But as that dependency grows, so too does our vulnerability to attack. Cloudflare provides these no cost services in the spirit of helping to build a better Internet. Please take advantage of them, and spread the word to other people and organizations who could benefit from them too.
Basic online security hygiene
Beyond Cloudflare’s free services, there are a range of basic steps that you can take to help protect your online presence. We’re imagining that almost everyone will have heard of these steps before. For those of you who have heard it but have been putting it off, now is the time. Taking these simple steps today can save you a world of cyber heartache tomorrow.
Don’t re-use passwords across accounts. It’s unfortunate, but websites and applications are compromised every day. Sometimes, a compromise will result in a hacker gaining access to all the usernames and passwords on that website or app. One of the first things a hacker will then do is try all those username and password combinations on other popular websites. If you had an account on a compromised website, and your password there is the same as the one you use for (say) your online banking account, well… they’re now in your bank account. Compounding this, compromised credentials are frequently bought and sold in illegal online marketplaces. You can check if your credentials have been compromised on this site. It’s extremely important to ensure that you don’t use the same credentials on multiple sites or apps.
Use multi-factor authentication on your accounts. This adds a second layer of identification beyond just your password. It often takes the form of a confirmation code in a text message or email, or better yet, a randomly generated code from an authentication app, or, best of all, a hardware key that you insert into your computer or wave at your phone. This helps ensure that the person logging into your account is actually you. Internally at Cloudflare, we use hardware keys exclusively because of their high security.
Use a password manager. If you want to compress the two above steps down into one, find and begin using a password manager. A password manager helps you manage passwords across multiple accounts; it automatically creates a random and unique password for each login you have. It can also manage randomly generated multi-factor authentication for you. If you’re in the Apple ecosystem, Apple has one built into iOS and macOS that will sync across your devices. 1Password and LastPass are also very popular examples. We require the use of a password manager at Cloudflare, and recommend their use to everyone.
Keep your software up to date. This applies for all your software — both operating systems and applications, on computers and on your phone. Flaws and potential security holes are being discovered all the time. While vendors are increasingly quick to react, and software can be patched over the Internet in a matter of minutes — this only works if you click the “Install Update Now” button. Or better yet, you can set updates to be automatic, and this can help to guarantee that your systems stay current.
Be extra cautious before clicking on links in emails. According to the CISA, more than 90% of successful cyber-attacks start with a phishing email. This is when a link or webpage looks legitimate, but it’s actually designed to have you reveal your passwords or other sensitive information. You can double-check the URL of any links you click on. Or better yet, type the URL in yourself, or search for the site you’re looking for from your search engine. Finally, 1.1.1.2 (see above in this post) can help protect you in the event that you do click on one of these phishing links.
Be extra cautious giving credentials to people who have called you. Phishing doesn’t just happen via email. It can happen over the phone, too. It might be a call from someone claiming to work at your bank, telling you there’s strange activity on your account. Or someone claiming to be an IT administrator at your company, asking why you’ve been looking at strange websites. After putting you on the back foot, they’ll ask for something so they “can help you” — possibly a password or a text confirmation code. Don’t give it to them. If you’re at all unsure of anyone who just called you, there’s a simple solution: ask them for their name, their department, and their organization, and then hang up. You can then call them back through a phone number that their organization advertises on their homepage.
Have an offline, or at least a cloud-based, backup of critical or irreplaceable data. Even if you follow every last piece of advice above, there is still the risk that something bad happens. A backup of your critical data — ideally offline, but even one up in the cloud — is your last line of defense. Beyond security resilience, backups also improve your general resilience. Lost devices, natural disasters, and accidents happen. Backups mitigate the impact.
These are simple and immediate actions you can take to help keep your online presence secure.
From everyone at Cloudflare: we hope that you and your loved ones are safe during these unpredictable times.
Cloudflare’s network is one of the biggest, most connected, and fastest in the world. It extends to more than 250 cities. In those cities, we’re often present in multiple data centers in order to connect to as many networks and bring our services as close to as many users as possible. We’re always asking ourselves: how can we get closer to even more of the world’s Internet users?
Today, we’re taking a big step toward that goal.
Introducing Cloudflare for Offices. We are creating strategic partnerships that will enable us to extend Cloudflare’s network into over 1,000 of the world’s busiest office buildings and multi-dwelling units. These buildings span the globe, and are where millions of people work every day; now, they’re going to be microseconds away from our global network. Our first deployments will include 30 Hudson Yards, 4 Times Square, and 520 Madison in New York; Willis Tower in Chicago; John Hancock Tower in Boston; and the Embarcadero Center and Salesforce Tower in San Francisco.
And we’re not done. We’ve built custom secure hardware and partnered with fiber providers to scale this model globally. It will bring a valuable new resource to the literal doorstep of building tenants.
Cloudflare has built a mutually beneficial relationship with the world’s ISPs by reducing their operational costs and improving customer performance. Similarly, we expect a mutually beneficial relationship as we roll out Cloudflare for Offices. Real estate operators & service offices upgraded with this amenity increase the value and occupancy of their portfolio. IT teams can enforce a consistent security posture while enabling flexible work environments from any location their employees prefer. And employees in these smart spaces, experiencing faster Internet performance, can be more productive, seamlessly working as they choose, be it at the office, at home, or on the go.
Why offices?
There’s no disputing the fact that the nature of work has undergone a tremendous shift over the past 18 months. While we still don’t know what the future of work will look like exactly, here’s what we do know: it’s going to require more flexibility, all while maintaining security and performance standards that are a prerequisite for operating on today’s Internet. Enabling flexibility, and improving performance AND security (as opposed to trading one off for the other) has been a long held belief of Cloudflare. Alongside, of course, driving value for organizations.
Cloudflare for Offices — by connecting directly with enterprises — enables us to now do that for commercial office space.
No More Band-Aid Boxes in the Basement
There are a variety of advantages to Cloudflare for Offices. First and foremost, it eliminates the need to rely on the costly, rigid hardware solutions and multiple, regional, third parties that are often required to provide secure and performant branch office connectivity. Businesses have maintained expensive and hardware-intensive office networks since the dawn of the modern Internet.
Never have they gotten less return on that investment than through the pandemic.
The hybrid future of work will only exacerbate the high costs and complexity of maintaining and securing this outdated infrastructure. MPLS links. WANs. Hardware firewalls. VPNs. All these remain mainstays of the modern office. In the same way that we look back on maintaining server rooms for compute and storage as complete anachronisms, so too will we soon look back on maintaining all these boxes in an office. We’ve spoken to customers who now have over half of their workforce remote, and who are considering giving up their office space or increasing their presence in shared workspaces. Some are being hamstrung because of a need for MPLS to make their network operate securely. But it’s not just customers. This is a problem that we ourselves have been facing. Setting up new offices, or securing and optimizing shared workspaces, is a huge lift, physically as well as technologically.
Cloudflare for Offices simplifies this: a direct connection to Cloudflare’s network puts all office traffic behind Cloudflare’s services. Now, creating an office is as simple as plugging a cable into our box, and all the security and performance features that an office typically needs are microseconds away. It also enables the creation of custom topologies on Cloudflare’s network, dramatically increasing the flexibility of your physical footprint.
“Throughout the pandemic, we’ve supported our over 12,000 employees to work safely and seamlessly from home or from our offices. Cloudflare solutions have been critical, and we’re excited to continue to partner on efficient and strong solutions.” – Mark Papermaster, CTO and Executive Vice President, Technology and Engineering, AMD
Zero (Trust) to 100 performance
COVID-19 hasn’t just driven a paradigm shift in where people work, however. It’s also driven a paradigm shift in how organizations think about IT security.
The old model — castle and moat — was designed during the desktop era, when most computing happened on premises. Everyone within the walls of the enterprise was considered authenticated; if you were outside the office, you needed to “tunnel” in through the moat in the castle of the office. As more and more users entered the portable era — through laptops and smartphones — then more tunnels were created.
The pandemic made it so that everyone was outside the moat, tunneling into an empty castle. Nobody was in the office anymore. The paradigm has been stretched to a parody.
Google was one of the first organizations to start to think about how things could be done differently: it proposed a model called BeyondCorp, which treated internal employees to an organization similar to how it treated external customers or suppliers to an organization. To put it simply: nobody is trusted, no matter if they’re in the office or not. If you want access to something, be prepared to prove you are who you say you are.
Fast-forward to 2021, and this model — otherwise known as Zero Trust — has become the gold standard of enterprise security, to which more and more organizations are implementing. Cloudflare’s Zero Trust solution — Cloudflare for Teams — has become increasingly popular for not just its advanced functionality and its ease of use, but because, when coupled with our enterprise connectivity offerings, allows you to run more and more of your traffic across Cloudflare’s network. We call this holistic solution Cloudflare One, and it provides your organization a virtual private network in the cloud, with all the associated security and visibility benefits.
Cloudflare for Offices is the onramp for offices onto Cloudflare One. It’s a fast, private onramp for your office network traffic straight onto the Cloudflare network — with all the security and visibility benefits that running your traffic over our network provides.
We also realize that for many organizations, Zero Trust is a journey. Not every customer is ready to go from MPLS and built-out networks to trusting the public Internet overnight. Cloudflare for Offices is a great start in the journey — by building out your own networks on top of Cloudflare, you reduce your threat vectors while being able to keep your existing topologies. This gives you the privacy and security of Cloudflare One, but with the flexibility to build Zero Trust any way you choose.
But security and visibility are not the only benefits. One of the common complaints we hear from customers about competing solutions is that performance can be extremely variable. The proximity Cloudflare has to so many people around the world is important because when employees connect using a Zero Trust solution, at least a subset (but often all) the traffic going from an end-user device needs to connect to the Zero Trust provider. Having Cloudflare equipment close means that the performance of the user device will be vastly increased as opposed to having to connect to a far off data center. You’ve probably read about what happens when Cloudflare takes control of your Last Mile connectivity and your network to your data centers. And you know that connecting to a Cloudflare data center in the same city increases performance, but imagine what happens when you’re connecting to Cloudflare in your office basement. And when you think about all the employees that you have are running on a zero trust model, that performance difference sums up to a lot of additional employee productivity.
Up until now, something like this has been extremely expensive, complicated, and oftentimes, slow.
“We see a lot of potential in the way Cloudflare is bringing its network directly to our office locations. It’s critical that we empower our employees to work productively and securely, and this makes it that much easier for us to do so no matter where our teams are working from in the future–and reducing our network costs along the way.” – Aaron Dearinger, Edge Architect, Garmin International
Cloudflare for Offices allows for customers to choose their Network as a Service: let us manage your footprint and build your network out however you like.
Living on the Edge
But it’s not just zero trust that gets a boost. Workers, Cloudflare’s serverless platform, runs on the edge from the nearest data center to the user making the request. As you might have already read: it’s fast. With more and more business and application logic being moved to Workers, your end users stand to benefit.
But it does beg the question: just how fast are we talking?
One example building we’re planning to enable is Salesforce Tower, in San Francisco. It’s 1,070 feet tall. A light signal running from the top of the building to the basement along a single-mode fiber cable would take no more than 6 µs (6 microseconds) to complete its journey. This puts customers fractions of a millisecond away from Cloudflare’s network.
We’ve written many times before about how Cloudflare designs our hardware. But deploying Cloudflare hardware outside of data centers — and into office basements — presented a new set of challenges. Cooling, energy efficiency, and resiliency were even more important in the design. Similarly, these are going to be deployed to offices all over the world; they needed to be cost-effective. Finally, and perhaps most importantly, there is also a security aspect to this: we could not assume the same level of access control inside a building as we could inside a data center.
This is where the inherent advantages of designing and owning the hardware come to the fore. Because of it, we’re able to build exactly what we need for the environment: ranging from how resilient these devices need to be, to an appropriate level of security given where they’re going to be operating. In fact, we have been working on hardware security for the last five years in anticipation of the launch of Cloudflare for Offices. We’re starting with switching, and we plan to add compute and storage capabilities in short order. Stay tuned for more details.
Join the Revolution
If you’re an organization (tenant) in a large office building, an owner/operator of multi-tenant (or multi-dwelling) real estate, or a co-working space looking to bring Cloudflare to your doorstep — with all the flexibility, performance and security enhancements, and cost savings that would entail — then we’d love for you to get in touch with us.
We’ve always used birthdays as an opportunity to give back to the Internet. But this year — a year in which the Internet has been so central to giving us all some degree of connectedness and normalcy — it feels like giving back to the Internet has been more important than ever.
And while we couldn’t celebrate in person, we were humbled by some of the incredible minds that joined us online to talk about how the Internet has changed over the last ten years — and what we might see over the next ten.
With that, let’s recap the key announcements from Birthday Week 2020.
Day 1, Monday: Workers
During Birthday Week in 2017, Cloudflare announced Workers — a serverless platform that represented a completely new way to build applications: by writing your code directly onto our network edge. On Monday of this year’s Birthday Week, we announced Durable Objects and Cron Triggers — both of which continue to expand the use cases that Workers can address.
Many folks associate the serverless paradigm with functions as a service — which, at its core, is stateless. Workers KV started down the path of changing this, providing high availability storage on the edge. However, there are use cases where consistency (a client making a request to a database will get the same view of data) is more important than availability (a client making a request to a database requests always receives a response). Say you want to sell tickets to a concert — you don’t want to allow two people to be able to purchase the same ticket. With a traditional application, with a database running in one location, that’s relatively easy to ensure. But with Workers running in Cloudflare’s data centers all over the world, ensuring consistency is a little bit more challenging. Workers Durable Objects solves for this for developers: giving them access to high consistency storage when they’re building on the Workers platform.
Similarly, triggering Workers has historically needed a user to do something, A user visiting a URL, for example. But developers have use cases when they want a Worker to run, independent of a user doing something right now. Syncing for example. Batch jobs. Or perhaps doing something 24 hours after a user has done something. And this is where Cron Triggers come in — now, for developers on the Workers platform, there’s no more need to rely on an eyeball to get things rolling.
Day 2, Tuesday: Analytics
There are a lot of website analytics products out there on the market. Many of those products are, not surprisingly, very good.
But the way they’ve been implemented often leaves a lot to be desired. Most of them operate by tracking individual users, using client-side state like cookies or localStorage — or even fingerprints. This is increasingly a problem. There’s the principle of it: we don’t want to be tracked individually — why would we want visitors to our web properties to feel tracked either? Beyond that though, because so many people are feeling uncomfortable with how they’re being tracked around the web, they’re simply blocking a lot of these analytics products. As a result, all these analytics products are increasingly becoming less accurate.
On Tuesday, we announced a new Web Analytics product that allows you to get the best of both worlds — detailed and accurate analytics, without compromising on the privacy of your users. We don’t use any client-side state, like cookies or localStorage, for the purposes of tracking users. And we don’t “fingerprint” individuals via their IP address, User Agent string, or any other data for the purpose of displaying analytics (we consider fingerprinting even more intrusive than cookies, because users have no way to opt out). Because Cloudflare’s business has never been built around tracking users or selling advertising, we don’t do it. Just the metrics, ma’am.
That wasn’t all on Tuesday, though. Another crucial aspect of owning a web property is website performance. Not only does it impact user experience, Google uses a blended measure of performance to inform site ranking in their search results. Google’s Chrome team has been doing some great work on metricizing site performance, and that’s culminated in Web Vitals. We’ve worked with the Chrome team to integrate Web Vitals in our Browser Insights product. You’ve always gotten edge-side performance analytics from Cloudflare, but now, you’re not just seeing the server side view of your web performance: it’s blended with how your users perceive performance, too. We take all that data and present it in a pragmatic way to help you figure out what you need to do to optimize the performance of your site.
Day 3, Wednesday: Cloudflare Radar and Speeding up HTTPS/HTTP3
As of today, Cloudflare sits in front of 14.5% of the world’s top 10 million websites. The privilege of getting to serve so many different customers means we get visibility into a lot of things on the web. Wednesday of birthday week was about us taking advantage of that for everyone who is out on the web today.
If you think about the traffic flowing through a city at any given time, it’s like a living, breathing creature. It ebbs and flows; it has rhythms that follow the sun and moon. Unusual events can cause traffic jams; as can accidents. Many cities have traffic reporting services for exactly this reason; knowing what’s going on can help immensely those that need to navigate the city streets. The web is like a global version of this, and given the role that the Internet now plays for humanity, understanding what’s going on probably equals in importance to all those city traffic reports all around the world.
And yet, when you want to get the equivalent of that traffic report, where do you go?
Cloudflare Radar is our answer to that question. Each second, Cloudflare handles on average 18 million HTTP requests and 6 million DNS requests. We block 72 billion cyberthreats every day. Add to that 1 billion unique IP addresses connecting to Cloudflare’s network, we have one of the most representative views on Internet traffic worldwide. Before Radar, all this activity, good and bad, was only available internally at Cloudflare: we used it to help improve our service and protect our customers. With the release of Radar, however, we’re exposing it externally: shining a light on the Internet’s patterns for the world to see.
On the subject of spotting interesting patterns. Back in late June, our team noticed a weird spike in DNS requests for the 65479 Resource Record. It turns out, these spikes were a part of Apple’s iOS14 beta release — Apple were testing out a new SVCB/HTTPS record type. The aim: to patch a limitation that’s been inherent in the HTTPS and HTTP3 protocol. When a user types in a URL without specifying the protocol (e.g. HTTPS), the initial negotiation happens in plaintext because browsers will start with HTTP. Only once it’s established that an HTTPS or HTTP3 resource exists will the browser transition over to that. The problem here is twofold: latency, and also security.
But you know what happens before any HTTP negotiation can happen? A DNS request. And that’s what Apple had implemented that created this interesting pattern: the DNS request was effectively asking whether the site supported HTTPS, or HTTP3. As of Wednesday during birthday week, Cloudflare’s DNS servers will now automatically generate HTTPS records on the fly to advertise whether a particular zone supports HTTP/3 and/or HTTP/2, based on whether those features are enabled on the zone. The result: better performance, and improved security. Who says you need to pick just one?
Day 4, Thursday: API day
Nobody has ever doubted the importance of user interfaces. Finding ways for humans and computers to engage each other has been an area of focus since the very first computers were invented. But as the web has grown, data has become the new oil, and applications have proliferated, there’s another interface that has grown in importance: the interface between different types of applications. Day 4 of Birthday Week was all about APIs.
The first announcement was beta support for gRPC: a new type of protocol that’s intended for building APIs at scale. Most REST APIs use HTTPS and JSON to communicate values. The problem with these is that they’re really designed for that other type of interface mentioned above: for humans to talk to computers. The upside is it makes things human readable; the downside is they’re really inefficient, and as the use of APIs only continues to explode this inefficiency proliferates. The gRPC protocol is an answer to this: it’s an efficient protocol for computers to talk to each other. But up until now, that also came at a price: because gRPC uses newer technology (like HTTP/2) under the covers, existing security and performance tools did not support gRPC traffic out of the box. This meant that customers adopting gRPC to power their APIs had to pick between modernity on one hand, and things like security, performance, and reliability on the other.
Cloudflare’s announcement of support of gPRC fixes this trade-off: when you put your gPRC APIs on Cloudflare, you get all the traditional benefits of Cloudflare along with it. Apprehensive of exposing your APIs to bad actors? Need more performance? Turn on Argo Smart Routing to decrease time to first byte. Increase reliability by adding a Load Balancer. Or add security features such as Bot Management and the WAF.
Speaking of the WAF. If you think about the way our WAF works, it secures web application from attacks by looking for attack patterns — say, bot patterns that try to imitate human patterns, or abuse of how a browser interacts with a site; in both instances, the attack is intended to break something. But because what computers need to talk to each other is different from what computers need to talk to humans, the attack vectors are different. Therefore protecting APIs isn’t quite the same as protecting websites.
API Shieldis purpose-built for just this. It makes it simple to secure APIs through the use of strong client certificate-based authentication, and strict schema-based validation. On the authentication side, API shield uses mutual TLS — which is not vulnerable to the reuse or sharing of passwords or tokens. And once developers can be sure that only legitimate clients (with SSL certificates in hand) are connecting to their APIs, the next step in API Shield is making sure that those clients are making valid requests. It works by matching the contents of API requests—the query parameters that come after the URL and contents of the POST body—against a contract or “schema” that contains the rules for what is expected. If validation fails, the API call is blocked protecting the origin from an invalid request or a malicious payload.
And, as you’d expect from Cloudflare, gRPC and API Shield support each other out of the box.
Day 5, Friday: Automatic Platform Optimization (starting with WordPress)
The idea of caching static assets is not new, and it’s something Cloudflare has supported from its inception. It works wonders in speeding up websites: particularly if your origin is slow and/or your user is far from the origin server, then all your performance metrics will be affected. Caching also also has the added benefit of reducing load on origin servers.
However, things get a little more tricky when it comes to dynamic assets: if the asset could change, shouldn’t you go back to the origin just to make sure? For this reason, by default, Cloudflare doesn’t cache HTML content: there’s a chance it’s going to change for each user. The reality is though, most HTML isn’t really dynamic. It needs to be able to change relatively quickly when the site is updated but for a huge portion of the web, the content is static for months or years at a time. There are special cases like when a user is logged-in (as the admin or otherwise) where the content needs to differ but the vast majority of visits are of anonymous users.
Automatic Platform Optimization, which was announced on Friday, brings more intelligence to this — allowing us to figure out when we should be caching HTML, and when we shouldn’t. The advantage of this is it moves more content closer to the user, and it does it automagically — there’s no configuration required. The benefits aren’t trivial: a 72% reduction in Time to First Byte (TTFB), 23% reduction to First Contentful Paint, and 13% reduction in Speed Index for desktop users at the 90th percentile. We’re starting off with support for WordPress — 38% of all websites, but the plan is to expand this to other platforms in the near future.
All day, every day: Cloudflare TV
Ten years is a long time. The milestone for Cloudflare seemed to be the perfect opportunity to look back over the last ten years of the Internet — what’s changed, what’s surprised us? And more than that: what’s coming over the next ten years?
To look back and then peer out into the future, we were humbled to be joined by some of the most celebrated names in tech and beyond. Among the highlights: Apple co-founder Steve Wozniak, Zoom CEO Eric Yuan, OpenTable CEO Debby Soo, Stripe co-founder and President John Collison, Former CEO & Executive Chairman of Google and Co-Founder of Schmidt Futures Eric Schmidt, former McAfee CEO Chris Young, former Seal Team 6 Commander Dave Cooper, Project Include CEO Ellen Pao, and so many more. All told, it was 24 hours of live discussions over the course of the week.
And with that, it’s a wrap! To everyone who has been a part of the Cloudflare journey over the past 10 years: our customers, folks on the team, friends and supporters, and our partners all around the world: thank you. It’s been an incredible ride.
And, as our co-founder Michelle likes to say, we’re just getting started.
The collective thoughts of the interwebz
By continuing to use the site, you agree to the use of cookies. more information
The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.
