TLS – Noise

Keeping the Internet fast and secure: introducing Merkle Tree Certificates

Luke Valenta — Tue, 28 Oct 2025 13:00:00 +0000

Cloudflare is launching an experiment with Chrome to evaluate fast, scalable, and quantum-ready Merkle Tree Certificates, all without degrading performance or changing WebPKI trust relationships.

Eliminating Cold Starts 2: shard and conquer

Harris Hancock — Fri, 26 Sep 2025 13:00:00 +0000

We reduced Cloudflare Workers cold starts by 10x by optimistically routing to servers with already-loaded Workers. Learn how we did it here.

Automatically Secure: how we upgraded 6,000,000 domains by default to get ready for the Quantum Future

Alex Krivit — Wed, 24 Sep 2025 14:00:00 +0000

After a year since we started enabling Automatic SSL/TLS, we want to talk about these results, why they matter, and how we’re preparing for the next leap in Internet security.

Addressing the unauthorized issuance of multiple TLS certificates for 1.1.1.1

Joe Abley — Thu, 04 Sep 2025 17:30:00 +0000

Unauthorized TLS certificates were issued for 1.1.1.1 by a Certification Authority without permission from Cloudflare. These rogue certificates have now been revoked.

The importance of encryption and how AWS can help

Ken Beer — Wed, 12 Feb 2025 19:18:47 +0000

February 12, 2025: This post was republished to include new services and features that have launched since the original publication date of June 11, 2020. Encryption is a critical component of a defense-in-depth security strategy that uses multiple defensive mechanisms to protect workloads, data, and assets. As organizations look to innovate while building trust with […]

Resolving a Mutual TLS session resumption vulnerability

Matt Bullock — Fri, 07 Feb 2025 20:13:14 +0000

Cloudflare patched a Mutual TLS (mTLS) vulnerability (CVE-2025-23419) reported via its Bug Bounty Program. The flaw in session resumption allowed client certificates to authenticate across different

A look at the latest post-quantum signature standardization candidates

Bas Westerbaan — Thu, 07 Nov 2024 14:00:00 +0000

NIST has standardized four post-quantum signature schemes so far, and they’re not done yet: there are fourteen new candidates in the running for standardization. In this blog post we take measure of them and discover why we ended up with so many PQ signatures.

Options for AWS customers who use Entrust-issued certificates

Zach Miller — Fri, 18 Oct 2024 12:48:47 +0000

Multiple popular browsers have announced that they will no longer trust public certificates issued by Entrust later this year. Certificates that are issued by Entrust on dates up to and including October 31, 2024 will continue to be trusted until they expire, according to current information from browser makers. Certificates issued by Entrust after that date […]

New standards for a faster and more private Internet

Matt Bullock — Wed, 25 Sep 2024 13:00:00 +0000

Cloudflare's customers can now take advantage of Zstandard (zstd) compression, offering 42% faster compression than Brotli and 11.3% more efficiency than GZIP. We're further optimizing performance for our customers with HTTP/3 prioritization and BBR congestion control, and enhancing privacy through Encrypted Client Hello (ECH).

Encryption in transit over external networks: AWS guidance for NYDFS and beyond

Aravind Gopaluni — Wed, 21 Aug 2024 15:23:24 +0000

On November 1, 2023, the New York State Department of Financial Services (NYDFS) issued its Second Amendment (the Amendment) to its Cybersecurity Requirements for Financial Services Companies adopted in 2017, published within Section 500 of 23 NYCRR 500 (the Cybersecurity Requirements; the Cybersecurity Requirements as amended by the Amendment, the Amended Cybersecurity Requirements). In the introduction […]

Introducing Automatic SSL/TLS: securing and simplifying origin connectivity

Alex Krivit — Thu, 08 Aug 2024 13:05:18 +0000

This new Automatic SSL/TLS setting will maximize and simplify the encryption modes Cloudflare uses to communicate with origin servers by using the SSL/TLS Recommender

Avoiding downtime: modern alternatives to outdated certificate pinning practices

Dina Kozlov — Mon, 29 Jul 2024 13:00:37 +0000

The number of outages caused by certificate pinning is increasing. We’ll explore why certificate pinning hasn’t kept up with modern standards and recommend alternatives to improve security while reducing management overhead

How we ensure Cloudflare customers aren’t affected by Let’s Encrypt’s certificate chain change

Dina Kozlov — Fri, 12 Apr 2024 13:00:09 +0000

Let’s Encrypt’s cross-signed chain will be expiring in September. This will affect legacy devices with outdated trust stores (Android versions 7.1.1 or older). To prevent this change from impacting customers, Cloudflare will shift Let’s Encrypt certificates upon renewal to use a different CA

Upcoming Let’s Encrypt certificate chain change and impact for Cloudflare customers

Dina Kozlov — Thu, 14 Mar 2024 14:00:23 +0000

Let’s Encrypt’s cross-signed chain will be expiring in September. To prepare for the change, after May 15th, 2024, Cloudflare will start issuing certs from Let’s Encrypt’s ISRG X1 chain. This change will impact legacy devices with outdated trust stores (Android versions 7.1.1 or older)

AWS Certificate Manager will discontinue WHOIS lookup for email-validated certificates

Lerna Ekmekcioglu — Tue, 09 Jan 2024 20:31:55 +0000

AWS Certificate Manager (ACM) is a managed service that you can use to provision, manage, and deploy public and private TLS certificates for use with Amazon Web Services (AWS) and your internal connected resources. Today, we’re announcing that ACM will be discontinuing the use of WHOIS lookup for validating domain ownership when you request email-validated […]

How to implement client certificate revocation list checks at scale with API Gateway

Arthur Mnev — Thu, 21 Dec 2023 14:21:01 +0000

ityAs you design your Amazon API Gateway applications to rely on mutual certificate authentication (mTLS), you need to consider how your application will verify the revocation status of a client certificate. In your design, you should account for the performance and availability of your verification mechanism to make sure that your application endpoints perform reliably. […]

Decrypting Zabbix TLS with Wireshark

Markku Leiniö — Mon, 06 Nov 2023 13:35:58 +0000

One of the built-in security features in Zabbix is TLS (Transport Layer Security) support for external connections. This means…

The post Decrypting Zabbix TLS with Wireshark appeared first on Zabbix Blog.

Messaging Service Wiretap Discovered through Expired TLS Cert

Bruce Schneier — Fri, 27 Oct 2023 11:01:00 +0000

Fascinating story of a covert wiretap that was discovered because of an expired TLS certificate:

The suspected man-in-the-middle attack was identified when the administrator of jabber.ru, the largest Russian XMPP service, received a notification that one of the servers’ certificates had expired.

However, jabber.ru found no expired certificates on the server, as explained in a blog post by ValdikSS, a pseudonymous anti-censorship researcher based in Russia who collaborated on the investigation.

The expired certificate was instead discovered on a single port being used by the service to establish an encrypted Transport Layer Security (TLS) connection with users. Before it had expired, it would have allowed someone to decrypt the traffic being exchanged over the service...

Connection coalescing with ORIGIN Frames: fewer DNS queries, fewer connections

Suleman Ahmad — Mon, 04 Sep 2023 13:00:51 +0000

In this blog we’re going to take a closer look at “connection coalescing”, with specific focus on manage it at a large scale

Introducing per hostname TLS settings — security fit to your needs

Dina Kozlov — Wed, 09 Aug 2023 13:00:41 +0000

Starting today, customers that use Cloudflare’s Advanced Certificate Manager can configure TLS settings on individual hostnames within a domain