Cloudflare is a Teenager: A Security Company? A Network? A CDN? No! A Connectivity Cloud

We have been very successful with our spin-out companies. Overall, as a company grows, it will typically reflect the beliefs of its founders, and so any new startup needs to set itself up in the right way. And, so, one company whose approach to its work I have so much respect for is Cloudflare, and it celebrated its 13th birthday yesterday.

For me, I am a heavy user of Cloudflare, and its WAF (Web Application Firewall) helps me protect my site [https://asecuritysite.com].

Over the past month, my site has received 106K unique users (1.2 million per year), and 2.24 million requests (26 million per year) — of which over 44% of the content comes from a cache as near to the user as possible:

With the WAF, Cloudflare sits between the user and the Web site, and can break the HTTPS tunnel and examine the traffic. We can then filter on most of the details within the packet header, such as the country, words in the URI, and known bots:

But where it gets most interesting is within the WAF (Web Application Firewall), which breaks the connection between the client and my server and can then examine the traffic for virtually anything in the packets and/or session:

For the WAF, we can examine the URI in detail for any matching characteristic and then either block or challenge the client:

This is all free, for up to five rules. For cryptography, too, it is to Cloudflare that we can turn for the state-of-the-art, such as their FIDO2 authentication for users, which rids us of those pesky passwords.

The founders’ letter

And, so, its founders, Matthew Prince and Michelle Zatlyn, are still highly passionate about Cloudflare, and publish an annual founders’ letter:

https://blog.cloudflare.com/cloudflares-annual-founders-letter-2023/

To many, Cloudflare is a security company, or a network, or a CDN (Content Delivery Network), but Matthew and Michelle dismiss this and say that they are none of these: they are a connectivity cloud, one which pushes content dynamically to the user.

Basically, Cloudflare is the mechanism by which we can move away from centralised cloud services to one which distributes content across the world, and as near the user as possible.

And, I love when technology and art come together, and where they leave us with a little poem about the greatness of the Cloud:

The connectivity cloud, a wondrous sight to see,
Where data flows and knowledge is set free,
A place where minds meet and ideas take flight,
A world of endless possibility in sight.

The success of Cloudflare

I really can’t say how good Cloudflare are as a company. For AWS, I need to enable my Web site in different regions of the world, and deliver caches with endpoint, and then put a WAF (Web Application Firewall) in front of these — and then make it all dynamic to cope with network demand. With Cloudflare, it is a few clicks, and they now act as a proxy to my Web site and buffer some of the content as near to the customer as possible. This considerably enhances the quality of service. But, the main thing they do is stateful deep packet inspection, and they can fight off those nasty bots, or Denial of Service attacks. Cloudflare makes the Internet a much better place.

In Figure 2, we see that Alice does not connect directly to Bob’s Web site. Instead, her connection is with Cloudflare. This is delivered over an HTTPS tunnel and then decrypted by Cloudflare with their WAF. Cloudflare will then do a deep packet inspection and either forward the packets through to Bob or challenge Alice with a JavaScript or CAPTCHA challenge to prove that she isn’t a bot. Alternatively, Bob might not like certain IP addresses or country domains and can set up rules to drop these connections. Then, if acceptable, Cloudflare will check Bob’s Web site for new content; if it is just the same, then a good deal of content can be delivered from Cloudflare’s cache. These caches are placed around the world and are as near to Alice as possible. With a click of a button, DDoS defence is enabled too, and at no cost for the basic service. It’s genius!

Figure 2: Web Application Firewall (WAF) and Web Cache
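
The flow in Figure 2 can be sketched as a small model. This is an added example, not Cloudflare's code or rule syntax: the `Request`, `Origin` and `EdgeProxy` names, the rule set, the documentation-range IP addresses and the `ZZ` country code are all constructed for illustration. Rules are evaluated in order, the first match blocks or challenges, and only accepted requests reach the cache, which is revalidated against the origin's version before being served.

```python
from dataclasses import dataclass

@dataclass
class Request:
    ip: str
    country: str                    # two-letter code derived from the client IP
    uri: str
    known_bot: bool = False
    passed_challenge: bool = False  # client already solved a JS/CAPTCHA challenge

# Constructed rule set: (name, predicate, action). First matching rule decides.
RULES = [
    ("blocked-ip",      lambda r: r.ip in {"203.0.113.7"},   "block"),
    ("blocked-country", lambda r: r.country in {"ZZ"},       "block"),
    ("known-bot",       lambda r: r.known_bot,               "block"),
    ("admin-uri",       lambda r: "/admin" in r.uri.lower(), "challenge"),
]

class Origin:
    """Stands in for Bob's Web site: a version tag and body per URI."""
    def __init__(self, pages):
        self.pages = pages          # uri -> (version, body)
        self.body_fetches = 0       # how often the full body left the origin
    def version(self, uri):
        return self.pages[uri][0]
    def fetch(self, uri):
        self.body_fetches += 1
        return self.pages[uri]

class EdgeProxy:
    """Stands in for the proxy between Alice and Bob (assumed model)."""
    def __init__(self, origin):
        self.origin = origin
        self.cache = {}             # uri -> (version, body)

    def handle(self, req):
        for name, matches, action in RULES:
            if matches(req):
                if action == "challenge" and req.passed_challenge:
                    continue        # challenge solved; later rules still apply
                return (action, name, None)
        if req.uri not in self.origin.pages:
            return ("allow", "not-found", None)
        cached = self.cache.get(req.uri)
        if cached and cached[0] == self.origin.version(req.uri):
            return ("allow", "cache-hit", cached[1])   # unchanged at origin
        self.cache[req.uri] = self.origin.fetch(req.uri)
        return ("allow", "origin-fetch", self.cache[req.uri][1])
```

The ordering matters: a client that has passed a challenge still hits the block rules, so a solved CAPTCHA never overrides an IP, country or bot rule.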

But, many people didn’t think that Cloudflare could actually create a business model with their approach. The investment in cloud services around the world would be massive, and then the cost of being able to cope with massive DDoS and botnet activity was a phenomenal challenge.

And, so, the co-founder of the company (Michelle Zatlyn) has said that she faced many people who said that Cloudflare was too risky and too disruptive in the market — and would never work. For us, as a university team, we have managed to produce a number of great spin-outs, which have been highly successful in the market. And along the way, we have had people saying that our ideas would never work, but we have proven them wrong. For this, I think she makes a great comment [here]:

You don’t need to win them over. Everyone comes around at some point, and your job is to keep winning on the field, gaining progress, gaining ground …, and finding the people who do want to believe and be championed. If you spend your time on that, you’ll be much happier and more productive for it.

And that there are no “magic bullets” to be successful:

I think if you’re a founder and you’re not sure, that’s OK. There are lots of ways to be successful. If you talk to a hundred successful founders, you will get a hundred different ways.

And, for timing, stop over-analysing, and go for it …

People don’t take opportunities because the timing is bad, or the financial side is unsecure. Too many people are overanalyzing. Sometimes you just have to go for it.

Cloudflare as a leader

There are so many ways that Cloudflare has led in looking after their customers, especially in areas of privacy and in the move towards Post Quantum Cryptography. For this, they have invested a great deal into R&D, and have developed new user authentication methods that move away from usernames and passwords — and toward the usage of FIDO2 tokens. Along with this, they have research related to Zero Knowledge Proofs to protect their customers’ privacy, and in Post Quantum Cryptography. If you are interested, here is their CIRCL library:

https://asecuritysite.com/circl

which now supports the NIST-defined PQC standards of Dilithium (for digital signatures) and Kyber (for key exchange). And, here’s Nick Sullivan, the Head of Research at Cloudflare, and an international leader in TLS mechanisms:

Conclusions

I say again, I love Cloudflare as a company. They look after their customers. And, as Federico Charosky says, “We fight bullies!”. The Internet is a much better place with Cloudflare in it. DDoS is a blunt weapon against companies, and Cloudflare has significantly blunted it. Their WAF allows small businesses to cope with attacks in the way that only large ones can.

If you want to try their amazing CIRCL library, do it here:

https://asecuritysite.com/circl