New OpenSSL vulnerabilities: CloudFlare systems patched
2014-06-05
The OpenSSL team announced seven vulnerabilities covering OpenSSL 0.9.8, 1.0.0, 1.0.1 and 1.0.2 (i.e. all versions) earlier today....
CloudFlare is PCI Certified
2014-06-04
Great news for everyone using CloudFlare on an e-commerce site, or a site accepting or processing credit card transactions. After undergoing a Payment Card Industry (PCI) Data Security Standard (DSS) 2.0 security control assessment, we’ve been certified as a Level 1 service provider....
Welcome to Miami: HostingCon 2014
2014-05-28
This year’s HostingCon will be held in Miami Beach, and the CloudFlare team is busy prepping. This is our fourth year at the show and our team is excited to see partners, customers and friends....
CloudFlare Meetups: Set your mind on fire.
2014-05-27
Education, expertise, and community: these themes define Meetups at CloudFlare. Meetups in our office bring together industry leaders, academics, and field experts to examine topics ranging from the Go programming language, to databases, to cryptography, and more....
BPF - the forgotten bytecode
2014-05-21
Every once in a while I run into an obscure computer technology that is a hidden gem, which over the years has become mostly forgotten. This is exactly how I feel about the tcpdump tool and its kernel counterpart the packet filter interface....
The Web is World-Wide, or who still needs RC4?
2014-05-19
Two weeks ago we changed our TLS configuration to deprioritize the RC4 encryption method because it is widely thought to be vulnerable to attack. At the time we had an internal debate about turning off RC4 altogether, but statistics showed that we couldn't....
Killing RC4: The Long Goodbye
2014-05-07
At CloudFlare we spend a lot of time thinking about the best way to keep our customers’ data safe. Despite recent troubles, HTTPS is still the best way to deliver encrypted content for the web. ...
Tracking our SSL configuration
2014-05-03
Over time we've updated the SSL configuration we use for serving HTTPS as the security landscape has changed. In the past we've documented those changes in blog posts....
Searching for The Prime Suspect: How Heartbleed Leaked Private Keys
2014-04-27
Within a few hours of CloudFlare launching its Heartbleed Challenge the truth was out. Not only did Heartbleed leak private session information (such as cookies and other data that SSL should have been protecting), but the crown jewels of an HTTPS web server were also vulnerable....
Upcoming Meetups at CloudFlare
2014-04-21
At CloudFlare, we love connecting with our communities, and so we are excited to announce two meetups to be hosted here at the CloudFlare headquarters in San Francisco next month....
The Hidden Costs of Heartbleed
2014-04-17
A quick followup to our last blog post on our decision to reissue and revoke all of CloudFlare's customers' SSL certificates. One question we've received is why we didn't just reissue and revoke all SSL certificates as soon as we got word about the Heartbleed vulnerability?...
The Heartbleed Aftermath: all CloudFlare certificates revoked and reissued
2014-04-17
Eleven days ago the Heartbleed vulnerability was publicly announced. Last Friday, we issued the CloudFlare Challenge: Heartbleed and simultaneously started the process of revoking and reissuing all the SSL certificates....
Certificate Revocation and Heartbleed
2014-04-12
As you may have noticed, the CloudFlare Heartbleed Challenge has been solved. The private key for the site cloudflarechallenge.com has been obtained by several authorized attackers via the Heartbleed exploit....
The Results of the CloudFlare Challenge
2014-04-11
Earlier today we announced the Heartbleed Challenge. We set up a nginx server with a vulnerable version of OpenSSL and challenged the community to steal its private key....
Answering the Critical Question: Can You Get Private SSL Keys Using Heartbleed?
2014-04-11
Below is what we thought as of 12:27pm UTC. To verify our belief we crowd sourced the investigation. It turns out we were wrong. While it takes effort, it is possible to extract private SSL keys....
Jetpack for WordPress: automatic protection
2014-04-10
As we've said before, lots of our users run WordPress on their websites and its popularity makes it a big target. So when a new vulnerability is discovered, acting quickly is prudent....
Staying ahead of OpenSSL vulnerabilities
2014-04-07
Today a new vulnerability was announced in OpenSSL 1.0.1 that allows an attacker to reveal up to 64kB of memory to a connected client or server (CVE-2014-0160). We fixed this vulnerability last week before it was made public. ...
Introducing CNAME Flattening: RFC-Compliant CNAMEs at a Domain's Root
2014-04-03
This post is about a new feature we've been quietly rolling out over the last few months. Last week we began enabling it for everyone by default. ...
The weird and wonderful world of DNS LOC records
2014-04-01
A cornerstone of CloudFlare's infrastructure is our ability to serve DNS requests quickly and handle DNS attacks. To do both those things we wrote our own authoritative DNS server called RRDNS in Go. ...
How to ensure your server's software stays secure?
2014-03-17
At CloudFlare, security is on the top of our minds. We are always looking for ways to better secure the data we are entrusted with and improve the security of our customers' websites. ...
