CLOUDFLARE IN 2014: BIGGER, FASTER, SECURER

At the end of 2013 we posted a blog article titled 2013: Rebuild the Engine; 2014: Step on the Gas, which explained how in 2013 we had been rebuilding the engine that powers CloudFlare and how we expected 2014 to be the year we stepped on the gas.

In that blog post, we said that we’d be expanding our network to better serve customers in China and Latin America (as well as continuing other global expansions), and that we’d be making a big announcement around SSL.


CC BY-ND 2.0 image by Do Hyun-Kim

Looking back at 2014, we did a whole lot more and many of those changes had a meaningful impact well beyond CloudFlare. Now when we make a change, the needles on the Internet’s dials move: when we roll out support for new protocols, sites tracking those protocols see a sudden jump in usage.

Here’s a month by month review of CloudFlare’s 2014:

January 8: keeping our promise to Latin America, we opened our first data center there in Chile.

January 27: we published our first transparency report covering National Security Orders on the first day it became legal to discuss them.

February 13: we published details of a massive DDoS attack (that peaked at almost 400Gbps).

February 14: we introduced a new Strict SSL mode to ensure that connections between CloudFlare and customer web servers could not be subject to a MITM attack.

February 17: we rolled out support for the most recent version of the SPDY protocol (SPDY/3.1).

April 3: we rolled out support for CNAME flattening that includes the zone root.

April 7: March 2014 had been very quiet, but it was the calm before the storm. On this day, the Heartbleed vulnerability became public. CloudFlare clients were protected, but that wasn’t the end of the story.

Four days later, we set up the Heartbleed Challenge to determine if private keys were obtainable using Heartbleed. Nine hours after the start of our challenge, we had the definitive bad news: yes, private keys could be obtained.

Because private keys could have been vulnerable, CloudFlare then revoked every SSL certificate that we’d issued and caused the CRL to grow massively in an unprecedented fashion. Later, we gave a detailed analysis of how the private keys could leak with Heartbleed.

May 3: we began publishing our SSL configuration so that others could use it.

May 7: faced with the fact that RC4 looked more and more vulnerable, we removed RC4 as a preferred cipher and saw an instant drop in the number of connections using it. We also followed up with an analysis of who still uses RC4.

June 4: a big announcement for us and for anyone who wants to use CloudFlare for business: we’re PCI Certified.

June 5: even more OpenSSL problems, and we patched them all to protect our systems and our customers’ sites. The same day was World IPv6 Day when it became clear that 20% of the IPv6 is on CloudFlare (we also added special headers to ease the transition from IPv4 to IPv6).

June 12: we introduced Project Galileo which gives free CloudFlare service to sites likely to be attacked for exercising free expression rights.

June 13/16: two new CloudFlare data centers come online: first Madrid, Spain then Milan, Italy.

July 7/22: CloudFlare’s new data center in São Paulo, Brazil comes online, followed two weeks later by Medellin, Colombia.

August 5: we rolled out support for WebSockets.

September 18: we rolled out Keyless SSL and went deep into the details.

September 24: the ShellShock bug hit. We patched our systems and rolled out firewall rules for all customers.

September 29: we made SSL free for everyone with the announcement of Universal SSL, fulfilling the promise we made at the start of the year.

October 14: we dropped support for SSLv3 entirely because of the POODLE vulnerability.

November 10: we outlined our plans to upgrade certificates that use SHA-1 to meet Google Chrome’s expected behavior.

December 3/9: two more data centers, this time it was Lima, Peru followed by Johannesburg, South Africa.

Looking back over 2014, we added new data centers around the globe and added capacity everywhere; rolled out Keyless SSL, WebSockets support, Universal SSL, CNAME flattening, SPDY/3.1 and more; and stayed on top of nasty Internet bugs like Heartbleed, Shellshock, POODLE, and more.

What will 2015 bring? Much more: new data centers all over the globe (including in China), new product lines that we haven’t hinted at and some we have (e.g. DNSSEC support), and lots of surprises. This year, we plan on adding more equipment and network capacity than we have in CloudFlare’s combined first five years.

Best wishes for 2015.

If your New Year’s Resolution is to look for a change of employment (and you fancy working in London or San Francisco), check out our openings.
