🧵🧵🧵
After all this time on Twitter, I don’t think I’ve ever written an introductory thread, so here it is! If you don't already follow me, or do but forgot why, here's who I am and what to expect from me on Twitter.
🧵🧵🧵
Fun fact: I wasn’t supposed to be in this video. I was just walking into work one day, saw Tom Scott in the lobby and asked “Aren’t you Tom Scott from YouTube?” and he interviewed me.
The camera is digital, but I grew up in the 80s so I reflexively used the term “videotape” 😅
Tom Scott retired his legendary YouTube channel after 10 years.
A favourite lesson: For encryption, Cloudflare uses a camera to videotape a wall of Lava Lamps. Then turns footage into a “stream of random unpredictable bytes” to make encryption keys for traffic on its network.
Thread.
I was recently privy to a conversation in which some really smart people in security shared their favorite papers or articles. Security engineering, like other disciplines, has a rich history worth learning from.
I'm going to list some of these papers in this thread.
DNS-over-HTTPS will be rolled out by default in Firefox for U.S. users starting at the end of September 2019. Firefox will default to using Cloudflare's 1.1.1.1 at first, but that may change if other resolvers adopt a comparably strong privacy policy.
Personal news!
Today marked a significant milestone for me. Ten years ago yesterday, I embarked on an incredible journey with a scrappy San Francisco startup. Now, @Cloudflare is a global powerhouse, and I am turning the page and announcing my departure.
Over the past decade,
This is huge! Cloudflare now offers a global NTP service at . It supports NTP and authenticated time via the new Network Time Security (NTS) spec. Authentication keys are established over TLS 1.3 on port 1234.
Facebook lets you know which advertisers uploaded a contact list with your info.
The next time you see an ad, follow this sequence:
Why am I seeing this ad->
Manage your ad preferences->
Advertisers->
Advertisers who uploaded a contact list with your info
How big is your list?
The 1.1.1.1 resolver now supports a new protocol: DNS over Twitter! Just send your queries to @1111Resolver.
We’re also working on even more interesting ways to access the DNS. Watch this space.
#1dot1dot1dot1
Encrypted Client Hello (ECH) is a new proposed standard that improves encryption and metadata protection for connections online that use TLS for security. After years of testing and refinement, it's finally happening.
Chrome has been testing ECH for months, and is now enabling
DNS should be fast and private. Cloudflare's new DNS resolver helps make this possible by running DNS-over-HTTPS with TLS 1.3 0-RTT on a massive global network with correctly aligned incentives.
"We don't see personal data as an asset; we see it as a toxic asset"
#1dot1dot1dot1
Introducing RFCGPT: the virtual assistant that has read the entire RFC series. Ask it anything about internet protocols and standardization!
This tool is built on OpenAI’s new “My GPT” feature and is available to all ChatGPT Plus customers. Note that
Announcing support for Encrypted SNI. Never leak your browsing history in plaintext to your ISP again.
#CryptoWeek
#BirthdayWeek
Cloudflare Announcement:
Technical Details:
IETF Draft:
TLS 1.3 was approved by the IESG.
The votes landed as follows:
Ben - Yes
Warren - No
Alissa - Yes
Benjamin - Yes
This means it’s in the hands of the RFC editors to make editorial changes and publish it as an RFC. This process typically takes a few months.
The post-quantum crypto experiments at @Cloudflare have begun. There are now two (hybrid) post-quantum key agreement algorithms supported in TLS 1.3 at Cloudflare's edge:
- One based on lattices (NTRU-HRSS: big key, low CPU)
- One based on isogenies (SIDH: small key, high CPU)
I left Apple 7 years ago. My code is still running in every iPhone and Mac on the planet. I wish it wasn’t, and that’s partially my fault. When you put code into the world, think about how to write it in a way that it can be replaced with something better.
Does anyone ever think about all the code they’ve written? Where is it at today? Will it still be running in 100 years? Is a future developer 50 years from now going to see it and be like wow this is old school?
We deployed two post-quantum (aka quantum-resistant as far as we know) key agreement algorithms in TLS 1.3: one fast with big keys (ostrich) and one slow with smaller keys (turkey) and ran an experiment with Chrome to race them. Here are the results.
RFC 8565 is especially brilliant.
The HyperText Jeopardy Protocol (HTJP) inverts the request/response semantics of the Hypertext Transfer Protocol (HTTP) [..] Using HTJP, one connects to a server, sends an answer, and expects a correct question.
I wrote a blog post about why TLS 1.3 isn't in browsers yet:
@Lekensteyn built a tool to help investigate TLS 1.3 failures due to middlebox interference:
Let's make 2018 the year of TLS 1.3
The Cloudflare Crypto team is working on a bunch of assembly-heavy (x86_64/ARM64) cryptography code in Go. This includes high-speed elliptic curves of various flavors (NIST, CFRG, MSFT, Pairing-friendly), post-quantum crypto, hashing. We're soliciting reviewers. DM for details.
It’s hard to overstate how bad this F5 bug is. It’s basically DROWN without needing SSLv2. If you have a vulnerable F5, anyone can sign things with your RSA private key. Bleichenbacher strikes again.
New Directions in Cryptography - Whitfield Diffie and Martin Hellman (1976)
It's hard to emphasize just how revolutionary the concept of public key cryptography is. This paper started it all, introducing D-H key agreement and digital signatures.
The 1.1.1.1 resolver also implements the latest privacy-enhancing standards such as DNS-over-TLS, DNS-over-HTTPS, QNAME minimization, and it removes the privacy-unfriendly EDNS Client Subnet extension. We’re also working on new standards to fix issues like
Awesome work at the IETF 102 hackathon by the encrypted SNI team consisting of folks from @Cloudflare, @fastly, @mozilla and @apple. There are now implementations in BoringSSL, NSS and picotls.
Working servers are live at and .
If you're going to impress us with factoring RSA public keys, factor one from the RSA Factoring Challenge. If you can factor the original 1991 RSA-2048 modulus by the end of the year, I'll match the original cash prize of $200,000. Show your work.
DNS interception and manipulation is real and pervasive. This paper is a great motivator for the deployment of encrypted DNS and DNSSEC.
#usesec18
Who Is Answering My Queries: Understanding and Characterizing Interception of the DNS Resolution Path
Having encrypted DNS enables so many cool things online. For example, we have a new proposal for encrypting SNI that we'll be talking about at #IETF102.
Here's the draft:
In case you missed it, we built a TypeScript library to do zero-knowledge proofs over ECDSA signatures. ECDSA is ubiquitous, so there are potentially thousands of interesting real-world applications including adding privacy to WebAuthn attestation.
Reflections on Trusting Trust - Ken Thompson (1984)
This paper succinctly describes the concept that it's not enough to trust software, you also need to trust the software that compiles the software, and the software that compiles the compiler, and so on.
I have an exciting update to share! Starting today, I'm available for 1:1 calls on Intro to help the next generation of startups. Keep reading ⬇️
For those who don’t know me yet, I’m a Computer Security and Cryptography Expert, the founder of Cloudflare Research, and was a
It's my seven(!) year anniversary at @Cloudflare today. I'm grateful for all the people I've met along the way and all the important work we've been able to do. That said, I feel like I'm just getting started.
Cloudflare now supports TLS 1.3 for the connection between Cloudflare and the origin server, enabled by default. There were issues with certain load balancers not handling the RFC version of the protocol, but these are mostly fixed. Non-trivial speed boost for dynamic content.
Welcome to #CryptoWeek at @Cloudflare!
Kicking it off with an introduction by me:
The Distributed Web Gateway (starring IPFS):
IPFS Gateway Validator extension:
Stay tuned every day for new announcements!
With the recent SHA-1 news, it’s important to understand why collisions and chosen-prefix attacks have different impacts on security. Luckily I wrote a blog post about this!
What an interesting few weeks to be working at @Cloudflare, especially on the blog. Well, don’t think we’re letting up. If you live for technical blog posts, block off a few hours and dust off your reading glasses because you’re in for a treat next week.
Today's my six year anniversary at @Cloudflare. Thank you to everyone who has been a part of this incredible run. There have been too many highlights to count, but if you'd like to stroll down memory lane for a bit, keep reading.
We’re at an interesting point in history with respect to internet protocols. TLS 1.3, DoH, Wireguard, HTTP/2 CERTIFICATE frame, MLS, and others are changing the game but aren’t widely deployed yet. Support your local e2e encrypted network protocol.
Some people say DNSSEC is useless. Recent events have convinced me otherwise. Since BGP hijacking is prevalent and the deployment of TLS-protected DNS protocols is focused on the user-to-resolver path (rather than resolver to authoritative), DNS poisoning is a real threat.
Monsters in the Middleboxes: a new blog post by @gabbifish and @lukevalenta highlighting recent work on the measurement of TLS-inspecting proxies. We also open sourced our code () and built a dashboard ().
Privacy has deservedly become a bit of a buzzword online. There are more opportunities to watch, profile, and surveil Internet users than ever. This is a growing concern as our lives and our stuff (there are more net-connected devices than people on earth) move online.
And it looks like they're blocking encrypted SNI outright (according to accounts on the ground). In some ways, this is our fault for not agreeing on a final spec and pushing it out to more clients faster. The politics around network privacy engineering are tricky. Cliffs abound.
Looks like South Korea has started filtering the internet across all ISPs using SNI (one thing we can't yet encrypt under TLS 1.3). Fuuuuuuck
#censorship
This World of Ours - James Mickens (2014)
A comedic article that helps emphasize the difference between targeted attacks by well-resourced adversaries and the more pedestrian threats faced by the general populace.
There’s been a lot of noise around new DNS encryption technologies lately, including DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH).
This explainer by @Lekensteyn cuts through the noise with a clear explanation of how these technologies work.
We are now in the exciting early adopter phase of the post-quantum cryptography transition.
The last year has seen some major developments. In November 2022, Google deployed post-quantum cryptography for internal communications () and then by August 2023,
Some of the loudest complaints we hear about Cloudflare from folks on Twitter are about two things: end-to-end integrity and access through Tor. Next week we’ll be announcing two innovative new features to help resolve these issues.
#CryptoWeek
This may well be the most soothing 30 seconds of your day: a chaotic pendulum used to generate random numbers for secure communication (recorded at @sciencemuseum today, in the Top Secret exhibition).
Over 5% of HTTPS requests to Cloudflare use TLS 1.3. Getting to 50% of browser requests is possible by the end of the year. We're changing the defaults to get more sites on board.
It's all coming together for TLS 1.3 Draft 23. We've enabled it on Cloudflare, Chrome and Firefox support is landing imminently, and the working group has declared another Last Call
Having both DoH (DNS-over-HTTPS) and DoT (DNS-over-TLS) is great. DoH is fantastic for browser clients who already implement HTTP/2 and all its multiplexing machinery, and DoT is perfect for the DNS backend. I look forward to more authoritative DNS servers supporting DoT.
As IETF 101 convenes in London, TLS 1.3 use on the internet soars. We're now seeing 2% of global connections to Cloudflare use TLS 1.3! This is mostly due to Chrome 65 enabling TLS 1.3 by default.
#tls13
It’s Crypto Week again at @Cloudflare! We’re very excited to share a week of cryptography-related announcements.
As a warm up, I wrote a post outlining why we do Crypto Week and some thoughts on securing the Internet of the future. Enjoy.
Thread
One of the perks of working at @Cloudflare is that technical people are encouraged to share their voice with the public on the company blog. Generous coworkers donate time, energy, and expertise to enable these amazing builders to teach and explain for the benefit of all.
Cloudflare's public time service, , is now serving over 1 million NTP requests per second at peak! It's been less than a year since the service was launched.
⌚️⌚️⌚️
Improving SSL Warnings: Comprehension and Adherence - Adrienne Porter Felt et al. (2015)
A data-driven study of how well/poorly user interfaces express security features to users in web browsers.
Thread.
Big announcement from Cloudflare today: we have opened our post-quantum cryptography alpha. We now support Kyber, a post-quantum key agreement in Cloudflare’s reverse proxy product and we want you to help test it with us.
Lest We Remember: Cold Boot Attacks on Encryption Keys - J. Alex Halderman et al. (2008)
Another security paper that explores the reasons why good encryption software can be insufficient in the face of physical attacks.
Even modern cryptographic protocols like TLS 1.3 are vulnerable to weak randomness in the underlying system. This risk can be mitigated in a general way using a secret key. Just use “this one weird trick” described by @CasCremers, myself, et al.
Format String Attacks - Tim Newsham (2000)
Still one of the most pervasive security issues, format string vulnerabilities demonstrate the dangers of mixing abstractions.
PSA: @Cloudflare’s WARP is *not* a VPN as the term is popularly used. It does not make you anonymous to the sites you are visiting. It does, however, encrypt your traffic so your local network and ISP can’t see it, providing enhanced privacy. Even for unencrypted HTTP and DNS!
It turns out there were printers running a “theorized” NSA backdoor into RSA’s TLS library, and this was discovered because people were searching for TLS 1.3-incompatible implementations and there just happens to be a namespace collision.
An under-the-radar new feature from @Cloudflare for sites with custom domains on shared hosting (such as Github pages or Heroku). You can now enable certificate validation (Strict mode) and Cloudflare will use the CNAME target to validate the cert.
Technical writing at @Cloudflare wouldn't be what it is without @jgrahamc, who always brings great perspective to even the most in-the-weeds technical topic.
I just presented a new HTTP header at #IETF102 developed with @Akamai and @Fastly to prevent CDN looping attacks like . We’re looking for other reverse proxies/CDNs to collaborate. Let’s work together to fix common problems!
Day 4 of #CryptoWeek: Cloudflare launches its own Onion service on Tor for customers. This is a huge deal: it reduces friction for people using Tor while still allowing Cloudflare to block bots. Powered by alt-svc: no .onion certificate required!
If Zoom announces their own half-baked crypto protocol for group key agreement instead of announcing a plan to dedicate resources to help MLS be the best it can be, I consider this a failure.
We need *one* open and well-vetted standard with solid libraries, not another me-too.
To emphasize the need for secure time for HTTPS, I worked with researchers to measure the reliability of certificate revocation (OCSP) servers: the results were mixed. We need short-lived credentials.
(To be published at ACM IMC 2018)
#CryptoWeek
You can now access the Ethereum network through @Cloudflare via HTTP using the Distributed Web Gateway at . You can also create your own gateways using any hostname of your choosing.
#CryptoWeek
Thread
Real World Crypto 2020 is upon us. RWC is the marquee applied cryptography conference, bringing together academia and industry (51% of attendees have no academic affiliation). It's the largest RWC ever with 642 attendees.
Talk summaries to follow.
#realworldcrypto
I was chatting with a friend of mine who hires engineers who told me that in their company's hiring process they have an explicit focus on assessing the candidate's "grit" during the interview process.