Showing results for tags 'cloudflare'.

More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 35 results

  1. Anti-piracy coalition ACE is continuing its crackdown on pirate sites, targeting several high profile actors. Represented by the MPA, the group requests a DMCA subpoena that requires Cloudflare to hand over personal information and account details relating to the operators of The Pirate Bay, YTS, 1337x, EZTV, Seasonvar, Tamilrockers, Lordfilms, and many others. As one of the leading CDN and DDoS protection services, Cloudflare is used by millions of websites across the globe. This includes many pirate sites. Copyright holders would ideally like the company to cease its ties with these platforms, but Cloudflare sees things differently. It positions itself as a neutral third-party intermediary that will only take action in response to valid court orders. Cloudflare DMCA Subpoenas Thus far, court orders that have required Cloudflare to block or terminate a pirate site have been very limited. More commonly, rightsholders obtain DMCA subpoenas from US courts requiring the CDN provider to hand over information it has on the operators of pirate sites. During the first half of 2020, Cloudflare received 31 of these requests which targeted 83 accounts. Many of these were adult sites or relatively smaller pirate portals. This month, however, the anti-piracy coalition ACE has upped the ante. Last week we reported that ACE had obtained a subpoena to go after several pirate streaming sites. This week the crackdown continues, with the anti-piracy coalition requesting Cloudflare to expose information associated with The Pirate Bay and many other high profile sites. ACE Targets The Pirate Bay and Other Top Pirate Sites The list of targeted sites (46 in total) includes several of the top torrent sites, including YTS, 1337x, EZTV, LimeTorrents, and Tamilrockers. Other high profile non-English targets such as Cinecalidad, Pelisplus, Gnula, Altadefinizione, and DonTorrent are listed as well. 
The subpoena is requested by the MPA’s Jan Van Voorn, who writes on behalf of ACE and its members Amazon, Columbia Pictures, Disney, Netflix, Paramount Pictures, and Universal City Studios. The requested information will help the anti-piracy group to investigate the sites in question. “The purpose for which this subpoena is sought is to obtain the identities of the individuals assigned to these websites who have exploited ACE Members’ exclusive rights in their copyrighted works without their authorization,” the request reads. “This information will only be used for the purposes of protecting the rights granted under Title 17, United States Code,” Van Voorn adds. Cloudflare Will Hand Over Personal Details At the time of writing the subpoena has yet to be signed off by a court clerk, but that is usually not a problem. ACE will then forward it to Cloudflare which will hand over the requested details, including names, IP-addresses, email addresses, physical addresses, phone numbers, and payment details. How useful the provided information will be to ACE remains to be seen. Many of the affected pirate sites should be aware of the possibility that their information can be shared, and could have taken precautions. Why Now? Aside from the many high profile targets in this legal request, ACE’s sudden attention to Cloudflare DMCA subpoenas is interesting by itself. In the span of just a few days, ACE has asked the company to identify the operators of more than 80 sites. Many of these sites, including The Pirate Bay, have been Cloudflare customers for years. Why ACE has decided to take action now, as opposed to years ago, is unknown. — A copy of ACE’s request for a DMCA subpoena, submitted to a California federal court, is available here (pdf). A full list of all the affected domain names is provided below. 
Source: TorrentFreak
  2. And Cloudflare customers get way better availability The Internet Archive, repository for some 468bn webpages, has become a fail-over service for Cloudflare customers, which could improve website availability for everyone. On Thursday, Mark Graham, director of the Wayback Machine at the non-profit Internet Archive, said the archive's web-focused warehouse, the Wayback Machine, will store snapshots of websites enrolled in Cloudflare's Always Online service to provide access to those sites in the event they go offline. Graham in a blog post today said the Wayback Machine has long archived URLs from a variety of different sources including its web crawler, its "Save Page Now" URL submission form, and other signals. Going forward, the Wayback Machine will also include websites enrolled in Cloudflare Always Online, a decade-old site availability service offered at no charge to Cloudflare customers (The Register being one of them). "What we're trying to do is make sure all of our customers' sites are available and reliable, no matter what happens to them," said Cloudflare CEO Matthew Prince in a phone interview on Thursday. Large customers, he said, have the resources to run their hosting infrastructure in a reliable way, but smaller ones may have a challenge when their hosting provider goes offline. "If we can't get to that content, then we can't serve it up across the network," said Prince, whose company, among other things, helps web publishers distribute cached web data via endpoints at the network's edge. Cloudflare has been trying to do this since 2010, shortly after the company was founded. "One of the things that we wanted to provide, especially for smaller customers, was a service that would allow them to remain online no matter what," said Prince. Early versions of the service "worked okay," he explained, but faced the challenge of making sure Cloudflare didn't cache internal or private information. And a lot of sites weren't easily cataloged. 
It was difficult, Prince said, to determine what Cloudflare could cache and what it could show if a website went offline. Initially, the company relied on watching where Google's crawler went and assuming it could cache those pages. That worked well enough for a time, when Google's traffic all hit Cloudflare's data center in Ashburn, Virginia, but over the past decade, Google's crawling infrastructure became more complicated. Five years ago, Prince said, Cloudflare built its own crawler to help fill in the gaps, but the project never got the attention it deserved. "We're not in the business of crawling websites, so it wasn't the smartest crawler out there," he said. About a year ago, a product manager at Cloudflare pointed out that the Internet Archive had an expansive copy of the web, so the network service biz began looking into whether the two organizations could work together. "Our hope is this will make the Internet Archive more thorough and better by giving it a more complete picture of the web [while also helping our customers]," said Prince. The updated Always Online service requires customers to provide the Internet Archive with some website information, such as a hostname and popular URLs, for crawling. Thereafter, if the site fails to respond to a network request, Cloudflare will answer with a status code in the 520 to 527 range. It will then try to provide a stale or expired version of the content cached from an edge data center that it can serve to the requesting website visitor. If that data can't be found, it will ask the Internet Archive for its most recent site capture and serve it with a banner indicating that the original website is inaccessible. In an email to The Register, Graham said the Internet Archive's arrangement with Cloudflare doesn't entail any financial or infrastructure support. 
"But we appreciate the support from the many individuals, organizations and companies that have provided support to date, and those that may support us in the future," he said. "In general terms, we focus on trying to be of service first and foremost." Graham acknowledged that storing the data from Cloudflare Always Online customers does add to the Internet Archive's infrastructure costs. "We also benefit from learning about Web-based resources (via URLs) that we might not otherwise have known about, so the partnership helps us do a better job of archiving more of the public Web," he said. Source
  3. Anti-piracy coalition ACE is going after the operators of several pirate streaming sites. The members of ACE obtained a DMCA subpoena that requires Cloudflare to hand over the personal details and account information related to 37 domain names, including Flixtor.to, Myflixer.to, Watchserieshd.tv, HDSS.to and Soap2day.to. The online piracy ecosystem is constantly evolving. Ten years ago the entertainment industries were mostly concerned with torrent sites. Today, online streaming sites and services are the main challenges. To tackle this threat, some of the largest companies in the world bundled their powers. In 2017 they formed the Alliance for Creativity and Entertainment (ACE), which lists prominent members including major Hollywood studios, Netflix, Amazon, and other entertainment giants. ACE’s Ongoing Anti-Piracy Efforts The coalition has been very active both in- and outside of court. It has shut down various streaming sites and tools, including Kodi add-ons and builds, pirate streaming box vendors, and unauthorized IPTV services. These efforts often start with intelligence gathering. At ACE, a dedicated team of investigators is constantly trying to identify the people behind these sites and services. One way to do this is by subpoenaing Cloudflare for information. Late last week, ACE obtained such a DMCA subpoena at a California District Court. The subpoena specifically directs CDN provider Cloudflare to hand over all useful information it has on a wide range of popular pirate streaming sites. “The purpose for which this subpoena is sought is to obtain the identities of the individuals assigned to these websites who have exploited ACE Members’ exclusive rights in their copyrighted works without their authorization,” ACE wrote while requesting the subpoena. Targeting Flixtor.to, HDSS.to, Soap2day.to and others The legal paperwork lists 37 separate domain names, listed below. 
Several domains point to similar sites and the targets include Flixtor.to, Myflixer.to, Watchserieshd.tv, HDSS.to and Soap2day.to, which are all among the top hundred most-visited pirate streaming sites. Myflixer At the time of writing all these sites are still operational. Cloudflare doesn’t have to take any direct action against the targeted customers either, it merely has to hand over the requested information. Among other things, ACE is looking for the account holders’ names, IP addresses, and payment details. This information will be used “for the purposes of protecting the rights” of the Hollywood studios, Amazon, and Netflix. Cloudflare is legally required to comply with the subpoena. Previously, it was unknown what information the company typically hands over but the latest transparency report, published last week, provided further insight. Cloudflare to Share Names, IP-addresses, and More The CDN provider said that, in response to valid legal requests, it shares IP-addresses that are used to login to the site as well as the login times. In addition, it hands over ‘basic subscriber info.’ including names, email addresses, physical addresses, phone numbers, and payment details. How useful the provided information will be to ACE remains to be seen. However, it does show that the anti-piracy coalition is watching these sites closely. As such, it will likely do everything in its power to take them down. Finally, it is worth mentioning that several of the targeted domains are tied to the Donuts domain registry. For example, those with the .movie and .email extension. This is odd since Donuts has a voluntary agreement with the MPA, which is part of ACE, to suspend pirate site domains when they are properly reported. The MPA informed TorrentFreak that, in this case, they prefer to go for the Cloudflare subpoena route to support ACE’s investigations and the planned actions against the sites. Suspending the domains remains an option. 
— A copy of the letter ACE sent to Cloudflare informing it about the subpoena is available here (pdf). A full list of all the affected domain names is listed below. Source: TorrentFreak
  4. Cloudflare doesn't remove anything in response to DMCA takedown notices unless it stores the content permanently. However, the company will hand over personal details of customers to copyright holders who obtain a DMCA subpoena. Over the past 12 months, Cloudflare was ordered to share information regarding more than 400 accounts. Popular CDN and DDoS protection service Cloudflare has come under a lot of pressure from copyright holders in recent years. The company offers its services to millions of sites. This includes multinationals, governments, but also some of the world’s leading pirate sites. Many rightsholders are not happy with the latter. They repeatedly accuse Cloudflare of facilitating copyright infringement by continuing to provide access to these platforms. At the same time, they call out the CDN service for masking the true hosting locations of these ‘bad actors’. Cloudflare sees things differently. The company positions itself as a neutral service provider that doesn’t ‘host’ any infringing content. They just pass on information that is cached on its services temporarily. This means that if copyright holders report Pirate Bay URLs to Cloudflare, the company takes no action other than forwarding the DMCA takedown notices to its customer. By doing so, Cloudflare is convinced that it operates in accordance with the law. Identifying ‘Infringing’ Customers Not all rightsholders agree with this approach and some have filed lawsuits to hold Cloudflare liable. Others have gone to court to obtain DMCA subpoenas, which require the CDN provider to hand over all personal details it has on allegedly infringing customers. We regularly report on these requests, which target torrent sites, streaming sites, and many other pirate portals. In its latest transparency report, Cloudflare reveals how many times it was asked to comply and what information was shared in response. 
Over the past 12 months, Cloudflare received 58 DMCA subpoenas and the company answered all but one. Together, these affected more than 1,000 domains and close to 500 Cloudflare customers. Previously it wasn’t clear what type of records the company could hand over, but the transparency report provides more information on that as well. What Information is Shared? To comply with the subpoenas, Cloudflare can share the IP-addresses that were used to login to the site as well as the login times. In addition, it can hand over so-called ‘basic subscriber info.’ “This basic subscriber data would include the information our customers provide at the time they sign up for our service, like name; email address; physical address; phone number; the means or source of payment of service,” Cloudflare writes. Whether copyright holders can do anything with this information remains a question. Many larger pirate sites are quite skilled at hiding the tracks that lead to their true operators. For smaller sites that may be different. Website Blocking The transparency report also touches on website blocking, which is another high-profile topic. While Cloudflare is very cautious with blocking, it may in some cases comply with law enforcement requests and foreign court orders. “If we determine that the order is valid and requires Cloudflare action, we may limit blocking of access to the content to those areas where it violates local law, a practice known as ‘geo-blocking’. We will attempt to clarify and narrow overbroad requests when possible,” Cloudflare writes. Cloudflare says it’s cautious because of “the significant potential impact on freedom of expression.” How many domains are blocked is not mentioned, but it does occasionally take action. For example, earlier this year the pirate site DDL-Music.to was blocked in Germany following a court order. Finally, we have to note that Cloudflare also offers hosting services to some clients. 
If that’s the case, it will remove content when appropriate. That happened three times over the past year, affecting one or two domain names. — Cloudflare’s latest transparency report is available here. Source: TorrentFreak
  5. Cloudflare Warp: beta clients for Windows and Mac are now available Internet company Cloudflare launched its DNS service to the public on April 1, 2018. Besides using one of the easiest to remember IP addresses, Cloudflare promised that would be one of the fastest DNS services, support DNS-over-HTTPS and DNS-over-TLS, and that it would honor user privacy. Cloudflare is one of the options in many, currently experimental, DNS-over-HTTPS implementations in web browsers (Chrome, Firefox) and operating systems (Windows). Cloudflare added optional filters to its service in April 2020 which block access to undesirable sites on the DNS level. Cloudflare launched a companion app for its DNS service for Android and iOS in 2018, and extended the functionality with its WARP VPN service in 2019. The application enables the use of the company's DNS service on mobile devices, and users may also connect to the VPN service to improve protection further. Warp users get 100 Megabytes for free but need to subscribe for $4 per month for unlimited data. Warp and apps were only available for mobile operating systems up until now. Cloudflare published the first public beta clients of the programs for Microsoft Windows and Apple Macintosh devices this week. The download page reveals that the program is compatible with 64-bit Windows 10 version 1909 and newer versions of Windows, and Mac OS 10.15 or newer. Installation of the Windows client is straightforward; you need to accept the terms on first run before you can start using the client. Cloudflare Warp sits in the system tray area when it is launched. A click displays the main interface featuring a big toggle to connect or disconnect to the VPN network. 
Select the settings icon to switch between using Warp and, and only the DNS service The latter may be more convenient than setting up the DNS information manually, but it is better to configure the DNS provider manually as you won't need to run the software on your system for that task. The preferences list some useful options. You can change the DNS protocol from WARP to either DNS-over-HTTPS or DNS-over-TLS, and enable for Families functionality there if you want that. The few remaining options allow you to add networks that you want WARP to be disabled on automatically and to reset the encryption keys. The service worked fine during tests, but since it is labeled beta, it should only be run in test environments. Closing Words The beta Warp client for desktop systems enables you to connect to the WARP network and use the DNS service. It is easy to use but lacks plenty of options and features, e.g. kill-switch functionality, that dedicated VPN clients from established companies offer. It is a beta version on the other hand and there is a possibility that some options and features will be introduced before it hits stable. Cloudflare Warp: beta clients for Windows and Mac are now available
  6. Texas-based model Deniece Waidhofer, known for selling access to sexy photos of herself online, is taking action against Thothub, a site that publishes leaked copies of her work. The site, its members, and services it works with, including Cloudflare, are accused of copyright infringement and being part of a RICO conspiracy, the suit alleges. The Internet has brought us many new creators and publishers, some of whom are able to make a decent living from their work. The stories about YouTubers who make millions are well known. These web-stars earn their money through advertising, but there’s also a group of creators that have a more direct approach. In recent years there’s been an influx of models who share their, often sexy, pictures and videos in exchange for a monthly subscription. These creators use platforms such as Patreon and Onlyfans to share and monetize their work. This is also the case for the Texas model (De)Niece Waidhofer, who has gathered a dedicated group of paying fans over the years. The exact size of her following is not known but with nearly two million Instagram fans, her appeal is obvious. Pirates Harm Business Model Waidhofer offers different subscription levels for her photos, going all the way up to $1,000 per month for the sexiest footage. That sounds like a profitable business, but as with all content that’s published on the Internet, pirates are a problem too. While there are plenty of people who are willing to pay for this type of content, pirates prefer to get it for free. These people gather on dedicated sites where they share the exclusive content with other users. 
On Thothub, for example, which describes itself as the world’s leading ‘free e-girl community porn site.’ Waidhofer is not happy with these sites and recently stopped sharing ‘VIP snaps’ because of this ‘leak problem.’ In an effort to stop the leaks, she also lawyered up and sued Thothub and third-party companies it works with, including CDN provider Cloudflare and advertisers Bangbros and Multi Media. Thothub, Cloudflare, and the Racketeering Conspiracy In the complaint, which was filed at a federal court in California, Waidhofer describes herself as a creator who sells photographs for herself in lingerie or costume. According to the legal paperwork, her earnings place her among the top 1% of all OnlyFans users. Thothub is messing with this successful business model by publishing the photos and additional unpublished nude works for free, the lawsuit alleges. “This is an action to stop a pirate website called Thothub, its Members, and co-conspirators from continuing to distribute digital content stolen from Waidhofer […] and to hold accountable Thothub and its co-conspirators for exploiting Waidhofer’s works and body for their own ends,” the complaint reads. Thothub not only uses the images without permission. The site and its members also exploit her as a sexual object, or in their own words, a ‘thot’. “Defendants display Waidhofer’s content on Thothub and describe her to millions of viewers as a dehumanized sexual object that lacks control and agency over her works and body, how her works and body are used, and by whom,” the complaint reads. Through the lawsuit, the model hopes to hold the site, its operator – who goes by the name “Captain Thotcakes” – and its members accountable for direct copyright infringement. The same also applies to Cloudflare, the CDN provider that’s used by the site. Allegations Against Cloudflare Cloudflare is also charged with other claims, including violations of the Racketeer Influenced and Corrupt Organizations (RICO) Act. 
“Defendant Cloudflare is a co-conspirator of Thothub that aids and abets Thothub’s criminal activity. Cloudflare contracts with Thothub to provide content delivery and security services for Thothub. In this role, Cloudflare makes unauthorized copies of creators’ stolen copyrighted works,” the complaint reads. Cloudflare isn’t only accused of copyright infringement. It’s also described as an anonymity shield that hides the true hosting location of Thothub. In addition, a lack of copyright enforcement makes the CDN provider popular among pirate sites, the complaint notes, pointing to a European Commission report which found that more than half of the top pirate sites used Cloudflare. “Cloudflare also acts as a lookout man for Thothub, masking Thothub’s true identity and server locations. This prevents creators from effectively enforcing their rights against Thothub. This is a major selling point for Cloudflare. “Cloudflare’s permissive approach to repeat infringement, and its willingness to pretend it can do nothing to stop the repeat infringement, is highly attractive for pirates like Thothub.” RICO Conspiracy Includes Advertisers According to Waidhofer, Cloudflare is part of a RICO conspiracy, together with Thothub, the site’s users, and the advertisers Bangbros and Multi Media. The complaint shows a screenshot of Thothub where the advertisers are prominently listed alongside a photo from Waidhofer. The complaint suggests that these companies, who also produce adult content, are immune from having pirated copies of their works published on Thothub in exchange for their financial support. “In exchange for their financial support, the Advertiser Defendants also receive a form of immunity or protection from Thothub against having their own digital content stolen and illegally distributed by Thothub and its associates,” the complaint reads. Through this lawsuit, Waidhofer hopes to shut down Thothub and hold it liable for the damage it’s done. 
The same also applies to the other defendants, including Cloudflare and the advertisers, which are claimed to be part of a racketeering conspiracy. Thus far none of the defendants has responded officially to the complaint. However, when we checked this morning, Thothub had removed all of Waidhofer’s images from the site. Instant update: Thothub is now down for maintenance with an ‘unknown’ ETA. A copy of the complaint filed at the US District Court at the Central District of California on behalf of Deniece Waidhofer is available here (pdf) Source
  7. Cloudflare's Speed Test promises better performance insights Cloudflare launched Speed Test some time ago; it is an online service that tests various networking related parameters such as the download speed, latency, or jitter. Speed tests are a dime a dozen on the Internet, and it is probably a good idea to start with Cloudflare's explanation as to why it launched its own Speed Test on the Internet. According to Cloudflare, it is all about the insights that its Internet speed test provides. Although there are a slew of speed testing tools out there, none of them give you precise insights into how they came to those measurements and how they map to real-world performance. With speed.cloudflare.com, we give you insights into what we’re measuring and how exactly we calculate the scores for your network connection. Best of all, you can easily download the measurements from right inside the tool if you’d like to perform your own analysis. Note: Performance data is collected and anonymized according to Cloudflare, but it is not sold. The company uses the data to improve its network. The code that Cloudflare uses is available on GitHub. Cloudflare Speed Test The speed test works similarly to other speed tests, e.g. Netflix Fast, in that it runs the measurements automatically when you connect to the site. The test takes a moment to complete as it will perform a number of operations including multiple file downloads. Cloudflare's announcement hints that Speed Test measures upload speed as well but disabled it because it received reports of incorrect measurements on "very fast connections". Speed Test displays the average download speed as well as the average latency and jitter at the top. There is also a graph that highlights performance over time. Below that is the device's IP address, and a map that displays the server location. The latency measurements and download measurements are provided as bar graphs and tabular data. 
Multiple tests are performed by Speed Test, and tables highlight each attempt and the measured performance. You may hover over i-icons and bars for additional information. The i-icons provide descriptions of the conducted tests for the most part while the bar overlays values such as min and max speeds. Interested users may download the speed data to the local system. A click on the download icon near the top downloads the data as a CSV file to the local system. You may open it in a compatible program, e.g. Microsoft Excel, afterwards. Closing Words Speed Test is a straightforward Internet performance testing service by Cloudflare that provides a good amount of information. Users may download the data to their systems and check out the code that Cloudflare uses. Some may have reservations against using Cloudflare's service because of the data collecting that is going on. Then again, most Speed Test sites appear to collect data, and some may even sell the data that they gather. Cloudflare's Speed Test promises better performance insights
  8. Cloudflare launches For Families with filter support Cloudflare launched its DNS service back in 2018 (on April 1) to the public promising a fast, private, and secure service. The company promised that would be privacy-friendly, that it would not sell user data or use it for targeted advertising, and revealed that the service would never log full user IP addresses and erase logs every 24 hours. A recently published audit by independent auditing company KPMG uncovered some minor issues but backed up Cloudflare's claims. Yesterday, on April 1, Cloudflare announced an expansion of its DNS service called for Families which adds new DNS Server IP addresses and filters to the service to block certain requests automatically. Users who used OpenDNS and some other DNS providers in the past may recall that these providers offered something very similar for quite some time already. Filtering functionality was the number one request from home users according to Cloudflare and the main reason why for Families was created. For Families for Families comes in two different versions: the first blocks known malware requests, the second malware and adult requests. Here is the information required to use the new DNS servers on your devices: Malware Blocking Only Primary DNS: Secondary DNS: IPv6: 2606:4700:4700::1112 IPv6: 2606:4700:4700::1002 Malware and Adult Content Primary DNS: Secondary DNS: IPv6: 2606:4700:4700::1113 IPv6: 2606:4700:4700::1003 Cloudflare DNS without Filtering Primary DNS: Secondary DNS: IPv6: 2606:4700:4700::1111 IPv6: 2606:4700:4700::1001 The filtering is automated at this point in time; Cloudflare plans to introduce management options in the coming months to whitelist or blacklist sites, schedule filters for certain times of the day, and more. For now, the only option that you have to bypass filters, e.g. when a non-malware or non-adult site is blocked, is to switch the DNS service. 
How to set up for Families

Windows users may do the following to replace the current DNS provider with Cloudflare's:

  • Use the keyboard shortcut Windows-R to open the run box.
  • Type netcpl.cpl to open the Network and Sharing Center (note that this may not be available in the newest builds of Windows 10).
  • If it is not available, right-click on the network icon in the System Tray and select Open Network and Internet settings.
  • On the page that opens, click on "change adapter options".
  • Right-click on the active connection and select properties from the menu.
  • Double-click on "Internet Protocol Version 4 (TCP/IPv4)".
  • Switch to "Use the following DNS server addresses".
  • Enter the primary and secondary DNS server in the respective fields.
  • Close the configuration window.

Pro Tip: You may also change DNS servers using PowerShell. Here is how that is done:

  • Use Windows-X to display the "secret" menu.
  • Select Windows PowerShell (Admin) from the menu to open an elevated PowerShell console.
  • Confirm the UAC prompt.
  • Run the command Get-NetIPConfiguration and note the value of InterfaceIndex of the Network Adapter that you are using (use other information, e.g. the InterfaceAlias value to identify the right interface if multiple are available).
  • Modify the command Set-DnsClientServerAddress -InterfaceIndex 10 -ServerAddresses, and run it afterward. Change the value after -InterfaceIndex to the right one on your device, and the IP addresses behind ServerAddresses to the desired DNS servers (first primary then secondary).

Installation guides are available here for routers, Linux, Windows, and Mac. Cloudflare has created applications for Android and iOS that users may download to use the DNS service on their devices. You may use a program like Gibson's DNS Benchmark to test the performance of the servers.

Source: Cloudflare launches For Families with filter support (gHacks - Martin Brinkmann)
  9. Cloudflare’s WARP VPN is launching in beta for macOS and Windows It will be available to WARP+ subscribers first Cloudflare’s WARP VPN service began its life last year as a free add-on to the company’s app — which itself is a DNS resolver application that promises faster internet — and was immediately popular. (There were, at one point in time, approximately 2 million people on its waiting list.) Today, the company announced in a blog post that it’s bringing WARP to macOS and Windows in beta. “While we announced the beta of with WARP on April 1, 2019 it took us until late September before we were able to open it up to general availability,” writes Matthew Prince, the company’s CEO. “We don’t expect the wait for macOS and Windows WARP to be nearly as long.” The beta will be available first to WARP+ subscribers — who pay to use Cloudflare’s Argo network, which makes their internet speeds even faster — with invites sent out sometime in the next few weeks. “The WARP client for macOS and Windows relies on the same fast, efficient Wireguard protocol to secure Internet connections and keep them safe from being spied on by your ISP,” Prince writes. “Also, just like WARP on the mobile app, the basic service will be free on macOS and Windows.” Linux support, he says, is coming soon. Source: Cloudflare’s WARP VPN is launching in beta for macOS and Windows (The Verge)
  10. New TLS protocol extension will shorten the window an attacker has to perform a man-in-the-middle attack.

Facebook, Mozilla, and Cloudflare announced today a new technical specification called TLS Delegated Credentials, currently undergoing standardization at the Internet Engineering Task Force (IETF). The new standard will work as an extension to TLS, a cryptographic protocol that underpins the more widely-known HTTPS protocol, used for loading websites inside browsers via an encrypted connection. The TLS Delegated Credentials extension was specifically developed for large website setups, such as Facebook, or for websites using content delivery networks (CDNs), such as Cloudflare.

HOW TLS DELEGATED CREDENTIALS WORKS

For example, a big website like Facebook has thousands of servers spread all over the world. In order to support HTTPS traffic on all, Facebook has to place a copy of its TLS certificate private key on each one. This is a dangerous setup. If an attacker hacks one server and steals the TLS private key, the attacker can impersonate Facebook servers and intercept user traffic until the stolen certificate expires. The same thing is also valid with CDN services like Cloudflare. Anyone hosting an HTTPS website on Cloudflare's infrastructure must upload their TLS private key to Cloudflare's service, which then distributes it to thousands of servers across the world. The TLS Delegated Credentials extension allows site owners to create short-lived TLS private keys (called delegated credentials) that they can deploy to these multi-server setups, instead of the real TLS private key. The delegated credentials can live up to seven days and can be rotated automatically once they expire.
TLS DELEGATED CREDENTIALS SHORTENS MITM ATTACK WINDOW The most important security improvement that comes with this new TLS extension is that if -- in the worst-case scenarios -- an attacker does manage to hack a server, the stolen private key (actually a delegated credential) won't work for more than a few days, rather than weeks, months, or even a year, as it does now. You can read more in-depth technical explanations about the new TLS Delegated Credentials extensions on the Facebook, Mozilla, and Cloudflare blogs. The IETF draft specification is available here. TLS Delegated Credentials will be compatible with the TLS protocol v1.3 and later. Source: Facebook, Mozilla, and Cloudflare announce new TLS Delegated Credentials standard (via ZDNet)
  11. Cloudflare releases Privacy Pass 2.0 extension

Internet company Cloudflare launched the Privacy Pass extension for Firefox and Chrome back in 2017 to reduce or even eliminate the number of captchas that Internet users are exposed to. Captchas may be displayed on websites as a form of verification to ensure that the visiting user is a human being and not a bot. Cloudflare operates one of the largest networks on the Internet that many sites use for protection against DoS attacks and for various other functions. If you connect to the Tor network or VPN networks regularly, you may have noticed that the number of captchas that you need to solve to access sites increases significantly over regular Internet connections. One of the main issues is that the regular system does not take into account previously solved captchas. If you visited a site and solved a captcha, you may still be asked to verify another one on another site. Privacy Pass has been created in collaboration with researchers from several universities to bypass captchas without sacrificing privacy in the process. Privacy Pass, in a nutshell, allows clients to provide proof of trust without revealing where and when the trust was provided. The aim of the protocol is then to allow anyone to prove they are trusted by a server, without that server being able to track the user via the trust that was assigned. Basically, what happens is that users get tokens in advance that may be used later on to bypass captchas that would otherwise be displayed. A simple visit to a captcha page could fill up tokens to 30 which would then be used automatically when compatible pages are encountered that require additional verification. Cloudflare launched Privacy Pass 2.0 for Firefox and Chrome on October 28, 2019. The new version makes the extension easier to use, integrates a new service provider (non-Cloudflare), and improves the technology used by the extension.
The, rather technical, post on the Cloudflare blog provides detailed information on the new version. One interesting new feature is the unlocking of the extension for other services. Cloudflare revealed that a new version of the extension will roll out soon that supports the provider hCaptcha. Internet users who solve a captcha provided by the provider will receive tokens if they run Privacy Pass that will be used automatically on other sites that use the provider's captcha solution. Closing Words The new version of the extension won't convince users who distrust Cloudflare to give it a try. Users who run into captchas, especially those by Cloudflare, regularly, may benefit from it as it should reduce the number of captchas that they are exposed to. Source: Cloudflare releases Privacy Pass 2.0 extension (gHacks - Martin Brinkmann)
  12. This week a zero-day vBulletin remote code execution vulnerability and exploit was publicly disclosed and is being used by bad actors to attack vBulletin forums. Cloudflare has now created a special rule that will prevent this exploit from working on vBulletin sites behind Cloudflare's service. Remote code execution vulnerabilities are the most critical as they allow attackers to execute commands, take over a site, install malware, or even distribute malware from a victim's computer and web site. Since the vBulletin exploit was released, threat actors have been seen heavily utilizing it to hack into vBulletin servers to recruit them into a botnet or for other purposes. To protect users, Cloudflare has created a new rule for their Web Application Firewall that will detect and block this exploit. This means that vBulletin sites using Cloudflare and who have their firewall enabled will not be affected by the exploit. New Cloudflare vBulletin Rule While this is a great perk of being a Cloudflare customer, it is obviously more important that affected vBulletin forums install the official patch so that the vulnerability is properly fixed. Having worked with numerous forum operators in the past, I unfortunately know that installing a patch is not always easy for administrators due to a variety of reasons. Therefore, having this extra method of protection is very useful for those who may not have FTP/shell access, but do have Cloudflare access.

How to enable Cloudflare's vBulletin CVE-2019-16759 protection

To use Cloudflare's new vBulletin CVE-2019-16759 protection, you need to log in to your site's Cloudflare dashboard and select Firewall and then Managed Firewall. When you are at the Managed Firewall page, you will see an option titled "Web Application Firewall" at the top of the page. This option should be set to On as shown below.
Web Application Firewall is Enabled Now that the firewall is enabled, you need to enable the ruleset that contains the vBulletin CVE-2019-16759 protection. To do that, scroll down the page until you see a section titled "Cloudflare Managed Ruleset" and towards the bottom you should see a ruleset titled "Cloudflare specials". To enable this ruleset, set the toggle to On as shown below. Cloudflare Specials ruleset enabled Now that this ruleset is enabled, you are protected from the recent vBulletin vulnerability and when an attacker attempts to exploit the vulnerability, they will be blocked. Cloudflare blocking the exploit You can monitor whether the protection blocks any attacks by going into the Overview section of the Firewall settings. Any blocked attempts will show up under the WAF service category. You can then click on the blocked request to see the full details of what the attacker was trying to do. Source
  13. Cloudflare's Warp VPN is now available to all: a first look Cloud provider Cloudflare launched its privacy-focused DNS service in 2018 and published apps for Android and iOS in the same year. The company announced its Warp vpn service in April 2019 and invited users from all over the world to join a waiting list to test it. The once-restricted VPN service is now available to everyone who downloads and installs the company's Faster & Safer Internet application for Android or iOS. Warp establishes a VPN connection on the device to route traffic through Cloudflare servers; this hides the device's IP address and may improve performance. Cloudflare suggests that Warp+ users see a 30% improvement in performance on average when loading websites. Cloudflare Warp The application installs a VPN profile on the user's device when the option is selected. Cloudflare promises that it collects "as little data as possible" and that it won't "sell, rent, share or otherwise disclose" personal information. The app displays the terms on first start; these reveal what Cloudflare collects and what it does with the data. Data may include the app installation id, the amount of data transferred through Cloudflare's network, and the average speed. The registration ID is a unique random number that is assigned to each profile. Cloudflare notes that it is used for the referral system. The basic version of Warp is free and it has no traffic restrictions. Warp+ is an add-on service that improves the performance of connections made on the device by "avoiding traffic jams" and picking the fastest routes. Users may refer others to receive up to 1 Gigabyte of Warp+ traffic for free per month. Each referral that meets the criteria adds 100 Megabytes to the referring account. The second option that is available is to pay $4 per month to get Warp+ Unlimited which enables Warp+ for the duration of the subscription. 
The Cloudflare DNS service is always enabled and it may also be used without Warp if that is desired. The application works automatically once you have set up the VPN connection. It requires no registration. The main interface displays a huge toggle to connect and disconnect the VPN. The app displays a prompt when you disconnect that lists the following options: Pause for 15 minutes. Pause for 1 hour. Pause for this Wi-Fi. Until I turn it back on. The pause for this Wi-Fi option requires that you give the app location permissions. On Android, you get a notification that informs you when you are connected and controls to stop the connection from the notification area. The app has just a few settings. You may switch from using with Warp to just there, enable the dark theme, and open the connection options to disable the app for select applications. Some applications may not work correctly when you are connected to the VPN; this may be the case for applications that restrict content regionally. Use the whitelist to exclude these to continue using them. Two connection options -- protocol options and tunnel mode -- were grayed out in the Android version that I tested. Experience I ran several speed tests to test the performance of the service. The speed tests, e.g, Fast.com, were promising as the connection was maxed out when I ran them. It is possible that this may change in the coming weeks when more and more users start to use the application. I did not notice any improvements in regards to the loading of websites but the loading was certainly not slower than before. I did not test Warp+ but plan to do so in the future to see if it speeds up the loading significantly. All sites and services that I tried worked fine and without hitches. It needs to be noted that the app does not include any content blocking or protective features that other applications of its kind sometimes offer. The application gives users no control over servers and regions that it connects to. 
In fact, there is zero information about the server and region that you get connected to while using the application. A quick IP check revealed that Cloudflare routed me through data servers in Germany. I would have preferred an option to pick another region/country. Closing Words Cloudflare's Faster & Safer Internet application brings the company's DNS server and VPN service to Android and iOS. The VPN is free to use and without bandwidth limitations, but it limits options and features, and gives no control over regions and servers. Performance was excellent on the other hand and you get the benefits of being connected to a VPN. Cloudflare is not without criticism though and there will certainly be Internet users who won't go anywhere near the application. Privacy-wise, I'm worried about the unique ID associated with an account even though Cloudflare states that it is only used for the referral system. It may be better than requiring users to create an account to use the application, however. Source: Cloudflare's Warp VPN is now available to all: a first look (gHacks - Martin Brinkmann)
  14. Online security and content delivery company Cloudflare priced its shares at $15 per share on Thursday afternoon, $1 per share above its raised range. The company, which will begin trading on the New York Stock Exchange on Friday, first pitched its IPO between $10 and $12 per share, which it later increased to $12 to $14. At $15 per share, the company raised $525 million in its debut. Bloomberg first reported the pricing. The figure outstrips the company’s prior known fundraising. Cloudflare raised $332.1 million as a private company, with its most recent round totaling $150 million in March 2019. The company last had a private valuation of $3.25 billion. The San Francisco-based company’s debut on the public markets–it’s listing under the ticker symbol “NET”–comes on the heels of some potentially troubling revelations by the company. Cloudflare said in an updated filing on Wednesday that it “may have failed to comply with certain U.S. export-related filing and reporting requirements and may have submitted incorrect information to the U.S. government in connection with certain hardware exports.” “We identified that our products were used by, or for the benefit of, certain individuals and entities included in OFAC’s Specially Designated Nationals and Blocked Persons List (the SDN List), including entities identified in OFAC’s counter-terrorism and counter-narcotics trafficking sanctions programs, or affiliated with governments currently subject to comprehensive U.S. sanctions,” the company wrote in the filing. The news of the disclosure was first reported by the Wall Street Journal on Tuesday, but the company was still able to price above its target range. We’ll see how other investors feel about the company and its new valuation when it starts trading tomorrow. Source
  15. Cloudflare, a content delivery and Internet security firm, set an initial price range for its IPO this morning. The San Francisco-based company will target a per-share price of $10 to $12 when it goes public in the coming weeks. Selling an expected 35 million shares in its IPO, Cloudflare could raise as much as $420 million in the share sale. Add in the 5.25 million shares reserved for its underwriting banks, and the company could gross $483 million at $12 per share, the top of its range. According to its new S-1/A filing, Cloudflare anticipates having around 293 million shares outstanding when it goes public, valuing the firm between a little over $2.9 billion, and $3.5 billion. Given that the firm was last valued at $3.25 billion while private, it’s quite possible that the firm is hoping to raise its price range, giving it a higher valuation, and one larger than what its March 2019 Series E afforded it. Cloudflare has raised over $330 million during its life, including capital from Franklin Templeton Investments, Fidelity, Union Square Ventures, and NEA. Early investors include Pelion Venture Partners and Venrock. Financial Context Cloudflare generated $129.2 million in revenue during the first half of calendar 2019. That figure resulted in a gross profit of $100.0 million, giving the firm gross margins of 77.4 percent in the period. That’s perfectly fine for a software-style business, even if we have seen the occasional higher figure from companies like Slack. In the first half of 2019, Cloudflare posted revenue growth of 48.3 percent, along with a slightly higher net loss in dollar terms. The company’s net loss in percent-of-revenue terms fell from 37.3 percent in the first half of 2018 to 28.5 percent in the first half of 2019. Both figures, however, represent deteriorations from prior results, most especially the company’s 2017 results. 
In that year, Cloudflare grew revenue from $84.8 million to $134.9 million while losing just $10.8 million on a net basis. What’s driving the rise in losses measured in dollar, and not percent-of-revenue terms at Cloudflare? One answer is rising sales and marketing costs. In the first half of 2019, Cloudflare’s sales and marketing line item rose to 52 percent of revenue, the highest result listed including data going back to 2016. The company notes that sales and marketing headcount saw a “57 [percent] increase” from the first half of 2018 to the first half of 2019, for example. But as we noted in our first coverage of the company’s results, accelerating revenue growth and falling operating cash burn are an attractive pair. The above figures are largely what we already knew, but better framed today in the context of the firm’s prior, private valuation ($3.25 billion) and its new IPO price range ($2.9 billion to $3.5 billion). Has the firm generated material value gains since that Q1 2019 private market price; and if so, how much? If I was a gambling man, I’d wager $1 that we’ll see another S-1/A from Cloudflare with a new price range. Source
  16. 8chan has harbored a community of hate and three mass-shooters have now hosted manifestos on the platform. Cloudflare, a company that provides website security and internet infrastructure services, announced on Sunday that it would drop 8chan as a customer. "8chan has repeatedly proven itself to be a cesspool of hate," said Matthew Prince, Cloudflare CEO, in a statement published on late Sunday night. 8chan failed to moderate its content Prince said the site has failed to moderate its "hate-filled community." Because of this, 8chan, a forum and bulletin board, has now been the host of a third mass-shooter manifesto. Mass-shooters have uploaded manifestos explaining their actions on 8chan on three occasions before going out and committing terror attacks. The terror attack on two mosques in Christchurch, New Zealand, on March 15, 2019. Terror attack on a synagogue in Poway, California, on April 27, 2019. Attack at a Walmart store in El Paso, Texas, on August 3, 2019. The last shooting took place over the weekend, when a second mass-shooting also took place in the US, in Dayton, Ohio, although this has not been linked to 8chan. Nonetheless, both shootings have contributed to a growing voice of the US public against online communities and groups that keep harboring and radicalizing mass shooters. "The rationale is simple: they have proven themselves to be lawless and that lawlessness has caused multiple tragic deaths," Prince said. "Cloudflare is not a government" However, the Cloudflare CEO said the company struggled with the decision, as they felt they shouldn't be made to take decisions on what is good and bad on the internet. "Cloudflare is not a government," Prince said before arguing that law enforcement agencies should be the ones deciding when to ban this kind of sites from the internet, and not leave it to private companies to take these decisions. 
Cloudflare kicking 8chan off its infrastructure means the site is now open to DDoS attacks, among other things. Multiple hacktivists have announced online plans to attack the site after 12:00am PT on Sunday, when Cloudflare said it would drop the site from its servers. 8chan is still online, at the time of writing. The site's domain registrar has not announced a similar ban, meaning users will still be able to access the site, as the domain will still work.

Second site kicked off Cloudflare after someone's death

8chan is the second controversial site that Cloudflare kicks off its infrastructure. In 2017, Cloudflare terminated The Daily Stormer, a neo-nazi news and propaganda site, after the website posted an article mocking a woman killed during white supremacy protests in Charlottesville, Virginia. Following Cloudflare's ban, the site was subsequently banned and kicked off other platforms as well, but it has not gone down for good, continuing to operate to this day, albeit with some inconveniences and downtimes as it constantly switched web hosting providers and domain name registrars. Something similar is now expected to happen to 8chan, a website that users created from the old 4chan community and has a controversial history of its own. 8chan came to be after 4chan moderators started cracking down on violent content posted on their platform after the Gamergate sexism and harassment campaign -- with some harassment against female gamers and journalists being called on and coordinated from the site's image boards. As a result, most of 4chan's most aggressive and extremist userbase found a new home on 8chan. "Unfortunately the action we take today won't fix hate online," the Cloudflare CEO said. "It will almost certainly not even remove 8chan from the Internet. But it is the right thing to do. Hate online is a real issue." Source
  17. Content delivery network provider Cloudflare Inc. is set to go public in September after filing a confidential S-1 application with the U.S. Securities and Exchange Commission, according to a report today from Business Insider. Cloudflare was first reported to be considering an initial public offering this year in October, but those plans were speculated to be on the back burner in March after the company raised $150 million from Franklin Resources Inc. That round is said to have valued Cloudflare at $3.2 billion with an IPO likely to see a valuation of somewhere in that vicinity as well, possibly a bit higher. Founded in 2009, Cloudflare offers a range of cloud services to improve services for websites. Best known for its CDN, the company also offers video delivery, denial-of-service protection, domain registration, security, DNS services and more. While competing with some of the biggest names in cloud services, specifically Amazon Web Services Inc., Google LLC and Akamai Technologies Inc., Cloudflare also sometimes works with them as well. In September, the company joined with Google, Microsoft Corp. and others on an initiative to lower bandwidth costs for their enterprise users. That Cloudflare would be looking for an exit for its investors this year isn’t surprising. Although the time to exit by venture capital-backed firms is getting longer, at 10 years of age Cloudflare has already passed the median period for a tech startup looking to go public. Investors, who have put $332.1 million into the company to date, include Fidelity, Alphabet Inc., Microsoft, Baidu Inc. and Qualcomm Inc. Should Cloudflare go public, it won’t be the first CDN provider to do so this year. Smaller rival Fastly Inc. debuted on the New York Stock Exchange May 17 to a warm welcome from investors, popping 50% on its first day of trading on a debut price of $16 per share.
Post-debut, the performance of Fastly hasn’t been great, its share price dropping as low as $17.13 a month later before rising again to have closed today at $21.70 compared to $23.99 on its first day. While investors will be looking at Fastly’s performance when considering Cloudflare, notably the company’s share price has never dipped below its float price, unlike IPOs from Uber Technologies Inc. and Lyft Inc. The performance of Uber and Lyft aside, most IPOs have performed strongly on debut this year with a record number of tech-related companies going public. Recent successful IPOs include Livongo Health Inc., Health Catalyst Inc., Medallia Inc. and Crowdstrike Holdings Inc. Source
  18. In a case filed in California, Cloudflare stands accused of failing to terminate customers that have been repeatedly called out as copyright infringers. The case wasn't filed by Hollywood or the major record labels, but by two manufacturers of wedding dresses. The CDN provider tried to have the case dismissed recently but in a new order, the court refuses to do so. Popular CDN and DDoS protection service Cloudflare has come under a lot of pressure from copyright holders in recent years. The company offers its services to millions of sites, including some of the world’s leading pirate sites. Many rightsholders are not happy with this. They accuse Cloudflare of facilitating copyright infringement by continuing to provide access to these platforms. At the same time, they call out the CDN service for masking the true hosting locations of these ‘bad actors’. Cloudflare’s activities have also triggered some lawsuits. Just last week, we reported that an Italian court ordered the company to terminate the accounts of several pirate sites. In the U.S. there’s an ongoing copyright infringement case as well, which brought more bad news for the company a few days ago. The case in question wasn’t filed by any of the major entertainment industry players, but by two manufacturers and wholesalers of wedding dresses. Not a typical “piracy” lawsuit, but it’s a copyright case that could have broad effects. In a complaint filed at a federal court in California last year, Mon Cheri Bridals and Maggie Sottero Designs argued that even after multiple warnings, Cloudflare fails to terminate sites operated by counterfeit vendors. This makes Cloudflare liable for the associated copyright infringements, they said. Cloudflare responded to the allegations and in April it filed a motion to dismiss the complaint. The company said that the rightsholders failed to state a proper claim, as the takedown notices were not proof of infringement, among other things. 
In addition, the notices were not formatted properly. “Plaintiffs characterize their notifications as ‘credible’ without stating any facts that demonstrate their credibility. In any event, defective notifications, like those the plaintiffs sent to Cloudflare, cannot support any claim of actual knowledge,” Cloudflare argued. According to Cloudflare, the notifications “may or may not be true”. Without a court determining whether they are accurate or not, the company says they don’t “convey actual knowledge of infringement.” As such, the company doesn’t believe it can be held liable. District Judge Vince Chhabria disagrees, however. In an order signed a few days ago he denies the motion to dismiss. According to the Judge, the allegations and claims made by the wedding dress manufacturers are sufficient at this stage of the case. “Cloudflare’s main argument – that contributory liability cannot be based on a defendant’s knowledge of infringing conduct and continued material contribution to it – is wrong,” Judge Chhabria writes. “Allegations that Cloudflare knew its customer-websites displayed infringing material and continued to provide those websites with faster load times and concealed identities are sufficient to state a claim,” he adds. Cloudflare also pointed out other deficiencies in the notices, and stressed that it’s not a hosting provider, but these comments were countered too. At this stage of the case, it’s enough to show that Cloudflare was aware of the alleged infringements, the Court notes. “The notices allegedly sent by the plaintiffs gave Cloudflare specific information, including a link to the offending website and a link to the underlying copyrighted material, to plausibly allege that Cloudflare had actual knowledge of the infringing activity,” Judge Chhabria writes. The denial of Cloudflare’s motion to dismiss means that the case will move forward. 
While the case has nothing to do with traditional pirate sites, any rulings could spill over, which means that other copyright holders will watch this case closely. Mon Cheri Bridals and Maggie Sottero ultimately hope to recoup damages for the losses they’ve suffered as well as preliminary and permanent injunctive relief to stop all infringing activity. Cloudflare, for its part, will argue that it’s not actively participating in any infringing activity and that it merely has a role as a third-party intermediary, which is not liable for the alleged infringing activities of its customers. A copy of District Judge Vince Chhabria’s order is available here (pdf). VIEW: Original Article.
  19. The culprit? .*(?:.*=.*) Cloudflare has published a detailed and refreshingly honest report into precisely what went wrong earlier this month when its systems fell over and took a big wedge of the internet with it. We already knew from a quick summary published the next day, and our interview with its CTO John Graham-Cumming, that the 30-minute global outage had been caused by an error in a single line of code in a system the company uses to push rapid software changes. Even though that change had been run through a test beforehand, the blunder maxed out Cloudflare's servers' CPUs and caused customers worldwide to get 502 errors from Cloudflare-backed websites. The full postmortem digs into precisely what went wrong and what the biz has done and is doing, to fix it and stop any repetition. The headline is that it was a cascade of small mistakes that caused one almighty cock-up. We're tempted to use the phrase-du-jour "perfect storm," but it wasn't. It was a small mistake and lots of gaps in Cloudflare's otherwise robust processes that let the mistake escalate. First up the error itself – it was in this bit of code: .*(?:.*=.*). We won't go into the full workings as to why because the post does so extensively (a Friday treat for coding nerds) but very broadly the code caused a lot of what's called "backtracking," basically repetitive looping. This backtracking got worse – exponentially worse – the more complex the request and very, very quickly maxed out the company's CPUs. So the three big questions: why wasn't this noticed before it went live? How did it have such a huge impact so quickly? And why did it take Cloudflare so long to fix it? The post answers each question clearly in a detailed rundown and even includes a lot of information that most organizations would be hesitant to share about internal processes and software, so kudos to Cloudflare for that. 
But to those questions… I see you CPU The impact wasn't noticed for the simple reason that the test suite didn’t measure CPU usage. It soon will – Cloudflare has an internal deadline of a week from now. The second problem was that a software protection system that would have prevented excessive CPU consumption had been removed "by mistake" just weeks earlier. That protection is now back in although it clearly needs to be locked down. The software used to run the code – the expression engine – also doesn't have the ability to check for the sort of backtracking that occurred. Cloudflare says it will shift to one that does. So that's how it got through the checking process: what about the speed with which it impacted everyone? Here was another significant mistake: Cloudflare seems to have got too comfortable with making changes to its Web Application Firewall (WAF). The WAF is designed to be able to quickly provide protection to Cloudflare customers – it can literally make changes globally in seconds. And Cloudflare has in the past put this to good use. In the post, it points to the fast rollout of protections against a SharePoint security hole in May. Very soon after the holes were made public, the biz saw a lot of hacking efforts on its customers' system and was able to cut them off almost instantly with an update pushed through WAF. This kind of service is precisely what has given Cloudflare its reputation – and paying clients. It deals with the constant stream of security issues so you don't have to. But it uses the system a lot: 476 change requests in the past 60 days, or the equivalent of one every three hours. The code that caused the problem was designed to deal with new cross-site scripting (XSS) attacks the company had identified but – and here’s the crucial thing – it wasn't urgent that that change be made. So Cloudflare could have introduced it in a slower way and noticed the problem before it became a global issue. 
But it didn't; it has various testing processes that have always worked and so it put the expression into the global system – as it has with many other expressions. Cloudflare justifies this by pointing to the growing number of CVEs – Common Vulnerabilities and Exposures – that are published annually. War Games redux The impact however was that it created an instant global headache. What's more the code itself was being run in a simulation mode – not in the full live mode – but because of the massive CPU consumption that it provoked, even within that mode it was able to knock everything offline as servers were unable to deal with the processing load. That's where it all went wrong. Now, why did it take Cloudflare so long to fix it? Why didn't it just do a rollback within minutes and solve the issue while it figured out what was going on? The post gives some interesting details that will be familiar to anyone that has ever had to deal with a crisis: the problem was noticed through alerts and then everyone scrambled. The issue had to be escalated to pull in more engineers and especially more senior engineers who are allowed to make big decisions about what to do. The mistakes here are all human: first, you have to physically get other human beings in front of screens, on phones, and in chatrooms. Then you have to coordinate quickly but effectively. What is the problem? What is causing it? How can we be sure that's right? People get panicky under pressure and can easily misread or misunderstand the situation or decide the wrong thing. It takes a cool head to figure out what the truth is and figure out the best way to resolve it as quickly as possible. It appears from Cloudflare's post that the web biz actually did really well in this respect – and we can have some degree of confidence in its version of events thanks to the timeline. 
Despite the obvious initial thought that the company was under some kind of external attack, it pinpointed the issue as being the WAF within 15 minutes of receiving the first alert. Which is actually a pretty good response time considering that no one was watching this rule change. It was a routine update that went wrong. But there were several crucial delays. First the automated emergency alerts took three minutes to arrive. Cloudflare admits this should have been faster. Second, even though a senior engineer made the decision to do a global kill on the WAF two minutes after it was pinpointed as the cause of the problem, it took another five minutes to actually process it. Slow death Why? Because the people authorized to issue the kill hadn't logged into the system for a while and the system's protection system had logged them out as a result. They had to re-verify themselves to get into the system. When they did and authorized the kill, two minutes later it had kicked in globally and traffic levels went down to normal – making it clear that it was in fact the WAF that was the problem. This is the timeline:
13.42: Bad code posted
13.45: First alert arrives (followed by lots of others)
14.00: WAF identified as the problem
14.02: Global kill on WAF approved
14.07: Kill finally implemented (logging in)
14.09: Traffic back to normal
Cloudflare has changed its systems and approach in response so in future this response time should go from 27 minutes to around 20 minutes (assuming it will always take some amount of time to figure out where the problem lies in a previously unidentified issue.) At this point, the problem was identified but WAF had been taken down so people were still experiencing problems. The Cloudflare team then had to figure out what in WAF had gone wrong, fix it, check it, and then restart it. That took 53 minutes. This is where the impressive openness and honesty from Cloudflare up until this point gets a little more opaque. 
One paragraph covers this entire process: "Because of the sensitivity of the situation we performed both negative tests (asking ourselves “was it really that particular change that caused the problem?”) and positive tests (verifying the rollback worked) in a single city using a subset of traffic after removing our paying customers’ traffic from that location. At 14:52 we were 100 per cent satisfied that we understood the cause and had a fix in place and the WAF was re-enabled globally." There's no more information than that, although it does mention later on that "the rollback plan required running the complete WAF build twice, taking too long." Timing off It also mentions that the Cloudflare team "had difficulty accessing our own systems because of the outage and the bypass procedure wasn’t well trained on" – although it's not clear if that leads to delays in fixing the WAF. It's hard to know without more detail whether Cloudflare did a great job here or whether its systems were found lacking - given its global reach and that its entire function as a company is around this kind of work. For example: how long after the WAF was taken down did the engineer manage to pinpoint the specific code that caused the problem? Did it figure it out in five minutes and then run 47 minutes of tests? Or did it take them 47 minutes to find it and run five minutes of tests? The fact that Cloudflare doesn't say in an otherwise very detailed and expansive post suggests that this was not its finest hour. You would imagine that it would simply bring up a log of all the changes made just prior to the problems, cut those changes out, rebuild, and test. Maybe it did. Is 53 minutes a good timeframe to rebuild something that had just caused worldwide outages and put it live again? What do Reg readers think? Anyway, that's how it went down. To its credit, Cloudflare also acknowledges that its communication during the crisis could have been better. 
For obvious reasons, all of its customers were clamoring for information but all the people with the answers were busy fixing it. Worse, customers lost access to their Cloudflare Dashboard and API - because they pass through the Cloudflare edge which was impacted – and so they were really in the dark. The business plans to fix both these issues by adding automatic updates to its status page and by having a way to bypass the normal Dashboard and API approach in an emergency, so people can get access to information. So there you have it. It's not clear how much an impact this cock-up has had on people's confidence with Cloudflare. The post is keen to point out the company hasn't had a global outage in six years – not including Verizon-induced problems of course. Its honesty, clear breakdown and list of logical improvements – including not posting non-urgent updates to its super-fast global update system - will go some way to reassure customers that Cloudflare is not going all-Evernote and building more and more services on top of sub-optimal code. With luck it will be another six years until the Cloudflare-reliant internet goes down. Source
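Added example (not from the article or from Cloudflare's postmortem): a small step-counting backtracking matcher in Python that shows why the expression in this story burns CPU, together with the kind of pre-deploy growth check and run-time step budget the article says were missing. It supports only literals, `.` and `*`, matches from the start of the input only, and uses `.*.*=.*`, which matches the same strings as `.*(?:.*=.*)` because the group has no quantifier; all function names are illustrative.

```python
class StepBudgetExceeded(Exception):
    """Raised when a match uses more steps than the caller allows."""


def tokenize(pattern):
    """Split a pattern into (char, starred) tokens: literals, '.', and 'c*'."""
    tokens, i = [], 0
    while i < len(pattern):
        starred = i + 1 < len(pattern) and pattern[i + 1] == "*"
        tokens.append((pattern[i], starred))
        i += 2 if starred else 1
    return tokens


def count_steps(pattern, text, budget=None):
    """Anchored greedy backtracking match. Returns (matched, steps_taken)."""
    tokens = tokenize(pattern)
    steps = 0

    def match_here(ti, pos):
        nonlocal steps
        steps += 1
        if budget is not None and steps > budget:
            raise StepBudgetExceeded(f"gave up after {budget} steps")
        if ti == len(tokens):
            return True
        ch, starred = tokens[ti]
        if starred:
            # Greedy: take as many characters as possible, then hand them
            # back one at a time until the rest of the pattern matches.
            end = pos
            while end < len(text) and (ch == "." or text[end] == ch):
                end += 1
            while end >= pos:
                if match_here(ti + 1, end):
                    return True
                end -= 1
            return False
        if pos < len(text) and (ch == "." or text[pos] == ch):
            return match_here(ti + 1, pos + 1)
        return False

    return match_here(0, 0), steps


def looks_superlinear(pattern, n=200, threshold=3.0):
    """Pre-deploy check: double a non-matching input and compare step counts.

    A linear-time pattern roughly doubles its steps; a quadratic one
    roughly quadruples them.
    """
    small = count_steps(pattern, "x" * n)[1]
    large = count_steps(pattern, "x" * (2 * n))[1]
    return large / small > threshold


def guarded_match(pattern, text, budget=10_000):
    """Run-time guard: stop a runaway match instead of pinning a CPU core."""
    try:
        return "match" if count_steps(pattern, text, budget)[0] else "no_match"
    except StepBudgetExceeded:
        return "budget_exceeded"


if __name__ == "__main__":
    # Constructed inputs: n characters with no '=' so every split is tried.
    for n in (10, 100, 1000):
        one_star = count_steps(".*=.*", "x" * n)[1]
        two_stars = count_steps(".*.*=.*", "x" * n)[1]
        print(f"n={n:5d}  .*=.* -> {one_star:7d} steps   .*.*=.* -> {two_stars:7d} steps")
    print("flag .*.*=.* before deploy:", looks_superlinear(".*.*=.*"))
    print("guarded run on 1000 chars:", guarded_match(".*.*=.*", "x" * 1000))
```
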
  20. Cloudflare, a company providing performance and security to websites, is having network problems of its own this morning — and taking down a lot of its customers’ sites and apps in the process. Affected companies include podcast app Overcast, chat service Discord, managed hosting provider WP Engine, eCommerce hosting provider Sonassi, public web front-end CDN service CDNJS, and many others — including the sites that rely on the web hosting or who partner with Cloudflare for their CDN service. According to Cloudflare, it identified a possible route leak that’s impacting some of the Cloudflare IP ranges, and it’s working now to resolve the issue. The problems were first identified around 7:02 AM EST, says Cloudflare, and the problem was identified shortly thereafter. Its status page has been providing continual updates. The company said at 8:34 AM EST, “this leak is impacting many internet services including Cloudflare. We are continuing to work with the network provider that created this route leak to remove it.” Update: The company at 12:42 AM UTC / 8:42 AM EST says the issue is resolved: The network responsible for the route leak has now fixed the issue. We are seeing improvement and are continuing to monitor this before we consider this issue resolved. Source
  21. Cloudflare aims to make HTTPS certificates safe from BGP hijacking attacks Free service prevents BGP hijackers from fraudulently obtaining browser-trusted certs. Content delivery network Cloudflare is introducing a free service designed to make it harder for browser-trusted HTTPS certificates to fall into the hands of bad guys who exploit Internet weaknesses at the time the certificates are issued. The attacks were described in a paper published last year titled Bamboozling Certificate Authorities with BGP. In it, researchers from Princeton University warned that attackers could manipulate the Internet’s border gateway protocol to obtain certificates for domains the attackers had no control over. Browser-trusted certificate authorities are required to use a process known as domain control validation to verify that a person requesting a certificate for a given domain is the legitimate owner. It requires the requesting party to do one of three things: create a domain name system resource record with a specific text string; upload a document with a specific text string to a Web server using the domain; prove receipt of the email address containing a text string sent to the administrative contact for the domain. The Princeton researchers demonstrated that this validation process can be bypassed by BGP attacks. Before applying for a certificate to a targeted domain, an adversary can update the Internet’s BGP routing tables to hijack traffic destined for the domain. Then, when a CA checks the DNS record or visits a URL, the CA's query goes to an attacker-controlled server rather than the legitimate server of the domain operator. When the attacker is able to produce the text string designated by the CA, that is considered proof of domain ownership and the CA issues a certificate to the wrong party. Reining it in But these attacks come with limitations. 
BGP attacks usually hijack only a portion of a domain’s incoming traffic, rather than all of it. As a result, computers in one part of the world will be directed to the attacker’s imposter server, while computers elsewhere will still reach the legitimate server. Cloudflare, with more than 175 datacenters worldwide, is unveiling a new service called multipath domain control validation that’s designed to exploit this limitation of BGP hijacking. As its name suggests, it performs the validation process from multiple origins that follow different Internet paths to the domain. Unless the results from multiple queries are identical, the validation will fail. “We’re going to be leveraging Cloudflare’s global network to perform this domain check, whether it’s DNS or HTTP, from various vantage points that are connected through various networks,” Nick Sullivan, head of cryptography at Cloudflare, told Ars. “If you’re hijacked, [the fraudulent data] only applies to a subset of the requests.” Agents and orchestrators Cloudflare will be making a programming interface available for free to all certificate authorities. The multipath check for domain control validation consists of two services: agents that perform domain validation out of a specific datacenter, and a domain validation “orchestrator” that handles multipath requests from CAs and dispatches them to a subset of agents. When a CA wants to ensure a domain validation hasn’t been intercepted, it can send a request to the Cloudflare API that specifies the type of check it wants. The orchestrator then forwards a request to more than 20 randomly selected agents in different datacenters. Each agent performs the domain validation request and forwards the result to the orchestrator, which aggregates what each agent observed and returns the results to the CA. 
Sullivan said Cloudflare has designed the new service to be an effective measure against another potential domain validation attack that spoofs IP addresses in DNS requests that use the user datagram protocol (UDP). Because the IP address of the computer making the request can be spoofed, an attacker can make a request to a targeted domain appear to come from a CA. Then, by manipulating a maximum fragment size setting, the attacker can receive a second identical response. The new Cloudflare API prevents these DNS spoofing attacks because it sends queries from multiple locations that can’t be predicted by the attacker, Sullivan said. In a message, he wrote: Multipath DCV was designed for and is primarily effective against on-path attacks. An additional feature that we built into the service that helps protect against off-path attackers is DNS query source IP randomization. By making the source IP unpredictable to the attacker, it becomes more challenging to spoof the second fragment of the forged DNS response to the DCV validation agent. Sullivan said Cloudflare is offering the service for free because the company believes that attacks on the certificate authority system harm the security of the entire Internet. He said he expects the use of multipath domain validation to become standard practice, particularly if it’s offered by other large networks. Eventually, he said, it may be mandated by the CA/Browser Forum, which sets industry guidelines for the issuance of TLS certificates. “I’m a little surprised this hasn’t happened yet,” Sullivan said. “We’re hoping that this announcement and this product helps spur the CA/Browser forum to adopt and require this more robust multiperspective validation for certificate authorities. It truly is a risk that hasn’t been exploited yet, and it’s just a matter of time.” Source: Cloudflare aims to make HTTPS certificates safe from BGP hijacking attacks (Ars Technica)
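Added example (not Cloudflare's API or code): a Python model of the multipath check described in the article, in which an orchestrator samples agents, compares what each one saw, and fails validation unless every observation matches the expected challenge value. Agent names, the token and all function names are constructed; the figures 175 datacenters and 20 agents are the article's "more than" lower bounds, and the model assumes a hijack affects a fixed subset of vantage points.

```python
import random
from math import comb

# Constructed agent names standing in for validation agents in 175 datacenters.
AGENTS = [f"dc-{i:03d}" for i in range(175)]


def agent_observation(agent, hijacked, origin_body, attacker_body):
    """Body of the challenge URL as seen from one agent's network path."""
    return attacker_body if agent in hijacked else origin_body


def multipath_check(expected, agents, hijacked, origin_body, attacker_body,
                    sample_size=20, rng=None):
    """Orchestrator: query a random subset of agents and require agreement.

    `expected` is the challenge string the CA handed to the requester.
    Validation passes only if every sampled agent saw exactly that string.
    """
    rng = rng or random.Random()
    chosen = rng.sample(agents, sample_size)
    seen = {a: agent_observation(a, hijacked, origin_body, attacker_body)
            for a in chosen}
    dissent = sorted(a for a, body in seen.items() if body != expected)
    return {"passed": not dissent, "agents": chosen, "dissent": dissent}


def evasion_probability(total_agents, hijacked_agents, sample_size):
    """Chance that every sampled agent sits behind the hijacked route.

    Hypergeometric: C(hijacked, k) / C(total, k). math.comb returns 0 when
    k exceeds the number of hijacked agents, so the result is then 0.0.
    """
    return comb(hijacked_agents, sample_size) / comb(total_agents, sample_size)


if __name__ == "__main__":
    token = "constructed-challenge-token"
    # The attacker requested the certificate, so only the attacker's server
    # returns the token; the real origin has no such file (modelled as None).
    partial = set(AGENTS[:60])  # hijack reaches 60 of 175 vantage points

    single = multipath_check(token, AGENTS[:1], partial, None, token, sample_size=1)
    print("single vantage point inside the hijack passes:", single["passed"])

    multi = multipath_check(token, AGENTS, partial, None, token,
                            rng=random.Random(7))
    print("multipath passes:", multi["passed"],
          "| agents that saw the real origin:", len(multi["dissent"]))

    for h in (60, 87, 140, 175):
        print(f"hijacked={h:3d}/175  P(all 20 agents fooled) = "
              f"{evasion_probability(175, h, 20):.3e}")
```
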
  22. Cloudflare revealed the company's first VPN product today called Warp which it plans to launch as part of the company's application soon. April 1st is probably the worst day to make announcements for products that do exist. Cloudflare apparently could not pass the opportunity to select April 1st, or 4/1, as the date to reveal Warp. The company launched a DNS service a year ago and with it the DNS applications for Android and iOS. The service supported security features like DNS-over-TLS and DNS-over-HTTPS, a strict no IP address logging policy, the deletion of logs in a 24-hour period, and fast speeds especially compared to default DNS services operated by most ISPs. Cloudflare calls Warp a "VPN for people who don't know what V.P.N. stands for". The explanation that Cloudflare gives is relatively weak: according to Cloudflare, it is the simplicity that makes it attractive to users who don't know about VPN services. The explanation is weak as Cloudflare's solution is not the first that offers a simple option to use a VPN. Warp encrypts all Internet traffic, respects end-to-end encryption, and does not require that users install a root certificate on their devices. Unencrypted Internet connections will be encrypted but only between the user's device and Cloudflare's server (similarly to how all VPNs handle this). The same is true for all respected VPN services. Cloudflare promises that Warp's performance, reliability, and focus on preserving power are what will set it apart from comparable services. We’ve built Warp around a UDP-based protocol that is optimized for the mobile Internet. We also leveraged Cloudflare’s massive global network, allowing Warp to connect with servers within milliseconds of most of the world’s Internet users. With our network’s direct peering connections and uncongested paths we can deliver a great experience around the world. Our tests have shown that Warp will often significantly increase Internet performance. 
Warp will be offered as a free option that is included in the company's application. Cloudflare is working on Warp+, a premium version of Warp that will be available for a "low monthly fee" for people who want more speed. It is not uncommon for companies to finance free versions of a product using premium offerings. Warp+ follows Cloudflare's web-based servicing model. The company offers a base version of Cloudflare for free and paid upgrades to unlock certain features. Cloudflare promises, in regards to the always hot topic privacy,
  • that browsing data won't be sold or used for targeted advertising.
  • that user-identifiable log data is not written to disk.
  • that users may use Warp without supplying their name, phone number or email address.
  • that it will hire third-party auditors to make sure the service delivers what is promised.
The service itself uses WireGuard combined with Cloudflare's Mobile SDK. Warp+, the premium version of Warp, will use Cloudflare's Argo next to that as well. Waiting list Android or iOS users can join the waitlist in the application. Some may not see the option to join the waitlist yet as update propagation takes some time usually. Closing Words Warp's strengths are that it is backed by a company that operates one of the largest networks on the planet, and that it will become a part of the on mobile for ease of use. Users don't have to sign up for it if they use the free version similarly to how Opera's browser VPN works. The difference is that Warp works globally while Opera's solution only in the browser. Desktop applications will be released at a later point in time. Warp won't convince users that distrust Cloudflare, but the success of the application has shown that there is a huge market out there for such a product. Source: Cloudflare announces Warp VPN service (gHacks - Martin Brinkmann)
  23. At a moment when free speech online and moderation policies are more controversial than ever, Cloudflare is facing accusations that it’s providing cybersecurity protection for at least seven terrorist organizations—a situation that some legal experts say could put it in legal jeopardy. Cloudflare offers a wide range of services that are fundamental to operating a modern website, such as DDoS protection that prevents a site from being overwhelmed by too many simultaneous requests. It’s a massive organization that claims to handle 10 percent of all internet requests and is reportedly preparing a $3.5 billion IPO. On Friday, HuffPost reported that it has reviewed numerous websites run by terrorist organizations and confirmed with four national security and counter-extremism experts that the sites are under the protection of Cloudflare’s cybersecurity services. From the report: While private companies like Facebook place certain limits on speech in their terms of service, Cloudflare prefers to remain as hands off as possible. Being a Facebook user is a choice that anyone can make for themselves and the price of admission includes playing by its rules. But services like hosting, domain registration, and the kind of protection that Cloudflare offers go to the heart of the internet’s infrastructure. Going as far back as 2012, Cloudflare’s CEO Matthew Prince has pushed back on the idea that the company should police speech and today its policy is strictly to comply with legal obligations. At least, that’s its operational policy. The policy from its terms of use gives Cloudflare the right to terminate services “with or without notice for any reason or no reason at all.” Last year, Prince broke with his own standards and discontinued his company’s work with the neo-Nazi website the Daily Stormer. At the time, Prince wrote to employees in an internal email: “I think the people who run The Daily Stormer are abhorrent. 
But again I don’t think my political decisions should determine who should and shouldn’t be on the internet.” That doesn’t mean that Prince doesn’t consider terrorism abhorrent, which in the case of the Daily Stormer, he freely admitted, “I woke up this morning in a bad mood and decided to kick them off the Internet.” Since then, he’s remained an absolutist when it comes to free speech and neutrality towards customers. The issue that HuffPost raises is whether Cloudflare is providing “material support” to sanctioned organizations. Some attorneys told HuffPost that it may be in violation of the law. Others, like the Electronic Frontier Foundation, argue that “material support” can and has been abused to silence speech. Cloudflare’s general counsel, Doug Kramer, told Gizmodo over the phone that the company works closely with the U.S. government to ensure that it meets all of its legal obligations. He said that it is “proactive to screen for sanctioned groups and reactive to respond when it’s made aware of a sanctioned group” to which it may be providing services. HuffPost spoke with representatives from the Counter Extremism Project, who expressed frustration that they’ve sent four letters to Cloudflare over the last two years identifying seven terrorist-operated sites without receiving a reply. Kramer would not address any specific customers or situations when speaking with Gizmodo. He said that’s simply company policy for reasons of protecting privacy. Kramer did say that just last week the company had a political pressure group request that it discontinue its services for a website that had been linked to a “warlord” on the other side of the world. He said that some people in the country were under U.S. sanctions, but not the specific person that was identified by the group, and therefore it didn’t take action. 
I asked if Cloudflare ever continues to provide services for a sanctioned group at the request of a government agency, for example if that agency wants to continue monitoring a specific website. Kramer said he was “not aware” of the company ever having “a situation like that.” He did say that Cloudflare has never been sent a request from the U.S. government to discontinue services for any customer. He speculated that the reason for that is because it doesn’t provide hosting and if the government wants to take down a website they tend to go elsewhere. Kramer says the only requests tend to come from political pressure groups and individuals. As deplatforming and boycott pressure has become an increasingly effective political tool, we’re more likely to see groups targeting infrastructure services. It’s up for debate whether that’s a good thing or not, but it will likely be much more consequential than losing your verified checkmark on Twitter. More At [HuffPost] Source
  24. Cloudflare has announced that they are expanding their domain registrar services so that all of their customers can register or renew a domain at cost. You heard me right. No more paying extra fees to register a domain. You pay what Cloudflare pays for a domain registration or renewal. Cloudflare already acts as a registrar for their enterprise clients, but have now expanded their service so that all of their customers can use them to register new domains or manage existing ones. “When we looked at the marketplace for domain registration, we were shocked at the deceitful pricing around a service that is really just a commodity,” said Matthew Prince, co-founder and CEO of Cloudflare in a blog post. “We realized that the one thing every Cloudflare customer needs is a domain, so they needed a registrar they could trust. With Cloudflare Registrar, we’re promising to offer our customers the best security practices at the best possible price. Our goal is simply to create the first domain registrar you can love.” As a registrar, for each domain that is registered, Cloudflare needs to pay a price to the company that manages the particular TLD. For example, when someone uses Cloudflare to register a .com domain, Cloudflare pays Verisign, who manages the .com TLD, $7.85 plus an ICANN fee of $0.18. This brings the total cost of a .com domain to $8.03. While most registrars would then add some extra money to make a profit, Cloudflare has stated that they will only charge a customer what they themselves have to pay. So if they have to pay $8.03 for a domain, that is all their customers will have to pay as well. Cloudflare has released the costs for registering .com, .net, .info, and .org domains. A .com domain would cost $8.03, a .net would cost $9.95, a .info would cost $11.02, and a .org would cost $10.11. Cost to register domain with Cloudflare While saving money is always great, Cloudflare is also offering increased security for their customers. 
This includes two-factor authentication, DNSSEC, automatic domain lock, and free whois privacy. For those who are interested in registering new domains or transferring domains to Cloudflare Registrar, Cloudflare is opening up their service to existing customers first to give them a chance to take advantage of these savings. As time goes on, this service will also be opened to others. For those who are interested in trying Cloudflare Registrar, you can sign up here. Source
  25. Company launches new Cloudflare Onion Service. Only Tor Browser 8 and Tor Browser for Android users will see less or no CAPTCHAs. Cloudflare launched today a new service named the "Cloudflare Onion Service" that can distinguish between bots and legitimate Tor traffic. The main advantage of this new service is that Tor users will see far less, or even no CAPTCHAs when accessing a Cloudflare-protected website via the Tor Browser. The new Cloudflare Onion Service needed the Tor team to make "a small tweak in the Tor binary," hence it will only work with recent versions of the Tor Browser --the Tor Browser 8.0 and the new Tor Browser for Android, both launched earlier this month. Tor users who are dead tired of seeing an endless stream of Google reCAPTCHAs when accessing a Cloudflare-protected site are advised to update to one of these two versions. The new Cloudflare Onion Service is also free for all Cloudflare customers and can be enabled by switching on the "Opportunistic Encryption" option under the Crypto tab of the Cloudflare dashboard. Tor users have been complaining about seeing too many CAPTCHAs when accessing a Cloudflare-protected site for years now. In February 2016, Tor Project administrators went as far as to accuse Cloudflare of "sabotaging Tor traffic" by forcing Tor users to solve CAPTCHA fields ten times or more, in some cases. Cloudflare responded to accusations a month later, claiming the company was only showing CAPTCHAs because 94 percent of all Tor traffic was either automated bots or originating from malicious actors. Source