Jump to content

Search the Community

Showing results for tags 'cloudflare'.

More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 29 results

  1. Cloudflare's Speed Test promises better performance insights Cloudflare launched Speed Test some time ago; it is an online service that tests various networking related parameters such as the download speed, latency, or jitter. Speed tests are a dime a dozen on the Internet, and it is probably a good idea to start with Cloudflare's explanation as to why it launched its own Speed Test on the Internet. According to Cloudflare, it is all about the insights that its Internet speed test provides. Although there are a slew of speed testing tools out there, none of them give you precise insights into how they came to those measurements and how they map to real-world performance. With speed.cloudflare.com, we give you insights into what we’re measuring and how exactly we calculate the scores for your network connection. Best of all, you can easily download the measurements from right inside the tool if you’d like to perform your own analysis. Note: Performance data is collected and anonymized according to Cloudflare, but it is not sold. The company uses the data to improve its network. The code that Cloudflare uses is available on GitHub. Cloudflare Speed Test The speed test works similarly to other speed tests, e.g. Netflix Fast, in that it runs the measurements automatically when you connect to the site. The test takes a moment to complete as it will perform a number of operations including multiple file downloads. Cloudflare's announcement hints that Speed Test measures upload speed as well but disabled it because it received reports of incorrect measurements on "very fast connections". Speed Test displays the average download speed as well as the average latency and jitter at the top. There is also a graph that highlights performance over time. Below that is the device's IP address, and a map that displays the server location. The latency measurements and download measurements are provided as bar graphs and tabular data. Multiple tests are performed by Speed Test, and tables highlight each attempt and the measured performance. You may hover over i-icons and bars for additional information. The i-icons provide descriptions of the conducted tests for the most part while the bar overlays values such as min and max speeds. Interested users may download the speed data to the local system. A click on the download icon near the top downloads the data as a CSV file to the local system. You may open it in a compatible program, e.g. Microsoft Excel, afterwards. Closing Words Speed Test is a straightforward Internet performance testing service by Cloudflare that provides a good amount of information. Users may download the data to their systems and check out the code that Cloudflare uses. Some may have reservations against using Cloudflare's service because of the data collecting that is going on. Then again, most Speed Test sites appear to collect data, and some may even sell the data that they gather. Cloudflare's Speed Test promises better performance insights
  2. Cloudflare launches For Families with filter support Cloudflare launched its DNS service back in 2018 (on April 1) to the public promising a fast, private, and secure service. The company promised that would be privacy-friendly, that it would not sell user data or use it for targeted advertising, and revealed that the service would never log full user IP addresses and erase logs every 24 hours. A recently published audit by independent auditing companyKPMG uncovered some minor issues but backed up Cloudflare's claims. Yesterday, on April 1, Cloudflare announced an expansion of its DNS service called for Families which adds new DNS Server IP addresses and filters to the service to block certain requests automatically. Users who used OpenDNS and some other DNS providers in the past may recall that these providers offered something very similar for quite some time already. Filtering functionality was the number one request from home users according to Cloudflare and the main reason why for Families was created. For Families for Families comes in two different versions: the first blocks known malware requests, the second malware and adult requests. Here is the information required to use the new DNS servers on your devices: Malware Blocking Only Primary DNS: Secondary DNS: IPv6: 2606:4700:4700::1112 IPv6: 2606:4700:4700::1002 Malware and Adult Content Primary DNS: Secondary DNS: IPv6: 2606:4700:4700::1113 IPv6: 2606:4700:4700::1003 Cloudflare DNS without Filtering Primary DNS: Secondary DNS: IPv6: 2606:4700:4700::1111 IPv6: 2606:4700:4700::1001 The filtering is automated at this point in time; Cloudflare plans to introduce management options in the coming months to whitelist or blacklist sites, schedule filters for certain times of the day, and more. For now, the only option that you have to bypass filters, e,g. when a non-malware or non-adult site is blocked, is to switch the DNS service. How to set up for Families Windows users may do the following to replace the current DNS provider with Cloudflare's: Use the keyboard shortcut Windows-R to open the run box. Type netcpl.cpl to open the Network and Sharing Center (note that this may not be available in the newest builds of Windows 10) If it is not available, right-click on the network icon in the System Tray and select Open Network and Internet settings. On the page that opens, click on "change adapter options". Right-click on the active connection and select properties from the menu. Double-click on "Internet Protocol Version 4 (TCP/IPv4) Switch to "Use the following DNS server addresses". Enter the primary and secondary DNS server in the respective fields. Close the configuration window. Pro Tip: You may also change DNS servers using PowerShell. Here is how that is done: Use Windows-X to display the "secret" menu. Select Windows PowerShell (Admin) from the menu to open an elevated PowerShell console. Confirm the UAC prompt. Run the command Get-NetIPConfiguration and note the value of InterfaceIndex of the Network Adapter that you are using (use other information, e.g. the InterfaceAlias value to identify the right interface if multiple are available). Modify the command Set-DnsClientServerAddress -InterfaceIndex 10 -ServerAddresses, and run it afterward. Change the value after -InterfaceIndex to the right one on your device, and the IP addresses behind ServerAddresses to the desired DNS servers (first primary then secondary) Installation guides are available here for routers, Linux, Windows, and Mac. Cloudflare has created applications for Android and iOS that users may download to use the DNS service on their devices. You may use a program like Gibson's DNS Bechmark to test the performance of the servers. Source: Cloudflare launches For Families with filter support (gHacks - Martin Brinkmann)
  3. Cloudflare’s WARP VPN is launching in beta for macOS and Windows It will be available to WARP+ subscribers first Cloudflare’s WARP VPN service began its life last year as a free add-on to the company’s app — which itself is a DNS resolver application that promises faster internet — and was immediately popular. (There were, at one point in time, approximately 2 million people on its waiting list.) Today, the company announced in a blog post that it’s bringing WARP to macOS and Windows in beta. “While we announced the beta of with WARP on April 1, 2019 it took us until late September before we were able to open it up to general availability,” writes Matthew Prince, the company’s CEO. “We don’t expect the wait for macOS and Windows WARP to be nearly as long.” The beta will be available first to WARP+ subscribers — who pay to use Cloudflare’s Argo network, which makes their internet speeds even faster — with invites sent out sometime in the next few weeks. “The WARP client for macOS and Windows relies on the same fast, efficient Wireguard protocol to secure Internet connections and keep them safe from being spied on by your ISP,” Prince writes. “Also, just like WARP on the mobile app, the basic service will be free on macOS and Windows.” Linux support, he says, is coming soon. Source: Cloudflare’s WARP VPN is launching in beta for macOS and Windows (The Verge)
  4. New TLS protocol extension will shorten the window an attacker has to perform a man-in-the-middle attack. Facebook, Mozilla, and Cloudflare announced today a new technical specification called TLS Delegated Credentials, currently undergoing standardization at the Internet Engineering Task Force (IETF). The new standard will work as an extension to TLS, a cryptographic protocol that underpins the more widely-known HTTPS protocol, used for loading websites inside browsers via an encrypted connection. The TLS Delegate Credentials extension was specifically developed for large website setups, such as Facebook, or for website using content delivery networks (CDNs), such as Cloudflare. HOW TLS DELEGATE CREDENTIALS WORKS For example, a big website like Facebook has thousands of servers spread all over the world. In order to support HTTPS traffic on all, Facebook has to place a copy of its TLS certificate private key on each one. This is a dangerous setup. If an attacker hacks one server and steals the TLS private key, the attacker can impersonate Facebook servers and intercept user traffic until the stolen certificate expires. The same thing is also valid with CDN services like Cloudflare. Anyone hosting an HTTPS website on Cloudflare's infrastructure must upload their TLS private key to Cloudflare's service, which then distributes it to thousands of servers across the world. The TLS Delegate Credentials extension allows site owners to create short-lived TLS private keys (called delegated credentials) that they can deploy to these multi-server setups, instead of the real TLS private key. The delegated credentials can live up to seven days and can be rotated automatically once they expire. TLS DELEGATED CREDENTIALS SHORTENS MITM ATTACK WINDOW The most important security improvement that comes with this new TLS extension is that if -- in the worst-case scenarios -- an attacker does manage to hack a server, the stolen private key (actually a delegated credential) won't work for more than a few days, rather than weeks, months, or even a year, as it does now. You can read more in-depth technical explanations about the new TLS Delegated Credentials extensions on the Facebook, Mozilla, and Cloudflare blogs. The IETF draft specification is available here. TLS Delegated Credentials will be compatible with the TLS protocol v1.3 and later. Source: Facebook, Mozilla, and Cloudflare announce new TLS Delegated Credentials standard (via ZDNet)
  5. Cloudflare releases Privacy Pass 2.0 extension Internet company Cloudflare launched the Privacy Pass extension for Firefox and Chrome back in 2017 to reduce or even eliminate the number of captchas that Internet users are exposed to. Captchas may be displayed on websites as a form of verification to ensure that the visiting user is a human being and not a bot. Cloudflare operates one of the latest networks on the Internet that many sites use for protection against DoS attacks and for various other functions. If you connect to the Tor network or VPN networks regularly, you may have noticed that the number of captchas that you are need to solve to access sites increases significantly over regular Internet connections. One of the main issues is that the regular system does not take into account previously solved captchas. If you visited a site and solved a captcha, you may still be asked to verify another one on another site. Privacy Pass has been created in collaboration with researchers from several universities to bypass captchas without sacrificing privacy in the process. Privacy Pass, in a nutshell, allows clients to provide proof of trust without revealing where and when the trust was provided. The aim of the protocol is then to allow anyone to prove they are trusted by a server, without that server being able to track the user via the trust that was assigned. Basically, what happens is that users get tokens in advance that may be used later on to bypass captures that would otherwise be displayed. A simple visit to a captcha page could fill up tokens to 30 which would then be used automatically when compatible pages are encountered that require additional verification. Cloudflare launched Privacy Pass 2.0 for Firefox and Chrome on October 28, 2019. The new version makes the extension easier to use, integrates a new service provider (non Cloudflare), and improves the technology used by the extension. The, rather technical, post on the Cloudflare blog provides detailed information on the new version. One interesting new feature is the unlocking of the extension for other services. Cloudflare revealed that a new version of the extension will roll out soon that supports the provider hCaptcha. Internet users who solve a captcha provided by the provider will receive tokens if they run Privacy Pass that will be used automatically on other sites that use the provider's captcha solution. Closing Words The new version of the extension won't convince users who distrust Cloudflare to give it a try. Users who run into captchas, especially those by Cloudflare, regularly, may benefit from it as it should reduce the number of captchas that they are exposed to. Source: Cloudflare releases Privacy Pass 2.0 extension (gHacks - Martin Brinkmann)
  6. This week a zero-day vBulletin remote code execution vulnerability and exploit was publicly disclosed and is being used by bad actors to attack vBulletin forums. Cloudflare has now created a special rule that will prevent this exploit from working on vBulletin sites behind Cloudflare's service. Remote code execution vulnerabilities are the most critical as they allow attackers to execute commands, take over a site, install malware, or even distribute malware from a victim's computer and web site. Since the vBulletin exploit was released, threat actors have been seen heavily utilizing it to hack into vBulletin servers to recruit them into a botnet or for other purposes. To protect users, Cloudflare has created a new rule for their Web Application Firewall that will detect and block this exploit. This means that vBulletin sites using Cloudflare and who have their firewall enabled will not be affected by the exploit. New Cloudflare vBulletin Rule While this is a great perk of being a Cloudflare customers, it is obviously more important that affected vBulletin forums install the official patch so that that the vulnerability is properly fixed. Having worked with numerous forum operators in the past, I unfortunately know that installing a patch is not always easy for administrators due to a variety of reasons. Therefore, having this extra method of protection is very useful for those who may not have FTP/shell access, but do have Cloudflare access. How to enable Cloudflare's vBulletin CVE-2019-16759 protection To use Cloudflare's new vBulletin CVE-2019-16759 protection, you need to login to your site's Cloudflare dashboard and select Firewall and then Managed Firewall. When you are at the Managed Firewall page, you will see an option titled "Web Application Firewall" at the top of the page. This option should be set to On as shown below. Web Application Firewall is Enabled Now that the firewall is enabled, you need to enable the ruleset that contains the vBulletin CVE-2019-16759 protection. To do that, scroll down the page until you see a section titled "Cloudflare Managed Ruleset" and towards the bottom you should see a ruleset titled "Cloudflare specials". To enable this ruleset, set the toggle to On as shown below. Cloudflare Specials ruleset enabled Now that this ruleset is enabled, you are protected from the recent vBulletin vulnerability and when an attacker attempts to exploit the vulnerability, they will be blocked. Cloudflare blocking the exploit You can monitor whether the protection blocks any attacks by going into the Overview section of the Firewall settings. Any blocked attempts will show up under the WAF service category. You can then click on the blocked request to see the full details of what the attacker was trying to do. Source
  7. Cloudflare's Warp VPN is now available to all: a first look Cloud provider Cloudflare launched its privacy-focused DNS service in 2018 and published apps for Android and iOS in the same year. The company announced its Warp vpn service in April 2019 and invited users from all over the world to join a waiting list to test it. The once-restricted VPN service is now available to everyone who downloads and installs the company's Faster & Safer Internet application for Android or iOS. Warp establishes a VPN connection on the device to route traffic through Cloudflare servers; this hides the device's IP address and may improve performance. Cloudflare suggests that Warp+ users see a 30% improvement in performance on average when loading websites. Cloudflare Warp The application installs a VPN profile on the user's device when the option is selected. Cloudflare promises that it collects "as little data as possible" and that it won't "sell, rent, share or otherwise disclose" personal information. The app displays the terms on first start; these reveal what Cloudflare collects and what it does with the data. Data may include the app installation id, the amount of data transferred through Cloudflare's network, and the average speed. The registration ID is a unique random number that is assigned to each profile. Cloudflare notes that it is used for the referral system. The basic version of Warp is free and it has no traffic restrictions. Warp+ is an add-on service that improves the performance of connections made on the device by "avoiding traffic jams" and picking the fastest routes. Users may refer others to receive up to 1 Gigabyte of Warp+ traffic for free per month. Each referral that meets the criteria adds 100 Megabytes to the referring account. The second option that is available is to pay $4 per month to get Warp+ Unlimited which enables Warp+ for the duration of the subscription. The Cloudflare DNS service is always enabled and it may also be used without Warp if that is desired. The application works automatically once you have set up the VPN connection. It requires no registration. The main interface displays a huge toggle to connect and disconnect the VPN. The app displays a prompt when you disconnect that lists the following options: Pause for 15 minutes. Pause for 1 hour. Pause for this Wi-Fi. Until I turn it back on. The pause for this Wi-Fi option requires that you give the app location permissions. On Android, you get a notification that informs you when you are connected and controls to stop the connection from the notification area. The app has just a few settings. You may switch from using with Warp to just there, enable the dark theme, and open the connection options to disable the app for select applications. Some applications may not work correctly when you are connected to the VPN; this may be the case for applications that restrict content regionally. Use the whitelist to exclude these to continue using them. Two connection options -- protocol options and tunnel mode -- were grayed out in the Android version that I tested. Experience I ran several speed tests to test the performance of the service. The speed tests, e.g, Fast.com, were promising as the connection was maxed out when I ran them. It is possible that this may change in the coming weeks when more and more users start to use the application. I did not notice any improvements in regards to the loading of websites but the loading was certainly not slower than before. I did not test Warp+ but plan to do so in the future to see if it speeds up the loading significantly. All sites and services that I tried worked fine and without hitches. It needs to be noted that the app does not include any content blocking or protective features that other applications of its kind sometimes offer. The application gives users no control over servers and regions that it connects to. In fact, there is zero information about the server and region that you get connected to while using the application. A quick IP check revealed that Cloudflare routed me through data servers in Germany. I would have preferred an option to pick another region/country. Closing Words Cloudflare's Faster & Safer Internet application brings the company's DNS server and VPN service to Android and iOS. The VPN is free to use and without bandwidth limitations, but it limits options and features, and gives no control over regions and servers. Performance was excellent on the other hand and you get the benefits of being connected to a VPN. Cloudflare is not without criticism though and there will certainly be Internet users who won't go anywhere near the application. Privacy-wise, I'm worried about the unique ID associated with an account even though Cloudflare states that it is only used for the referral system. It may be better than requiring users to create an account to use the application, however. Source: Cloudflare's Warp VPN is now available to all: a first look (gHacks - Martin Brinkmann)
  8. Online security and content delivery company Cloudflare priced its shares at $15 per share on Thursday afternoon, $1 per share above its raised range. The company, which will begin trading on the New York Stock Exchange on Friday, first pitched its IPO between $10 and $12 per share, which it later increased to $12 to $14. At $15 per share, the company raised $525 million in its debut. Bloomberg first reported the pricing. The figure outstrips the company’s prior known fundraising. Cloudflare raised $332.1 million as a private company, with its most recent round totaling $150 million in March 2019. The company last had a private valuation of $3.25 billion. The San Francisco-based company’s debut on the public markets–it’s listing under the ticker symbol “NET”–comes on the heels of some potentially troubling revelations by the company. Cloudflare said in an updated filing on Wednesday that it “may have failed to comply with certain U.S. export-related filing and reporting requirements and may have submitted incorrect information to the U.S. government in connection with certain hardware exports.” “We identified that our products were used by, or for the benefit of, certain individuals and entities included in OFAC’s Specially Designated Nationals and Blocked Persons List (the SDN List), including entities identified in OFAC’s counter-terrorism and counter-narcotics trafficking sanctions programs, or affiliated with governments currently subject to comprehensive U.S. sanctions,” the company wrote in the filing. The news of the disclosure was first reported by the Wall Street Journal on Tuesday, but the company was still able to price above its target range. We’ll see how other investors feel about the company and its new valuation when it starts trading tomorrow. Source
  9. Cloudflare, a content delivery and Internet security firm, set an initial price range for its IPO this morning. The San Francisco-based company will target a per-share price of $10 to $12 when it goes public in the coming weeks. Selling an expected 35 million shares in its IPO, Cloudflare could raise as much as $420 million in the share sale. Add in the 5.25 million shares reserved for its underwriting banks, and the company could gross $483 million at $12 per share, the top of its range. According to its new S-1/A filing, Cloudflare anticipates having around 293 million shares outstanding when it goes public, valuing the firm between a little over $2.9 billion, and $3.5 billion. Given that the firm was last valued at $3.25 billion while private, it’s quite possible that the firm is hoping to raise its price range, giving it a higher valuation, and one larger than what its March 2019 Series E afforded it. Cloudflare has raised over $330 million during its life, including capital from Franklin Templeton Investments, Fidelity, Union Square Ventures, and NEA. Early investors include Pelion Venture Partners and Venrock. Financial Context Cloudflare generated $129.2 million in revenue during the first half of calendar 2019. That figure resulted in a gross profit of $100.0 million, giving the firm gross margins of 77.4 percent in the period. That’s perfectly fine for a software-style business, even if we have seen the occasional higher figure from companies like Slack. In the first half of 2019, Cloudflare posted revenue growth of 48.3 percent, along with a slightly higher net loss in dollar terms. The company’s net loss in percent-of-revenue terms fell from 37.3 percent in the first half of 2018 to 28.5 percent in the first half of 2019. Both figures, however, represent deteriorations from prior results, most especially the company’s 2017 results. In that year, Cloudflare grew revenue from $84.8 million to $134.9 million while losing just $10.8 million on a net basis. What’s driving the rise in losses measured in dollar, and not percent-of-revenue terms at Cloudflare? One answer is rising sales and marketing costs. In the first half of 2019, Cloudflare’s sales and marketing line item rose to 52 percent of revenue, the highest result listed including data going back to 2016. The company notes that sales and marketing headcount saw a “57 [percent] increase” from the first half of 2018 to the first half of 2019, for example. But as we noted in our first coverage of the company’s results, accelerating revenue growth and falling operating cash burn are an attractive pair. The above figures are largely what we already knew, but better framed today in the context of the firm’s prior, private valuation ($3.25 billion) and its new IPO price range ($2.9 billion to $3.5 billion). Has the firm generated material value gains since that Q1 2019 private market price; and if so, how much? If I was a gambling man, I’d wager $1 that we’ll see another S-1/A from Cloudflare with a new price range. Source
  10. 8chan has harbored a community of hate and three mass-shooters have now hosted manifestos on the platform. Cloudflare, a company that provides website security and internet infrastructure services, announced on Sunday that it would drop 8chan as a customer. "8chan has repeatedly proven itself to be a cesspool of hate," said Matthew Prince, Cloudflare CEO, in a statement published on late Sunday night. 8chan failed to moderate its content Prince said the site has failed to moderate its "hate-filled community." Because of this, 8chan, a forum and bulletin board, has now been the host of a third mass-shooter manifesto. Mass-shooters have uploaded manifestos explaining their actions on 8chan on three occasions before going out and committing terror attacks. The terror attack on two mosques in Christchurch, New Zealand, on March 15, 2019. Terror attack on a synagogue in Poway, California, on April 27, 2019. Attack at a Walmart store in El Paso, Texas, on August 3, 2019. The last shooting took place over the weekend, when a second mass-shooting also took place in the US, in Dayton, Ohio, although this has not been linked to 8chan. Nonetheless, both shootings have contributed to a growing voice of the US public against online communities and groups that keep harboring and radicalizing mass shooters. "The rationale is simple: they have proven themselves to be lawless and that lawlessness has caused multiple tragic deaths," Prince said. "Cloudflare is not a government" However, the Cloudflare CEO said the company struggled with the decision, as they felt they shouldn't be made to take decisions on what is good and bad on the internet. "Cloudflare is not a government," Prince said before arguing that law enforcement agencies should be the ones deciding when to ban this kind of sites from the internet, and not leave it to private companies to take these decisions. Cloudflare kicking 8chan off its infrastructure means the site is now open to DDoS attacks, among other things. Multiple hacktivists have announced online plans to attack the site after 12:00am PT on Sunday, when Cloudflare said it would drop the site from its servers. 8chan is still online, at the time of writing. The site's domain registrar has not announced a similar ban, meaning users will still be able to access the site, as the domain will still work. Second site kicked off Cloudflare after someone's death 8chan is the second controversial site that Cloudflare kicks off its infrastructure. In 2017, Cloudflare terminated The Daily Stormer, a neo-nazi news and propaganda site, after the website posted an article mocking a woman killed during white supremacy protests in Charlottesville, Virginia. Following Cloudflare's ban, the site was subsequentially banned and kicked off other platforms as well, but it has not gone down for good, continuing to operate to this day, albeit with some inconveniences and downtimes as it constantly switched web hosting providers and domain name registrars. Something similar is now expected to happen to 8chan, a website that users created from the old 4chan community and has a controversial history of its own. 8chan came to be after 4chan moderators started cracking down on violent content posted on their platform after the Gamergate sexism and harassment campaign -- with some harrassment against female gamers and journalists being called on and coordinated from the site's image boards. As a result, most of 4chan's most aggressive and extremist userbase found a new home on 8chan. "Unfortunately the action we take today won't fix hate online," the Cloudflare CEO said. "It will almost certainly not even remove 8chan from the Internet. But it is the right thing to do. Hate online is a real issue." Source
  11. Content delivery network provider Cloudflare Inc. is set to go public in September after filing a confidential S-1 application with the U.S. Securities and Exchange Commission, according to a report today from Business Insider. Cloudflare was first reported to be considering an initial public offering this year in October, but those plans were speculated to be on the back burner in March after the company raised $150 million from Franklin Resources Inc. That round is said to have valued Cloudflare at $3.2 billion with an IPO likely to see a valuation of somewhere in that vicinity as well, possibly a bit higher. Founded in 2009, Cloudflare offers a range of cloud services to improve services for websites. Best known for its CDN, the company also offers video delivery, denial-of-service protection, domain registration, security, DNS services and more. While competing with some of the biggest names in cloud services, specifically Amazon Web Services Inc., Google LLC and Akamai Technologies Inc., Cloudflare also sometimes works with them as well. In September, the company joined with Google, Microsoft Corp. and others on an initiative to lower bandwidth costs for their enterprise users. That Cloudflare would be looking for an exit for its investors this year isn’t surprising. Although the time to exit by venture capital-backed firms is getting longer, at 10 years of age Cloudflare has already past the median period for a tech startup looking to go public. Investors, who have put $332.1 million into the company to date, include Fidelity, Alphabet Inc., Microsoft, Baidu Inc. and Qualcomm Inc. Should Cloudflare go public, it won’t be the first CDN provider to do so this year. Smaller rival Fastly Inc. debuted on the New York Stock Exchange May 17 to a warm welcome from investors, popping 50% on its first day of trading on a debut price of $16 per share. Post-debut, the performance of Fastly hasn’t been great, its share price dropping as low as $17.13 a month later before rising again to have closed today at $21.70 compared to $23.99 on its first day. While investors will be looking at Fastly’s performance when considering Cloudflare, notably the company’s share price has never dipped below its float price, unlike IPOs from Uber Technoglogies Inc. and Lyft Inc. The performance of Uber and Lyft aside, most IPOs have performed strongly on debut this year with a record number of tech-related companies going public. Recent successful IPOs include Livongo Health Inc., Health Catalyst Inc., Medallia Inc. and Crowdstrike Holdings Inc. Source
  12. In a case filed in California, Cloudflare stands accused of failing to terminate customers that have been repeatedly called out as copyright infringers. The case wasn't filed by Hollywood or the major record labels, but by two manufacturers of wedding dresses. The CDN provider tried to have the case dismissed recently but in a new order, the court refuses to do so. Popular CDN and DDoS protection service Cloudflare has come under a lot of pressure from copyright holders in recent years. The company offers its services to millions of sites, including some of the world’s leading pirate sites. Many rightsholders are not happy with this. They accuse Cloudflare of facilitating copyright infringement by continuing to provide access to these platforms. At the same time, they call out the CDN service for masking the true hosting locations of these ‘bad actors’. Cloudflare’s activities have also triggered some lawsuits. Just last week, we reported that an Italian court ordered the company to terminate the accounts of several pirate sites. In the U.S. there’s an ongoing copyright infringement case as well, which brought more bad news for the company a few days ago. The case in question wasn’t filed by any of the major entertainment industry players, but by two manufacturers and wholesalers of wedding dresses. Not a typical “piracy” lawsuit, but it’s a copyright case that could have broad effects. In a complaint filed at a federal court in California last year, Mon Cheri Bridals and Maggie Sottero Designs argued that even after multiple warnings, Cloudflare fails to terminate sites operated by counterfeit vendors. This makes Cloudflare liable for the associated copyright infringements, they said. Cloudflare responded to the allegations and in April it filed a motion to dismiss the complaint. The company said that the rightsholders failed to state a proper claim, as the takedown notices were not proof of infringement, among other things. In addition, the notices were not formatted properly. “Plaintiffs characterize their notifications as ‘credible’ without stating any facts that demonstrate their credibility. In any event, defective notifications, like those the plaintiffs sent to Cloudflare, cannot support any claim of actual knowledge,” Cloudflare argued. According to Cloudflare, the notifications “may or may not be true”. Without a court determining whether they are accurate or not, the company says they don’t “convey actual knowledge of infringement.” As such, the company doesn’t believe it can be held liable. District Judge Vince Chhabria disagrees, however. In an order signed a few days ago he denies the motion to dismiss. According to the Judge, the allegations and claims made by the wedding dress manufacturers are sufficient at this stage of the case. “Cloudflare’s main argument – that contributory liability cannot be based on a defendant’s knowledge of infringing conduct and continued material contribution to it – is wrong,” Judge Chhabria writes. “Allegations that Cloudflare knew its customer-websites displayed infringing material and continued to provide those websites with faster load times and concealed identities are sufficient to state a claim,” he adds. Cloudflare also pointed out other deficiencies in the notices, and stressed that it’s not a hosting provider, but these comments were countered too. At this stage of the case, it’s enough to show that Cloudflare was aware of the alleged infringements, the Court notes. “The notices allegedly sent by the plaintiffs gave Cloudflare specific information, including a link to the offending website and a link to the underlying copyrighted material, to plausibly allege that Cloudflare had actual knowledge of the infringing activity,” Judge Chhabria writes. The denial of Cloudflare’s motion to dismiss means that the case will move forward. While the case has nothing to do with traditional pirate sites, any rulings could spill over, which means that other copyright holders will watch this case closely. Mon Cheri Bridals and Maggie Sottero ultimately hope to recoup damages for the losses they’ve suffered as well preliminary and permanent injunctive relief to stop all infringing activity. Cloudflare, for its part, will argue that it’s not actively participating in any infringing activity and that it merely has a role as a third-party intermediary, which is not liable for the alleged infringing activities of its customers. A copy of District Judge Vince Chhabria’s order is available here (pdf). VIEW: Original Article.
  13. The culprit? .*(?:.*=.*) Cloudflare has published a detailed and refreshingly honest report into precisely what went wrong earlier this month when its systems fell over and took a big wedge of the internet with it. We already knew from a quick summary published the next day, and our interview with its CTO John Graham-Cumming, that the 30-minute global outage had been caused by an error in a single line of code in a system the company uses to push rapid software changes. Even though that change had been run through a test beforehand, the blunder maxed out Cloudflare's servers CPUs and caused customers worldwide to get 502 errors from Cloudflare-backed websites. The full postmortem digs into precisely what went wrong and what the biz has done and is doing, to fix it and stop any repetition. The headline is that it was a cascade of small mistakes that caused one almighty cock-up. We're tempted to use the phrase-du-jour "perfect storm," but it wasn't. It was a small mistake and lots of gaps in Cloudflare's otherwise robust processes that let the mistake escalate. First up the error itself – it was in this bit of code: .*(?:.*=.*). We won't go into the full workings as to why because the post does so extensively (a Friday treat for coding nerds) but very broadly the code caused a lot of what's called "backtracking," basically repetitive looping. This backtracking got worse – exponentially worse – the more complex the request and very, very quickly maxed out the company's CPUs. So the three big questions: why wasn't this noticed before it went live? How did it have such a huge impact so quickly? And why did it take Cloudflare so long to fix it? The post answers each question clearly in a detailed rundown and even includes a lot of information that most organizations would be hesitant to share about internal processes and software, so kudos to Cloudflare for that. But to those questions… I see you CPU The impact wasn't noticed for the simple reason that the test suite didn’t measure CPU usage. It soon will – Cloudflare has an internal deadline of a week from now. The second problem was that a software protection system that would have prevented excessive CPU consumption had been removed "by mistake" just a weeks earlier. That protection is now back in although it clearly needs to be locked down. The software used to run the code – the expression engine – also doesn't have the ability to check for the sort of backtracking that occurred. Cloudflare says it will shift to one that does. So that's how it got through the checking process: what about the speed with which it impacted everyone? Here was another significant mistake: Cloudflare seems to have got too comfortable with making changes to its Web Application Firewall (WAF). The WAF is designed to be able to quickly provide protection to Cloudflare customers – it can literally make changes globally in seconds. And Cloudflare has in the past put this to good use. In the post, it points to the fast rollout of protections against a SharePoint security hole in May. Very soon after the holes were made public, the biz saw a lot of hacking efforts on its customers' system and was able to cut them off almost instantly with an update pushed through WAF. This kind of service is precisely what has given Cloudflare its reputation – and paying clients. It deals with the constant stream of security issues so you don't have to. But it uses the system a lot: 476 change requests in the past 60 days, or the equivalent of one every three hours. The code that caused the problem was designed to deal with new cross-site scripting (XSS) attacks the company had identified but – and here’s the crucial thing – it wasn't urgent that that change be made. So Cloudflare could have introduced it in a slower way and noticed the problem before it became a global issue. But it didn't; it has various testing processes that have always worked and so it put the expression into the global system – as it has with many other expressions. Cloudflare justifies this by pointing to the growing number of CVEs – Common Vulnerabilities and Exposures – that are published annually. War Games redux The impact however was that it created an instant global headache. What's more the code itself was being run in a simulation mode – not in the full live mode – but because of the massive CPU consumption that it provoked, even within that mode it was able to knock everything offline as servers were unable to deal with the processing load. That's where it all went wrong. Now, why did it take Cloudflare so long to fix it? Why didn't it just do a rollback within minutes and solve the issue while it figured out what was going on? The post gives some interesting details that will be familiar to anyone that has ever had to deal with a crisis: the problem was noticed through alerts and then everyone scrambled. The issue had to be escalated to pull in more engineers and especially more senior engineers who are allowed to make big decisions about what to do. The mistakes here are all human: first, you have to physically get other human beings in front of screens, on phones, and in chatrooms. Then you have to coordinate quickly but effectively. What is the problem? What is causing it? How can we be sure that's right? People get panicky under pressure and can easily misread or misunderstand the situation or decide the wrong thing. It takes a cool head to figure out what the truth is and figure out the best way to resolve it as quickly as possible. It appears from Cloudflare's post that the web biz actually did really well in this respect – and we can have some degree of confidence in its version of events thanks to the timeline. Despite the obvious initial thought that the company was under some kind of external attack, it pinpointed the issue as being the WAF within 15 minutes of receiving the first alert. Which is actually a pretty good response time considering that no one was watching this rule change. It was a routine update that went wrong. But there were several crucial delays. First the automated emergency alerts took three minutes to arrive. Cloudflare admits this should have been faster. Second, even though a senior engineer made the decision to do a global kill on the WAF two minutes after it was pinpointed as the cause of the problem, it took another five minutes to actually process it. Slow death Why? Because the people authorized to issue the kill hadn't logged into the system for a while and the system's protection system had logged them out as a result. They had to re-verify themselves to get into the system. When they did and authorized the kill, two minutes later it had kicked in globally and traffic levels went down to normal – making it clear that it was in fact the WAF that was the problem. This is the timeline: 13.42: Bad code posted 13.45: First alert arrives (followed by lots of others) 14.00: WAF identified as the problem 14.02: Global kill on WAF approved 14.07: Kill finally implemented (logging in) 14.09: Traffic back to normal Cloudflare has changed its systems and approach in response so in future this response time should go from 27 minutes to around 20 minutes (assuming it will always take some amount of time to figure out where the problem lies in a previously unidentified issue.) At this point, the problem was identified but WAF had been taken down so people were still experiencing problems. The Cloudflare team then had to figure out what in WAF had gone wrong, fix it, check it, and then restart it. That took 53 minutes. This is where the impressive openness and honesty from Cloudflare up until this point gets a little more opaque. One paragraph covers this entire process: "Because of the sensitivity of the situation we performed both negative tests (asking ourselves “was it really that particular change that caused the problem?”) and positive tests (verifying the rollback worked) in a single city using a subset of traffic after removing our paying customers’ traffic from that location. At 14:52 we were 100 per cent satisfied that we understood the cause and had a fix in place and the WAF was re-enabled globally." There's no more information than that, although it does mention later on that "the rollback plan required running the complete WAF build twice, taking too long." Timing off It also mentions that the Cloudflare team "had difficulty accessing our own systems because of the outage and the bypass procedure wasn’t well trained on" – although it's not clear if that leads to delays in fixing the WAF. It's hard to know without more detail whether Cloudflare did a great job here or whether its systems were found lacking - given its global reach and that it's entire function as a company is around this kind of work. For example: how long after the WAF was taken down did the engineer manage to pinpoint the specific code that caused the problem? Did it figure it out in five minutes and then run 47 minutes of tests? Or did it take them 47 minutes to find it and run five minutes of tests? The fact that Cloudflare doesn't say in an otherwise very detailed and expansive post suggests that this was not its finest hour. You would imagine that it would simply bring up a log of all the changes made just prior to the problems, cut those changes out, rebuild, and test. Maybe it did. Is 53 minutes a good timeframe to rebuild something that had just caused worldwide outages and put it live again? What do Reg readers think? Anyway, that's how it went down. To its credit, Cloudflare also acknowledges that its communication during the crisis could have been better. For obvious reasons, all of its customers were clamoring for information but all the people with the answers were busy fixing it. Worse, customers lost access to their Cloudflare Dashboard and API - because they pass through the Cloudflare edge which was impacted – and so they were really in the dark. The business plans to fix both these issues by adding automatic updates to its status page and by having a way to bypass the normal Dashboard and API approach in an emergency, so people can get access to information. So there you have it. It's not clear how much an impact this cock-up has had on people's confidence with Cloudflare. The post is keen to point out the company hasn't had a global outage in six years – not including Verizon-induced problems of course. Its honesty, clear breakdown and list of logical improvements – including not posting non-urgent updates to its super-fast global update system - will go some way to reassure customers that Cloudflare is not going all-Evernote and building more and more services on top of sub-optimal code. With luck it will be another six years until the Cloudflare-reliant internet goes down. Source
  14. Cloudflare, a company providing performance and security to websites, is having network problems of its own this morning — and taking down a lot of its customers’ sites and apps in the process. Affected companies include podcast app Overcast, chat service Discord, managed hosting provider WP Engine, eCommerce hosting provider Sonassi, public web front-end CDN service CDNJS, and many others — including the sites that rely on the web hosting or who partner with Cloudflare for their CDN service. According to Cloudflare, it identified a possible route leak that’s impacting some of the Cloudflare IP ranges, and its working now to resolve the issue. The problems were first identified around 7:02 AM EST, says Cloudflare, and the problem was identified shortly thereafter. Its status page has been providing continual updates. The company said at 8:34 AM EST, “this leak is impacting many internet services including Cloudflare. We are continuing to work with the network provider that created this route leak to remove it.” Update: The company at 12:42 AM UTC / 8:42 AM EST says the issue is resolved: The network responsible for the route leak has now fixed the issue. We are seeing improvement and are continuing to monitor this before we consider this issue resolved. Source
  15. Cloudflare aims to make HTTPS certificates safe from BGP hijacking attacks Free service prevents BGP hijackers from fraudulently obtaining browser-trusted certs. Enlarge nternet1.jpg by Rock1997 modified. Content delivery network Cloudflare is introducing a free service designed to make it harder for browser-trusted HTTPS certificates to fall into the hands of bad guys who exploit Internet weaknesses at the time the certificates are issued. The attacks were described in a paper published last year titled Bamboozling Certificate Authorities with BGP. In it, researchers from Princeton University warned that attackers could manipulate the Internet’s border gateway protocol to obtain certificates for domains the attackers had no control over. Browser-trusted certificate authorities are required to use a process known as domain control validation to verify that a person requesting a certificate for a given domain is the legitimate owner. It requires the requesting party to do one of three things: create a domain name system resource record with a specific text string; upload a document with a specific text string to a Web server using the domain; prove receipt of the email address containing a text string sent to the administrative contact for the domain The Princeton researchers demonstrated that this validation process can be bypassed by BGP attacks. Before applying for a certificate to a targeted domain, an adversary can update the Internet’s BGP routing tables to hijack traffic destined for the domain. Then, when a CA checks the DNS record or visits a URL, the CA's query goes to an attacker-controlled server rather than the legitimate server of the domain operator. When the attacker is able to produce the text string designated by the CA, that is considered proof of domain ownership and the CA issues a certificate to the wrong party. Reining it in But these attacks come with limitations. BGP attacks usually hijack only a portion of a domain’s incoming traffic, rather than all of it. As a result, computers in one part of the world will be directed to the attacker’s imposter server, while computers elsewhere will still reach the legitimate server. Cloudflare, with more than 175 datacenters worldwide, is unveiling a new service called multipath domain control validation that’s designed to exploit this limitation of BGP hijacking. As its name suggests, it performs the validation process from multiple origins that follow different Internet paths to the domain. Unless the results from multiple queries are identical, the validation will fail. “We’re going to be leveraging Cloudflare’s global network to perform this domain check, whether it’s DNS or HTTP, from various vantage points that are connected through various networks,” Nick Sullivan, head of cryptography at Cloudflare, told Ars. “If you’re hijacked, [the fraudulent data] only applies to a subset of the requests.” Agents and orchestrators Cloudflare will be making a programming interface available for free to all certificate authorities. The multipath check for domain control validation consists of two services: agents that perform domain validation out of a specific datacenter, and a domain validation “orchestrator” that handles multipath requests from CAs and dispatches them to a subset of agents. When a CA wants to ensure a domain validation hasn’t been intercepted, it can send a request to the Cloudflare API that specifies the type of check it wants. The orchestrator then forwards a request to more than 20 randomly selected agents in different datacenters. Each agent performs the domain validation request and forwards the result to the orchestrator, which aggregates what each agent observed and returns the results to the CA. Sullivan said Cloudflare has designed the new service to be an effective measure against another potential domain validation attack that spoofs IP addresses in DNS requests that use the user datagram protocol (UDP). Because the IP address of the computer making the request can be spoofed, an attacker can make a request to a targeted domain appear to come from a CA. Then, by manipulating a maximum fragment size setting, the attacker can receive a second identical response. The new Cloudflare API prevents these DNS spoofing attacks because it sends queries from multiple locations that can’t be predicted by the attacker, Sullivan said. In a message, he wrote: Multipath DCV was designed for and is primarily effective against on-path attacks. An additional feature that we built into the service that helps protect against off-path attackers is DNS query source IP randomization. By making the source IP unpredictable to the attacker, it becomes more challenging to spoof the second fragment of the forged DNS response to the DCV validation agent. Sullivan said Cloudflare is offering the service for free because the company believes that attacks on the certificate authority system harms the security of the entire Internet. He said he expects the use of multipath domain validation to become standard practice, particularly if it’s offered by other large networks. Eventually, he said, it may be mandated by the CA/browser forum, which sets industry guidelines for the issuance of TLS certificates. “I’m a little surprised this hasn’t happened yet,” Sullivan said. “We’re hoping that this announcement and this product helps spur the CA/Browser forum to adopt and require this more robust multiperspective validation for certificate authorities. It truly is a risk that hasn’t been exploited yet, and it’s just a matter of time.” Source: Cloudflare aims to make HTTPS certificates safe from BGP hijacking attacks (Ars Technica)
  16. Cloudflare revealed the company's first VPN product today called Warp which it plans to launch as part of the company's application soon. April 1st is probably the worst day to make announcements for products that do exist. Cloudflare apparently could not pass the opportunity to select April 1st, or 4/1, as the date to reveal Warp. The company launched a DNS service a year ago and with it the DNS applications for Android and iOS. The service supported security features like DNS-over-TLS and DNS-over-HTTPS, a strict no IP address logging policy, the deletion of logs in a 24-hour period, and fast speeds especially compared to default DNS services operated by most ISPs. Cloudlfare calls Warp a "VPN for people who don't know what V.P.N. stands for". The explanation that Cloudflare gives is relatively weak: according to Cloudflare, it is the simplicity that makes it attractive to users who don't know about VPN services. The explanation is weak as Cloudflare's solution is not the first that offers a simple option to use a VPN. Warp encrypts all Internet traffic, respects end-to-end encryption, and does not require that users install a root certificate on their devices.Unencrypted Internet connections will be encrypted but only between the user's device and Cloudflare's server (similarly to how all VPNs handle this). The same is true for all respected VPN services. Cloudflare promises that Warp's performance, reliability, and focus on preserving power are what will set it apart from comparable services. We’ve built Warp around a UDP-based protocol that is optimized for the mobile Internet. We also leveraged Cloudflare’s massive global network, allowing Warp to connect with servers within milliseconds of most the world’s Internet users. With our network’s direct peering connections and uncongested paths we can deliver a great experience around the world. Our tests have shown that Warp will often significantly increase Internet performance. Warp will be offered as a free option that is included in the company's application. Cloudflare is working on Warp+, a premium version of Warp that will be available for a "low monthly fee" for people who want more speed. It is not uncommon for companies to finance free versions of a product using premium offerings. Warp+ follows Cloudlfare's web-based servicing model. The company offers a base version of Cloudlfare for free and paid upgrades to unlock certain features. Cloudflare promises, in regards to the always hot topic privacy, that browsing data won't be sold or used for targeted advertising. user-identifiable log data is not written to disk. that users may use Warp without supplying their name, phone number or email address. that it will hire third-party auditors to make sure the service delivers what is promised. The service itself uses WireGuard combined with Cloudflare's Mobile SKD. Warp+, the premium version of Warp, will use Cloudflare's Argo next to that as well. Waiting list Android or iOS users can join the waitlist in the application. Some may not see the option to join the waitlist yet as update propagation takes some time usually. Closing Words Warp's strengths are that it is backed by a company that operates one of the largest networks on the planet, and that it will become a part of the on mobile for ease of use. Users don't have to sign up for it if they use the free version similarly to how Opera's browser VPN works. The difference is that Warp works globally while Opera's solution only in the browser. Desktop applications will be released at a later point in time. Warp won't convince users that distrust Cloudflare, but the success of the application has shown that there is a huge market out there for such a product. Source: Cloudflare announces Warp VPN service (gHacks - Martin Brinkmann)
  17. At a moment when free speech online and moderation policies are more controversial than ever, Cloudflare is facing accusations that it’s providing cybersecurity protection for at least seven terrorist organizations—a situation that some legal experts say could put it in legal jeopardy. Cloudflare offers a wide-range of services that are fundamental to operating a modern website, such as DDoS protection that prevents a site from being overwhelmed by too many simultaneous requests. It’s a massive organization that claims to handle 10 percent of all internet requests and is reportedly preparing $3.5 billion IPO. On Friday, HuffPost reported that it has reviewed numerous websites run by terrorist organizations and confirmed with four national security and counter-extremism experts that the sites are under the protection of Cloudflare’s cybersecurity services. From the report: While private companies like Facebook place certain limits on speech in their terms of service, Cloudflare prefers to remain as hands off as possible. Being a Facebook user is a choice that anyone can make for themselves and the price of admission includes playing by its rules. But services like hosting, domain registration, and the kind of protection that Cloudflare offers go to the heart of the internet’s infrastructure. Going as far back as 2012, Cloudflare’s CEO Matthew Prince has pushed back on the idea that the company should police speech and today its policy is strictly to comply with legal obligations. At least, that’s its operational policy. The policy from its terms of use gives Cloudflare the right to terminate services “with or without notice for any reason or no reason at all.” Last year, Prince broke with his own standards and discontinued his company’s work with the neo-Nazi website the Daily Stormer. At the time, Prince wrote to employees in an internal email: “I think the people who run The Daily Stormer are abhorrent. But again I don’t think my political decisions should determine who should and shouldn’t be on the internet.” That doesn’t mean that Prince doesn’t consider terrorism abhorrent, which in the case of the Daily Stormer, he freely admitted, “I woke up this morning in a bad mood and decided to kick them off the Internet.” Since then, he’s remained an absolutist when it comes to free speech and neutrality towards customers. The issue that HuffPost raises is whether Cloudflare is providing “material support” to sanctioned organizations. Some attorneys told HuffPost that it may be in violation of the law. Others, like the Electronic Frontier Foundation, argue that “material support” can and has been abused to silence speech. Cloudflare’s general counsel, Doug Kramer, told Gizmodo over the phone that the company works closely with the U.S. government to ensure that it meets all of its legal obligations. He said that it is “proactive to screen for sanctioned groups and reactive to respond when its made aware of a sanctioned group” to which it may be providing services. HuffPost spoke with representatives from the Counter Extremism Project, who expressed frustration that they’ve sent four letters to Cloudflare over the last two years identifying seven terrorist-operated sites without receiving a reply. Kramer would not address any specific customers or situations when speaking with Gizmodo. He said that’s simply company policy for reasons of protecting privacy. Kramer did say that just last week the company had a political pressure group request that it discontinue its services for a website that had been linked to a “warlord” on the other side of the world. He said that some people in the country were under U.S. sanctions, but not the specific person that was identified by the group, and therefore it didn’t take action. I asked if Cloudflare ever continues to provide services for a sanctioned group at the request of a government agency, for example if that agency wants to continue monitoring a specific website. Kramer said he was “not aware” of the company ever having “a situation like that.” He did say that Cloudflare has never been sent a request from the U.S. government to discontinue services for any customer. He speculated that the reason for that is because it doesn’t provide hosting and if the government wants to take down a website they tend to go elsewhere. Kramer says the only requests tend to come from political pressure groups and individuals. As deplatforming and boycott pressure has become an increasingly effective political tool, we’re more likely to see groups targeting infrastructure services. It’s up for debate whether that’s a good thing or not, but it will likely be much more consequential than losing your verified checkmark on Twitter. More At [HuffPost] Source
  18. Cloudflare has announced that they are expanding their domain registrar services so that all of their customers can register or renew a domain at cost. You heard me right. No more paying extra fees to register a domain. You pay what Cloudflare pays for a domain registration or renewal. Cloudflare already acts as a registrar for their enterprise clients, but have now expanded their service so that all of their customers can use them to register new domains or manage existing ones. “When we looked at the marketplace for domain registration, we were shocked at the deceitful pricing around a service that is really just a commodity,” said Matthew Prince, co-founder and CEO of Cloudflare in a blog post. “We realized that the one thing every Cloudflare customer needs is a domain, so they needed a registrar they could trust. With Cloudflare Registrar, we’re promising to offer our customers the best security practices at the best possible price. Our goal is simply to create the first domain registrar you can love.” As a registrar, for each domain that is registered, Cloudflare needs to pay a price to the company that manages the particular TLD. For example, when someone uses Cloudflare to register a .com domain, Cloudflare pays Verisign, who manages the .com TLD, $7.85 plus an ICANN fee of $0.18. This brings the total cost of a .com domain to $8.03. While most registrars would then add some extra money to make a profit, Cloudflare has stated that they will only charge a customer what they themselves have to pay. So if they have to pay $8.03 for a domain, that is all their customers will have to pay as well. Cloudflare has released the costs for registering .com, .net, .info, and .org domains. A .com domain would cost $8.03, a .net would cost $9.95, a .info would cost $11.02, and a .org would cost $10.11. Cost to register domain with Cloudflare While saving money is always great, Cloudflare is also offering increased security for their customers. This includes two-factor authentication, DNSSEC, automatic domain lock, and free whois privacy. For those who are interested in registering new domains or transferring domains to Cloudflare Registrar, Cloudflare is opening up their service to existing customers first to give them a chance to take advantage of these savings. As time goes on, this service will also be opened to others. For those who are interested in trying Cloudflare Registrar, you can sign up here. Source
  19. Company launches new Cloudflare Onion Service. Only Tor Browser 8 and Tor Browser for Android users will see less or no CAPTCHAs. Cloudflare launched today a new service named the "Cloudflare Onion Service" that can distinguish between bots and legitimate Tor traffic. The main advantage of this new service is that Tor users will see far less, or even no CAPTCHAs when accessing a Cloudflare-protected website via the Tor Browser. The new Cloudflare Onion Service needed the Tor team to make "a small tweak in the Tor binary," hence it will only work with recent versions of the Tro Browser --the Tor Browser 8.0 and the new Tor Browser for Android, both launched earlier this month. Tor users who are dead tired of seeing an endless stream of Google reCAPTCHAs when accessing a Cloudflare-protected site are advised to update to one of these two versions. The new Cloudflare Onion Service is also free for all Cloudflare customers and can be enabled by switching on the "Opportunistic Encryption" option under the Crypto tab of the Cloudflare dashboard. Tor users have been complaining about seeing too many CAPTCHAs when accessing a Cloudflare-protect site for years now. In February 2016, Tor Project administrators went as far as to accuse Cloudflare of "sabotaging Tor traffic" by forcing Tor users to solve CAPTCHA fields ten times or more, in some cases. Cloudflare responded to accusations a month later, claiming the company was only showing CAPTCHAs because 94 percent of all Tor traffic was either automated bots or originating from malicious actors. Source
  20. A recent DMCA subpoena has ordered Cloudflare to expose the people linked to various popular pirate sites and tools. The request, quietly submitted out of public sight, comes from a group of movie studios attempting to hold site owners responsible for piracy damages. As one of the leading CDN and DDoS protection services, Cloudflare is used by millions of websites across the globe, some of which are notorious pirate sites. The company has taken a lot of heat from copyright holders over the past few years, who want it to expose the operators of these platforms. However, instead of taking a proactive stance, Cloudflare maintains its position as a neutral service provider. If copyright holders want it to take action, they have to follow the legal process. This usually means obtaining a subpoena, ordering the company to share the personal details of its customers. This is exactly what a group of movies companies, including Bodyguard Productions, Cobbler Nevada, Criminal Productions, Dallas Buyers Club, and Venice PI, recently did through a federal court in Hawaii. These companies are involved in a series of piracy lawsuits. Best known are the so-called “copyright trolling” cases against alleged BitTorrent pirates, but more recently they began expanding their horizons to the people behind piracy services, such as the popular streaming app Showbox. The subpoena was issued in the latter case after being filed last May. The documents were not posted publicly but TorrentFreak managed to obtain a copy, which shows that the movie companies want details of the operators behind Showboxbuzz.com, Showbox.software, Rawapk.com, Popcorn-time.to, Popcorntime.sh, YTS.ag, and YTS.gg. Some additional digging revealed that no motion to quash was filed by Cloudflare, so it is likely that the requested information will be handed over. The subpoena itself doesn’t reveal anything about the intentions of the movie companies, however. The targeted sites are not listed in the original lawsuit, but it’s possible the owners are suspected of being linked to the defendants. In any case, it is clear that the movie outfits see the information as potentially valuable evidence in their legal battle. The question remains, of course, whether the information Cloudflare has on record will be of use. Many operators of pirate sites and services do their best to shield the true operators from being exposed. Source
  21. Cloudflare has settled its piracy liability lawsuit with adult publisher ALS Scan. The case in question was scheduled to go to trial with the CDN provider standing accused of contributory copyright infringement. Details of the settlement agreement have not been made public, but Cloudflare must be happy to move on. As one of the leading CDN and DDoS protection services, Cloudflare is used by millions of websites across the globe. This includes many pirate sites. In recent years many copyright holders have complained about Cloudflare’s involvement with these platforms, and in 2016 adult entertainment publisher ALS Scan took it a step further by dragging the company to court. ALS accused Cloudflare of various types of copyright infringement, noting that several of its customers used the company’s servers to distribute pirated content to the public. During the legal battle that followed, the CDN provider managed to have several counts dismissed. However, the accusation of contributory copyright infringement remained. Earlier this year California District Court Judge George Wu ruled that Cloudflare can substantially assist copyright infringements by hosting cached copies of files. Whether Cloudflare did this and could be held liable was something to be decided at trial. However, according to a recent filing, there will be no trial. This week both parties filed a joint stipulation asking the court to dismiss all claims against Cloudflare. “ALS Scan, Inc. and Cloudflare, Inc. hereby stipulate to dismissal without prejudice of the claims and action against Cloudflare, Inc., with each side bearing its own attorney’s fees, costs, and expenses,” they write. ALS Scan and Cloudflare have signed a settlement agreement behind closed doors. The terms of the deal have not been made public, but each party will attorney’s fees, costs, and other expenses. While the court retains jurisdiction over the matter in case any settlement disputes arise, the lawsuit is essentially over. Whether Cloudflare agreed to pay a settlement fee is unknown, but the agreement takes away a lot of uncertainty for the CDN provider. If they had gone to trial, where the controversial “Daily Stormer” issue could be used as evidence, the company’s fate would be in the hands of a jury. A negative decision there could have severely impacted its future. TorrentFreak requested a comment from a Cloudflare spokesperson and ALS Scan’s attorneys on the matter, but neither has responded at the time of publication. — A copy of Cloudflare and ALS Scan’s stipulation of dismissal can be found here (pdf). Source
  22. Jime234

    Changing Mobile Data DNS

    Hi, I wanted to change the DNS of the Mobile Data of my Android Smart Phone. Its a simple process to Change DNS of WiFi but Mobile Data is just something else.. I've searched and tried some apps to change DNS but then I don't know it worked or not, there is no way to check ! Has anyone here tried it ?
  23. Cloudflare and the RIAA have agreed to a tailored process through which the music labels can expand their blocking efforts against the piracy site MP3Skull, if needed. The deal is part of a lengthy legal battle during which both sides dug in their heels, to secure their bottom lines. Representing various major record labels, the RIAA filed a lawsuit against pirate site MP3Skull three years ago. With millions of visitors per month, the MP3 download portal had been one of the prime sources of pirated music for a long time. In 2016, the record labels won their case , but the site initially ignored the court order and continued to operate. This prompted the RIAA to go after third-party services including Cloudflare, demanding that they block associated domain names. Cloudflare objected and argued that the DMCA shielded the company from the broad blocking requirements. However, the court ruled that the DMCA doesn’t apply in this case, opening the door to widespread anti-piracy filtering. The court stressed that, before issuing an injunction against Cloudflare, it still had to be determined whether the CDN provider is “in active concert or participation” with the pirate site. This has yet to happen. Since MP3Skull has ceased its operations, the RIAA has shown little interest in pursuing the matter any further. While there is no longer an immediate site blocking threat, the order opened the door to similar blocking requests in the future. Cloudflare, therefore, asked the court to throw the order out, arguing that since MP3Skull is no longer available the issue is moot. A month ago, US District Court Judge Marcia Cooke denied that request, urging the parties to go back to the negotiating table and find a solution both sides can live with. In short, the solution that Cloudflare and the RIAA agreed on is that the record labels can file an emergency motion requiring the CDN provider to block new domain names of MP3Skull, if the site resurfaces. “Plaintiffs may request in such an amendment a specific direction to Cloudflare to cease providing services to websites at specified domains without needing to show that Cloudflare is in active concert or participation with the Defendants with respect to such services,” the order reads. The RIAA must inform Cloudflare in advance if it plans to file such a request, which then has the option to respond. If there are no objections, the CDN provider is required to take action within 24 hours, or a full business day, whichever is longer. This is essentially what the RIAA was after, but Cloudflare was sure to make it clear that the ruling does not mean that they are seen as operating “in active concert or participation” with the pirate site. “For the sake of clarity, the Court’s direction to Cloudflare […] is not a finding that Cloudflare is ‘in active concert or participation’ with Defendants as provided in Rule 65(d) of the Federal Rules of Civil Procedure,” it reads. This means that the order, as with the previous injunction, leaves many options open and questions unanswered. It is specifically tailored to one site, without setting in stone how similar cases will be dealt with in the future. But considering the recent pressure from rightsholders on Cloudflare, it wouldn’t be a surprise if this battle is renewed in a new arena in the future. Meanwhile, MP3Skull, the site which got this all started, hasn’t been seen online for over a year. — A copy of US District Court Judge Marcia Cooke’s order is available here (pdf). Source
  24. Cloudflare has terminated its services to the anime torrent site NYAA.si. According to Cloudflare, the pirate site tried to interfere with and thwart the operation of the company's abuse reporting systems. The site's operator, however, says he's not aware of any wrongdoing. As one of the leading CDN and DDoS protection services, Cloudflare is used by millions of websites across the globe. The company’s clients include billion dollar companies and national governments, but also personal blogs, and even pirate sites. Copyright holders are not happy with the latter category and are pressuring Cloudflare to cut their ties with sites like The Pirate Bay, both in and out of court. Cloudflare, however, maintains that it’s a neutral service provider. They forward copyright infringement notices to their customers, for example, but deny any liability for these sites. Generally speaking, the company only disconnects a customer in response to a court order, as it did with Sci-Hub earlier this year. That’s why it came as a surprise when the anime torrent site NYAA.si was disconnected this week. The site, which is a replacement for the original NYAA, has millions of users and is particularly popular in Japan. Without prior warning, it became unavailable for several hours this week, after Cloudflare removed it from its services. So what happened? TorrentFreak spoke to the operator who said that the exact reason for the termination remains a mystery to him. He reached out to Cloudflare looking for answers, but the comany simply stated that it’s about “avoiding measures taken to avoid abuse complaints,” as can be seen below. One of Cloudflare’s messages The operator says he hasn’t done anything out of the ordinary and showed his willingness to resolve any possible issues. However, that hasn’t changed Cloudflare’s stance. “We asked multiple times for clarification. We also expressed that we were willing to attempt to work with them on whatever the problem actually was, if they would explain what they even mean. “Naturally, I have been stonewalled by them at every stage. I’ve contacted numerous persons at Cloudflare and nobody will talk about this,” NYAA’s operator adds. TorrentFreak asked Cloudflare for more details and the company confirmed that the matter was related to interference with its abuse reporting systems, without providing further detail. “We determined that the customer had taken steps specifically intended to interfere with and thwart the operation of our abuse reporting systems,” Cloudflare’s General Counsel Doug Kramer informed us. Cloudflare’s statement suggests that the site took active steps to interfere with the abuse process. The company added that it can’t go into detail, but says that the reason for the termination was shared with the website owner. The website owner, on the other hand, informs us that he has no clue what the exact problem is. NYAA.si occasionally swaps IP addresses and have recently set up some mirror domains, but these were all under the same account. So, he has no idea why that would interfere with any abuse reports. “I’m honestly unsure of what we could have done that ‘circumvents” their abuse system,” NYAA’s operator says, adding that the only abuse reports received were copyright related. It’s unlikely, however, that copyright takedown notices alone would warrant account termination, as most of the largest torrent sites use Cloudflare. NYAA’s operator says he can do little more than speculate at the point. Some have hinted at a secret court order while Japan’s recent crackdown on manga and anime piracy also came to mind, all without a grain of evidence of course. Whatever the reason, NYAA.si now has to move on without Cloudflare, while the mystery remains. “Frankly, this whole thing is a joke. I don’t understand why they would willingly host much bigger sites like ThePirateBay without any issue, or even ISIS, or the various hacking groups that have used them over time,” the operator says. If more information about the abuse process interfere becomes available, we’ll definitely follow it up. torrentfreak
  25. A Florida federal court has denied Cloudflare's request to vacate a recent order which opened the door to widespread site blocking efforts. The order, obtained by the RIAA, applies to the defunct website MP3Skull but could have broader consequences. Representing various major record labels, the RIAA filed a lawsuit against pirate site MP3Skull three years ago. With millions of visitors per month the MP3 download site had been one of the prime sources of pirated music for a long time. In 2016, the record labels won their case against the MP3 download portal but the site initially ignored the court order and continued to operate. This prompted the RIAA to go after third-party services including Cloudflare, demanding that they block associated domain names. Cloudflare objected and argued that the DMCA shielded the company from the broad blocking requirements. However, the court ruled that the DMCA doesn’t apply in this case, opening the door to widespread anti-piracy filtering. The court stressed that, before issuing an injunction against Cloudflare, it still had to be determined whether the CDN provider is “in active concert or participation” with the pirate site. However, this has yet to happen. Since MP3Skull has ceased its operations the RIAA has shown little interest in pursuing the matter any further. While there is no longer an immediate site blocking threat, it makes it easier for rightsholders to request similar blocking requests in the future. Cloudflare, therefore, asked the court to throw the order out, arguing that since MP3Skull is no longer available the issue is moot. This week, US District Court Judge Marcia Cooke denied that request. Denied This is, of course, music to the ears of the RIAA and its members. The RIAA wants to keep the door open for similar blocking requests in the future. This potential liability for pirates sites is the main reason why the CDN provider asked the court to vacate the order, the RIAA said previously. While the order remains in place, Judge Cooke suggests that both parties are working on some kind of compromise or clarification and gave two weeks to draft this into a new proposal. “The parties may draft and submit a joint proposed order addressing the issues raised at the hearing on or before April 10, 2018,” Judge Cooke writes. Article
  • Create New...