
Security Service Accidentally Makes Websites 60% Faster

Soulskill posted more than 3 years ago | from the missing-the-punchline dept.

Security 81

EastDakota writes "CloudFlare was originally conceived by the team behind the open source community Project Honey Pot as an easy way to protect any website from hackers and spammers. The concern from the beginning was that it would add latency. It was quite a surprise when the free service launched 8 months ago and ended up speeding up websites by 60%."


81 comments


slashvertisement (4, Insightful)

Anonymous Coward | more than 3 years ago | (#36371340)

The article about the anti-spam article looks itself to be astroturf spam.

Re:slashvertisement (2)

DWMorse (1816016) | more than 3 years ago | (#36371384)

Yo dawg, we heard you hate news about spam, so we put spam in your news so you can hate while you hate.

Re:slashvertisement (3, Insightful)

Nursie (632944) | more than 3 years ago | (#36371440)

Badly written too. FTFA -

"In 2007 the Department of Homeland Security reached out to Prince, essentially asking him if he had any idea what technology that he owned."

WFT?

Re:slashvertisement (0)

Anonymous Coward | more than 3 years ago | (#36371496)

"Yeah, it's what technology that formerly known as electric guitar."

Re:slashvertisement (2, Funny)

Anonymous Coward | more than 3 years ago | (#36371560)

I the article and I the entire thing perfectly.

Re:slashvertisement (0)

Anonymous Coward | more than 3 years ago | (#36372462)

I and I wrote the article perfectly, thanks to a good supply of skunk.

Re:slashvertisement (1)

randizzle3000 (1276900) | more than 3 years ago | (#36379380)

Did you accidentally the whole thing or was it on purpose?

Re:slashvertisement (1)

Nestea_Zen (1111953) | more than 3 years ago | (#36381562)

rofl

Re:slashvertisement (1)

GameboyRMH (1153867) | more than 3 years ago | (#36373746)

Hey guys, I haves a good use of the words "unsbuzzle."* My lungs unsbuzzle the air from the earth, as I can breathe... it. Period.

*"embezzle"

Re:slashvertisement (1)

Anonymous Coward | more than 3 years ago | (#36372254)

>WFT?

What fe thuck?

Re:slashvertisement (5, Funny)

JWSmythe (446288) | more than 3 years ago | (#36372610)

    No, it's Old English. "What Fuck Thee?" Roughly meaning "I found you in the barn with a sheep and a goat. Which one were you fucking?"

Re:slashvertisement (2, Funny)

chill (34294) | more than 3 years ago | (#36372880)

That wasn't a sheep and a goat, that was your wife and daughter.

Re:slashvertisement (0)

Anonymous Coward | more than 3 years ago | (#36373440)

Natural mistake since they're all covered in shit.

Re:slashvertisement (1)

brusk (135896) | more than 3 years ago | (#36373946)

That would be "What fucketh thou?"

Re:slashvertisement (0)

Anonymous Coward | more than 3 years ago | (#36377232)

No, it's, "What fuckest thou?"

Re:slashvertisement (2)

bipedalhominid (1828798) | more than 3 years ago | (#36373480)

WFT = Who Fucketh Thee?

Re:slashvertisement (1)

vgerclover (1186893) | more than 3 years ago | (#36374388)

Of course! It should read The Artist Formerly Known as Prince.

Re:slashvertisement (1)

Anonymous Coward | more than 3 years ago | (#36375738)

No, now that the restriction on his name is lifted he is the Artist Formerly Known As The Artist Formerly Known As Prince.

Re:slashvertisement (2)

lee1 (219161) | more than 3 years ago | (#36375952)

The entire article is incoherent. At the point we reach this particular garbled sentence, we have no idea what Prince's relationship is with Project Honey Pot. And we never hear anything further about DHS. We don't find out how exactly CloudFlare "makes sites faster," and I have no reason to believe it does that, or anything else useful.

Re:slashvertisement (0)

Anonymous Coward | more than 3 years ago | (#36377810)

Yes - TFA was submitted by CloudFlare CEO Matthew Prince (aka EastDakota). Proof:
TFA points to CloudFlare's blog - http://blog.cloudflare.com/top-tips-for-new-cloudflare-users .
Among the contributors to CloudFlare's blog is one Matthew Prince, who also goes by "eastDakota" here http://posterous.com/people/4xgdbOrGDRWV .

Astroturf, indeed.

Oh, FTFA: "One TNW reader asked about government intervention and requests to pull sites offline...", to which Prince responded "In terms of government censorship, CloudFlare is a US-based entity and we comply with the law. We've never received a request from the US government, or any other government for that matter, to block any content. Our privacy policy states that if we are ever ordered to turn over data by a court, we will disclose that to the extent we can" [emphasis added].

While they might be doing good things, we'll never know how often or to what extent they have already cooperated with government(s). In other words, all your packets are belong to us.

I've seen this before.. (0)

Anonymous Coward | more than 3 years ago | (#36371392)

I've seen this before, I do not know how it works inside so I would NEVER trust it to be my server DNS provider.

Speed up summary (5, Informative)

Anonymous Coward | more than 3 years ago | (#36371418)

According to the article, the speed boost comes from two things: 1) CloudFlare sniffs your content and inline replaces sections of it with equivalent content all served via the same connection... so the speedup comes from only having to use a single connection to get the entire page and 2) They are a globally distributed content system with 12 global data centers, similar to Akamai but smaller in scale, allowing content to come from a location closer to the end user.

Re:Speed up summary (1)

wamatt (782485) | more than 3 years ago | (#36372784)

I still don't understand. If my site is hosted in a rack in Colo A, and users access it, it goes out via the same pipes.

Are you talking specifically if I have 3rd party widgets embedded in your site? Because in the scenario above (Colo A), I don't see how it helps vs using a regular CDN.

Re:Speed up summary (1)

datapharmer (1099455) | more than 3 years ago | (#36373370)

It only helps versus a traditional CDN in the cost arena and versus some CDNs in that it provides protection against spam and hacking.

The service works by pointing your nameserver records to them and then using them as a DNS provider: client -> DNS lookup -> CloudFlare -> Colo A

Cloudflare acts as a reverse proxy CDN by replacing some DNS records with their IPs instead of yours, so unless you tell them not to use their servers for a particular record, the host is sent to them. They check the host's IP; if it is known to be bad, it is presented with a captcha before it can go to the site. They also check for malicious queries such as SQL injection etc. and deny them. If the requestor and request string are not bad, the CDN grabs a copy of the website files, caches static content and passes it on to the client. The next query for the site grabs your site's headers and, if unchanged, passes static content on to the client from the CDN while passing dynamic content straight through from your server, which speeds up the site.
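The edge pipeline described in the comment above (requester reputation check, request-string check, static content cached and revalidated against the origin's headers, dynamic content passed straight through), as an added illustration that is not part of this thread and not CloudFlare's code. The origin content, the known-bad address (RFC 5737 test ranges), the suspicious-query pattern and the `Edge` class are all constructed for the example; the revalidation uses an ETag / If-None-Match exchange, which the comment only describes as "grabs your site's headers and if unchanged".

```python
import re
from dataclasses import dataclass, field

# Constructed origin: path -> (body, etag). Dynamic pages carry no ETag.
ORIGIN_CONTENT = {
    "/style.css": ("body{color:#000}", "v1"),
    "/index.php": ("<html>dynamic</html>", None),
}

# Constructed reputation data: requesters that get a challenge instead of the site.
BAD_IPS = {"203.0.113.9"}

STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif")
# Minimal request-string check of the kind the comment describes; a real
# rule set is far larger, this one only shows where the check sits.
SUSPICIOUS = re.compile(r"(?i)(union\s+select|'\s*or\s+'?1'?\s*=\s*'?1|;\s*drop\s+table)")


@dataclass
class Edge:
    origin_contacts: int = 0        # every round trip to the origin (headers or body)
    origin_bodies: int = 0          # only the round trips that transferred a body
    cache: dict = field(default_factory=dict)   # path -> (body, etag)

    def origin(self, path, if_none_match=None):
        """Constructed origin server: answers 304 when the cached ETag still matches."""
        self.origin_contacts += 1
        if path not in ORIGIN_CONTENT:
            return 404, None, None
        body, etag = ORIGIN_CONTENT[path]
        if etag is not None and if_none_match == etag:
            return 304, None, etag          # headers only, no body transferred
        self.origin_bodies += 1
        return 200, body, etag

    def handle(self, client_ip, path, query=""):
        """Return (decision, body) for one request arriving at the edge."""
        # 1. reputation check on the requester: known-bad gets a captcha page
        if client_ip in BAD_IPS:
            return "challenge", None
        # 2. request-string check: obviously malicious queries are denied
        if SUSPICIOUS.search(query):
            return "deny", None
        # 3. static content: serve from cache after revalidating with the origin
        if path.endswith(STATIC_SUFFIXES):
            cached = self.cache.get(path)
            status, body, etag = self.origin(path, cached[1] if cached else None)
            if status == 304:
                return "cache", cached[0]
            if status == 200:
                self.cache[path] = (body, etag)
                return "origin", body
            return "miss", None
        # 4. dynamic content is never cached; it passes straight through
        status, body, _ = self.origin(path)
        return "origin", body if status == 200 else None


if __name__ == "__main__":
    edge = Edge()
    for ip, path, q in [("203.0.113.9", "/style.css", ""),
                        ("198.51.100.2", "/index.php", "id=1 UNION SELECT 1"),
                        ("198.51.100.2", "/style.css", ""),
                        ("198.51.100.2", "/style.css", "")]:
        print(ip, path, edge.handle(ip, path, q))
    print("origin contacts:", edge.origin_contacts, "bodies:", edge.origin_bodies)
```

The second request for the stylesheet still costs one round trip to the origin (the header check), but no body; that is the saving the comment describes, and it is why the origin still sees a log line for every uncached dynamic page but not necessarily for every cached asset.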

Re:Speed up summary (1)

seanadams.com (463190) | more than 3 years ago | (#36373656)

I worked for a now defunct company called Netli that did something like this. Not caching exactly, but putting proxies on either end of the path which would optimize TCP behavior. The speedups could be quite significant especially where latencies were high (long fat pipes), because your browser normally spends a lot of time waiting for entire round trips to occur as each new connection is opened and ramped up to speed. You can also "prefetch" content because you can determine which images the client will be requesting by looking at the HTML response.

It may not make sense to you that more speed is possible through the same pipes, but if you know how TCP/HTTP works at the lowest levels you would see there are a lot of delays that can be removed by such techniques. Google actually launched an equivalent service at some point but then withdrew it.

Custom HOSTS files can achieve the same (0, Informative)

Anonymous Coward | more than 3 years ago | (#36372850)

Here's an EASIER trick, with a FREE "Tool" you already own, that's only a single text file filter for your IP stack: A custom HOSTS file, that yields the same results!

(I think it'd be interesting to see this service, COMBINED w/ what I am about to speak of in custom HOSTS files usage, and benefits to the end-user).

"According to the article, the speed boost comes from two things" - by Anonymous Coward on Wednesday June 08, @12:42AM (#36371418)

The gains HOSTS files offer in both speed, & security, are twofold:

---

FOR ADDED SPEED:

1.) Blocks out adbanners & the lag they introduce into webpage loads/downloads for consumption

2.) Hardcoding in your favorite website (to avoid DNS roundtrip lookup & result return time)

---

FOR ADDED SECURITY:

1.) Blocks out KNOWN malicious sites/servers/hosts-domain names

2.) Protection vs. DNS issues (such as the "Kaminsky flaw", or downed/compromised DNS servers that have been "redirect poisoned")

---

They work, they're free, and you can obtain one easily!

(OR, just combine ALL of the ones listed in my 'p.s.' below, & a db import of the file using a SELECT DISTINCT query can do it for example, as a way, or mvps.org offers a tool called HOSTSMAN that does it also (there are others like it as well, I designed one, & so have others)).

You already can do this yourself since any OS that uses a BSD derived IP stack already has one (even ANDROID phones), easily, & populate the custom HOSTS file yourself from the sources noted above!

(I consolidate them all into a single de-duplicated/normalized version, that which currently blocks out 1,429,303++ KNOWN bad sites/servers/hosts-domains, AND, speeds me up VERY noticeably (via blocking out adbanners, a possible threat for years now in malicious code in them & a bandwidth + speed hog OR, by 'hardcoding in' my favorite sites (to bypass DNS lookup & return roundtrip time) also))

APK

P.S.=> Here are some reputable, & reliable sources for said HOSTS file security data (as well as prebuilt HOSTS files for instant download & usage on your parts):

http://safeweb.norton.com/buzz [norton.com]

http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples [emergingthreats.net]

http://securehomenetwork.blogspot.com/search?updated-min=2011-01-01T00%3A00%3A00-05%3A00&updated-max=2012-01-01T00%3A00%3A00-05%3A00&max-results=12 [blogspot.com]

http://www.malwaredomainlist.com/hostslist/hosts.txt [malwaredomainlist.com]

http://www.malwaredomains.com/ [malwaredomains.com]

http://hosts-file.net/?s=Download [hosts-file.net]

http://www.malware.com.br/lists.shtml [malware.com.br]

https://spyeyetracker.abuse.ch/monitor.php [abuse.ch]

https://zeustracker.abuse.ch/monitor.php?filter=online [abuse.ch]

http://www.malwareurl.com/ [malwareurl.com]

http://someonewhocares.org/hosts/ [someonewhocares.org]

http://www.mvps.org/winhelp2002/hosts.htm [mvps.org]

... apk
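The consolidation step the post above describes (pulling several published HOSTS-format lists together, normalizing them, de-duplicating, and pinning a few favourite sites to a fixed address), as an added example that is not part of the thread and not the poster's own tool. The two feeds, the pinned site and its address (RFC 5737 range) are constructed for the example; real feeds come from the sources the post lists. The example goes slightly beyond the post by accepting both `127.0.0.1 host` / `0.0.0.0 host` lines and bare one-domain-per-line lists, since the listed sources use both layouts.

```python
import re
from typing import Iterable

# Constructed sample feeds in the two layouts such lists commonly use.
FEED_A = """\
# sample feed A (constructed): hosts-file layout
127.0.0.1 localhost
127.0.0.1 ads.example.net  # banner network
0.0.0.0   tracker.example.org
"""
FEED_B = """\
; sample feed B (constructed): one domain per line, mixed case
ADS.EXAMPLE.NET
malware.example.com
not a domain
"""

# Sites to pin to a fixed address so no DNS round trip is needed.
# Constructed values; a real pin has to be kept current by hand.
PINS = {"favorite.example": "192.0.2.10"}

BLOCK_TARGET = "0.0.0.0"          # non-routable sink for blocked names
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "local"}
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")


def hostnames_from_feed(text: str) -> set:
    """Extract blocklisted hostnames from one feed, whatever its layout."""
    names = set()
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        # hosts-format lines carry an address first; bare lists carry only names
        candidates = fields[1:] if re.match(r"^[0-9.:]+$", fields[0]) else fields
        for name in candidates:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not HOSTNAME.match(name):
                continue            # loopback entries and junk never get blocked
            names.add(name)
    return names


def merge_hosts(feeds: Iterable[str], pins: dict) -> str:
    """Build one normalized hosts file: loopback, pins, then a sorted de-duplicated blocklist."""
    blocked = set()
    for feed in feeds:
        blocked |= hostnames_from_feed(feed)
    blocked -= set(pins)   # a pinned site must never be shadowed by a block entry
    lines = ["127.0.0.1 localhost"]
    lines += [f"{addr} {name}" for name, addr in sorted(pins.items())]
    lines += [f"{BLOCK_TARGET} {name}" for name in sorted(blocked)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(merge_hosts([FEED_A, FEED_B], PINS), end="")
```

Two caveats a practitioner would want next to this: a hosts file matches exact names only, so every sub-domain to be blocked needs its own line, and a pinned address silently goes stale when the site moves, which is the trade-off for skipping the DNS lookup.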

Re:Custom HOSTS files can achieve the same (-1)

gavron (1300111) | more than 3 years ago | (#36372936)

Please mod the parent +1. It is informative. It is substantive, and this entire thread shouldn't exist because /. isn't how companies are supposed to astroturf/advertise their slimy-ass products.

Thank-You: It'd be interesting to see HOSTS & (-1)

Anonymous Coward | more than 3 years ago | (#36373058)

Working in combination though.

Anyhow/Anyways - Per my subject-line above:

"Please mod the parent +1. It is informative. It is substantive" - by gavron (1300111) on Wednesday June 08, @07:09AM (#36372936)

Thanks (IF you're referring to MY posting on HOSTS files benefits - I assume you did, because my post is parent to your own)!

Funniest part is?

Many times here on /., I get "trolled" to NO END here on HOSTS files posts I do!

(or, unjustly down-modded, w/ no technical justifications either, just "hit & run downmods")

I have also gotten my share of "mod ups" for them as well, so, I suppose it "evens out".

(The part that sort of "baffles me", is that I don't REALLY know why some people here "hate" HOSTS files either - doesn't make sense!)

I.E./E.G.-> I don't "sell" them, they are free, they work, & you have total control of them, yourself (unlike this service I imagine)!

That is, unless this somehow "threatens" certain parties, such as:

1.) Advertisers

2.) Malware makers/Botnet masters etc./et al (of like ilk, online scum imo)

3.) DNS admins (here? I would think they would LIKE that HOSTS files can lighten up request loads on their servers actually!)

Possibly others too... such as webmasters making their living from online adbanner clicks. These folks I don't like adversely affecting, but... once adbanners started showing malicious code in them? It wasn't about SPEED gains blocking banners gives you - it became a security issue (& it's my linetime I pay for to BE ONLINE too, & my money (and yours) imo, comes FIRST!)

(However - I don't post about HOSTS files for those that KNOW about them already, the minority online for sure in that case, but rather for those that DON'T KNOW about HOSTS files benefits - I put this up for the general online populace and for their good is all!).

---

"this entire thread shouldn't exist because /. isn't how companies are supposed to astroturf/advertise their slimy-ass products." - by gavron (1300111) on Wednesday June 08, @07:09AM (#36372936)

Heh, well... Yes, I agree: They are "pimping" their product, but... that's pretty much "how it's done", with others singing praises of it from the rooftops, so-to-speak.

So, I suppose I guess what I am saying here, is this: This is one I would make an exception for... because it's interesting, and has possible gains for users (and I would like to see how well it works combined w/ HOSTS files too, and IF it would work w/ them in combination (probably does I would guess)).

Still - I have to admit though, I was TRULY "curious" about this service, because I spotted it on yesterday's "recent" section here, & did some reading on it then... it sounded interesting actually

(However - This service? Well... it doesn't offer anything you cannot achieve YOURSELF, and HAVE COMPLETE CONTROL OVER YOURSELF, mind you on THAT note as well, that HOSTS files offer).

APK

P.S.=> Lastly/Again though: It would be VERY interesting to see the "combined results" of this service this article's about, alongside the speed & security gains HOSTS files offer!

... apk

Re:Thank-You: It'd be interesting to see HOSTS & (0)

Anonymous Coward | more than 3 years ago | (#36374924)

Maybe THE people who "modded you down" did it BECAUSE your posts are "too full" of random caps, quotes, bold, and broken ENGLISH, and they were "fed up w/ your" gibberish.

AC

P.S.=#&> STFU, GTFO, and DIAF!

... ac

Judge not, lest YE be judged... apk (0)

Anonymous Coward | more than 3 years ago | (#36375092)

Disprove my points on HOSTS I put up in this exchange then...

That is, IF you can (I am certain you cannot), in regards to your off-topic trolling statement here:

"Maybe THE people who "modded you down" did it BECAUSE your posts are "too full" of random caps, quotes, bold, and broken ENGLISH, and they were "fed up w/ your" gibberish." - by Anonymous Coward on Wednesday June 08, @10:44AM (#36374924)

So, show me in THIS post where my points here in this exchange are "gibberish", ok?

It appears the "best you have", is off-topic adhominem attacks, writing style trolling critiques (effete & useless, as you can see my post was modded up & complimented by others here also) as per your trolling usual, & nothing more...

(Typical!)

APK

P.S.=>

"STFU, GTFO, and DIAF!" - by Anonymous Coward on Wednesday June 08, @10:44AM (#36374924)

If the best you have is adhominem attacks, in attempts to attack myself, rather than the points I put out? You FAIL!

( & rather badly, as well as your being off-topic & obviously trolling on your part!)

... apk

Re:Judge not, lest YE be judged... apk (0)

Anonymous Coward | more than 3 years ago | (#36378356)

For anybody who takes this ass clown seriously, all major OSs scan the hosts file line by line every time. 300gigabyte hosts files are terrible for performance. However, you can replace it with tinydns (to serve 127.0.0.0 for blocked domains) and dnscache (to keep a local cache of real domains) and get a much better performance boost.

You overlook diskcaching &/or DNS clientside c (0)

Anonymous Coward | more than 3 years ago | (#36379004)

A HOSTS FILE IS CACHED UPON INITIAL READ INTO RAM (or the local DNS clientside cache in Windows, if you have a "smallish" HOSTS file)!

Are you THAT MUCH OF A NOOB IN COMPUTING YOU DON'T REALIZE THAT?

(Apparently so!)

---

"For anybody who takes this ass clown seriously, all major OSs scan the hosts file line by line every time. 300gigabyte hosts files are terrible for performance." - by Anonymous Coward on Wednesday June 08, @02:39PM (#36378356)

See above - "drink it in, & digest it" because it will help you "eat your words" (now flavored with the "bitter taste of defeat" (your defeat - worst part? You defeated yourself via your own ignorance, lol!)).

---

"However, you can replace it with tinydns (to serve 127.0.0.0 for blocked domains) and dnscache (to keep a local cache of real domains) and get a much better performance boost.." - by Anonymous Coward on Wednesday June 08, @02:39PM (#36378356)

Why? So folks can waste CPU, Memory, & other forms of I/O as well as increasing their electric bill by running yet another program??

Real "smart" that, lol (not)... though you CAN run DNS servers alongside HOSTS too? DNS definitely has problems/issues... would you like me to list some of those as well?

APK

P.S.=> Look @ the "bright-side" of things now: Now, finally, you know (although you have "egg on your face" now for it, no small wonder you posted as AC... lol, you don't feel confident enough in your know-how in computing, and trust me, based on your results here? You don't!)

... apk

Re:Custom HOSTS files can achieve the same (3, Informative)

datapharmer (1099455) | more than 3 years ago | (#36373390)

please mod the parent -1 ignorant. The anonymous solution is for clients, the article is about servers. You all lose your geek membership cards.

HOSTS can work server-side too, you know (-1)

Anonymous Coward | more than 3 years ago | (#36373512)

As well as end-user/clientside!

The results with HOSTS files though?

The SAME... perhaps BETTER, in that YOU, the end-user, completely control a HOSTS file & what it can do, for you!

Additionally - per my subject-line above:

There is NO reason why HOSTS files cannot be implemented server-side as well really!

E.G./I.E.-> I've done it myself on various server types (to secure them better, & also speed them up too, bonus, via this "layered security" technique) also...

( &, yes, it works there as well, server-side!)

APK

P.S.=> I also noted it WOULD be rather "interesting" to see what this service can do in combination with the HOSTS files speed & security gains as well...

PLUS, & I failed to note this much, in my earlier replies?

Well - I'd also be interested in seeing what an end-user can do combining this service's merits, alongside HOSTS files, but also alongside the service OPERA offers in its "TURBO" feature too!

...apk

Re:Custom HOSTS files can achieve the same (0)

Anonymous Coward | more than 3 years ago | (#36375158)

Hey Taco, could you update the lameness filter to exclude APK's ramblings? Thanks!

The AC that overlooked DISKCACHING again? LOL! (0)

Anonymous Coward | more than 3 years ago | (#36379280)

Where you overlooked that the local diskcaching kernel mode subsystem all PC/Server OS' have cache larger HOSTS files (vs. the DNS clientside cache for Windows for smaller HOSTS files) in the URL link below:

http://it.slashdot.org/comments.pl?sid=2220314&cid=36379004 [slashdot.org]

LMAO - you REALLY need to learn more of how modern Operating Systems work buddy...

---

"Hey Taco, could you update the lameness filter to exclude APK's ramblings? Thanks!" - by Anonymous Coward on Wednesday June 08, @11:01AM (#36375158)

Who's the one rambling now? You are!

From that link above, You also look quite stupid for it.

APK

P.S.=> I certainly wouldn't want to be YOU right now, lol... you look like a fool, especially from the URL link above where you messed up on a SIMPLE CONCEPT in computing called diskcaching!

Do yourself a favor - Learn more about computing and how it works, before you shoot your mouth off again and look stupid for it as you did in the link above!

... apk

10 data centers (0)

Anonymous Coward | more than 3 years ago | (#36373096)

Great summary, better than the original summary, but the original article doesn't even get the number of data centers right:

"We run 10 (with more coming) data centers around the world and do DNS, caching, bot filtering and more for all of our users. " (http://blog.cloudflare.com/top-tips-for-new-cloudflare-users "posted 12 days ago".)

Re:Speed up summary (1)

matthewv789 (1803086) | more than 3 years ago | (#36382258)

From what I've dug up, there are several sources of potential speedup:
1) Acts as a CDN (with 5 data centers - 3 US, 1 Europe, 1 Asia) to cache static files (such as images, js, css) from a location on average nearer to most visitors, plus the cache servers are fast and well-connected. I read a claim somewhere that based on total traffic going through their system, they would be the 10th busiest site on the web (unverified).
2) Filters out enough "bad" traffic, which it never sends on to the site's originating server (while occasionally challenging a legitimate user with a CAPTCHA page in the process...), and the cached traffic of course, to noticeably reduce server load on the originating server (which is also where all non-static content comes from so the most likely to get overloaded)
3) Their internal network is claimed to be good enough and well enough connected/peered that (they claim) sites often see fewer hops and lower pings going through their network (even when not using the cache) than by a more "direct" normal route.
4) I'm sure they've enabled all the usual Apache performance enhancements, like gzip etc. (which may or may not be optimized on your average web server)
5) For the paid accounts, it uses Javascript to pre-load static files from cache for pages linked from the current page that it's determined (algorithmically through experience) a visitor is likely to go to next. Thus when you click a link, many of the needed files might already be in your browser's cache.

Other benefits:
1) Apparently (not sure if for both free and paid accounts, or for dynamic content also) can build a cached "picture" of your site (including HTML, which it normally does not serve from cache) so if your server goes down, it can still serve up its copy from cache. (Conversely, if most of its services fail, it's supposed to just pass the traffic through to your server.)
2) Unlike other CDNs, no need to modify ANYTHING on your site.
3) Can add apps such as Google Analytics or Pingdom to all pages on your site easily from their control panel (it inserts it into your HTML as it passes through their servers/filters)

Its security filtering goes both ways: incoming, it looks for various signs of malicious requests and blocks them (ie, potential SQL injection code in get/post data or other suspicious activity) and outgoing it can detect any email address and replace with a javascript, to deter harvesting of addresses. I'm not really sure what else.

They claim no bandwidth limits, but their caching probably selects some subset of the most frequently requested files to save space, and the dynamic content goes straight through to your server anyway.

The rest (aside from the filtering) is mainly DNS, and here is both the good and bad part: they become your DNS provider. In the sense that this provides an instant, zero configuration CDN (with caching and proxying) and security filtering for your site, it's great. In the sense that if their DNS has problems, your site disappears, well, this might not be ready for critical production sites that need constant uptime. And apparently they've had less-than-perfect reliability so far. (I don't know if it's terrible, or not bad but with a few bad stories, or what.)

For most of their services, failure just means traffic flows through to your site rather than gaining the benefits of their services (if it's well-designed), which is a nice mode of failure, but if the main DNS fails or some other problem makes your site inaccessible, well, that portion needs to be super-reliable and I'm not sure if they're quite there yet.

Another thing to consider is the impact on Google Analytics etc. - your server will likely see a noticeable drop in total traffic/page views (due to the filtering out of "bad" requests), but the quality of that traffic may go up (due to the filtering, and possibly a little due to your site performing better so people don't bounce as much in frustration). It's also possible Google will notice the DNS change etc. and that could also affect things.

Overall, it looks like a potentially very cool service, but I wouldn't want to use a critical/high-traffic site as a guinea pig either.

Wow! (0)

Anonymous Coward | more than 3 years ago | (#36371448)

Wow!

Slashdot corporate shill (1, Insightful)

Anonymous Coward | more than 3 years ago | (#36371476)

Could you at least try and hide the money you take to post ads as articles?

Re:Slashdot corporate shill (1)

MobileTatsu-NJG (946591) | more than 3 years ago | (#36372250)

Does Slashdot even need a kickback? The comments bitching about it are giving Slashdot more content to serve ads with.

Re:Slashdot corporate shill (0)

Anonymous Coward | more than 3 years ago | (#36372638)

That's like saying "Do politicians even need kickbacks? The salary they receive gives them money to live on." Since when was more money considered a bad thing by the recipient?

Re:Slashdot corporate shill (1)

MobileTatsu-NJG (946591) | more than 3 years ago | (#36372800)

Uh, ya, you totally missed the point of my post. I'll make it simpler: Slashdot would develop more 'integrity' if good stories got lots of comments and link-bait got none.

Re:Slashdot corporate shill (1)

IICV (652597) | more than 3 years ago | (#36372362)

You know, this is in part your fault. If you'd written a more interesting blog post than this and submitted it, it might have been posted instead of this article. Instead, you didn't and they posted this.

The gist of it (5, Informative)

Anubis IV (1279820) | more than 3 years ago | (#36371492)

They offer a security product for websites, and in the process of designing it so that it didn't add much latency, they inadvertently made it into a CDN that speeds things up. There. Now we all know what the trick is.

Re:The gist of it (5, Interesting)

enoz (1181117) | more than 3 years ago | (#36371568)

In a strange synergy your comment is roughly 60% the size of TFS but contains 100% more information about the topic at hand.

Re:The gist of it (1)

zonky (1153039) | more than 3 years ago | (#36371642)

How are they protecting anything if the bad people can still access the site directly if they can find it?

If it works anything like Akamai, the site DNS points to cloudflare, which then relays it all back to the origin host.

(Unless they're locking down the origin hosts to only accept requests from cloudflare networks, of course....)

Re:The gist of it (0)

Anonymous Coward | more than 3 years ago | (#36372386)

Bingo.

Re:The gist of it (1)

JWSmythe (446288) | more than 3 years ago | (#36372628)

    Don't forget, it's bound to mess up your logs. Connections aren't coming from the user any more, they're coming from the CDN. Good luck doing your own filtering server-side from there. If they're caching parts of it, that means you have no prayer of seeing that request. You might get a Via header for some requests, but the cached requests? There won't even be a hit back to your server.

    I'd consider using them for a few things I do, but there are some problems. I don't know who they are, other than from this story. Due to the kind of monitoring and filtering they are doing, there is a good chance that they are intercepting usernames, passwords, and other sensitive data. Even if they promise not to log it, how do I know that they really aren't logging everything.

    For some sites I'm involved in, that's not a big deal. But for others, where there is a wealth of personal data I can't possibly use it. It's not just my morals, nor company policy involved, but stacks of laws and huge fines for violations.

Re:The gist of it (0)

Anonymous Coward | more than 3 years ago | (#36372946)

If only there were a way to "tag" packets with their original source address..... hmmmmmmm

Re:The gist of it (1)

datapharmer (1099455) | more than 3 years ago | (#36373448)

Seriously? For your own filtering use X-Forwarded-For (built into Apache) or mod_cloudflare. Logs and filtering are not an issue unless you are incompetent. Cloudflare also only caches static content such as CSS and images, so there is still a hit for the main request page that you can see in logs and filter against. As for security, use SSL. Sure, they have a solution for SSL too, but you can easily add a record and not run it through their system at all, such as secure.website.com. If you are running your passwords in plain text you are screwed anyhow.
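The two points raised in this sub-thread, recovering the real client address from X-Forwarded-For once a reverse proxy sits in front of the origin, and only accepting origin traffic that actually came through the proxy network (otherwise the filtering is bypassed by anyone who finds the origin's address), as an added example that is not part of the thread and not mod_cloudflare or Apache's own logic. The trusted-proxy ranges and all addresses are constructed (RFC 5737 / RFC 3849 documentation ranges); in practice the list must be the provider's published ranges.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed stand-ins for the proxy provider's published ranges.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:1::/48")]


def _trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)


def origin_should_accept(peer_ip: str) -> bool:
    """Origin-side gate: only the proxy network may talk to us directly."""
    return _trusted(ipaddress.ip_address(peer_ip))


def client_ip(peer_ip: str, x_forwarded_for: Optional[str]) -> Tuple[str, bool]:
    """Return (client_ip, reached_via_proxy).

    Walks X-Forwarded-For from the right, discarding hops that are our own
    trusted proxies, and stops at the first address that is not. A header on
    a direct connection (peer not a trusted proxy) is ignored entirely, since
    any client can send one.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _trusted(peer):
        return str(peer), False
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    while hops:
        try:
            candidate = ipaddress.ip_address(hops[-1])
        except ValueError:
            break               # malformed hop: trust nothing to its left
        if not _trusted(candidate):
            return str(candidate), True
        hops.pop()              # that hop was one of our proxies; keep walking left
    # every hop was ours, or the header was empty/garbage: fall back to the peer
    return str(peer), True


if __name__ == "__main__":
    samples = [
        ("198.51.100.7", "203.0.113.5"),                   # normal proxied request
        ("198.51.100.7", "203.0.113.5, 198.51.100.8"),     # two proxy hops
        ("203.0.113.5", "10.0.0.1"),                       # direct hit with a forged header
        ("198.51.100.7", "10.0.0.1, garbage"),             # malformed header
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", client_ip(peer, xff), "accept:", origin_should_accept(peer))
```

The walk-from-the-right rule matters because a client controls the leftmost part of the header; only the hops appended by proxies you trust are evidence, and the first address beyond them is the best you can say about the real source. Combined with a firewall rule that enforces `origin_should_accept`, the origin's logs and filters see the same client addresses they did before the proxy was introduced.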

Re:The gist of it (1)

JWSmythe (446288) | more than 3 years ago | (#36377390)

    In the article, they said that when Amazon's cloud went down, the sites continued to serve. That means they couldn't possibly be sending any hits back to the server (since it's down and all).

    It wouldn't matter at that point if you're logging X-Forwarded-For, or using SSL. Even with using SSL, that does nothing for you, if they have the key on their server to decrypt with.

    I've been doing a lot of packet analysis and logging lately. At the firewall and IDS level, we're decoding and classifying every inbound packet. That includes monitoring web based intrusion attempts. Bad packets get ditched. Good packets get passed. SSL is decoded at the firewall and IDS to determine if it's good or not. That's all fine and dandy, since it's equipment owned and operated by our company, where we have exclusive access. When that equipment is owned and operated by a 3rd party, you can't take "trust us" as proof that they won't do bad things (tm).

Do the same w/ a custom HOSTS file (-1)

Anonymous Coward | more than 3 years ago | (#36372822)

Here's an EASIER trick, with a FREE "Tool" you already own, that's only a single text file filter for your IP stack: A custom HOSTS file!

"They offer a security product for websites, and in the process of designing it so that it didn't add much latency, they inadvertently made it into a CDN that speeds things up. There. Now we all know what the trick is." - by Anubis IV (1279820) on Wednesday June 08, @12:56AM (#36371492)

The gains it offers in both speed, & security, are twofold:

---

FOR ADDED SPEED:

1.) Blocks out adbanners & the lag they introduce into webpage loads/downloads for consumption

2.) Hardcoding in your favorite website (to avoid DNS roundtrip lookup & result return time)

---

FOR ADDED SECURITY:

1.) Blocks out KNOWN malicious sites/servers/hosts-domain names

2.) Protection vs. DNS issues (such as the "Kaminsky flaw", or downed/compromised DNS servers that have been "redirect poisoned")

---

They work, they're free, and you can obtain one (or combine ALL of these, a db import of the file using a SELECT DISTINCT query can do it for example, as a way, or mvps.org offers a tool called HOSTSMAN that does it also (there are others like it as well, I designed one, & so have others)).

You already can do this yourself since any OS that uses a BSD derived IP stack already has one (even ANDROID phones), easily, & populate the custom HOSTS file yourself from the sources noted above!

(I consolidate them all into a single de-duplicated/normalized version, that which currently blocks out 1,429,303++ KNOWN bad sites/servers/hosts-domains, AND, speeds me up VERY noticeably (via blocking out adbanners, a possible threat for years now in malicious code in them & a bandwidth + speed hog OR, by 'hardcoding in' my favorite sites (to bypass DNS lookup & return roundtrip time) also))

APK

P.S.=> Here are some reputable, & reliable sources for said HOSTS file security data (as well as prebuilt HOSTS files for instant download & usage on your parts):

http://safeweb.norton.com/buzz [norton.com]

http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples [emergingthreats.net]

http://securehomenetwork.blogspot.com/search?updated-min=2011-01-01T00%3A00%3A00-05%3A00&updated-max=2012-01-01T00%3A00%3A00-05%3A00&max-results=12 [blogspot.com]

http://www.malwaredomainlist.com/hostslist/hosts.txt [malwaredomainlist.com]

http://www.malwaredomains.com/ [malwaredomains.com]

http://hosts-file.net/?s=Download [hosts-file.net]

http://www.malware.com.br/lists.shtml [malware.com.br]

https://spyeyetracker.abuse.ch/monitor.php [abuse.ch]

https://zeustracker.abuse.ch/monitor.php?filter=online [abuse.ch]

http://www.malwareurl.com/ [malwareurl.com]

http://someonewhocares.org/hosts/ [someonewhocares.org]

http://www.mvps.org/winhelp2002/hosts.htm [mvps.org]

... apk
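The consolidation the post describes (several lists in hosts-file or domain-per-line format merged into one de-duplicated, normalized file, plus "hardcoded" favourite sites) is a few dozen lines of Python. The following is an added example written for this page, not the poster's tool nor any of the listed projects' code. The two sample lists and the pinned address (203.0.113.10, a documentation-range placeholder) are constructed for the example.

```python
import ipaddress
import re

# Constructed sample inputs in the two formats the linked lists use.
LIST_A = """\
# malware list A, classic hosts format
127.0.0.1 localhost
0.0.0.0 bad.example.net
0.0.0.0 BAD.Example.NET   # same host, different case
127.0.0.1 tracker.example.org
"""
LIST_B = """\
# list B, one domain per line
ads.example.com
tracker.example.org
bad.example.net
"""

# Names that belong to the OS, never to a blocklist.
PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost", "local"}

# RFC 1123 hostname: labels of 1-63 chars, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hosts_list(text):
    """Yield normalized hostnames from a hosts-format or domain-only list.

    Comments and blank lines are dropped, names are lower-cased and stripped
    of a trailing dot, and anything that is not a syntactically valid
    hostname (or is an OS-reserved name) is skipped rather than copied in.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # "<ip> <name> [<name>...]" versus "<name>"
        names = fields[1:] if _is_ip(fields[0]) else fields
        for name in names:
            name = name.lower().rstrip(".")
            if name in PROTECTED or not HOSTNAME_RE.match(name):
                continue
            yield name


def merge_blocklists(*texts):
    """Union of all lists, de-duplicated and sorted."""
    blocked = set()
    for text in texts:
        blocked.update(parse_hosts_list(text))
    return sorted(blocked)


def render_hosts(blocked, pinned=None, sink="0.0.0.0"):
    """Build the hosts file: loopback first, pinned sites, then the sink entries.

    0.0.0.0 is used as the sink so blocked names fail immediately instead of
    being tried against a loopback listener. A pinned name is never also
    written as blocked; the pin wins and the file stays unambiguous.
    """
    pinned = pinned or {}
    lines = ["127.0.0.1 localhost", "::1 localhost"]
    for name, ip in sorted(pinned.items()):
        lines.append(f"{ip} {name}")
    for name in blocked:
        if name not in pinned:
            lines.append(f"{sink} {name}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    merged = merge_blocklists(LIST_A, LIST_B)
    print(render_hosts(merged, pinned={"fav.example.com": "203.0.113.10"}))
```

Two caveats a practitioner should keep in mind with this file. A hosts entry matches one exact name, so `bad.example.net` does not cover `cdn.bad.example.net`; lists that rely on wildcards need a resolver, not a hosts file. And a pinned ("hardcoded") site goes stale silently the day the site changes address, which is routine for anything behind a CDN, so pins deserve a periodic re-check against DNS.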

Why the technically unjustified mod down? (0)

Anonymous Coward | more than 3 years ago | (#36375660)

Dearest trolls: The best it appears you have, is a "hit-&-run" down moderation of my post on HOSTS files - poor showing boys!

(If that's "the best you've got" here? You've FAILED, badly!)

As for myself? The more this gets out to uninformed users that are unaware of the combined benefits that HOSTS files give end-users (and server owners also) in more speed, and more "layered security", the more I have done my part!

APK

P.S.=> In the end/bottom-line here: I'd like to know what it is you apparently FEAR from HOSTS files, because I will "overcome your 'objections'" easily, and with valid technical fact, vs. your b.s.

(After all: I've done that to my "naysayers" here so many times, it does appear that the "best you have" is off topic ad hominem attacks, or, unjustified mod downs - poor showing on your part(s), trolls)

... apk

Re:The gist of it (1)

colfer (619105) | more than 3 years ago | (#36372884)

It uses Javascript to obfuscate email addresses. That is helpful but not foolproof, contrary to the article. It stops most harvesters, at the cost of no-script users and the like. The chirpy article is less than trustworthy, so I would not assume the service is a CDN, or if it does cache that it will continue to maintain capacity. Or the speedup, if real, could be due to minifying html and serving small images in the Google News way, as inline data. The number of connections can be more important than speed.

SPAM? (2)

Trivial Solutions (1724416) | more than 3 years ago | (#36371520)

Is this spam?

Re:SPAM? (2)

dermoth666 (1019892) | more than 3 years ago | (#36371558)

It wouldn't be if they actually had invented the CDN. They're unfortunately about 12 years late...

Data privacy out the window (1)

Anonymous Coward | more than 3 years ago | (#36371632)

CloudFlare is touted for intercepting and altering HTML to and from client sites. Isn't this a Bad Thing? Passwords, PII, etc. all being captured, inspected, possibly altered, and sent along. What a lovely way to capture and control information. And it's spread across 12 datacenters (and growing) so who knows how many copies of your SSN there are across CF. But at least it allows IT admins to not have to care or think about customer data security.

Re:Data privacy out the window (0)

Anonymous Coward | more than 3 years ago | (#36372268)

CloudFlare is touted for intercepting and altering HTML to and from client sites. Isn't this a Bad Thing? Passwords, PII, etc. all being captured, inspected, possibly altered, and sent along. What a lovely way to capture and control information. And it's spread across 12 datacenters (and growing) so who knows how many copies of your SSN there are across CF. But at least it allows IT admins to not have to care or think about customer data security.

It's something the web sites have to sign up for, so I don't see that it's any different than the site hosting their own firewall, or relying on any other 3rd party to run security for them.

And just FYI, clients don't send html to the server, they send URL requests and receive html as an answer.

Re:Data privacy out the window (0)

Anonymous Coward | more than 3 years ago | (#36372318)

Just FYI, clients send HTTP requests not "URL requests".

Re:Data privacy out the window (1)

cbiltcliffe (186293) | more than 3 years ago | (#36374004)

HTTP requests only apply to web servers. If the same service can/could in future be used for FTP, or anything else, for that matter, then "URL request" is the appropriate terminology.

Re:Data privacy out the window (1)

Vegemeister (1259976) | more than 3 years ago | (#36372296)

example.com -> cloudfire's CDN ssl.example.com -> example.com's authentication server.

Duh.

Economically viable? (1)

Max Romantschuk (132276) | more than 3 years ago | (#36371682)

I read the article and peaked at the site. $20 a month, for what is practically a CDN?

I'm assuming they have some pretty heavy limits on the amount of traffic you can get for that amount... Bandwidth isn't free after all.

That being said this seems like a cool service for smaller sites, especially when you don't want to do everything yourself.

Re:Economically viable? (1)

muphin (842524) | more than 3 years ago | (#36371706)

It isn't a CDN per se; it's a DNS proxy that caches a static page of your site when it goes down. The data from this is insignificant compared to when every user loads an image.
see How can CloudFlare afford to offer a free CDN? [cloudflare.com]

Re:Economically viable? (1)

Stewie241 (1035724) | more than 3 years ago | (#36371794)

Which is interesting in that the response starts with "We built our network from the ground up for a single purpose: making any website faster and safer".

Which seems to stand in stark contrast to the premise of the article, which is that they didn't intend to make web sites faster. So which is it?

Further, I think that even if it prevents spam, it likely only delays it. In the article there is a quote that says: "We challenged an engineer on our staff to sniff a packet of data to see if there was an email address inside of it. Then we wanted to know if we could replace it with a bit of JavaScript and bring it back so that it couldn't be harvested."

This approach does seem to work, but one has to wonder how long it will be before this is detected and the Javascript is executed to obtain the address. This is only spam prevention by obscurity. I guess it works for now, but if it becomes too common it will fail.

Re:Economically viable? (1)

terrox (555131) | more than 3 years ago | (#36372976)

but they can just change the javascript at any time, and using random methods

Re:Economically viable? (1)

surgen (1145449) | more than 3 years ago | (#36376248)

The smartest crawlers out there don't just regex over the source any more, they have javascript engines baked in, some even rope in the rendering engines from an opensource browser so they can get a look at the finished product.

Re:Economically viable? (1)

larry bagina (561269) | more than 3 years ago | (#36375678)

I've found that proxies that do javascript injection tend to break things.

Re:Economically viable? (0)

Anonymous Coward | more than 3 years ago | (#36371880)

"We built our network from the ground up for a single purpose: making any website faster and safer."

accidentally, right?

Re:Economically viable? (1)

Paradise Pete (33184) | more than 3 years ago | (#36372384)

I read the article and peaked at the site...

...and it was all downhill from there.

Re:Economically viable? (0)

Anonymous Coward | more than 3 years ago | (#36374294)

I read the article and peaked at the site...

...and it was all downhill from there.

lmao

"gamer" (-1)

Anonymous Coward | more than 3 years ago | (#36371902)

What's that, like "lamer"? Losers.

Re:"gamer" (1)

delinear (991444) | more than 3 years ago | (#36372684)

Says the AC who can't even manage to post to the correct story [slashdot.org] :)

Binspam (0)

Anonymous Coward | more than 3 years ago | (#36372000)

This is clearly just binspam. How the hell did it get approved?

Interesting concept, but secure? (2)

Lazy Jones (8403) | more than 3 years ago | (#36372172)

While they can certainly protect a site from various threats better than the average programmer (XSS etc.), the downside is that all login and personal information also goes through their site, enabling them (or a rogue government) to collect it. Also, their concept is great for launching targeted attacks at specific users, i.e. sending them tailored content like trojans (of course such attacks by rogue governments are feasible without CF, but harder). The question is: should they be trusted more than your own employees and your ISP? Right now, here in Europe, I'd say: for important stuff, no.
That said, here's an idea for a useful "app": automated A/B-testing for your site (build 2 versions of your website and let them decide who sees what, combine with Google Analytics or other stats => see which version works better for your users).

Re:Interesting concept, but secure? (1)

bishopBelloc (1751712) | more than 3 years ago | (#36378552)

Just an FYI:
google already provides a tool for A/B testing with google analytics: website optimizer [google.com] .

Re:Interesting concept, but secure? (1)

Lazy Jones (8403) | more than 3 years ago | (#36379090)

I know, thanks ... But it requires 2 things to be handled by your web pages which CF could do more elegantly: a) put the Analytics JS on all pages, b) decide which version (A or B) to show a visitor and why (i.e. set a cookie so he still sees the same version when he comes back and all that) and modify the Analytics code accordingly. Putting that on the CF end would mean that even inexperienced people could set up 2 versions of their web site easily and benefit from Analytics A/B testing features (think wordpress blogs => instead of figuring out how to switch between layouts/designs on the same blog and insert appropriate A/B-code for Analytics, the author could just set up 2 blogs with the same content and let CF handle the A/B-switching).

Pat me on the back... (0)

Anonymous Coward | more than 3 years ago | (#36372412)

I was looking to make websites faster after slowing them down with security. I accidentally reinvented CDN. Please give me congratulations and business :) kthxbye

"It's a feature" (1)

gatkinso (15975) | more than 3 years ago | (#36372910)

Bring on the marketing creatures.

This is an advertisment? (0)

Anonymous Coward | more than 3 years ago | (#36373998)

Slashdot is posting sponsored content now?

its the editors choice (1)

Combatso (1793216) | more than 3 years ago | (#36374380)

and its the choice of a new generation.. :drinks pepsi: