CloudFlare offers web encryption up the wazoo

Don't sweat your mixed content, promises web whacker


CloudFlare is promising to bring about the encrypted internet by adopting the latest web security protocols and offering a solution to the horror of mixed content.

Just over a week since Google warned it would start labeling HTTP websites as "not secure," CloudFlare promises to help the many, many website owners who have a mix of both secure and insecure content on their sites, through what it is calling "automatic HTTPS rewrites."

It is also adopting the latest version of TLS (transport layer security) – 1.3 – and offering "opportunistic encryption" by encrypting the connection between someone's browser and CloudFlare.

In short, the company – which makes its money from sitting in between a company's website and the broader, nastier internet – is making cutting-edge encryption readily available.

You have to sign up with CloudFlare of course, whose services range from free for tiny websites to hundreds of dollars a month for big corporate sites. It's a pretty compelling offering, especially for those without their own IT departments.

Lowdown

The "automatic HTTPS rewrite" service helps tackle probably the most widespread security problem with websites – mixed content. And it should help many get that little green padlock in browsers.

Embedding third-party videos, images or ads hosted elsewhere effectively compromises a webpage's security, and the benefit of SSL is lost. CloudFlare's solution is to search your site for non-secure HTTP links and compare their domains against two lists of secured domains (Chrome's HSTS list and the Electronic Frontier Foundation's HTTPS Everywhere list). If a link goes to a domain that supports HTTPS, CloudFlare will rewrite the URL to HTTPS.

This isn't a perfect solution, because your site may still host links to domains not on that list, but the idea is that as more and more of the internet moves over to secure connections, it will have a knock-on effect.
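The rewrite step described above, sketched as an added example (not CloudFlare's code): the two sets are constructed stand-ins for the Chrome HSTS and HTTPS Everywhere lists, and the function names are hypothetical. It also returns the `http://` references it leaves alone, which are the mixed content that remains on the page.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the two lists the article names (Chrome's HSTS
# list and HTTPS Everywhere); a real deployment would load the real data.
HTTPS_CAPABLE = {"cdn.example.com", "video.example.net"}   # exact hosts
INCLUDE_SUBDOMAINS = {"example.org"}                       # host + subdomains

# Attributes holding an absolute http:// URL, in single or double quotes.
ATTR_RE = re.compile(
    r'(?P<attr>\b(?:src|href|poster|action)\s*=\s*)(?P<q>["\'])'
    r'(?P<url>http://[^"\']+)(?P=q)', re.IGNORECASE)

def host_supports_https(host):
    """True if host is listed, or sits under an include-subdomains entry."""
    host = host.lower().rstrip(".")
    if host in HTTPS_CAPABLE or host in INCLUDE_SUBDOMAINS:
        return True
    labels = host.split(".")
    return any(".".join(labels[i:]) in INCLUDE_SUBDOMAINS
               for i in range(1, len(labels)))

def rewrite_mixed_content(html):
    """Return (rewritten_html, upgraded_urls, urls_left_as_http)."""
    upgraded, left = [], []
    def fix(m):
        url = m.group("url")
        try:
            parts = urlsplit(url)
            host = parts.hostname
        except ValueError:          # malformed authority: do not touch it
            host = None
        # Bare hosts only: an explicit port or userinfo gives no hint where
        # (or whether) the HTTPS endpoint lives, so those stay as they are.
        if host and parts.netloc.lower() == host and host_supports_https(host):
            new_url = parts._replace(scheme="https").geturl()
            upgraded.append(new_url)
            return m.group("attr") + m.group("q") + new_url + m.group("q")
        left.append(url)
        return m.group(0)

    return ATTR_RE.sub(fix, html), upgraded, left

# Constructed sample page.
SAMPLE = """<img src="http://cdn.example.com/logo.png">
<script src='http://static.example.org/app.js'></script>
<iframe src="http://ads.example.invalid/slot1"></iframe>
<video poster="http://video.example.net:8080/p.jpg"></video>
<a href="https://cdn.example.com/already-secure">ok</a>"""
```

Calling `rewrite_mixed_content(SAMPLE)` upgrades the first two references and returns the ad iframe and the port-8080 poster in the third element, still as `http://`.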

The TLS 1.3 spec is a good one in that it optimizes encryption and, CloudFlare claims, "makes encrypted connections just as fast as unencrypted." Well, we'll have to see, but it will be undeniably faster than previous versions, especially over phones.

CloudFlare head of cryptography, Nick Sullivan, says that the company has seen a 20 per cent decrease in page load times using 1.3 over 1.2. That's in large part because the spec reduces the number of handshakes required from 3 to 2.

There is a "but," however – TLS 1.3 is not yet fully supported by any browser, so you won't see those gains until browsers incorporate the new spec; something that both Mozilla and Google say they intend to do soon. You can enable it now if you want to tweak your browser settings.

And lastly, there is the "opportunistic encryption" that will see CloudFlare do your encrypting for you. It currently works only with Firefox, but it will allow far greater use of HTTP/2, so it's a good bet that Google is looking at incorporating the standard into Chrome soon.

Over time

In short, CloudFlare is offering – incorporated into its existing services for no additional fee – a cutting-edge level of encryption that is mildly useful right now but should become increasingly useful as the drive to move to an encrypted internet becomes a reality. And you can be reasonably certain that CloudFlare has done a solid job in its introduction.

The company has some lively language describing it of course: "When it comes to browsing, we've been driving around in a beat-up car from the 90s for a while," it says in its PR bumf. "Little does anyone know, we're all about to trade in our station wagons for a smoking new sports car."

The move may also undermine criticism of the company from individuals like alleged sex pest Jacob Appelbaum, who argued earlier this year that CloudFlare "runs untrusted code in millions of browsers on the web for questionable security gains." Those gains are less questionable after today.

You can find out more about the tech in a CloudFlare blog post. ®

