I love the Cloudflare blog, contributing to it is one of the best parts of working here. One of my favorite topics is how the Internet is evolving to become more robust, more secure, and more private with the help of cryptography and novel computer science research. In 2018, I wrote about DNSSEC, RPKI, Onion Routing, Roughtime, and IPFS. Cryptography to strengthen security.

blog.cloudflare.com/crypto-week-20…

Thread.

Big announcement from Cloudflare today: we have opened our post-quantum cryptography alpha. We now support Kyber, a post-quantum key agreement in Cloudflare’s reverse proxy product and we want you to help test it with us.

blog.cloudflare.com/experiment-wit… There are a lot of acronyms in this announcement blog post, so let me break them down. First is TLS, or Transport Layer Security. It’s the ubiquitous encryption and authentication protocol that protects web requests online.
cloudflare.com/learning/ssl/t…

Privacy has deservedly become a bit of a buzzword online. There are more opportunities to watch, profile, and surveil Internet users than ever. This is a growing concern as our lives and our stuff (there are more net-connected devices than people on earth) move online. The plumbing of the Internet is mostly invisible. We take it for granted that the Internet just works™ but an amazing amount of machinery is operating under the hood to coordinate the transfer using languages and protocols guided by standards set by groups like the IETF.

We’ve had some incredible people come through the Cloudflare Research internship program in the last year or so. Here are some of their stories. Cornell Tech PhD student @marina_sanusi studies password use online and joined us to understand how frequently Cloudflare users log in with compromised passwords variants and how correlated these log-ins are with Cloudflare’s Bot Score metric for identifying malicious requests.

Networking and performance stories today!
- A repeatable and probe-free methodology for measuring CDN performance (@Cloudflare wins, btw)
- A debugging story about global TLS termination
- How we identify multi-user IPs to improve our security services

#CloudflareResearch🔬 We know @Cloudflare is fast (the fastest in most places) and have the scans to prove it. However, most techniques that use active scanning to measure performance aren't verifiable, so as great as our scans are, they aren't enough to convince skeptics.
Enter research.

Even more from #CloudflareResearch🔬 today. This time we have a deep dive into our paper at ACM SIGCOMM about disentangling the mess of conventions around IP addresses, hostnames, and sockets. Plus, two posts about the future of our "favorite" authentication mechanism: passwords. Historically, most Internet systems assigned IP addresses to hosts based on which server a service is running on. Cloudflare was designed to be more flexible. In theory, there is no reason IP addresses have to correspond to individual machines or even to hostnames.

The Internet is not simply a loose federation of companies and billions of dollars of deployed hardware; it’s a network of relationships governed by technical standards that form the connective tissue that allows us to build important aspects of modern society on the Internet. Today on the @Cloudflare blog, we are sharing several articles that highlight how research and standards development intersect to help the Internet evolve into a more secure, more private, more reliable, and trustworthy technology.

#CloudflareResearch🔬

Thread

One of the perks of working at @Cloudflare is that technical people are encouraged to share their voice with the public on the company blog. Generous coworkers donate time, energy, and expertise to enable these amazing builders to teach and explain for the benefit of all. Some of these posts are timeless, some are extremely timely, and more than a few of them are deep. Very deep.

I'm going to highlight a few of my favorites from the last several years in this thread.

blog.cloudflare.com (bookmark, like, retweet, etc.)

I was chatting with a friend of mine who hires engineers who told me that in their company's hiring process they have an explicit focus on assessing the candidate's "grit" during the interview process. Specifically, they try to determine
1) how willing the candidate is to do the thankless grunt work that is needed for team success
2) how likely are they to spend their time reducing the amount of gruntwork their teammates have to do

Richard Barnes (@rlbarnes) just kicked off #RealWorldCrypto with a great overview of MLS, a new proposed standard for group message encryption. There’s still time to contribute: mlswg.github.io Joanne Woodage (@joannewoodage) outlines a really cool attack on Facebook’s abuse reporting mechanism for encrypted messages. A great example of how popular schemes like AES-GCM can be easily misused. #RealWorldCrypto

Crypto 2018 has affiliated events this year, which is fun. I’m currently attending the Quantum-safe Cryptography for Industry event, a big focus of mine lately. crypto.iacr.org/2018/affevents…

@Cloudflare is a sponsor of Crypto this year, so come see me if you want a webcam cover! We just heard from Adrian Stanger from the NSA. There is high confidence in the NIST process and no plans to invest in QKD. Algorithm recommendations (key agreement and signatures) to be made around 2023-24. There are no plans to replace AES-256 or SHA2-384.

Thread.

I was recently privy to a conversation in which some really smart people in security shared their favorite papers or articles. Security engineering, like other disciplines, has a rich history worth learning from.

I'm going to list some of these papers in this thread. New Directions in Cryptography - Whitfield Diffie and Martin Hellman (1976)

It's hard to emphasize just how revolutionary the concept of public key cryptography is. This paper started it all, introducing D-H key agreement and digital signatures.

ee.stanford.edu/~hellman/publi…

If you're in Vegas this week and looking for a change in scenery, reach out to me about @Cloudflare. We're building the next generation of internet services, and are at the forefront of deploying new cryptographic technology online. This thread includes some highlights from the last few years. If you have a history of innovating at scale and these are the kind of projects that you love to do, let me know. The Cloudflare Crypto Team is hiring in San Francisco, London, and New York.
boards.greenhouse.io/cloudflare/job…

I’ll be tweeting about some post-quantum crypto things as the come up this week in this thread. LEDAkem is a code-based crypto primitive for key encapsulation based on quasi-cyclic low-density parity-check codes (QC-LDPC). Large-ish keys (7KB+), slow (100ms+), but compact private keys, only simple binary field math and based on NP-complete problem. ledacrypt.org

I want to highlight a behind-the-scenes change that improves the security guarantees provided by Cloudflare’s global HTTPS service. Since last year, Cloudflare has been using a different set of session ticket encryption keys (STEKs) in each datacenter for TLS resumption. Previously, the same key was used across multiple datacenters, rotated every hour (blog.cloudflare.com/tls-session-re…). This was modeled after work by @j4cob and @jmhodges at Twitter (blog.twitter.com/engineering/en…) with more aggressive key rotation.