Apr.27

A Private Network for IoT Devices

Cloudflare has just announced an interesting and potential game changer for IoT-based threats:

“Orbit sits one layer before the device and provides a shield of security, so even if the device is running past its operating system’s expiration date, Cloudflare protects it from exploits. And while devices may be seldom patched, the Cloudflare security team is shipping code every day, adding new firewall rules to Cloudflare’s edge. Think of it like changing IoT to I*oT — devices can still access the Internet, but only after passing through Cloudflare where malicious requests can be filtered.

For the last year, Cloudflare has been working with a number of IoT vendors to develop Orbit. Already more than 120 million IoT devices are safer behind Cloudflare’s network. Lockitron is one of the IoT companies using Cloudflare. “Keeping our products and customers secure is our primary concern,” says Paul Gerhardt, co-founder of Lockitron. “Cloudflare provides an extra layer of security that allows us to keep our devices continually updated and ahead of any vulnerabilities.””

Source: https://blog.cloudflare.com/orbit/

Security,News

Sep.05

CloudFlare, SSL & Unhealthy Security Absolutism (Troy Hunt)

Really interesting (and in my opinion) great artical by Troy Hunt on why CloudFlare’s SSL [free] offerings are awesome!

“First and foremost, if your choices are to either run entirely unencrypted or to protect against the 95% (or thereabouts) of transport layer threats that exist between your visitors and your origin, do the sensible thing. Nobody in their right mind is going to advocate for remaining totally unencrypted rather than using CloudFlare purely to encrypt between their edge nodes and your users. There are people not in their right mind that will argue to the contrary and that’s precisely what the title of this post suggests – it’s unhealthy security absolutism.”

Source: Troy Hunt: CloudFlare, SSL and unhealthy security absolutism

Security

May.11

 Upgrade Site Security with CloudFlare Origin CA

Really interesting development from CloudFlare on encrypting the webs connections. Takes their ‘Flexible SSL’ to the next level and beyond.

“Faster, more secure alternative to public CA certificates for your CloudFlare-fronted servers. Extraneous overhead removed to optimize performance.

With Origin CA, we questioned all aspects of certificate issuance and browser validation, from domain control validation (DCV) to path bundling and revocation checking. We asked ourselves what cruft public CAs would remove from certificates if they only needed to work with one browser, whose codebase they maintained? Questions such as “why bloat certificates with intermediate CAs when they only need to speak with our NGINX-based reverse proxy” and “why force customers to reconfigure their web or name server to pass DCV checks when they’ve already demonstrated control during zone onboarding?” helped shape our efforts.”

Source: CloudFlare Origin CA

Security,News

Mar.20

Website Updates – Security & Performance

I’m making some changes to the hosting and configuration of this site, you can see the rough goals below:

  • Changing hosting provider from a legacy shared server to a cloud hosting provider with better security and high availability.
  • Adding stricter (and end-to-end) encryption to the entire site using a combination of CloudFlare and LetsEncrypt.
  • Changing the sites security / performance configuration to support and enforce:
    • Content-Security-Policy
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Strict-Transport-Security
    • HTTP Strict Transport Security (HSTS)
    • Authenticated Origin Pulls
    • HTTP/2 + SPDY
    • IPv6 Compatibility
    • Scrape Shield

Using various tools this should actually be quite straightforward. I plan to detail the main stages / steps in some later posts.

Website,News

Mar.11

A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography – CloudFlare

This provides a really good explanation of Elliptic Curve Cryptography (ECC) and includes a fantastic real world analogy:

 

“By this measure, breaking a 228-bit RSA key requires less energy to than it takes to boil a teaspoon of water. Comparatively, breaking a 228-bit elliptic curve key requires enough energy to boil all the water on earth. For this level of security with RSA, you’d need a key with 2,380-bits.”

 

CloudFlare have also just blogged about their use of ECC when signing DNSSEC responses. The result is a very strong key with a significantly smaller response size (1181 bytes vs. 313 bytes).

Their engineer (Vlad Krasnov) even implemented the ECDSA signature algorithm in assembler speeding up signing by 21x!

CloudFlare’s reason for doing this is to limit the vector of DDoS based attacks using DNS reflection.

 

“By keeping our packet size small enough to fit in a 512 byte UDP packet, we keep the domains on us safe from being the amplification factor of a DDoS attack.”

 

Source: A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography

Security