cloudflare | Harry McLaren

Website Updates – Security & Performance

I’m making some changes to the hosting and configuration of this site, you can see the rough goals below:

Changing hosting provider from a legacy shared server to a cloud hosting provider with better security and high availability.
Adding stricter (and end-to-end) encryption to the entire site using a combination of CloudFlare and LetsEncrypt.
Changing the sites security / performance configuration to support and enforce:
- Content-Security-Policy
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Strict-Transport-Security
- HTTP Strict Transport Security (HSTS)
- Authenticated Origin Pulls
- HTTP/2 + SPDY
- IPv6 Compatibility
- Scrape Shield

Using various tools this should actually be quite straightforward. I plan to detail the main stages / steps in some later posts.

A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography – CloudFlare

This provides a really good explanation of Elliptic Curve Cryptography (ECC) and includes a fantastic real world analogy:

“By this measure, breaking a 228-bit RSA key requires less energy to than it takes to boil a teaspoon of water. Comparatively, breaking a 228-bit elliptic curve key requires enough energy to boil all the water on earth. For this level of security with RSA, you’d need a key with 2,380-bits.”

CloudFlare have also just blogged about their use of ECC when signing DNSSEC responses. The result is a very strong key with a significantly smaller response size (1181 bytes vs. 313 bytes).

Their engineer (Vlad Krasnov) even implemented the ECDSA signature algorithm in assembler speeding up signing by 21x!

CloudFlare’s reason for doing this is to limit the vector of DDoS based attacks using DNS reflection.

“By keeping our packet size small enough to fit in a 512 byte UDP packet, we keep the domains on us safe from being the amplification factor of a DDoS attack.”

Source: A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography