🎂 What Launched Today - Friday, September 29
Welcome to Cloudflare Birthday Week 2023!
2023 marks Cloudflare’s 13th birthday! Each day this week we will announce new products and host fascinating discussions with guests including product experts, customers, and industry peers.
Tune in all week for more news, announcements, and thought-provoking discussions!
Read the blog posts:
- Cloudflare is free of CAPTCHAs; Turnstile is free for everyone
- Easily manage AI crawlers with our new bot categories
- Detecting zero-days before zero-day
- See what threats are lurking in your Office 365 with Cloudflare Email Retro Scan
- Network performance update: Birthday Week 2023
- Privacy-preserving measurement and machine learning
- Cloudflare now uses post-quantum cryptography to talk to your origin server
- Encrypted Client Hello - the last puzzle piece to privacy
- Post-quantum cryptography goes GA
Visit the Birthday Week Hub for every announcement and CFTV episode — check back all week for more!
Hello, hello. Welcome to Cloudflare TV. This is Friday, the last day of Birthday Week this week.
And so we're very excited to be here today to talk to you all about what we launched and deep dive into some of the announcements.
My name is Dina Kozlov.
I'm a product manager here at Cloudflare. And then Ayush and Adam, I'll let you introduce yourselves.
Yeah, Adam, you can go ahead first. Great. Hi, everyone.
My name is Adam Martinetti. I'm the product manager for our bot management offering for our upcoming fraud detection offering and what we'll be talking about today turns out.
And hi, everyone. My name is Ayush. I'm the product manager on our Cloudflare email security product here to talk about RetroScan, which is a cool new feature to look at threats in your inbox.
So excited to talk about that as well. Perfect.
So let's kick it off. We'll start with RetroScan. So Ayush, can you tell us, you know, what is it?
Who can use it? Why would they use it? Yeah, absolutely. So RetroScan is, you know, a really exciting thing that lets you have a very objective look on what threats are sitting in your inbox.
So for Office 365 customers who have that as their cloud email security system, what they can do is they can go to Cloudflare, have us look back retroactively.
Seven days right now, we're looking to expand it as we go to GA and actually start taking a look at, you know, what their current solutions missed.
So, for example, if you just are running Office 365 with no email solution, it's really, you know, what things did the Office 365 filter miss, right?
And really, at the end of the day, we've let everybody kind of use our ML tools and our ML models to be able to see these threats because we think, as we said, to build a better Internet, you should have a clean inbox.
So whether or not, you know, you use email security from Cloudflare, you should really be knowing what's sitting in your inbox and be able to remediate any issues that we find as well.
And so from talking to customers that, you know, might not be using Cloudflare yet, they're using other email security tools.
What are the common challenges that we're hearing from customers that they're dealing with?
Yeah. And it's crazy to think, you know, in 2023 that email is still such a commonly used tool for every sort of business operation.
So you're still having people use, you know, financial documents go through email and all these things, right?
So email is still a hot bet of attackers who want to leverage, you know, can I quickly pwn an organization?
Can I get some sort of, you know, credential harvesting, send some phishing emails?
Email is still like one of these like large threat vectors that attackers use.
And so really, since most attacks originate from an email, a phishing email or things along that, along those lines, what we really want to make sure is that there's no misses, there's no phishing emails that are sitting in your inbox.
So really, you know, if you have a current email security tool, that's great.
That's a great first step. We obviously have our own ML models and we think that it's worth, you know, taking a second look and just making sure that there's nothing dangerous sitting in your inbox that a user may click in before, you know, you have a security incident that's occurred within the organization.
No, for sure. I know this is such a big fear, I'm sure for so many IT teams, they're like, please don't click on anything.
But how exactly does RetroScan work?
What are some of the threats that it can detect? Absolutely. Yeah.
So we leverage kind of the tooling that Microsoft provides to our customers who have Office 365.
And what we do is we get all the messages that are kind of sitting in your inbox.
Right now, it's seven days. We're looking to obviously change some of that because this is released in a closed beta right now.
But really, what we're doing with that is treating it as we would with any other message with any other customer, paying customer we would have.
So for every message that we see within your inbox, we run it through our ML algorithms and we make the same assessments that we would in a real world deployment.
And so what that does is, one, you're getting the same fidelity that you would if you were to deploy Cloudflare email security area one today, right?
You'd see kind of the threats we would catch.
But really, it's, you know, kind of opening it up to everyone to be able to use these models that we've curated.
We process about, you know, 13 to 14 billion messages, you know, every year, a large amount.
So we see a lot of threats as well as Cloudflare as we have such a great insight into what's going on in the world's Internet.
These models are very fine tuned. And what we want to do is just make sure that everyone has access to them and can use them to see, again, what threats are sitting within their inbox if their current solution missed it.
Wow, that sounds great. And so for any customers out there that are listening, how can they get started?
How can they start using it? Yeah, absolutely.
So as I mentioned, it is in closed beta right now. So if you're interested and you're an Office 365 customer, reach out to your Cloudflare contact, whomever it may be, ask them like, hey, I'm interested.
And then essentially, what we'll do is work on our back end, get it set up on your account, and you should see a little little pop up in that area.
We do have a blog post, we do have our developer docs that show kind of the step by step process.
Once you see that on the different authorizations that you have to do, those are just to make sure that we can read the messages and read and get some understanding of what's going on in your email.
And then after that, you click Continue. And we start generating a report.
So once that report is generated, it'll show you every, as I mentioned, all of our models, you'll see your suspicious emails, you'll see your malicious emails that are dangerous.
But you also see things like spam and bulk emails that necessarily aren't the most dangerous, but still can cause a bit of a nuisance, right, when it comes to kind of using your email.
So you'll get this report with all this information, you can view the detections.
And so if you want that information, like I said, just contact your Cloudflare contact, and they'll be there, they'll be there to set it up for you.
That sounds great. And so let's say I'm using RetroScan and I get my report, what's next?
Where do I go from here?
Yeah, so I think there's a handful of things, depending on you know, the outcome of the report, kind of where your organization is sitting.
If you get the report, and you're like, hey, I noticed there's a large gap with where I thought my email security posture was and what it currently is today.
You know, you can talk to your Cloudflare contact, we've made it easy to access at the bottom of the page.
And you can say, look, like, I need to bridge this gap ASAP, right.
So you can immediately go if you want to get into the purchasing discussion of I want email security, or you can take that information and remediate it yourself, right.
So we're pretty transparent, we don't, you know, like hide things behind paywalls.
It is we'll give you every message we think is malicious with the message ID.
So you can go through and say, hey, I want to, you know, delete these messages, I want to go put them into quarantine, whatever your internal remediation process, maybe you can do that.
Finally, kind of the last step that you can do is and what I predict most people want to is that you see this gap, and you're like, I'm curious about how, you know, Cloudflare email security and how it works with different products and how it can protect me in the future is you can contact someone within Cloudflare set up with what's called a PRA, which is our phishing risk assessment.
And all that is, is a 30 day free trial where we essentially set up area one, our cloud, our email security tool within your deployment that we can be anywhere we can be, you know, you can make us in line, change some DNS records, have us point to our MX records, or we can be pretty passive.
And you can just have a scan via API or journaling, depending on how you want to deploy us, we'll just give you a 30 day free trial where you can kind of have another objective look at, oh, these are, you know, not only the ML models, but things on top that we built, like our email link isolation tool, which uses our remote browser isolation capabilities at Cloudflare, all these things, and as a package, you can kind of test them out for 30 days.
So those are the three things you can remediate yourself, you can go straight into purchasing, or you can be like, hey, I want a 30 day just test tribe, please, like set it up for me and all that we're here to support you in your journey through that process.
And can you explain the difference between the retro scan and the phishing risk assessment and when customers should do one or the other?
And then if they want to get started with PRA?
How can they do that? Yeah, so a retro scan is a great way to see how your posture looks today.
So obviously, we're going back in time and looking at historical emails and historical data.
So it's great to see what's currently sitting in your inbox.
But that, as I mentioned, our scanning ability, though, it is a big part of what we do, it's there's other parts of our product that really help protect your organization from threats that come in.
So things like a link rewriting, as I mentioned, you know, we have our own admin quarantine capabilities, there's just a lot that the total solution kind of offers.
So the retro scan is great to just see, you know, our models kick in and scan things.
But a PRA is really a more in depth dive where we set up a tenant.
And like I mentioned, it's a it's a full enterprise tenant for 30 days, you're able to get all access to all of our, all the parts of the product.
And then you're able to kind of run it within your environments and see, you know, not only is it what is it catching live that my current email solution has missed, but also what you know, what are these other areas that it's protecting me against?
So you know, and different levers that you can pull to kind of fine tune it and get it to that perfect state that you're looking for.
So I think that quite really, the differences of PRA is a live view on what's going on within your environment and how we're protecting organizations, you know, every you know, the present time versus a retro scan is more of a retroactive look, which is why it's called retro scan, but more of a historical look on what's sitting kind of latently within your inbox that has been missed.
So those are the two ways we think about it.
And we think there's a transition of once you run a retro scan that you want to see, okay, these are the threats that I have missed, or my current solution is missed.
Let's see, you know, for the next 30 days, how Cloudflare email security is preventing more attacks from coming in and into my mailbox.
No, that sounds great.
Thanks for explaining the difference between the two. But I would love to know myself and I'm sure the viewers would too, you know, what's coming up next for a retro scan, or even maybe for cloud email security?
What are some things that your team is working on?
If you can share with us? Yeah, super excited about retro scan, as I mentioned, it is in a closed beta, we're essentially figuring out some stuff on our end, and really are the end goal here is to GA this.
So we want to eliminate the friction altogether in the future that you need to, you know, contact a Cloudflare representative or someone that you know, and you can just run this live.
So you'll be able to self service it and go from there. So really, the thing we're pushing for is for this to go GA, no timelines on that.
But I'm, you know, knock on wood, I don't have any wood around me.
But, you know, I hope that happens pretty soon.
Nice, that sounds great. Um, well, thank you so much, Ayush. But now Adam, I know a really exciting day today, Turnstile finally went GA.
I remember the day it launched.
It was very exciting. But if we could take a step back, can you tell us a bit about you know, what is Turnstile?
And how does it improve from the regular CAPTCHA experience that I think we have all been through at least once?
Hey, Dina, thanks so much for the congratulations. We're all really excited over here on the Turnstile team.
So what Turnstile is, if you take a step back, it's it's a CAPTCHA in terms of its purpose where for it helps differentiate between humans and robots that might be automating a browser.
But it improves on the traditional CAPTCHA experience by never under any circumstances showing you a visual puzzle.
We find that those visual puzzles have become less and less effective over time, as machine learning and artificial intelligence have become more sophisticated.
I just saw a really interesting blog post about how OpenAI itself can now can now solve CAPTCHAs very easily across a wide variety of platforms.
And so for us, we felt these visual puzzles are incredibly frustrating for users.
They say on average, about 15% of people will churn the first time that they see CAPTCHA.
So it's not a good solution for something like an e-commerce business that would really rely on that transaction.
And at the same time, it's not providing a security benefit. So if it's aggravating to people, and it's easy for bots to get past that, then what's the point?
So we built a solution that only asks for very simple interactivity. The things that we're doing under the hood to determine human versus robot don't require any sort of identifying traffic lights to do that.
And we think that this is a much better experience for everyone.
Nice, that sounds great. And I would love to know, you know, how big is the actual impact of CAPTCHAs?
And by replacing this, like you mentioned, I know we're making a better user friendly experience, especially for anyone that's visually impaired.
Sometimes it can be very difficult to solve this. But also from the security and privacy point of view, turnstile is a much better solution.
So maybe if you could dive into like each aspect of it, and how turnstile is much better than CAPTCHAs.
Yeah, yeah. So just to take a step back, we decided to go on this journey, because we discovered that, I mean, for one thing, for a very long time, Cloudflare has had a CAPTCHA solution.
Customers really want to be able to only allow humans and not allow bots to specific pages.
We were working with a couple different CAPTCHA vendors in the past.
And we were finding that even if it was a customer deciding to deploy a third party solution, there was a Cloudflare logo on there.
And we were kind of owning that interaction, where if someone was unhappy with the fact that they were being presented with a CAPTCHA on one of our customer sites, and they didn't like the experience, we were getting blamed for it anyway.
And so at some point, about three and a half years ago, now, we made the decision that there's got to be a different way to do this, there's got to be something better.
And we started along the process where we spun up a small team to work on at first making incremental improvements to our CAPTCHA serving platform, and then eventually doing away with it entirely.
One of the big tests that we did that I was really excited about, was about late 2021, we started running our managed challenge, which is essentially turnstile, but issued through a Cloudflare hosted site.
And we were running that kind of A-B testing. And we found that with no interactivity at all, we had exactly the same solve rate as the CAPTCHA solution that we were using at that time.
And so that was really, we let that run for about six months, we wanted to see bad actors adapt to it and prove to ourselves that we could see what they were doing and also make it make adaptions back.
Privately, we call the team that works on turnstile, the CAT team. It stands for challenges in turnstile, but our own kind of in joke, is that it's always a cat and mouse game with bot operators.
Every day, every week, we're going through and we're finding what new bot operators are doing to try and get past turnstile, and we're making adjustments.
And so once we were really confident that we could make those adjustments, that we could see what they were doing, once they had adapted to what is now turnstile, and we could adapt back, that's when we started to make turnstile a solution that we felt that we could rely on and replace it entirely with CAPTCHA.
But that process itself took a long time. There were a lot of internal places where we had CAPTCHA, we had to get a lot of teams involved.
So it wasn't really until turnstile was just coming out of its beta that we could say, we finally introduced something that is across Cloudflare, there are no more CAPTCHAs anywhere in Cloudflare.
So that's a very long winded way of getting to the first part of your question.
The second part in terms of what is the actual impact, I think in general, the best way to think about that is the average time that a user takes to solve a CAPTCHA on a site is about 30 seconds.
So that's 30 seconds where they're not interacting with your site, they're feeling worse and worse about their user experience.
And in a lot of times that they're not even solving it.
There's about only 75% of time there's agreements between three users and studies that have been done in terms of what the actual correct solution is for a visual CAPTCHA.
And you mentioned audio CAPTCHAs too. Audio CAPTCHAs are worse, where in only about 33% of times is the CAPTCHA alternative kind of audio playback, is there agreement between what the actual solution is.
So two thirds of the time that three people try and solve an audio CAPTCHA, there's no agreement on what the right answer is.
So that's a really poor user experience.
We wanted to make something that was great for everyone, no matter how you're interacting with the Internet.
And so what we've done is we've driven the average solve time.
So the time that you spend on that page from about 30 seconds down to one second.
So we're extremely proud of that. Our abandon rate is well below 1%.
So it's a better experience for website operators that use it.
It's a better experience for the rest of the Internet. And we're really proud that we're going GA with this now.
Yeah, no, that's crazy. I remember there was one blog post, I think maybe it was when we launched Turnstile that talked about, if you think about the number of CAPTCHAs that are issued every day, and you multiply that by 30 seconds, just how much time that is.
And then now, I guess, if you reduce that down to one second, that is so much time that we are all collectively saving.
And by that, just as a, again, as a website operator, especially if you're in e-commerce, the time that it takes to load your page is so important.
If it takes a bit longer, it's going to impact your conversions. And sometimes that's not just latency, but it's also, for example, solving CAPTCHAs, it really instantly starts the experience off on in the bad direction.
So this is so great.
And one of the things that I also love about Turnstile is it's a privacy -centric solution, solution replacement to reCAPTCHA or CAPTCHAs in general.
Can you dive a bit more into that and what makes it a more private experience?
So as you know, reCAPTCHA owns about 98% of the CAPTCHA marketplace. And one of the things that Google will use to determine if you're a valid user or not is what things have you, what other websites have you visited?
And so part of its validation and its security is looking at your browser history, looking at the sites that you visited and seeing how they authenticated you.
And we don't feel that that's something that we should need to do to determine if you're a human or not.
So Cloudflare absolutely does not track anything about things that you've visited previously.
All we care about is in this very moment, are you a human or are you a bot?
We don't store any data in terms of PII. That's not relevant for us to be able to determine if you can pass a Turnstile challenge or not.
And we're investing in partnerships with other third parties to try and make this an even more privacy centric solution.
So one example of this is we, Turnstile is fully integrated with private access tokens.
And so when this, I know this is something that you're very well aware of too, because it was something that you helped implement.
But so what privacy, what private access tokens are is a way for us when we're talking specifically to an Apple device to get a cryptographically strong signal from that device that yes, this is a good device.
It's not jailbroken. It has the application in the foreground.
And all we're getting from Apple is a thumbs up, thumbs down.
We don't care about anything else about the device. We're not getting any other information from it, just good, bad.
And actually when we're using a private access token, which today we are for over 50% of all Apple devices, it actually decreases the solve time down even farther.
So it's about 50% of what the normal solve time is if we get to just use a private access token.
No, that makes sense.
And can you give us a real world example of how, for example, Turnstile can help with combating fraud?
I'm so glad you asked. So one of the things that we just did is we finished rolling out Turnstile on our own, Cloudflare's own signup page.
As I think folks are all aware, Cloudflare has a lot of really great services that we offer absolutely free.
And unfortunately what that means is sometimes those free services can be abused by bad actors looking to do things like host malicious content or abuse the web in some other way.
And so as we always do at Cloudflare, our ethos is we want to use our own tools.
We want to get our own feedback. We need to be customer zero.
And so Turnstile is now running on our signup page for 100% of all signups.
We found that over the past 30 days, we've blocked about 1 million signup requests.
We have alerts scheduled. So anytime that someone writes in a ticket about this, so if someone complains about Turnstile's blocking them from a signup, we know to go take a look at this.
We're extremely proud to say that we have yet to find a case where someone has done that.
And so we have zero false positives for now.
I'm sure that will eventually change, but we're closely monitoring it. And we're proud of the results so far that we've blocked 1 million signup requests without impacting a single good user.
That's so great. And another thing is, so I know it's been some time since we initially launched Turnstile, and a lot of changes came out from that period.
So I'd love to learn about what did we learn from the initial launch and the initial beta testing phase, and what improvements have we made since that now make it GA ready?
Yeah. So let me start with the end product, which is we've implemented a lot more callbacks and a lot more error codes.
So a lot more ways that you can deploy Turnstile and ask Turnstile to do something different depending on the needs of your application.
And we're also servicing a lot of specific error codes related to states that a user might get in.
And the reason that we did all this is because we found that there were a lot of cases that surprised us in terms of edge cases that we see on the Internet that maybe we hadn't expected.
So a couple of good examples of this are the first one is with users who might have very old computers.
So we're talking over 10-year -old desktop computers.
We find that very often at that point in time, the motherboard battery is dead.
The motherboard battery probably isn't replaced.
And why that can become an issue is because the motherboard battery controls the system time on the computer.
So if you shut off your desktop computer, the system time keeps incrementing, keeps following a normal clock schedule using that battery.
When the battery's dead, the system time stops until you boot up your computer.
And so if you keep it off for eight hours, your time is off by eight hours.
Now, Cloudflare uses those system time checks in Turnstile for a couple of things.
One is we, as I think you know as well, system time can be helpful for cryptography and ensuring that a good TLS connection is made.
The other thing that we use it for in Turnstile is we use it to make sure that a website operator didn't accidentally cache Turnstile or a challenge page.
Because if a page is cached, we do a lot of dynamic code obfuscation, a lot of dynamic encryption.
And so having a cached version of that page means you're actually getting an old and bad challenge that you'll never be able to pass.
So we need to keep those time checks in place.
But we found that for people who are operating very old computers, that was actually causing a problem where their system time was incorrect and causing them to not be able to pass challenges.
So we issue specific error codes for a number of things, including when your time is off.
And that way you can see a very user-friendly message that says you need to update your time.
As long as your time is within 24 hours, you will be able to pass Turnstile. And that made it a lot of a better user experience.
The other thing that we saw, and I'll keep this one brief, is we saw in user groups where folks were maybe privacy conscientious to the extreme, where they have privacy settings on maximum.
Now that's a community that in Cloudflare we very much want to support and that we very much feel aligned with.
But one of the things that we found that there were things about how they were interacting with websites that we didn't expect.
For example, third-party scripts would be disabled entirely.
Now Turnstile is a third-party script.
It's one that we need third-party scripts to be able to be executed in order to run.
Unfortunately, there's no way that we can get around it, but we need to make it obvious to the user that that is exactly what's causing a problem.
And so now if that is what's causing the problem, someone has disabled third-party scripts entirely, they now see a very clear and obvious error message that that's the case.
And so then they can make the decision, do I want to update my privacy settings so that I can proceed with this website?
Or do I want to preserve my privacy and maybe come back another time or do that in a different browser?
No, that sounds great. Those sound like really big improvements. And so I'm so glad for our customers to start using them.
And so I guess in that sense, if someone's interested and they want to get started today, how can they do that and who all is this available to?
So this is available to everyone. Anyone who signs up for a free Cloudflare account, it takes you about 10 seconds to supply an email address.
Once you've signed up for an account on the account level dashboard, you can click on Turnstile and create a free widget.
We offer use of our managed widget, totally free, unlimited usage for up to 10 different widgets, which is like a Turnstile deployment.
Nice. That sounds great. And since we only have a few minutes left, I figured I'd give a little overview of everything else that launched today.
So first of all, thank you both, Ayush and Adam. We're very excited about these announcements.
Thank you for diving deep into these with us. But in terms of other things that launched today, we had post-quantum cryptography going GA.
Essentially, we started rolling out post -quantum cryptography to our services, to all of our customers.
It's automatically available for free because we think that everyone should automatically be protected against the most advanced attacks.
We don't think that this is something that customers should pay for.
But in addition to that, what we also did is we launched post-quantum cryptography support for any connections that are going out to the origin.
So this is either when we're going out to make that request to your origin or if you're using workers and you're making a fetch call to go get a resource somewhere, you're also going to get the same level of protection there.
Other things that we announced, we are very proud to be closing the last privacy holes on the Internet.
And so today, we launched support for encrypted client hello.
Essentially, when you make a TLS connection, you send a client hello, but that can expose information about what website you are visiting.
But by encrypting that data, you can keep ISPs or any third parties from knowing what website you're going to and giving you that privacy back.
Another thing that we posted was a deep dive into privacy preserving metrics.
So again, in the theme of privacy, we think this is something that should come automatically.
And so we had a deep dive around the distributed aggregation protocol DAP.
And so we've talked through some examples of how it can be used, how we implemented it, and then talked a bit more about our open source aggregator server.
We also talked about how Cloudflare goes about detecting zero -day attacks before zero-day, essentially deep diving into our approach and ongoing research around these attack vectors, and how we see them and detect them in our WAF before they're even seen by a security researcher.
And then finally, for any Cloudflare user on any plan, they can now choose specific categories of bots that they want to allow or block.
And these are now going to include AI crawlers, which is really big and important, especially with the launch of all these AI applications.
And so another thing that we're going to be doing is recommending a new standard to robots.txt to make sure that we can make it easier for any website to direct how an AI bot can or cannot crawl.
But that is all we have.