Cloudflare TV

Nikita Borisov: visiting researcher on new and old encryption protocols

Presented by João Tomé, Nikita Borisov
Originally aired on 

In this segment, João Tomé gets to know Nikita Borisov, a visiting researcher in Cloudflare’s research team. We go over his experience as a cryptographer and as a professor at the University of Illinois at Urbana-Champaign. We explain what is the Rate-limited privacy pass (RLPP), its evolution and how it can be helpful for online privacy. Nikita also talks about some of the protocols he helped create — one of the first cryptanalyses of the WEP (Wired Equivalent Privacy) wireless encryption protocol and the Off-the-Record Messaging protocol.

Check the Cloudflare Research page:


Transcript (Beta)

Hello everyone, welcome to our Research Corner segment. I'm João Tomé and we're here for a conversation with Nikita Borisov, cryptographer that is a visiting computer security researcher at Cloudflare and is also a professor at the University of Illinois.

Hello, Nikita. Hi, João. Thanks very much for having me. And you're now a professor, not an associate professor, right?

You just moved out before we started, so you got promoted, that's good.

We had a lot of things to discuss here, but why not give a bit of your background in terms of where you grew up, where you come from, and can you give us a tour on that?

Sure, yeah. I was actually born in Moscow, in Russia, and I grew up there.

I lived there until I was a teenager, and then I moved to Canada with my mother.

And in Canada, I went to high school and then went to university at the University of Waterloo.

And then after getting my degree there, I went to graduate studies, and that's when I moved to the United States.

And so that was maybe 25 years ago now. And so I went to graduate school at the University of California, Berkeley.

And then upon graduating, I got an assistant professor position at the University of Illinois.

And then eventually became an associate and now full professor at U of I.

Exactly, that's good.

First, when you were born, it was still the USSR, right? It was USSR, that's right.

I just go by Russia. I talked to a bunch of people who were born right after the USSR existed, so I figured I'd use the current name.

I know the feeling.

But I still remember the USSR. That said, you were a teenager, you were saying that you were a teenager when you moved to Canada.

That's right. You were already interested in technology back then, or it was a taste that you acquired?

Before I moved to Canada, my mother was a scientist and she had a research visit to France when I was 12.

In what area was she a scientist? She was a scientist in biochemistry.

So she studied actually a lot of trying to understand how proteins and structures that make up the human and other part of biochemistry work.

And then when you got interested in technology, did she help there?

What happened was that I spent four months with her living in France and I didn't really know a lot of people, didn't have quite as much to do.

To occupy myself, I let people at my mother's institute let me use their computer for a while.

At first, I tried to find some games and there weren't any games.

And then I found a manual for programming.

I think it was basic at the time. And I thought, oh, well, let me see about that.

And I started working on that and I got really hooked. And so before we left France, my mom bought me a small laptop that I started working on after I came back to Russia.

And then after that, you know, it just very quickly became all -consuming in my life.

And so it's been really into computing ever since. But in terms of programming, in that case, in the basic part, it was programming late 80s, possibly?

This was early 90s, but yeah. But programming, you were programming things, doing stuff in terms of programming.

Yeah, so, you know, part of it was that I, because I couldn't find any games, I tried to figure out how to program some games at the time.

And that was the first thing that I started with. And then I went on to start learning other programming languages, programming, I don't know, all sorts of things.

Definitely built a few games as a kid and then started learning, you know, started connecting on to, I didn't get an Internet connection straight away, but I got a, I was able to start accessing Usenet when I lived in Canada and learned a lot there.

Discovered Linux when I was in high school and that was really cool.

And so I ended up learning a lot there. And then I went for my degree, my, at the university, my degree was in math and computer science.

And so I spent, you know, that was the foundation of my education there.

But in terms of, of course, cryptography is completely connected to mathematics, of course.

But when did your interest in cryptography started? Why do you think it's such an interesting area also?

Yeah, so that was, I mean, basically I was spending a lot of time on Usenet and then on the Internet in the middle of the 90s.

What is Usenet?

You were saying Usenet? Usenet is a set of, it's like a discussion group system that was, basically they had newsgroups that talked about all sorts of different things.

And so there'd be a newsgroup that talked about, you know, maybe C++ and there'd be a newsgroup that talked about recipes.

Beginning of social media in a sense.

It reminds me of IRC, MIRC. That was like in the late 90s.

That's right.

I connected to IRC at some point as well, but I spent a lot of time on message boards.

And I think one of the things that was really interesting to me was that, you know, as a teenage kid, if I worked really carefully in writing my message, I can interact with people who really didn't know who I was and they would, you know, they would have discussions with me.

And that was, you know, almost, I just read Ender's Game with my kids and I was reminded of their discussion, the discussion boards that Ender's brother and sister participated in as children.

And in terms of cryptography, if you were telling me. Right. So in terms of cryptography, one of the things I started learning a little bit about cryptography just by reading things.

And the two things that I found really interesting was, first is that it has a mathematical foundation.

I've always been interested in math.

Like I said, one of my undergraduates, one half of my undergraduate degree is in mathematics.

But the other thing is that it's kind of, it lets you do things that in some sense you might not make sense that you could do.

So, you know, when people think about cryptography, you sometimes think about, you know, very basic things like saying, I want to send a message, I want to encrypt it, I want to scramble it such that other people can't read it.

And that in itself is, you know, it's interesting and useful.

But with the development of things like public key cryptography, there's a thing where, for example, you and I can talk over a completely open channel, the channel that everybody else can hear.

And by exchanging numbers back and forth, we can agree on a secret that nobody except you and me will know.

And that's like magic, right? Like that's, that was the thing that I found very interesting is that you could do new things that really don't seem possible in the real world.

And so as I was spending a lot of time on the Internet, you know, the kind of creating new ways of doing things, new way of interacting things with people, new ways of working together.

And I think that's what really drew me to that.

But in terms of working really on things, it was already in the university, right?

When did you start thinking, oh, my God, I really may have a career here working on this?

Was there a moment or a guidance there? I'm not sure there was.

Well, probably the biggest moment in that direction was that I actually got a grant from USENIX, which is a professional organization that holds research conferences.

And to attend the USENIX security symposium in California when I was an undergraduate.

And so I applied for it and they paid for my trip out there in a conference registration.

And having attended the conference and heard people talk about various research things that they're doing, just my mind was just filled with wonder and ideas.

I was really excited. I had the best time learning about them.

And that's when I thought, OK, I want to go to graduate school.

I want to learn about this thing. This is where I want to work. This has been an interest of me, but it really cemented this idea that this is where I want my career to be.

Because, you know, this was the late 90s. This was the dotcom boom.

I had lots of friends who would go on to, you know, various companies and startups.

You know, money was falling out of the sky. I have some. Some of my friends became billionaires.

But, you know, what's up? That's just what happened.

Yeah, it was. Grad school really, really attracted me because I thought there's this again, this world of research.

There's this exploring these ideas of how you build secure systems, how you apply cryptography to solve problems.

Really, I found it intellectually incredibly stimulating.

And at the same time, it felt like.

As the Internet was becoming more pervasive in our lives in the sense that, you know, in the 90s, it was clear that there was an opportunity to really shape the way that people used the Internet, people interacted with each other over the Internet and provide good security properties there.

I'm curious in terms of when you thought you had your biggest achievement.

Like, oh, my God, I built something really impactful and important here.

I know you work on different things in terms of work.

One of the most known things, I think, is one of the first crypto analysis of the WEP, Wireless Encryption Protocol.

It's the Wireless Equivalent Privacy Protocol.

Right. So this is probably definitely the first moment where I felt like, OK, something I'm doing actually matters.

Because this was the early version of the protocol that's used in Wi-Fi for protecting your access.

So the very first versions of Wi-Fi, I'm sure that just had no encryption on them.

And then by the time we started getting it, they'd used this protocol.

So everyone could see what people were doing, their usage of the Internet.

I think so. Yeah. Yeah. Mostly that. When was this in terms of years? This was in about 99, 2000, around then.

This was basically when Wi-Fi was really coming on the scene.

So at Berkeley, when I was a grad student, we started getting these little PCMCIA cards they insert in your laptop.

They allow you to connect to routers.

And, you know, you could actually start connecting to use your laptop without plugging in a cable.

And that was something that was coming up that we started using.

And I became interested in how, what level of cryptographic protection they were using.

And then I started looking at it. I identified some real significant problems.

And so my two of my lab mates and I, we wrote a paper that looked at that.

And I mean, I think one of the things that was interesting to me is that by that was the time where I could say, OK, by looking at something and that is used in the real world.

Right. You know, there were products you can buy. There were probably, you know, millions of devices sold at that point in time that are running this thing.

Someone like me can take a look at it and identify a problem and say, OK, this is something that needs to change.

And so we published this paper.

We had, you know, we talked to the standards body that does that to try to explain to them what kind of things need to change.

We were interviewed by the Wall Street Journal.

And it was definitely a big kind of breakthrough moment for me is saying that I can do impactful work.

So you were analyzing it, but also like creating at the same time a protocol to resolve that problem in a sense, right?

I was mostly in that work.

I was mostly involved in the analysis and the kind of commenting on the next level design that the standards people undertook.

So the next level design was undertaken by the standards body, which was the industry participation.

I was a little bit. I mean, one of the things that is hard to understand from the outside is that it's easy for me as a graduate student to look at a specification and find a problem.

It's a lot harder for me to say, OK, here's how it should be done, because there's a lot of constraints that go into building a protocol that gets deployed on millions of devices that aren't necessarily apparent if you aren't working in there.

And so we're jumping forward a little bit.

That's actually one of the things that one of the reasons that I wanted to visit Cloudflare is that you're in a place where you're taking something, you're taking a protocol and try to deploy it where millions of people are using it.

And there and what I wanted to do is try to understand, you know, what's the, you know, understand the gap between a protocol that I can specify saying here's a better way of doing it.

And I can write a short prototype that that implements it and saying, OK, here's how you can do it.

And there's all sorts of constraints and saying you'd get you have to have a whole industry adopt the standard.

You have to have everybody use it.

You have to have everybody agree on things. You have to do things that are practical.

And so that's. So it's a good use case for you to test things, to put things to the test and see how it works, even without being a standard already, right?

As a researcher here at Cloudflare. Yeah, exactly. So that's something that but what I'm saying is that that's that was why the analysis part was something that we could do.

The revision part really had to be led by these committees that the industry committees, because they needed they understood the constraints of the devices, the constraints of interoperability and so forth much better than we could as graduate students.

Sure, sure. And you're also known for the design of the off the record messaging protocol, right?

What is that all about?

Yeah, so I can tell you this was. Let me see if I can explain it.

One of the things is that when I was in graduate school, the people were at the time a lot of Internet communication had just like the very origins of wireless communication had pretty much no cryptographic protection.

And so if you were able to watch traffic, you know, if you were an Internet service provider, you would see messages back and forth.

You would see you and me chatting right now.

You would see all the full video. You would see the text messages, the chat messages we exchanged right before having this meeting.

You would see an email, the contents of the email that I sent you this morning, right?

All these things.

So no privacy at all. Exactly. And then people were starting to think about saying, OK, well, we have this encryption technology.

We want to be able to have these conversations.

And so there were a few kind of fledgling plugins that people were creating to chat programs, to email programs and so forth.

The thing that really motivated the design of off -the-record privacy is that I was trying to match up what various cryptography can do to what you would actually want out of communication when you're doing, for example, instant messaging.

And what I wanted to do is I wanted it to be an ephemeral conversation that's not really, you know, this kind of thing where it's like right now, of course, we're talking and we're being recorded.

But normally when I have chat conversations with my wife, let's say, or my kids or whatnot, you know, these are things that I say back and forth.

They're not supposed to have any long-term value. And there's a connection to privacy there in a sense that you want it to be the case that if, for example, somebody steals my phone tomorrow, they might not be able to, they shouldn't be able to learn the privacy of the contents of the messages I sent yesterday.

You want to make sure that if somebody intercepts my message, they can't in any way have a cryptographic proof of this identity of the person who sent this message.

And so the design of OTR, or off -the-record messaging, was basically saying, here are the kinds of properties that casual off-the-record conversations should have, and here are the cryptographic tools that we need to build them.

And so we built a prototype, we released the paper, then we actually built something that was a plugin into a couple of common instant messaging platforms.

And over time, it became more popular.

We went from a few thousand to maybe tens or even hundreds of thousands of installs of our plugins on various devices.

But it also, I think more broadly, this idea that this is the property that communication should have, have also been adopted by other communication tools.

For example, Signal designed a protocol, actually their original protocol was using off-the -record, and then they improved a few things about it.

But the key thing is that these properties that you want to make sure that if your messages don't have cryptographic signature on them, that allows a third party to verify you said something.

And that later compromise will not reveal past messages.

So the principles are there. You began those principles associated to instant messaging, it was 2004, I think, right?

So the principles started there, and of course, then it evolved also for Signal, like you were saying.

Exactly. In terms of your work here at Cloudflare, first, what were your expectations before, and what do you think now in terms of the company, of your work here specifically?

What are those? So, let me see about the expectations.

I mostly was interested in working with a few people that I had known at Cloudflare.

So I've been in, I've known Nick Sullivan, who leads the research team for a number of years, we have talked and we have done some, a lot of discussions about various network privacy type topics.

And also Chris Wood, who works here is someone that Nick and I worked together with as well.

And I knew a couple other people, but I thought it would be really, you know, that was probably one of the things that most drew me towards Cloudflare, the opportunity to work with them.

I think the other thing that I was expecting is that I would get to see, like I said, how it is that Cloudflare is able to take a new cryptographic protocol or a new security design and get it to the point where they're running it in production with millions of users.

And if not billions of users, what are the steps and what are the, what kind of things that they face?

What kind of interesting thing in the process?

And I say that from that point of view, this has been, actually exceeded my expectations, because one of the things that is, I'd say a little bit surprising about Cloudflare is just how open various processes are in terms of trying to see how things, how things are run in the sense that there's a lot of documentation, there's a lot of discussions in chat rooms, and it's really easy.

It's just the barriers are almost non-existent for me to start reading about some things, you know, if I want to find out various projects.

I can go and read various, you know, functional specifications that are published.

I can go and look at tickets that were, you know, problems that people have run out.

I can look at, I can jump into the chat groups.

And the other thing is that people are… Participate in the discussions, right?

It's really easy to, you know, I kind of felt, it took me a little while to get comfortable with in a sense that I feel like, okay, here I am an outsider.

I'm not, you know, I'm not really a Cloudflare person.

I'm just here visiting, you know, what kind of things are people willing to tell me?

What kind of things, you know, are they willing to take their time to explain things to me?

But generally, that's been the really impressive part is that I can go, I can find whatever team it is, I can find, I can look at their discussions and a question and I can bring it up and usually we get a quick answer.

In other cases, I can schedule a meeting with somebody and they'll usually take my request.

And so, in that sense, I think that has really fulfilled my expectations.

I mean, what's been interesting is that the project I'm working on is not what I expected to be doing.

Because initially, I was thinking of continuation of my own research that looks at privacy of the domain name systems and namespace for the Internet.

And we started trying to think about various projects there.

But then I started learning about this new work on these privacy pass tokens that was being done between Cloudflare as well as a collaboration with Apple.

And I got really interested in that project. And that's over the last six months ended up becoming a bigger focus of what I've been doing.

That's interesting because you found a new path in terms of it was interesting for you to explore.

It's a rate limited privacy pass, right? What is it really? How does it work?

So, rate limited privacy pass has this idea that lots of people want to say that somebody should be able to access my website, but not too much, not too often.

For example, a lot of newspapers say, I want to be able to access, you should be able to read 10 articles a month.

Or a website might say, okay, I want a user to be able to go visit my site, but not more than 100 times a day.

Because after that, they're worried about attacks, they're worried about various other problems and so forth.

So, there's this idea that you want to have a limited form of access that you provide to people.

And how do people do this now? There's really one of two ways.

One is to say, okay, well, we're going to need you to sign up for an account.

We're going to need you to register, maybe even verify your identity somehow, and so forth.

And then we can track everything. To be honest, there's a lot of entropy there.

Doing that, having to do that, it's entropy. More clicks, more, right?

So, it's a lot of work on your part, but it also has a privacy component.

Because now, a newspaper knows exactly what articles I'm reading, or a site knows exactly what pages I'm visiting.

And do I want this thing? But you're right, there's also just the base level overhead, from your perspective, that you just have to spend this time on doing that.

Or if the website is trying to do this and saying, okay, well, I don't want to bother the users, then what they will do is they will try to do some kind of behind-the-scenes tracking.

One very simple thing they can try to do is just say, okay, we'll use your Internet address, your IP address that your computer has.

Now, my Internet address that I'm using right now is only shared with the people in my house.

But in a lot of other parts of the world, an Internet address that you're using might be shared by dozens, if not hundreds of people.

And so now, if somebody starts applying rate -limiting there to say, okay, only 10 articles a month per IP address, then now you're sharing this.

And this actually, unfortunately, it lines up well with the development scale of the world, is that the developing world is much more likely to be in a situation where your access is limited.

Or they can do some kind of more surreptitious tracking.

They can do various privacy-invasive things to try to say, okay, we'll track cookies, fingerprints, and so forth to try to, you know, the same thing kind of advertisers do to try to learn every single detail about my life.

And again, just you can use the same techniques to try to rate-limit, but they're very invasive.

So what rate -limited privacy pass tries to do is let people accomplish this task, but not have anybody learn to be able to connect what people are visiting what websites and what pages they're looking at.

So there's this, what we call is relationship anonymity.

You're not able to connect me, my identity with the websites that I visit.

But it separates in a bit those two areas. And it doesn't put the pressure on the IP, given that, like, if you rate-limit, a lot of people can be impacted.

One people can do the 10 visits and the others won't have access because their IP was already used for that purpose, right?

Right. And so what this allows you to do is it allows you to have a different, it actually allows you to have, you know, a more precise form of identity, which you can do by registering with various things.

So right now, for example, some of this is done by registering through your device or registering your account with somebody that are generally hard to maintain, and that will be your base of identity.

And you can ask people to have, you can protect this identity somehow to make sure that, you know, the device isn't compromised, your account isn't compromised.

And, you know, that's something that a bunch of large companies around the world have been trying to do for the places where they have people access accounts.

So this allows you to leverage that to have rate-limited access to places where I don't need to learn your actual identity.

But in terms of cryptography, how does the protocol works?

But also, in what way is it already being implemented?

It's not a standard already, like being completely generally used, right?

No, it's not at the deployment phase yet. So this is an early phase protocol.

It's derived from a collection of protocols called Privacy Pass that actually have been, you know, originated at Cloudflare about, I think, five years ago and deployed there.

And that protocol has been evolving and is going through the standardization process at the Internet Engineering Task Force, the IETL.

And the rate-limited version is under design right now.

And so this is, you know, a good time for me to be participating because it's still evolving.

I'm trying to get you, you know, kind of the high-level picture is that it involves essentially what you do is you split up this functionality of enforcing rate limit between two different parties.

One of them who knows the identity of the person doing the accesses, and the second one who knows the website that's being visited.

But by splitting them up and you run a small cryptographic protocol between them, what you can do is you can track the number of visits and you can make sure that it's not exceed some sort of rate without anybody seeing the full picture.

And this is kind of, this is in some sense typical of cryptography.

And this is one of the things that I think is really interesting is that you can create some clever ways of computation back and forth so that everybody sees, you know, some part of the picture, but only, you know, only I can see where I'm, what website I want to see.

The website doesn't know who I am.

One of them, the people who know who I am don't know what website I'm going to.

It separates those things. That's interesting. And it creates that layer of privacy.

Where do you think this area is going, for example? Do you think it could be helpful for new regulation that is coming?

Europe, we all know that is pushing for regulation driven privacy.

Where do you see it going in terms of the future?

Great question. I mean, I think one of them is that it's now in, I think these privacy regulations might motivate some of these technologies to be deployed, because one of the things is that things like, you know, European GDPR says that if you handle privately identifiable data, then personally identifiable data rather, then you need to have all these sort of safeguards and practices.

And, you know, there's a responsibility that comes along with it.

And so, I think this technology allows you to accomplish...

Even for websites cookies, cookies like the worst experience ever, you have to approve every time you enter a website.

I mean, they're kind of in this space where nobody likes them.

The regulators don't like them because it can be used to track.

The users don't like them because, you know, maybe you get these, you know, maybe not so informative notification things that say, okay, it's cookie.

We have this cookie policy. I actually saw a really great presentation that says, you know, whenever you get this notification about cookie policies, is it even telling you anything useful?

And a lot of times, not so much. It's a waste of time.

At the same time, it's not really what you need if you want to just say, okay, I want to have people access my site with, you know, some sort of reasonable limit.

You just need some way to make sure that this limit is preserved.

And so, the privacy technologies allow you to do that. And then, now all of a sudden, you say, okay, I don't have to have a cookie banner on my site.

I don't have to be subject to, for example, removal or data requests that GDPR mandates because I don't have your personal info.

I don't know who's visiting my site, but I can still make sure that this is done in a way that satisfies my goal.

My goal is to make sure that somebody can't exceed this limit, can't, you know, in some sense, abuse the policy that I have for accessing the site.

Makes sense.

And it seems like, for your description there, like a cookie killer. Well, I mean, cookies are used for a lot of things, including advertising.

And so, there's, you know, some of these technologies, the base cryptographic schemes that are used here are under discussion in the advertising world to do something similar for advertising tracking.

Like, you know, in some sense, what we're doing is we're building some profile that says Nikita has visited this site 10 times over the past month.

And this profile is built in some encrypted hidden way that nobody really sees it.

It's not the case. But then you're still able to act on it.

And at a high level, the same technology is people are thinking about for advertising is to say, okay, well, the advertisers want to build a profile about me, but maybe we don't have to have this profile explicitly stored in some database.

Maybe I can have it in an encrypted profile that then is used to serve me ads.

And there's actually went to a workshop hosted by Google, where they're thinking about this kind of application.

So, I don't think this specific protocol is going to serve that, but it is something that, you know, the technology goes in that direction.

That's really interesting, because actually we wrote, I think it was last year, a blog post in Fluffler's blog that stated that humanity loses 500 years on CAPTCHAs, like people writing the CAPTCHAs to enter websites.

And I think cookies, if someone like does the math, you lose a lot of time of your life clicking on cookies just to see a website.

And if it refreshes, another cookie comes along sometimes.

It's a very bad experience. So, everything that we can do to minimize that could be interesting.

I think this is interesting. You know, one of the things that we see in computer science when you think about people interaction is sometimes, like, sometimes if you're not sure how to make a decision, you know, you have this thought of, oh, maybe I just voice this off in the user.

I'll say, well, like, for example, I was just presenting two different versions of this protocol that had some trade-offs.

And I could say, okay, well, maybe I could make a toggle that says, you know, when you install your browser, you say, do you want this one or that one?

But the problem is that, like, it's really hard to make this meaningful choice.

If I, you know, with a PhD can't decide which version is better, then most people who are just wanting to do their work probably won't be able to get there.

And I think this cookie law has the same properties that, like, they're kind of saying, okay, well, if we have this transparency and we let people make choices, but choices are not always enough.

You need to have some way to make an informed choice.

You need somebody to have a way to efficiently do this without making this, you know, trying to make this decision for every single site, for every single cookie, for every single cookie type.

Every time you visit that website, if I push, I know that this batch of websites, I can approve cookies and I do it once, that's okay.

Once like every three months or whatever, six months. But the problem is it's always there appearing for the same user.

So it's really a bad experience as it works.

Right, right. Well, and I mean, you probably visit, you know, in a month, I'm sure you've visited dozens, if not hundreds of websites.

And so even if you do it once a month, you have to have this thinking, okay, well, does this shoe company, should I approve this cookie because they can give me better deals on shoes?

Or do I worry about tracking things like that? The mental load of doing that is just unmanageable.

It is. Right. So that's, I mean, that's one of the things that I think the high level things that I try to do in my work is try to say, you know, what, how do we connect the high level goals?

What are kind of things people would want and connect them to the experience that they have?

So that was...

Makes sense, makes sense. Perfect. Just to wrap things up, where in terms of Cloudflare, you're still prolonging a few more months, your presence?

I'm here going to, I'm going back to teaching next semester, but I'll be here part time for a couple months to complete this work.

Right now, we still need to do some work to get the protocol changes that I made analyzed, implemented, and so forth and described in a precise way.

Yeah. So that will be my goal for the next little bit. That's interesting.

Just to wrap things up, where do you see this area going in terms of the future, in terms of more interesting protocols or things that are being worked that could make maybe a game changer eventually on cryptography?

Well, so one of the things that I think is really interesting about this work is that is really trying to redefine the notions of identity that we have on the intranet.

One of the things that this work and the previous work related to a privacy pass enables is the ability to have strong notions of identity while preserving some other privacy components.

And so we're already seeing some shift to this notion that your identity on the Internet is tracked by a few big companies in the sense that, you know, when you go to a site, you say, well, you can log into the site using Google or using Apple or using, you know, Facebook and so forth.

But I think there's this also, there is this evolution of, you know, exactly what do these identities mean?

And are there going to be other instances where you have an even stronger notions of identity, maybe a government version of identity that is being used here and can it be exploited in a privacy preserving way for kind of things where, you know, maybe identify with my bank?

You know, I wouldn't, I don't think my bank would let me log in using Facebook, right?

But if I had some sort of government based provider, that might be a direction to go.

And then overall, there's this, this notion of identity is, in many ways, one of the central challenges for Internet security.

Because, you know, if you think about one of the core things that Cloudflare does, it prevents the distributive denial of service, right?

How does it distribute the denial of service? It's basically when one person is pretending to be a million people trying to access the site at the same time, right?

So, I think there's some potential to integrate this more deeply into the functionality of the Internet and really build better security solutions that rely on identity.

But I think it depends on how this identity provider landscape evolves.

Makes sense. And Europe, in the Digital Service Act and Markets Service Act, there's some identity related, online identity related stuff there in terms of bringing your identity where you want to bring it online.

Right, right.

I mean, there's like, right now, there's things that are still very clunky. For example, I have accounts with, you know, you kind of have to have accounts with Google and Facebook.

I used to have an account with Twitter. I still do. But like, you know, maybe there's some questions about whether that will work going forward.

And then, you know, when I go to some random, you know, if I go to a shoe store to buy shoes, I'm a runner, so I'm always buying shoes.

You know, they ask me to log in and they say, you can log in with Google, Facebook, you know, and give me 500 providers.

And I have to remember, like, which one did I use last time?

And then if I want to switch, should I say, okay, I don't really use Google anymore, I want to use Facebook or vice versa.

That's a really clunky service. So, I think there's this, you know, there's a lot of technology, there's a lot of user experience components, and there's a lot of regulation almost certainly that needs to happen in this space.

But I think there's, from my point of view, I think what's interesting is that there are opportunities to also think about privacy in this context.

Because, you know, tracking identity is essential. Make it better in terms of user experience, but also private, right?

Exactly, exactly. Because identity, tracking people and their identities is in some sense, you know, one of the central privacy threats that people worry about, right?

So, there's this question of, as identity plays a larger role in the Internet, trying to make sure that corresponding privacy protections come up.

I mean, that's really one of the overarching goals of my research.

And it's quite an exciting one.

Thank you so much. This was great. Learned a lot. So, it was great. Thank you.

I really enjoyed our conversation. And that's our time. That's a wrap. Thank you.

Thumbnail image for video "Cloudflare Research"

Cloudflare Research
Don't miss these great sessions from the Cloudflare Research team!
Watch more episodes