Estas Semanas en Cloudflare en Español
Learn about the latest in the world of Cloudflare — presented in Spanish by Alex Mayorga Adame.
Transcript (Beta)
Hello, good morning, good afternoon, good evening, wherever you tune in today live or are watching the broadcast of this program.
My name is Alex Mayorga Adame and I am a Solutions Engineer at Cloudflare.
Welcome to Estas Semanas en Cloudflare en Español.
Today is October 28, 2022 and we are going to start with our program. A little bit of the logistics of the program for those who tune in for the first time.
In the transmission window, in the lower part, you can see an email and a phone number to which you can send your questions, if you have them, and we will try to answer them during the broadcast or in subsequent broadcasts of this program.
Well, let's get started.
The first thing we review in the program is the Cloudflare.com website, where we can see all the latest Cloudflare product news.
So let's get started and let's review what we have.
We have the speed limit announcement, without limits, which is available for all payment plans, where the cost per use of this functionality is basically eliminated.
And well, customers will have an integrated or similar experience at all levels and can now build more efficient speed limit rules.
We have a link here to the blog post where our colleagues explain more about this change.
I invite you to check it out if you use rate limiting. Well, this is going to be very useful.
Then we have the Magic Network announcement in network monitoring, called Magic Network, which allows us to have visibility of our network and start planning capacity expansions or doing forensic investigations with the identification of potential attacks of distributed service denial.
We can also now send NetFlows and Sflows to Cloudflare, which will allow us to have more detailed analytics within Cloudflare.
This version is available on your Cloudflare account and you can also contact us if you wish to obtain the functionality through the link that is in that blog.
Then we have the construction of services that preserve privacy in Cloudflare's edge network.
We have the Privacy Edge service, where we have, for example, services for code audit, we have Privacy Gateway, Privacy Proxy and Cooperative Analytics, which are a suite of products that will allow developers to create new products that better preserve user privacy.
Again, we have the link to the corresponding blog post. I invite you to visit it.
We also have an announcement of the botnet feeds or botnet threats that will be available for free to service providers.
Well, this is in order to help reduce the impact of these attacks or threats that can abuse networks.
Service providers will be able to obtain the feeds of malicious IPs and also those that are generating service denial attacks, which would help reduce bandwidth and CPU costs.
It will also help improve the reputation of networks and prevent IPs from being placed on blacklists or being banned on the network.
This is available in an early beta in which you can register through that blog post.
Continuing with another product announcement, we have the launch of Cloudflare Turnstile, which is a free CAPTCHA option available in Cloudflare.
This Turnstile service helps you replace CAPTCHAs to confirm that visitors are real when they visit the site and offers a better user experience than other CAPTCHAs that may currently be on the market.
We have here the link to the product or the Cloudflare developers page and we also have the link to the blog post where the official announcement of this functionality is made.
Another novelty we have here is regarding Forrester analysts who have placed Cloudflare in their analysis of web application firewalls for the third quarter of 2022, where this Forrester analyst firm has recognized Cloudflare as a leader in this space.
It mentions here that Forrester evaluated 12 web application firewalls or 12 providers in 24 characteristics or criteria, including supply, strategy, and presence in the market.
And Cloudflare, in this case, received the highest score of all the providers that were evaluated.
And we have here a link to the report of the analysts.
We also have the announcement of new generation page rules.
Well, as you may already know, page rules are one of our best known products.
And well, however, it had some limitations in terms of the number of them that we can have or, well, generally internal technology issues that could be improved.
So we have this update where the page rules now have many improvements and have been separated into what we now have cache rules, configuration rules, dynamic redirects and rules for the origin.
So these products are expected to be able to increase the number of rules that they can have for each of them, give us additional functionalities and a better granularity in the administration.
We also have the link to the corresponding blog post on this side.
We also have the announcement of an open beta of WebRTC for live streaming.
This open beta of Cloudflare Stream was announced to do live video streaming using WebRTC technology, which provides the ability to have latency in less than seconds.
To be able to have people who see our stream basically unlimited concurrently.
So if you are interested in this part of doing video streaming using WebRTC, we invite you to review the documentation that is linked here or the blog post where you can register for the open beta.
We also have a closed beta, in this case for Cloudflare Calls, which provides an API for video and audio calls in real time or communication systems, with which developers can create scalable and highly performant solutions to make video calls in real time for their users very quickly.
We also have the link here. If you are interested in participating in this beta, please review the blog and contact the team.
We also have Cloudflare Queues available in private beta.
It allows us to send messages with delivery guarantee.
We have the ability to send messages in batches. We can also have this without basically having return charges by bandwidth.
It tells us here, in case there is a flood of messages or messages requests, they could cause problems in the functionality of your services due to the excessive amount of traffic.
And what Cloudflare does is basically send and receive those messages in the amount that your system can handle without being overloaded.
This again is in a private beta, so if you wish, please review the blog and register in the form that we have available there.
Another novelty that we have is the filters in the Logpush functionality.
Logpush, as you may already know, is a feature that we have for business clients in which we allow them to send the logs and store them in a SIEM or storage system that they require for later analysis or to keep them for longer.
And now what we have is a function that allows us to make filters and generate alerts in those logs.
You can find more information in this blog.
Well, continuing with the program, then we review Cloudflare.com webinars, where we can see all the webinars that come to be aware of Cloudflare's news.
We have here the first webinar, which is the product roadmap for application security services.
This will be presented by Stephanie Barnett, who is the head of engineering solutions in Asia-Pacific, and Fernando Certo, who is our architect and evangelist in the region as well.
They will be talking about the news that will be in application security.
This will be on November 2nd, so I invite you to register.
We also have a collaboration between Cloudflare and CrowdStrike, where they will tell us about the path to Zero Trust, how to build this architecture and ensure our organizations better.
Also on November 2nd, you can register in the links that appear below.
Then we have one more webinar where we have a talk about the risks that our APIs can have and how Cloudflare API Gateway can help us protect these APIs in a better way.
This will also be available on November 2nd.
We have a webinar on Cloudflare R2, Cloudflare's object storage solution, and how this can help us reduce our return costs.
This will be on November 3rd, and you can register again.
Then we have a successful case of a client called Investec, how they have been able to improve the digitalization of their banking services.
And we will have a fireside chat with Mr. Christopher Nadeau, who is the head of digital at Investec, and you can see him there on November 3rd.
Then we have another product roadmap, the Network and Zero Trust solutions.
Again, we have Stephanie Barnett and Fernando Certo, who will be informing us about the news in these two lines of Cloudflare products on November 8th, so you can tune in.
And, as always, there are many more webinars that you can register for.
And we also have all the webinars that are already on demand, where you can review at any time that is convenient, the recordings of the previous webinars.
If you couldn't take them in real time, you can review them on demand.
Well, then we continue with the other part of the program, which is to review the Cloudflare blog a bit.
To begin with, we have a blog by Mari and Christopher, where our colleagues talk to us about Privacy Gateway, which is a proxy that preserves privacy and is built on Internet standards.
They tell us here, well, if our interest is to have an application that is privacy-oriented or has an Internet service that wants to preserve user privacy, unfortunately the options to protect user privacy in a verifiable way are unfortunately limited.
You can, for example, reduce the number of records or folders that you maintain or reduce the amount of data that is collected.
But, well, even so, at the network level, each of the HTTP requests are identifiable, they come from a particular site.
This information that the requests generate contains information such as IPs or TLS fingerprints of users.
And well, if it is combined with information from the application, it could be able to identify users in an important way.
Important improvements have been made in the protection of user privacy, but the way in which the HTTP requests are sent and how the logic of the application works is required to be changed.
Well, what they mention to us is basically the reason or motivation to create Privacy Gateway.
What Privacy Gateway does is encrypt the HTTP requests and answers from a client to a server.
Basically, Cloudflare can know where the request comes from, but it does not know what it contains.
And vice versa, the application as such knows what the request contains, but not where it came from.
And well, this, as they highlight here, means that neither Cloudflare nor the application has the complete information, which helps to increase the privacy of the end user.
They tell us about a specific case where Privacy Gateway was used by Flo Health, which is a provider of female health applications, in which they launched their anonymous mode.
And well, here they link us both to the app and some articles that were seen in the press that highlighted this innovation.
Well, in the case of Flo, having Privacy Gateway in place, what they could do is create the anonymous mode for their users, which basically completely encrypts the traffic from the application to Flo.
And it also prevents Flo from seeing the IP addresses of the users. And at the same time, Cloudflare cannot see the information of the data they have.
So, here we have some other applications that can be created, which our colleagues mention.
For example, applications can be created to store telemetry in browsers that maintain user privacy, without having to, for example, store identifiable personal information.
Another case that they describe to us could be the potential of being able to report exposures to COVID-19, without having to worry about our IP addresses or our physical locations being registered.
We also have the power that DNS servers can serve DNS queries without having to link them to whoever made the request from the sites they are visiting.
In this case, this technology is called Oblivious DNS, and there they also link us to another blog that goes into more depth on this topic.
They tell us, well, as I mentioned, Privacy Gateway is based on Oblivious HTTP, which is an emerging standard at the IETF, and it also uses hybrid public key cryptography.
Now they explain to us a little bit how it works. In this case, we have basically three actors.
The client, which is the device of the end user, which will send information to the Privacy Gateway.
Privacy Gateway is the service operated by Cloudflare and that will transmit requests between the client and the gateway without being able to observe the content of the same.
And then finally we have the application server, which is where the web application or the web server will be served, which will be able to decrypt client requests and encrypt an answer.
Here we see in a diagram basically how this happens. The client gets a key to encrypt the application, and then the client encrypts this message to pass it to the gateway in this case.
Obviously the gateway in this case cannot obtain the information of the messages.
And then it re-sends these requests without the information of the IP of the original client or the metadata it could have had to the application server.
And well, this can decrypt the message itself.
Here we see, well, this is obviously an Oblivious HTTP transaction using Privacy Gateway in this case.
Here we see in more detail what we already described, the steps that occur to have this functionality.
And well, we see how this improves the privacy of the end user.
And well, we basically have two sections or two parts of this privacy.
One is the privacy of the request and the other is the privacy of the client.
They explain here that, well, the privacy of the request means that the application or the application server basically does not obtain information that would have been revealed with the HTTP request, such as having the IP address, the geolocation or the TLS or HTTPS fingerprints and some other characteristics of the message.
Since Privacy Gateway uses a separate connection, which is not the same as the application server.
And well, this information only stays in the gateway.
Or basically, the application server obtains the information from the Privacy Gateway, not from the client itself.
And well, it also mentions here that it is important that the application developer does not send identifiable information in the content of the requests.
They comment in this case, well, that if in the case that the package itself contained identifiable information, such as phone numbers or email, then a little would be eliminated the benefit that the Privacy Gateway could do.
And well, about the privacy of the client, since Cloudflare and the application server do not share user information, each transaction came basically from an independent client in the Privacy Gateway.
In the case that the configuration is done correctly, it means that the applications cannot know that two requests come from the same client.
And well, in this case, this is what helps to improve or make communications more private.
Here we have an example, in this case, of a direct connection between a client and a server.
And well, as we can see, there it will contain the IP address, location information, or the TLS fingerprint in this case.
And well, instead, if we use the Privacy Gateway, in this case, we have a direct connection that the information that all the components after the Privacy Gateway would see, would basically be the information of this private gateway.
And well, here it mentions that it is important, in this case, that the applications themselves must be careful not to reveal sensitive information in the individual requests.
This, obviously, the gateway cannot guarantee it, since the messages it observes are encrypted and we really can't know what they contain.
Since, as mentioned here, the application data cannot be observed in plain text.
This, well, again, the application must be careful to do so.
They also mention here that in the case of Privacy Gateway, you can't, or well, it is not the intention to use it as a generic proxy for arbitrary applications or arbitrary traffic.
Its objective is to be a specific purpose proxy for sensitive applications.
For example, what we already mentioned, such as DNS, data telemetry, or generic API requests, like the ones that were already mentioned above.
They talk to us about how we can integrate Privacy Gateway in our applications.
We have to, well, a requirement is that the applications, both the application and the client, on the server side, must implement Oblivious HTTP.
And they tell us a little bit about what should happen here.
We have the integration with the server. The server basically has two tasks.
One of them is to publish a public key so that the messages can be encapsulated and decrypt the encrypted messages of its clients.
And also to re-encrypt any response that UHSN sends to the client.
They give us more details of this public key of encapsulation.
What characteristics should it have?
Basically, they should be able to support multiple keys and also be able to rotate them.
Identify the cryptographic algorithm for encryption and decryption and the public key.
The clients on their side will need this public key to be able to create their requests.
Well, they detail here that there are multiple ways to do this.
And basically they link us to the relevant documentation to be able to do it.
Since the public key has already been generated and distributed, they can then send encapsulated messages from the clients.
The server will need to decrypt these messages and then encrypt the response.
Then, well, they link us here to several open source libraries for Oblivious HTTP, where we can do this work.
And they link us again to GitHub, where the libraries or implementations that are required to achieve this are located.
On the client side, we also have some changes that should be made, such as being able to obtain the public key and encrypt the requests and send them to the Privacy Gateway.
Here, well, they leave us specific code examples that we can use. And finally, they indicate a link where if we want to use the Privacy Gateway service, we can get in touch with the team directly to use this solution.
So, for all companies that want to improve their users' privacy, if you are interested, I invite you to visit this product page in particular.
Well, I see that we are out of time. I'm going to check if we have any questions.
Apparently, we didn't receive any. Again, if you have any questions when reviewing the recording of the program, we invite you to contact us at the email that appears below.
And we will be happy to answer any questions you have.
We will try to solve it in a future edition of your program this week in Cloudflare in Spanish.
Have a happy rest of the day and well, continue in the month of security, which is October.
And also, well, for all those who celebrate Halloween, Day of the Dead, have a great time.
Have a good day. See you later.