🔒 Security Week Updates for Cloudflare TLS
Welcome to Cloudflare Security Week 2023!
During this year's Security Week, we'll make Zero Trust even more accessible and enterprise-ready, better protect brands from phishing and fraud, streamline security management, deliver dynamic machine learning protections and more.
In this episode, tune in for a conversation with Cloudflare's Catherine Newcomb, Dina Kozlov, and Tanushree Sharma.
Tune in all week for more news, announcements, and thought-provoking discussions!
Read the blog posts:
For more, don't miss the Cloudflare Security Week Hub
<v Catherine Newcomb> Hello, and welcome to Cloudflare TV. We're here today to talk about two new updates in the world of TLS at Cloudflare.
Sure, at Cloudflare it's important to us that we keep innovating and adding features relating to TLS.
TLS allows users to browse the internet privately without exposing their credit card information or other personal and sensitive information.
Privacy is also becoming increasingly necessary as more and more data privacy regulations are created around the world.
But, beyond that, ensuring that Internet traffic is private and secure is just the right thing to do.
At Cloudflare, we believe in helping to build a better Internet, and that includes protecting the privacy of Internet users.
Today, we'll be discussing two new TLS features. First, we'll discuss how you can protect your key server with keyless SSL and Cloudflare Tunnel.
And, second, we'll talk about using mutual TLS for our development platform, Workers.
My name is Catherine and I'm on the product marketing team here at Cloudflare.
I'm joined today by two guests, Dina and Tanushree.
Dina, can you start by telling us about your role here?
<v Dina Kozlov> Sure.
Hi, everyone. I'm really excited to be here. I'm Dina. I'm the product manager for the SSL/TLS team. And Tanushree, tell me a bit more about what you do here at Cloudflare.
<v Tanushree Sharma> Cool.
Hey everyone, excited for another Security Week! This might be my favorite week of the year after Birthday Week.
Lots of cool new features coming out this week. I am a product manager as well at Cloudflare.
I'm on our developer platform, so I work on Workers.
<v Catherine Newcomb> Awesome.
Thank you both so much. So before we jump in, just a reminder that you can ask us questions at any time by emailing email@example.com and we'll try to answer what we can.
Okay. So before we jump into these two new awesome features, let me set the scene for why TLS is important.
As I mentioned earlier, TLS is vital in our mission to help protect user privacy on the Internet.
But beyond that, why is it important to encrypt data with TLS?
One key reason is to ensure compliance for organizations affected by GDPR and other data privacy laws.
Encryption is either implied in these regulations or specifically called out as a requirement.
So GDPR, for example, explicitly requires encryption and other regulations like HIPAA in the US, which protects patient healthcare data, imply the need for encryption by requiring organizations to implement appropriate data security measures.
Beyond privacy and compliance, implementing TLS is just good for business.
For example, websites with valid TLS certificates will rank higher in search results than websites without encryption, and visitors to a URL may also be put off by browser warnings on websites that are unencrypted, which can stifle traffic to your website.
So what is Cloudflare doing to help build a more private Internet?
For one thing, we offer free TLS certificates to all of our applications services customers, including users on our free plan, and we offer advanced configuration and customization options for our Enterprise customers as well.
We can also help you manage your certificate life cycles, which can be a huge headache to do manually.
Cloudflare also partners with SaaS providers to make encrypting their customer data easier.
So as I mentioned, we're launching several new exciting capabilities this Security Week.
Let's talk about the first one, which is keyless SSL and Cloudflare Tunnel.
Dina, what is this new feature and why is it so important?
<v Dina Kozlov> Sure.
So the TLS products that you mentioned, Universal SSL, Advanced Certificate Manager, in those cases, Cloudflare manages both the certificate and the private key.
Now, even though Cloudflare does deploy high security measures for keeping your private key secure, some customers don't want to keep their private keys stored on the Cloudflare infrastructure, especially if they have certain compliance regulations that they need to meet.
They sometimes need to keep it on special hardware, sometimes known as hardware security modules, HSM.
They're physical, tamper-proof devices.
They essentially deploy the highest of highest security measures.
And so some customers want to keep the private key in their own control and maintain it themselves.
And so keyless SSL was launched in 2014 to allow customers to do just that so we can continue to terminate the Cloudflare, the traffic at Cloudflare and we can continue to provide all the proxying capabilities.
But the private key actually never leaves the premise of the customer's hardware.
And so that is just keyless SSL at its core.
And so, before today, if customers wanted to set up keyless SSL on Cloudflare, they had to tell us what the location of the key server is because we need some way to go and essentially get the key to create a session ticket.
And that's how we make keyless SSL work.
But the issue with that is that the way customers would tell us where the key server is, is they would create a DNS record with the IP address of the key server's location.
And by creating a DNS record of this, it makes the key server publicly accessible so anyone on the Internet can technically make requests to that IP address.
They can launch different types of attacks, DDoS, so on.
And so because your key server holds such sensitive information, you want to keep it hidden from the rest of the world, you want to keep it as protected as possible.
And so what we decided to do was we didn't want to reinvent the wheel, but instead we wanted to use something that we already have, which is Cloudflare Tunnels.
Cloudflare Tunnel usually works between Cloudflare and an origin: you can send traffic to your origin without publicly exposing it.
In this case, you can use a Cloudflare Tunnel for the communication between Cloudflare and the key server so that actually only Cloudflare knows where the key server is, but it's invisible to the rest of the world.
And so it really adds that extra layer of security on top of this already very sensitive and secure part of your infrastructure.
<v Catherine Newcomb> That's such exciting stuff.
Thank you so much for explaining that to us, Dina. All right.
So let's discuss the second big TLS announcement, which is mutual TLS, also known as two-way TLS for our developer platform, Workers.
Tanushree, can you tell us a little bit about what Workers is and what people can use it for?
<v Tanushree Sharma> Yeah.
So. Workers is Cloudflare's development platform.
Our dev platform has two pillars.
First is the compute side of things. I kind of see this as the brains of the platform and then the storage side of things, which is where all your data is housed.
And both of these are a very powerful combination to building applications on Workers or I should say rather on our developer platform, both Workers and Storage.
Workers specifically is Cloudflare's functions as a service product.
A lot of the time customers haven't heard of Workers, but similar products out there on the market are Lambda or Google Cloud Functions.
They're very comparable, work in different ways behind the scenes, but similar concepts.
And what we're seeing is a huge shift from our customers to the serverless model.
Customers want to break up their monolithic applications that run on premise in data centers that they have to manage into applications that run on the cloud, where they don't have to think about the hardware, they don't have to think about scaling, security, maintenance.
Lots of times customers have whole teams spun up that just do this management.
With our development platform, with serverless, all of this is handled for you as a development team.
All you need to worry about is writing code for your application.
So, it simplifies a lot of the workflow that our customers have to deal with.
And it's also really cool because we as a company can leverage the Cloudflare existing network to build developer platforms off of to deploy code in milliseconds.
This is way better performance that you would see if you were a company that was trying to do this yourself.
Yeah, it's a big challenge, but we've really set ourselves up well on our development platform to be able to tackle that.
So with more of our Workers customers building complex applications on Workers, these applications need to talk to data.
They need to be able to access state. They need to be able to do things like talk to APIs that are external, talk to financial systems, things like that.
I'll also talk to their own servers.
A lot of times these customers are making the migration.
It's a multi-year process, so you may have applications that live on serverless platforms, while you may also have things that live on your own servers as well.
So making that transition and making that possible is also important. We get lots of requests to have more types of support for what you can talk to within Workers.
Before mTLS support, this was mainly using TLS to talk to third parties, but there are some types of services that require and enforce mTLS connections, so we're really excited to collaborate with our SSL team on this project to bring mTLS to Workers.
It's especially important because, at Cloudflare, we believe we're a security company to start with and bringing this capability to Workers is super awesome.
Bringing it to our developer platform to affect and improve the security of both customers who are big enterprises and small, just starting out building their own startup.
So some common cases of mTLS are communicating between APIs, microservices, database connections, also another big, big space where this is used is IoT connections as well, and especially in health care and finance related fields.
I know, Catherine, you mentioned that earlier in your intro as well.
So you can imagine a scenario where you're building an application on Workers.
It needs to talk to your own APIs that may live on your own servers and you don't want just anyone that gains the right URL or the right credentials to be able to access these APIs.
Maybe they contain sensitive data about your customers. So mTLS is a great tool to provide lockdown security to just authorized services that are allowed to talk to your services.
So yeah, that's sort of a broad overview of Workers how we see this being used.
I'm sure there's a lot of cases where we haven't even thought of yet and our customers are kind of like three steps ahead of us.
<v Catherine Newcomb> Yeah. Awesome. That's great background.
Thanks Tanushree. Dina, anything you want to add about mutual TLS or this new addition for Workers?
<v Dina Kozlov> Yeah.
So it's just even like taking a step back of what is MTLS. So normally when we think about TLS, it's you're going on a website and you want to make sure that the server that you're accessing is in fact the right one.
And the way that works is the server will return a TLS certificate and you can verify that the TLS certificate was in fact issued by the right domain owner by checking it against certificate authorities.
And that's the whole public PKI system. But essentially it's just usually the client making sure that they're going to the right destination.
But sometimes you also want to do it the other way around, where the server wants to make sure that only authorized clients are making connections.
So think of this as, for example, IoT devices.
You want to make sure that only authorized devices can make connections or, as Tanushree mentioned, sometimes, for example, with APIs or databases, only certain services should be making those connections and the rest of them should be dropped.
And actually to connect it back to keyless SSL and Tunnels earlier, when we make connections between the Cloudflare daemon and the key server, we also use mutual TLS between those two, and that allows the key server to ensure that connections are coming from Cloudflare.
So mutual TLS is a very powerful tool and actually for many years now we've allowed customers to do mutual TLS between Cloudflare and their origin.
There's a product called Authenticated Origin Pulls, but when we first built out Authenticated Origin Pulls, it was essentially at a domain level where for all of the requests going to your origin for daemon.com, for example, we always use a client certificate when connecting to that origin.
But sometimes customers did not want all the subdomains under daemon.com to use mutual TLS.
So we've allowed customers to lock it down to per hostname mutual TLS. And so that means that for the origin for blog.daemon.com, I can use mutual TLS between Cloudflare and the origin.
Now this takes it a step even further and allows you to lock it down from a specific worker to an origin, which can be a database, for example.
And so before we launch mutual TLS for Workers, you would know that a request is coming from Cloudflare, but you wouldn't necessarily know which worker it was coming from.
And so if you're building all of your services on Workers, you have, you know, service one, two, three, four, five.
You need to know first which service is this request coming from and are they authorized to make it?
And so mutual TLS makes it really easy because on the origin side, you can check the client certificate to see which worker did this request come from.
And then you can do the logic to either drop the request or allow it to make the action or just log it and so on.
So this really adds an extra layer of security on top of Workers and really makes it easy for more and more customers to build all of their services on the Workers platform.
<v Catherine Newcomb> Thanks so much.
Yeah, I'd like to add a little information about the attack types that mutual TLS can prevent.
Just to contextualize this a little bit. So this new feature, as Dina and Tanushree both mentioned, provides greater security for people and teams building on Workers, which is awesome, and mTLS further secures the connection between a server and a worker, as both of you mentioned, and prevents an unauthorized worker from receiving sensitive information.
So this extra layer of protection can really do things like decrease the likelihood of on path attacks and spoofing and credential stuffing and more.
And so it's such a great addition to your existing suite of security features.
It's a really great tool to have in your tool kit because it can help protect your server from clients that are impersonating a trusted worker.
Anything you both would like to add before we...
About like, what's coming next at Cloudflare in terms of Workers and TLS.
Maybe Dina, you can start with TLS.
<v Tanushree Sharma> I'll just circle back to the mutual TLS.
Just to close the loop there. This is available to all Workers customers today.
Check out our developer docs to get started.
This is good for everyone, so please try it out.
Let us know any feedback that you have. We also have a pretty active developer Discord community, which is probably the best spot to reach us.
So yeah, just wanted to close the loop there and say that this is out for everyone.
<v Dina Kozlov> And you can even use either Wrangler to upload the certificate or you can use, we have an API endpoint.
So it really is whatever works for you, but let us know what you think.
But I guess I'll take it away with what's coming next. So it is in fact Security Week this week.
So there's a lot going on on the TLS front since that is the core of security.
And actually, at the end of this week, we have a really exciting announcement coming about how we're making TLS certificate issuance and renewals much easier for customers.
Essentially, as the CA browser forum continues to create more and more standards that are meant to protect how certificates are issued and deployed, the strictest security policies around that issuance.
Sometimes that means that certificate issuance becomes more and more manual, especially for wild card certificates.
For example, you have to use TXT-based domain control validation, and certificate lifetimes are becoming shorter and shorter, from one year to 90 days.
That just means that you have to do this manual process more frequently.
So we have a really exciting announcement about how we're going to make this easier for customers that manage their DNS externally, and therefore we're making it easy for them to use Cloudflare to continue to auto renew their certificates even when traditionally there's manual action required.
And so that way they can still get all the security of the new standards, but they can also get the ease of use to make sure that they always have an active certificate on their website and they have that reliability and trust.
But Tanushree, what about you? Tell us a bit more about what's coming up on the Workers front.
<v Tanushree Sharma> Yeah.
Awesome. That's super cool. I'm excited for that announcement, Dina. Yeah, on the Workers side, continuing with the theme of being able to talk to more applications, different types of applications through Workers.
A big focus for the team is being able to unlock communication with different databases.
So we have today a solution where you can use Cloudflare Tunnel but we want to provide an out of the box solution to our customers so you can talk to your Postgres or MySQL databases natively from Workers.
And potentially also use mTLS but at a different layer there.
So that's been a big focus on the team.
We've been working with partners in the database space, working closely with them to make sure that the model that we're building out aligns with the model that they expect.
And we're really excited to get this out to customers.
So stay tuned for announcements coming up very shortly about this.
And if you have specific use cases that you'd like to share with us, again, developer Discord is a great space for that.
And then something that goes hand in hand with talking to more types of applications on Workers is actually making our network optimized to talk to these applications.
So today with Workers, when you're a user and you're sending a request, a worker is created at the data center that's closest to you, which is really great for some use cases, but not so great for use cases where your worker has multiple round trips to a database where you're fetching data, you might be updating a table, you might be getting a value back, that sort of thing.
So we're also working on changing the way that we think about database connections through Workers and ways to make that faster and actually move the worker around to a location that's more optimal versus just creating it where the user is based out of.
So, really excited for those two things coming up.
<v Catherine Newcomb> Yeah.
Thank you both so much for your expertise today and your insight. We hope everyone watching enjoyed learning about what's new in TLS and Workers at Cloudflare.
And before we wrap up, just make sure to check out the blog in the description.
If you'd like to learn more about the features that we discussed today.
And we're so excited that you could join us for this ride of Security Week. Definitely make sure to tune in to some of the other excellent programming we have going on this week here at Cloudflare.
We're covering everything from Zero Trust to security applications to diversity and equity.
Thanks, everyone, for tuning in and Happy Security Week.
<v Ryan Smith> We're betting on the technology for the future, not the technology for the past.
So having a broad network, having global companies now running at full enterprise scale gives us great comfort.
It's dead clear that no one is innovating in this space as fast as Cloudflare is.
<v Philippe Mermuys> With the help of Cloudflare, we were able to add an extra layer of network security controlled by Allianz, including WAF, DDoS, Cloudflare users, CDN, also allow us to keep costs under control and caching and improve speed.
<v Selena Deckelmann> Cloudflare has been an amazing partner in the privacy front.
They've been willing to be extremely transparent about the data that they are collecting and why they're using it, and they've also been willing to throw those logs away.
<v Randy Kleinhuizen> I think one of our favorite features of Cloudflare has been the worker technology.
Our origins can go down and things will continue to operate perfectly.
I think having that kind of a safety net, you know, provided by Cloudflare goes a long ways.
<v John Turner> We were able to leverage Cloudflare to save about $250,000 within about a day.
The cost savings across the board is measurable, it's dramatic, and it's something that actually dwarfs the yearly cost of our service with Cloudflare.
<v Jason Smale> It's really amazing to partner with a vendor who's not just providing a great Enterprise service, but also helping to move forward the security on the Internet.
One of the things we didn't expect to happen is that the majority of traffic coming into our infrastructure would get faster response times, which is incredible.
Like Zendesk just got 50% faster for all of these customers around the world because we migrated to Cloudflare.
<v Damian Apone> We chose Cloudflare over other existing technology vendors so we could provide a single standard for our global footprint, ensuring world class capabilities in bot management and web application firewall to protect our large public facing digital presence.
<v Stanislav Vishnevskiy> We ended up building our own fleet of proxy servers such that we could easily lose one and then it wouldn't have a massive effect.
But it was very hard to manage because we kept adding more and more machines.
As we grew with Cloudflare, we were able to just scrap all of that because Cloudflare now sits in front and does all the work for us.
Cloudflare helped us to improve the customer satisfaction.
It removed the friction with our customer engagement. It's very low maintenance and very cost effective and very easy to deploy, and it improves the customer experience big time.
<v Thomson Reuters> And Cloudflare is amazing.
Cloudflare is such a relief.
<v Speaker15> It is very easy to use.
Cloudflare today plays the first level of defense for us.
<v Speaker16> Cloudflare has given us peace of mind.
<v Speaker15> They've got our backs.
Cloudflare has been fantastic.
<v Speaker16> I would definitely recommend Cloudflare.
<v Speaker17> Cloudflare is providing an incredible service to the world right now.
<v Speaker18> Cloudflare has helped save lives through Project Fair Shot.
We will forever be grateful for your participation in getting the vaccine to those who need it most in an elegant, efficient and ethical manner.
Thank you.
The release of Workers Sites makes it super easy to deploy static applications to Cloudflare Workers.
In this example, I'll use Create React App to quickly deploy a React application to Cloudflare Workers.
To start, I'll run npx create-react-app, passing in the name of my project. Here, I'll call it my-react-app.
Once Create React App has finished setting up my project, we can go in the folder and run wrangler init --site.
This will set up some sane defaults that we can use to get started deploying our React app.
wrangler.toml, which we'll get to in a second, represents the configuration for my project, and workers-site is the default code needed to run it on the Workers platform.
If you're interested, you can look in the workers-site folder to understand how it works, but for now we'll just use the default configuration.
For now, I'll open up wrangler.toml and paste in a couple of configuration keys.
I'll need my Cloudflare account ID to indicate to Wrangler where I actually want to deploy my application.
So in the Cloudflare UI I'll go to my account, go to Workers, and on the sidebar I'll scroll down and find my account ID here and copy it to my clipboard.
Back in my wrangler.toml I'll paste in my account ID, and bucket is the location that my project will be built out to.
With Create React App, this is the build folder. Once I've set those up, I'll save the file and run npm build. Create React App will build my project in just a couple of seconds, and once it's done, I'm ready to deploy my project to Cloudflare Workers.
I'll run wrangler publish, which will take my project, build it, and upload all of the static assets to Workers KV as well as the necessary script to serve those assets from KV to my users.
Opening up my new project in the browser, you can see that my React app is available at my workers.dev domain, and with a couple of minutes and just a brief amount of config, we've deployed an application that's automatically cached on Cloudflare servers so it stays super fast.
If you're interested in learning more about Workers Sites, make sure to check out our docs where we've added a new tutorial to go along with this video as well as an entire new Workers Sites section to help you learn how to deploy other applications to Cloudflare Workers.
<v Speaker17> Q2's customers love our ability to innovate quickly and deliver what was traditionally very static old school banking applications into more modern technologies and integrations in the marketplace.
<v Jordan Hager> Our customers are banks, credit unions and fintech clients really focus on providing end to end solutions for the account holders throughout the course of their financial lives.
<v Speaker17> Our availability is super important to our customers here at Q2.
Even one minute of downtime can have an economic impact.
So we specifically chose Cloudflare for their Magic Transit solution because it offered a way for us to displace legacy vendors in the layer three and layer four space, but also extend layer seven services to some of our cloud native products and more traditional infrastructure.
<v Speaker20> I think one of the things that separates Magic Transit from some of the legacy solutions that we had leveraged in the past is the ability to manage policy from a single place.
<v Speaker17> What I love about Cloudflare for Q2 is it allows us to get ten times the coverage as we previously could with legacy technologies.
<v Ryan Smith> I think one of the many benefits of Cloudflare is just how quickly the solution allows us to scale and deliver solutions across multiple platforms.
<v Speaker17> My favorite thing about Cloudflare is that they keep developing solutions and products.
They keep providing solutions. They keep investing in technology. They keep making the Internet safe.
Security has always been looked at as a friction point, but I feel like with Cloudflare, it doesn't need to be.
You can deliver innovation quickly, but also have those innovative solutions be secure.