Data Protection everywhere, application security, and an iPhone exploit to avoid
Welcome to our weekly review of stories from our blog and other sources, covering a range of topics from product announcements, tools and features to disruptions on the Internet. João Tomé is joined by our CTO, John Graham-Cumming.
In this week's program, we're back with episode #36. We start with our most recent announcement: Cloudflare One for Data Protection — our unified suite to protect data everywhere across the web, SaaS, and private applications.
There's also a lot to unpack in terms of new tools and insights from our platform for general Internet insights, Cloudflare Radar. We also showcase how Meter, a provider of Internet infrastructure, is leveraging the Tenant API integration for DNS filtering to help their clients enforce acceptable Internet use policies. Additionally, we draw conclusions from our Application Security report for Q2 2023.
Furthermore, there are some Google.com domain trends, considering that Google was officially founded 25 years ago, on September 4, 1998. Plus, an important warning: if you have an iPhone, update it. Researchers have discovered an actively exploited zero-click vulnerability that can put iPhone users at risk.
You can check the mentioned blog posts:
Hello, everyone, and welcome to This Week in Net. It's the September 8th, 2023 edition.
We're back already in September with a few blog posts to go over, including about data protection.
I'm João Tomé, based in Lisbon, and with me I have, as usual, our CTO, John Graham-Cumming.
Hello, John, how are you? Hello, I'm fine, thank you.
We did a bit of a stop, a summer stop, and we're back now, so a lot of blog posts to go over.
And there's a rainy Lisbon now expecting us. It is a bit rainy, yeah.
Although I saw the weather forecast, it looked like it might warm up again, so I'm hoping for that.
Me too. It's still summer here, at least, so let's hope the good weather comes back again.
And you have a specific jacket, a very specific jacket on you, right?
I just thought I'd put this on, although I think it might be a little bit warm for today.
This is the Cloudflare Inventor jacket. I don't know if you can see that.
It says Inventor on it, and it's people who've had patents approved at Cloudflare get one of these as a gift.
So I thought I'd put it on today, but I actually think I might take it off in a minute before I start getting too hot.
So we'll see how long I can go. Let's see how it plays out. Cloudflare has a lot of patents.
Actually, I have that in my pipeline for one of these next possible segments for us to discuss more in detail.
But Cloudflare has a lot of patents, and you have your name on a few, right?
I think so, yes. Obviously, there's lots of people, and to be honest with you, I'd have to go back and look at how many there are, in fact.
But yeah, lots of people in Cloudflare coming up with lots of very interesting ideas.
It's part of the innovation part of the company too, right?
I mean, it's part of protecting our special algorithms and things like that, and it's also part of a defensive strategy because, of course, lots of other companies use patents as well.
So we have to protect ourselves against somebody else patenting something that we're doing.
So it's part of what we do, and I think there's some pretty cool things we've come up with.
Let's go over that in a few weeks, possibly.
We had a bunch of blog posts while we were out, an application security report, a lot of things, but one of the most recent, actually, is related to Cloudflare One for Data Protection.
So our unified suite to protect data everywhere across web, SaaS, and private applications.
What is this all about?
Why don't we bring it up on screen so we can all see what it looks like? So, yeah, absolutely.
I mean, I think, first of all, data protection sounds like something exceedingly boring.
True, and more and more is needed in most countries because regulation is just around the corner.
For example, this is GDPR in Europe, and of course, GDPR is about data protection, but there are others.
I mean, the number of countries, I couldn't even list how many countries are introducing laws or have laws about data protection, and I think this is very much the future of things that are on the Internet is taking into account these laws.
And our data protection suite really unifies everything we have in all of our products around Zero Trust, email, SaaS, all this kind of stuff, and so that the data that's in there can be protected, and in particular, be protected against theft, to a certain extent, protected from employees misusing it with AI tools, because that's a worry right now, and protecting the proliferation of that data in cloud environments.
I mean, it's just the amount of data that gets moved around.
And so, this is just announcing the Cloudflare One Data Protection Suite, and I think that this will be a very big deal for companies that work across countries, across regions, because they're having to deal with a vast number of different laws, and also worry about how they keep their data safe, and also how they comply.
And so, I think this is a big part of that. And in particular, I mean, one of the worries is that if you have a breach of some sort, then you are going to have to report that in all sorts of countries and all sorts of states around the world.
So, first of all, keeping your data safe, and if you do have a problem, knowing what to do is all part of the game.
Exactly. There's a bunch of references here in terms of regulation, but also in terms of companies use different providers of cloud for different purposes.
So many. Exactly. So, having an integrated perspective on what all of those situations have is important, in a sense.
Right? Yes, absolutely right. Absolutely right. So, I mean, I think that we'll see, for me, the future of the Internet is actually about data protection and privacy going forward.
And so, I think that products like this are very, very important.
We have a few use cases in this blog post. So, for people to visualize a bit on what some of the challenges, modern challenges, could be related to this topic.
So, I think it's worth exploring. May that be the regulations that we were discussing, data exposure, visibility, and also those AI tools that are now being used generally.
And there's some risks there, too. Yes. Yes. Yes, absolutely. Absolutely.
The blog post is pretty much complete in terms of giving the larger scope of things that companies should worry about and what this data protection unified structure gives them.
Yep. Yep. And there's also the how to get started, always important for people to understand.
Yeah. Yeah. Exactly. Also related to Cloudflare One for Data Protection, we have what's next for this data protection suite, because things are evolving.
And we're also discussing on what are the capabilities we're also thinking for next, right?
Absolutely. Absolutely. So, you know, lots of stuff coming.
I mean, we think about that Zero Trust, SASE, Secure Web Gateway, CASB, all that stuff, solution is growing and growing and growing.
We're innovating very fast there.
There's some details here in this specific blog post in terms of capabilities, even those that were shipped since 2022 Q4.
For those who are in this area, sometimes there's a lot of names, a lot of different things.
The main thing, the main takeaway is how to be safe and have some ease of mind without thinking too much on the different providers, different perspectives.
I mean, this is an area where there's a lot of change and a lot to learn. And so, yeah, hopefully our blog posts and our websites, the Zero Trust roadmap, et cetera, really help explain what all this stuff means and how we can help.
One of the things that is mentioned here: in the next 30 days, we'll introduce a risk score based on user behavior and activities that have been detected across Cloudflare One services.
This also takes leverage of our global network, right? Absolutely. I mean, so much stuff at Cloudflare takes advantage of our global network, right?
We have this large network which allows us to detect attacks, novel attacks, apply machine learning to it, look at traffic patterns, look at where performance is bad, you know, all this stuff benefits from having such a large network.
Exactly. We have a few more things from the past couple of weeks that we weren't here to discuss.
Where should we go next? We have Cloudflare Radar's overview of new tools or insights.
You did that one, right? Cloudflare Radar's 2023 overview of new tools and insights.
Why don't you tell us about that? Sure. In a nutshell, it's all about our tool that is like a newspaper of insights of the Internet for people to browse.
We have discussed that in our segment here on This Week in Net for a few times, actually.
And this year, so far, we have launched different things. Some of those are really interesting.
Internet quality section, we already talked about that, where people can take a look at bandwidth and latency by continent, by country, by ASN.
They have here, for example, a world map where they can see the different perspectives.
For example, you can see Portugal is well placed for download speed or loaded latency, always important, which countries are well placed here on connection quality.
So there's a lot to explore, for example, in Internet quality.
That was one of the major ones. But there's also trending domains. We discussed that here.
That's new, this part, where what's trending today, what's trending this week.
And more URL scanner tool, where people can browse through some of the websites, try to see what type of technology they use.
Are they malicious or not?
Things like that. And of course, the routing section, which is more recent, actually, from late July.
And it gives all about BGP route leaks, hijacks, things that are important for the Internet and for those who work in network, for example.
So there's a lot of exploration here in terms of new additions to Cloudflare radar.
What you can do with these new sections. So that's mostly it. We also have some general Internet insights from 2023, like the one year of war in Ukraine, back from February.
We could see cyber attacks, we could see how the Internet was resilient in Ukraine during this more than one year now, or specific ISP outages, or Easter, Passover and Ramadan Internet trends.
So our global network, as we were discussing before, gives us a very complete perspective, including how the coronation of King Charles III affected Internet traffic.
So there's a lot here to unpack, in a sense, as an overview of what we've been discussing on radar, including our reports, application, DDoS, Internet disruptions reports.
So this is mostly a sum up so far of the year. Yeah, thank you for writing it.
Gives us quite a sum up. It was slightly sobering when you said a year of the war in Ukraine was in February.
And of course, now we're in September.
I mean, unfortunately, I guess we're going to end up doing two years of the war in Ukraine, the way things are going.
So it'll be quite shocking. So yeah.
True. And that actually has some Starlink perspectives on Ukraine. And Starlink was in the news this week, for other reasons, actually, but it was in the news this week.
And we also have this new capability in terms of exploration, which is a date picker, always relevant for people to browse.
One of my favorite new features. It's quite an amazing feature, because for me, it allows you to go back in time, which is quite important.
You can go back in time to a specific, like if you want to know what happened during a specific event, you can pick that week and have a look and say, wait a minute, what happened in that particular time in a particular country?
Yeah, actually, you made me think, well, why don't we do this live?
The Pope was in Lisbon for a week, wasn't he?
It was. In August, early August. I said the beginning of August, right?
It was that first week in August. I think you probably said, was there a Pope effect?
It looks like it, actually. Yeah, it was August, Saturday the 5th.
Clearly the traffic was higher than usual. I think he'd left at that point, right?
No, no. The event ended on Sunday, August the 6th. So he was still here.
Okay. So everyone was Instagramming their pictures of the Pope or looking for information about the events or whatever at that point.
He was in Fatima that day, actually.
Maybe we can attribute that to the presence of the Pope. Maybe. Always interesting to go back in time and see events for sure.
So that's Cloudflare Radar for you.
But we also had different aspects like Cloudflare's tenant platform in action, Meter deploys DNS filtering at scale, for example.
Should we go there, over there?
Go on then, let's do it. So I mean, this is one of those third-party posts, talking about a company, Meter, that uses the Cloudflare tenant API, which allows you to set up DNS filtering.
And so Meter itself is an infrastructure company for Internet stuff.
And it's just a blog post about how you can use our API, how a third party can use our API to set up DNS filtering for their customers.
So yeah, an interesting example of a customer using it and using it for their world.
In this case, it's a customer related to the Internet infrastructure provider, and it's leveraging the tenant API integration, like you were saying, for DNS filtering.
So they do it for businesses and also shared workplaces, offices, stuff like that.
And so they want to be able to configure the filtering for those locations.
And they're using our tenant API to do that. And they can specifically block what they need to block, like enforce acceptable Internet use policies.
There are security risks in some of those.
So it gives them that ability, in a sense. It does.
And I am now officially too hot in this jacket, which would be great for a cooler location.
So the jacket's coming off. We're going to get down to some serious business now.
Don't forget your microphone. I'll get my microphone. We're doing it live right now.
Okay, ready? All right. The next one is star your favorite websites in the dashboard.
Yeah. You know, for anyone who's got a lot of websites, domains on Cloudflare, I mean, you could end up with a long list of them.
And so this is just, hey, favorites.
I mean, just like starring things in any other tool you have out there.
A simple little feature, but one of those ones that for people who have a lot of domains and websites, they can go in and star them.
So mark your favorites and get to them more quickly when you're working in the dashboard.
True. And it's one of those little things.
I think this was requested by customers, and they really enjoyed it. I could see some feedback on the Cloudflare community and on Twitter that it's one of those little things that makes a difference for people that use a lot of domains.
Well, yeah. I mean, if you have a lot of domains, this is little productivity things that really can help.
For sure. We also have an application security report from late August.
We didn't go over it before. A lot of trends related to Q2 2023.
So we're doing this quarterly, right?
So this is now, I think, the third time we've done application security.
So application security is looking at like HTTP level, like what's happening with people trying to connect to applications, what are bots doing, what are APIs doing, stuff like that.
So you just sort of see the trends that are happening.
And it changed. This graph is interesting. So we talk about mitigated requests.
That's a HTTP request that comes to Cloudflare, and we do something to it because we think it's bad.
So it could be we just block it. It could be that we use one of our Turnstile challenges to check to see if it's a bot.
So this is what mitigated is.
It could be the WAF blocked it or something like that. So you see the sort of...
Or DDoS also. At the HTTP level. Yes. Yes. That's right. And so you see this kind of something like 6% of things get mitigated.
And of that, about three quarters are outright blocked.
So it depends. But of course, it depends on what the customer configures.
And actually, if you look at this next section, customer configured rules are now the biggest contributor to a mitigated traffic.
So what's interesting is we provide a WAF, DDoS, and all that kind of stuff.
But customers are writing their own because we've provided this very rich language for writing rules.
And now it's showing that that's become the overwhelming majority of requests are being mitigated by customer rules.
And WAF managed rules mitigation reached as much as 1.5 billion a day during the quarter, which is a lot.
Yeah, that's right.
There's also the DDoS mitigation, like we were discussing, always popular and important.
Also, yeah, there's a lot here to unpack and even to understand in terms of what are the types of sources that are used.
And also geolocation blocks, right?
This is something that is increasing in a sense. Yes, unfortunately, this is a thing that happens.
And we see this stuff across the world, people deciding to block particular locations.
I mean, you certainly see it in terms of GDPR.
Now, you would have experienced this, no doubt. You sometimes try and read a U.S. publication, and the U.S. publication just says, you're from Europe, we don't deal with you.
True. Newspapers do that a lot. Newspapers do it quite a lot.
Yes, yes, yes. And more recently, Threads from Instagram, because of other purposes, like they are not available in Europe.
And apparently, there were people using VPNs, and they blocked that, for example.
And also, old CVEs, so vulnerabilities.
Yes. I mean, one of the things about Internet security is that there's a lot of focus on the exciting, new, scary, and in fact, yesterday, I mean, Apple basically put out an iOS 16.6.1 release because of a very serious security vulnerability where someone could send you an iMessage, which you didn't even need to click on, and it could get control of your phone.
And there's a lot of focus on that kind of thing, and I hope people have upgraded.
But on the other hand, when you think about what's actually on the Internet in general, a lot of old stuff is going around, like SQL injection and trying to do directory traversals and find files, trying to insert files into a system and then execute them.
I mean, all this stuff carries on continuously, which is why people need WAFs and things like that.
CVEs are also here at 1%. And we had a blog post actually recently in August related to that; it is mentioned here in terms of how CISA, the US cybersecurity agency, put out the top exploited vulnerabilities of 2022, and we go over those top vulnerabilities.
Who can forget Log4j just before Christmas? True. That was popular, not in a good sense.
Unpopular in my opinion, because we were running around fixing it.
Yes, that was the thing. And of course, scanning for Log4j vulnerabilities will be here forever.
It will never go away because people will look for systems that are vulnerable forever and ever and ever.
It's also present in Microsoft Exchange too, for example. There's a few there.
Yeah, but bot traffic insights also mentioned here. A lot of the Internet is automated.
So that's also here present. On average, more than 10% of non-verified bot traffic is mitigated, which is actually more than normal HTTP traffic, right?
Yeah, that's right.
There's a lot to explore here for those who like this type of things.
Also, API traffic, APIs are more relevant than ever. And we can see here, why is that in a sense?
I think the thing is, APIs are what's running the Internet in terms of applications.
And so naturally, hackers are going to go after them.
And now it's what, 65%? It's coming from browsers. The Cloudflare dashboard is actually the front end talking to an API on the backend.
So no surprises here. There's a lot of this traffic and the bots are going after them.
And there's these HTTP anomalies are the most common attack vector on API endpoints.
And of course, SQL injection is the next one.
So good perspectives in terms of having a... It gives us actually a perspective on the Internet, of the 2023 Internet, right?
Yes, it does.
And we're going to continue to put these out quarterly. So you'll be able to get a sense for what is happening in application security, but there'll be exciting new things, and there'll be a lot of things that have been around forever.
We still have time to go over some of the things we missed in these past two weeks, introducing the 2023 interns.
So these are the class of around 40 interns we had this summer. And they, in a sense, it explains what they were doing, in a sense, what they learned.
It's quite interesting to see how much they can do at Cloudflare.
Yeah, I actually think that's a good point.
So I think that the thing that's interesting here is if you're interested in interning at Cloudflare, read this, because you will get a sense for what interns actually do.
And what I would say is, our interns build and ship actual things.
And there were recent blog posts written by interns about the stuff they shipped during their internship.
And this doesn't just apply to engineering; you also see it in product management, you also see it in other departments, where people actually do real work, right?
So I would say that if you want to get a good experience at Cloudflare with an internship, we can really give it to you.
And so this particular blog post gives you a good sense for what people have been doing and what their internship experience was like.
Exactly. And you can sign up here if you want to learn more about being an intern at Cloudflare.
I also wrote an August reading list about online security and 2023 attacks landscape edition.
It goes over all of our blog posts from the year, in terms of Ukraine, again mentioned, in terms of security and attacks and all that, a lot to unpack too.
Yeah, that was a good reading list. And this was already disclosed.
And there was also elevate load balancing with private IPs and Cloudflare tunnels, a secure path to efficient traffic distribution.
This was already today, Friday.
Yeah, that's right. That was just the other day. Yep. And so lots of interesting stuff to read about if you're looking for things and lots more coming, right?
Because September is Cloudflare's birthday month and birthday week, which is the OG innovation week at Cloudflare is towards the end of the month, around September 27th.
And so there will be a lot of interesting announcements around then.
Expect lots more of the things Cloudflare does. So looking forward to that week.
And we'll have a very busy this week in net, probably actually have to do a double edition or something that week.
A full hour, possibly.
Yeah, it's always busy that week. It starts this year and on September 25th, I believe, because of the calendar perspective, it's on Monday, September 25th.
Yeah, it will be a busy week for sure. So stay tuned for that for sure.
Before we go, I also have a small curiosity here related to the fact that Google was officially founded 25 years ago.
It was on September the 4th, 1998. And what we have here, in a sense, is something that is on Cloudflare radar.
It's related to our domains ranking.
We already talked a bit about that. We have this top 100 domains.
And in this case, you could see like Worldwide. Google's number one and Google APIs is number two.
And gstatic. And gstatic. Google one, right.
And Google Video. It is. DoubleClick, which is also Google, right. It is ads from Google, true.
Yeah. A lot of things related to Google. And I took a look and there's 80% of locations where Google.com is number one in our list.
And if we consider Google APIs, just Google APIs, it's like 87%.
So it's pretty much a very worldwide perspective.
On the negative side, not negative, but we could see also where Google is not number one, is places where Facebook is number one.
Like Cook Island, Faroe Islands, or Myanmar, French Polynesia, or Sudan, or Sea, or Chad.
Or in this case, QQ in China, or Microsoft.com in Fiji, or Nauru. And tiktokcdn.
This is their domain for CDN. In Afghanistan, Ethiopia, Iraq, Libya, Somalia.
So there's a few other countries definitely where Google is not number one.
That also tells us something in a sense. Yes. You know, it's interesting, obviously in China, because Google isn't present in China.
And Tencent with QQ is there, right.
QQ does, if you don't know, it does instant messaging and has a sort of web portal, a bit like Yahoo back in the day, news and all this kind of stuff, and search.
It's interesting to see that. It's interesting to see in some of the smaller locations that things like Facebook and TikTok are so popular, which, you know, obviously people are, you know, using those apps a great deal.
And I guess everybody in the Comoros is just chatting on WhatsApp, which is great.
True. And on Facebook, there's reports, especially in Africa and some countries, Facebook is like the Internet for them.
They mostly use Facebook. And this also gives us that perspective a bit.
So that's interesting. So that's it for this week. So see you next week, John.
I will see you next week. And hopefully it'll be sunny in Lisbon. Hopefully it'll be sunny in Lisbon.
We're back to normal behavior. So, all right. See you, John.
See you. Bye-bye. Bye-bye.