Nine years of protecting civil society online, HTTP/3 usage trends, and a bit of computing history

Hello, and welcome to This Week in Net, everyone. It's the June 9th, 2023 edition. I'm João Tomé, based in Lisbon, and with me I have, as usual, our CDO, John Graham -Cumming.

Hello, John, how are you? Hello, I'm fine, thank you. Hello from a little bit rainy Lisbon.

A bit unusual, right? Rainy Lisbon. Yeah, it wasn't raining in June.

True, it's not usual, but it is. It's the Oscar storm that is here now. There we go.

And this was a week before we go into some of our own announcements where we could possibly visualize a little bit of at least what Apple thinks is the future of computing, in a sense.

So, in one year's time, we can do this segment, possibly, with something like this.

Maybe we can put the headsets on and do this kind of stuff.

Exactly. That's the Apple Vision Pro Vision for 2024. That's it. Because the device they presented this week is for 2024.

What do you think about that new possibility, given that Apple doesn't present new computing devices a lot of times?

So, what do you think? Well, it's a bit hard for me to answer this question, because when it was rumored that Apple was going to bring out the Apple Watch, I was a real naysayer about smartwatches.

I was like, I'm never going to have one.

It's a stupid idea. And the reason was I never wore a watch before that.

And you see this? This is an Apple Watch. And I'm completely addicted to the thing.

So, asking me a technology prediction, I know I'm the CTO, but asking me the technology predictions thing is a bit hard, because I obviously made a terrible mistake about Apple Watch.

I absolutely love this thing, particularly for the fitness side of stuff.

And I do have VR headsets. I have a MetaQuest and a Quest 2 and play games on it.

And that's one of the things that Apple didn't talk about, was gaming on the headset.

They really talked about this idea. Slightly, yeah.

There's something there. But it was really about this idea of spatial computing, right?

Like you're going to have this, you know, not your phone in front of your screen, but you've got to put this thing on, you're going to see these screens and interact in a way like that.

With your hands, right? Like minority report type of thing.

Well, the Quest 2 does hand tracking as well. But don't you need like a device for that?

You can use the controllers, but there's also some amount of hand tracking.

But yeah, clearly Apple has loaded this thing up with technology.

I thought the other thing was interesting. So, I've used the Magic Leap as well.

And the Magic Leap has an external power pack. And obviously, Apple has decided to do that, presumably to reduce the weight on your head.

Because one of the problems with the Quest and the Quest 2 is it's quite heavy, and you have this thing attached to your head all the time.

It becomes very tiring. So, it'll be interesting to see how heavy the Vision Pro is actually in use.

So, you know, we'll see.

It's obviously very expensive. They put a huge number of pixels in each eye, so they get the clarity.

Because what they want to do is, I think, they really seem to position it around augmented reality, right?

So, you've got this mixed reality thing going on where you're looking at your room, and within it, there are digitally created things.

And I thought that was kind of interesting. It looked, I mean, the resolution looked incredible compared to, say, the Magic Leap.

But we'll see. It's obviously very expensive as well. And so, you know, the other one I've tried is HoloLens.

HoloLens also very much that sort of augmented reality kind of stuff.

I mean, I think there's something interesting in that mixed reality, augmented reality, whatever you want to call it.

I think it's a perfect mix, to be honest.

But this is augmented reality lookalike, in a sense. Because you have the augmented reality experience, but it's always a screen.

It's not, like, transparent.

It's always a screen, yes. It's all cameras. Yeah. The HoloLens, you're looking through, and the Magic Leap as well, right?

You look through, and it's projected on.

And so, you're actually seeing the real world, where this is more like the Quest, where you've got screens in front of your eyes.

It'll be interesting to see, I mean, how much it takes off.

I'm very curious. Obviously, it's very expensive, right?

$3 ,500 for whatever the introductory model is, compared to the Quest, which is, like, sort of $500.

It's a big difference. I heard that they're thinking the Vision, so this is the Vision Pro, there will be a Vision.

This is what analysts say, a Vision model later next year, or possibly the following year, that will be like $1 ,500, something like that.

But let's see. It's a technology still not right now available, so it will be a year, at least for Europe.

So, let's see what it plays out. I mean, I'm definitely looking forward to trying it out.

As I say, I own two Quests, I've tried HTC things, Magic Leap, HoloLens, HoloLens 2, all these kind of things, even Google Glass, actually, which is obviously a little bit different, which is the ultimate way to look like a nerd, if you want to do that.

In fact, one of the worst photographs of me is me wearing a Google Glass thing like that, and I just never want to see that picture again.

That's interesting, because Apple didn't show one image of the Apple Vision Pro outside, like in the external environment.

The most similar to that was an airplane, like inside an airplane.

So, it's for the inside use, apparently. Maybe.

Wasn't there a kid's party or something? Inside a house. I think it's inside a house, yeah.

Let's see how it plays out. This week, we have a few blog posts.

One that is already normal at this part of the year, in June, about Project Galileo, nine years now.

Can you guide us through a little bit of how Project Galileo came about?

And it's nine years now, so it has been relevant for so many over this year.

It's amazing that it's nine years. I mean, Galileo was a thing that was created, obviously, now nine years ago, to give Cloudflare service to vulnerable groups, artistic groups, humanitarian organizations, voices of political dissent.

We make our services available to folks who are recommended to us by third-party groups.

So, we don't actually decide on who goes in Galileo. What happens is civil society organizations, ACLU, Committee to Project Journalists, and others will recommend to us websites, blogs, people online that need protecting, and we'll provide our services to them.

So, we provide the DDoS mitigation, stuff that really enables them to stay online.

It's really grown tremendously.

I mean, this is obviously nine years, and there's a very large number of organizations that are part of it, helping keep the Internet online.

Look at this, 2,271 organizations in 111 countries are being given Cloudflare as protection through Project Galileo.

So, it's a tremendous way, and obviously, if someone is watching this who is vulnerable on the Internet, and their voice is getting stopped because of political dissent or something, this is a way to get protection and go through one of our partners, and then things can get set up.

So, Galileo is one project.

The other project is Athenian. Athenian is about protecting elections, protecting information about elections, where can I go vote, all that sort of thing.

Very, very important, too, to keep free election information out there.

I think perhaps the interesting thing in our blog post of nine years is just how much Galileo has grown.

I mean, it started out with a very small number of protected blogs, and news organizations, and things like that.

Here we are nine years in, and you can see, actually, I mean, obviously, one thing that's happening is around wars around the world.

Obviously, getting information about what's happening has become very, very important.

So, making those tools available, and you can see that in here.

We deal with a staggering number of attacks, 20 billion attacks against projects protected by Project Galileo, just constantly.

Here we are in Pride Month, lots of attacks on LGBTQ organizations, civil society.

Obviously, within Ukraine, organizations that are providing emergency response, disaster relief.

I mean, you see with the breaching of the dam, there's obviously a disaster relief component to that, and making sure those organizations are able to communicate and stay online.

So, lots of different things are covered by Galileo, and here we are nine years in.

Unbelievable that it's nine years in, but here we are.

To me, it's always surprising how many organizations, and these are NGOs, and I was a journalist.

So, for me, journalist websites are also really important, especially in some countries where free journalism is like banned, or in a sense, attacked.

Yeah, very, very threatened.

There's a lot of countries where this is a big problem, because those attacks, and sometimes are just DDoS attacks and things like that, give problems to sites to be available.

Those sites aren't available because of all of those attacks.

Some journalists are not experts on Internet, or have money to pay for their independent projects.

So, this allows them to have their websites up and available.

Really important, I think. And you mentioned the war in Ukraine, and there was a blog post related to the war in Ukraine one year ago.

Actually, we focus on that, how important it was at that time.

For example, people were leaving the country.

There was a lot of organizations helping people leaving the country.

Those organizations were under attack, in some cases, cyber attacks in this case.

The Internet is always a stage for cyber wars, in a sense. Well, it's a stage for all of humanity, right?

So, we're always using it. And so, you see everything.

And so, you obviously see this kind of cyber attacks happening against organizations that others want to knock offline, or dislike for some reason, or think are politically unacceptable.

And there's also, in this blog post, some mentioned some case studies where organizations were able to share their experiences with us, which is great in terms of protection.

All sorts of organizations here.

So, if you want to learn a little bit more about this, you have also this case study part.

These case studies, yeah, absolutely. Actually, there was a report on Radar related to Galileo.

So, what types of organizations were attacked?

Just for those who want to go there, it's here also. Yeah. Now, if you don't know what Cloudflare Radar is, it's something that Joao works on a lot.

We're in a big team.

Radar.Cloudflare.com is where you can get all sorts of information about what's happening on the Internet.

And you get reports like this one, this one about the ninth anniversary of Galileo.

But you also get up-to-date information about what's happening in a particular country, or a particular network, and what attacks are happening.

So, if you want to know something about your country, or a country you're interested in, or your ISP, or what's happening with Internet protocols, or attacks, it's all in Radar.

True. Where should we go next?

Let's see. Why don't we just talk a little bit about Waiting Room while we're here?

This is really for Waiting Room customers. But just to tell you people about what Waiting Room is, if you have ever tried to buy tickets for the Olympics, or a popular show, or something like that, you may well have ended up in a virtual queue where you're told, don't close your browser window, don't open another browser window, your number blah, blah, blah in the queue, or your wait time.

Waiting Room is a product that provides exactly that kind of service. It's built on top of Cloudflow Workers, allows us to queue up your visitors and release them to you automatically, so that your website doesn't become overloaded, so that people get fair access.

Very popular, it was actually used through a project we call Project FairShot, which was a bit like Galileo, it was a free project from Cloudflow, and that was to help people get their COVID-19 vaccines.

FairShot was something that we did so that they could use this product for free.

But obviously, this product is used for all sorts of commercial applications.

And this particular blog post is just about, we've added a bunch of analytics so that people who are running one of these queues can understand what's happening with the number of visitors they're getting, how long their visitors are waiting in the queue, all that kind of stuff.

So just a big improvement, I think really reflects just how popular Waiting Room has become, and how often you get these crunches of people turning up at websites, and here we are.

So if you're using Waiting Room, then you can find a lot more on this blog post about how to get analytics.

And if you do have this kind of queuing problem where you have some popular thing, well, we can help.

And I think this has been on the news, these types of Waiting Rooms recently, because people, after the pandemic, started to be more wanting to go outside, wanting to go to concerts.

There was a lot of discussion, even in Portugal, but I think most countries where when a popular artist goes to a country, ticket websites sometimes got crowded.

And these types of Waiting Rooms are really important to organize and to give the users a good experience, like size won't go down.

Exactly, size won't go down, you get fair access, you get in the queue. And I'm British, so queuing is culturally massively important.

So this product has a special place in my heart.

Getting in the queue and not jumping the queue, super culturally important.

Organized queues, right? Organized, it's not even just organized, it's what we do.

Makes sense. And this case is really useful, to be honest.

Because in some of these cases, there are thousands of people trying to get a ticket, to get something.

And these queues help there. Absolutely. So that was a bit of a product update this week.

And then we had another sort of deep dive type thing, which is this HTTP3 one here.

Exactly. And this is an important protocol in terms of the Internet, of course, mostly for end users, right?

Well, I mean, yes, what's happening is HTTP3 is the latest version of HTTP, which we all use for browsing the web, and for actually many other things, right?

So apps might be using it to talk to APIs.

It's become one of those general purpose protocols for communicating with servers to do something.

And we looked a year ago when HTTP3 was published, they published the actual RFCs, it was formally defined.

We looked at how it evolved and who was using it.

So this is a one year update. This is what's happened over time.

And I think if you look at it, I think you make a good point, which is that for end users, like you and me and everybody else who's using the Internet, HTTP3 is probably what your browser is using to talk to any website that supports HTTP3, and probably getting a performance boost from it.

But interestingly, like search bots and social bots and stuff like that, they're still using the old protocols.

So you can see that it's primarily for us end users and not necessarily for the behind the scenes kind of activity that's going on.

So this gives you an update, explains to you a little bit about what HTTP3 is all about.

It's really a big jump because HTTP2, so HTTP 1.1 and before, and HTTP2 all sat on top of TCP.

And TCP being like, it's been around forever, it's one of the most important underlying protocols on the Internet.

And then it added on security using TLS, which some people still call SSL, which is the thing we all use for HTTPS.

And- Just a note, we have an episode about TCP, like two episodes before, if people want to go over- You did, you're right.

You're right. And so, there were some issues with that, which is that TCP in particular suffers from this thing called head of line blocking, which is that if you try to do many things over a single TCP connection, if a packet gets lost, everybody has to wait.

And so, this actually causes a problem for HTTP2 because HTTP2 tries to do many things simultaneously, like requesting a webpage and all the images and all the CSS and stuff like that.

So HTTP3 does away with all of that. It uses QUIC as the underlying protocol, which is using UDP, which has its own security built into it.

And so, this is quite a big change, actually.

And you can see that it's somewhere around 30%, I think, of connections we're seeing or requests we're seeing over HTTP3 right now.

So, HTTP2 still dominates. And you can then dig down in all the statistics here about where and when the weekends and all this kind of stuff.

So, it's interesting to see that the protocol is getting rolled out, but it's going to take, I think, some time for HTTP3 to really dominate.

Yeah, there's a lot of trends here, variations throughout the year.

You just skipped over one, which is kind of interesting.

It's the mitigations chart. So, this is the one about bad traffic that we're dropping by protocol.

And it's interesting to see that HTTP3 right now is mostly good traffic, right?

And so, it's the case that mostly what's coming over HTTP is good.

HTTP3 is good because it's actually coming from you and me using web browsers and we're not hacking anything.

And most of the bots and the attack tools are still using the older versions.

That will change over time, of course.

But right now, that's where we are. Also, social, right? Social still uses mostly...

Uses old protocols. Yeah. The crawlers. There's not a big incentive for them to change, right?

I mean, I suppose at some point, they'll want to know what the performance difference is for the crawlers, for the search engines and stuff like that.

But no, right now, I don't think there's a big difference. And you can see by browser version, mobile versus desktop, etc.

So, if you're interested in HTTP3 and where it's gone, this is the blog post for you.

Exactly. A lot of trends and charts to explore. This is a part of the Internet, of the evolving Internet.

So, it's always interesting to explore. Check out Radar's adoption and usage section.

You can follow this along for the rest of the year, even when we're not writing blog posts.

Exactly. And now, by the way, I can promote that we have...

The scope is even larger than before. Now, you can look at the last 12 months.

It wasn't possible before. So, you can explore protocols like IPv6 or TLS or also HTTP, like you were saying, HTTP, yes and no.

That HTTP chart is pretty fascinating, which is that secure connections almost completely dominate.

We've gone to a point where we all use secure connections. Except we can see what it looks like with bots, but yeah.

Where should we go next? Well, I think we've got one left, haven't we?

Cloudflare Area 1. So, Cloudflare Area 1 is our email protection product, which we use and lots of our customers use.

Email comes in through it.

We get rid of the phishing. We get rid of the business email compromise, all that kind of stuff.

And one thing that's important for our customers is the certifications.

We had SOC 2, Type 2 for the rest of Cloudflare. We didn't have it for Area 1.

Now, we do. So, if you are using it and you need to know about that, you can go to our Trust Hub.

Our Trust Hub will tell you what certifications we have.

And you'll be able to figure out, hopefully, that Cloudflare is on top of the security of these products.

And this is just one of the ways in which I think it tends to be important for large companies to be assured of this.

They often have requirements around this.

So, congrats to the Area 1 team for having got SOC 2, Type 2 sorted out.

In this case, it's all about sensitive information, this SOC 2, Type 2.

It has access to it, how we control it. Yes, all that kind of stuff.

And there's a bunch of criteria for it. So, yeah. And customers can use it using the Cloudflare dashboard in this case.

Yeah. They can find it in the dashboard.

They can find it in the Trust Hub. All these places you can figure out all the certifications that Cloudflare has.

Exactly. A lot of certifications. Yeah.

I still have time for a fun fact this week. And I was looking at these types of fun facts.

This one pops out. It's 190 years since Ada Lovelace met Charles Babbage.

This is something you know quite well. It was June the 5th, 1833.

And Ada Lovelace, for those who don't know, is credited as the world's first computer program.

And Charles Babbage, and you know this well, is the inventor of the analytical engine, a machine designed to be a general purpose computer.

Designed, but never fulfilled. Yeah. Although the whole Ada Lovelace is the first programmer thing is a bit of a strange claim, because clearly Babbage, who was building the computer, also thought about programs for it.

The reason people use that term is that there's a famous exchange of letters between Lovelace and Babbage about a program in which they're discussing a program about computing things called Bernoulli numbers.

And Lovelace points out that he's made some mistakes in how they're going to write the program.

So I actually think she's the first debugger.

I think she's, if we're going to claim anything, because clearly she and Babbage collaborated on programs.

But she's also really very responsible for us knowing quite a lot about what Babbage did, because she famously helped write this paper that Babbage had, which describes the analytical engine based on lectures that Babbage did in Europe.

And she added her own notes at the end.

So she deeply understood how this thing works. And in fact, really is Babbage is the only person that really truly collaborated with Babbage and understood what he was up to.

So yeah. Whether she was the first programmer or not, okay.

But she was super important. And I think there's no diminishing her by saying that Babbage probably wrote some programs too.

Exactly. And this is a long time ago, 190 years.

Things have evolved. Do you want to give an update?

Because you have this project, your personal project, in terms of building the analytical engine that Babbage created.

Yeah. Foolishly, more than 10 years ago, I created this project called Plan 28 to try and build one of Babbage's, build the analytical engine because Babbage never completed it.

And that project has taken a long time.

You say it's my project, the people working on it, I'm not really working on it.

I'm just sort of trying to provide encouragement. Well, what's finally being done is a transcription.

This is the latest update, a transcription of the work that, well, at least we've been through scans of everything that Babbage left behind.

The problem is what Babbage left behind was thousands and thousands of pages of notes.

Not well thought out, this is what you should build, but literally here are all of my thoughts about how you might build one of these machines.

I changed my mind today. Here's a sketch of something. Thousands and thousands of pages.

And so we, and I say we, I mean, a couple of folks have gone through all of these thousands of pages and built themselves a big sort of index.

So you can figure out where Babbage mentions within this text something.

Where does he mention addition? Where does he mention optimization of the memory and stuff like this?

By the way, it's all mechanical, right? So we're at the point where figuring out how to communicate some of this stuff to the outside world, because it's an enormous work.

The really important step in the project was figure out, could we actually build one of these machines?

And the answer is yes.

And the reason that was important was although Babbage left behind all of these notes, he never completed one set of plans.

And you would end up trying to take bits from one machine and another machine and try and build something coherent.

And we don't want to invent something. We want to build something that Babbage wanders into the room that goes to Babbage and says, oh, you built it.

And as he was a slightly difficult individual probably says, why the hell did you build that version?

I've got a much better idea, you know, that stuff. But so we are at that point.

So we know that there is a machine that can build where we're sure it's Turing complete.

So it could run a new program. So, you know, maybe the ghost of Lovelace can turn up and actually type in that program or punch card it in because it's punch cards.

So we're getting there slowly, but it's going to be a while before you see a physical machine.

The good news is in 10 years, since I started this and more than that, the state of the computing we have has increased enormously and we can now simulate this thing.

So I think the next step will be simulation. True.

And I've been to the science museum in London and there's a machine there you can see it's like a work of art.

It's like a machine that is a work of art because it's quite beautiful and quite big.

They have more than one there. The machine that exists is a thing called the difference engine, which is a calculator.

It does a set of repeated set of calculations, which is very useful, but it's not programmable in the same way as the analytical engine, but it was built.

And actually one of the people involved in plan 28 actually was the person who built it.

And so we know that from a mechanical perspective, Babbage's designs were not nonsense.

The machine really works and really does what it says.

And it includes a printer. I don't know if you've seen the printer.

The printer is actually kind of amazing because it takes the output of this big mechanical thing and prints it.

On paper, small paper.

Actually does it on paper and also makes a, it presses into material so that you can actually make a lead plate to actually then make copies.

Because the goal was that the output of this machine would be log tables, trigonometric tables necessary for navigation.

So you would print the results, which would be a hundred percent accurate because no humans made a mistake.

And you could literally take the, you know, this piece of lead and then use that for your printing press to actually print copies.

So, I mean, incredible piece of work. True. I invite everyone to learn more about that.

This was great, John. A little bit of history at the end.

See you next week. Yeah. See you next week. Bye. That's the wrap. Bye -bye.

Before we go, it's time for our Around The Net short segment.

This week, we're going to travel to Costa Rica, where the RightsCon Summit is happening.

That's a human rights in the digital age summit.

Here's from Patrick Day from our policy and trust team.

He's usually based in Washington, D.C., but this week, he's in Costa Rica.

Hey, everyone.

My name is Patrick Day. I'm part of the Impact Team here at Cloudflare.

This week, we are at RightsCon in Costa Rica. Thanks for having us on the show.

I'm a big fan. Why are we here? So this is the largest tech and human rights conference in the world.

It brings together governments with civil society from countries all over the world with tech companies and non-governmental organizations to talk about all the things that are important to the future of the Internet.

So if you think about what human rights means for the Internet, it's a lot of the things that we care about at Cloudflare in terms of a single, connected, free and open Internet, how data privacy is manifesting all over the world, how governments in authoritative countries are using the Internet to stifle freedom of expression and speech, and often how they're pressuring companies to be involved in those processes.

So whether it's Cloudflare or companies like Google or Facebook or Microsoft, it's really important for us to be here to hear from advocates directly on the ground what they're experiencing in all these countries, in addition to making connections with folks in the U.S.

government and the U.N.

and other places where a lot of these decisions about the future Internet are being made.

So this week, three members of our team have been here.

We've had a lot of meetings. We've attended a lot of really cool working group sessions.

We had a booth set up for Project Galileo, which if you're not familiar, it's our free program to help journalists and civil society organizations around the world get access to free services at Cloudflare.

One of the really cool things about being here this week is, you know, we've tracked sort of our membership in Galileo over the last couple of years, which we're really proud of, and it's growing at an incredible rate, but we felt like there are certain geographies where we're underrepresented.

So one of the coolest parts about being here in Costa Rica is all the NGOs and journalists that we've met from Latin America that are really interested in Galileo, that have heard of Cloudflare and need these type of protection services.

So just to give you a flavor of sort of what the conference has been like and what these working group sessions are like, I've done two so far this morning.

One was with civil society activists and journalists in Russia and Belarus.

The other one was on how to keep the Internet open through censorship in the Asia -Pacific region.

So a really cool thing that happened right as I was walking out of the Russian-Belarus meeting, which included a number of our peers in the industry.

One of the activists from Belarus who represents a ton of independent journalists in the country walked up to me and said something like, you know, it must be really nice to work for Cloudflare because everybody loves you.

And so it's been a really great week. We've had a lot of really positive feedback on Galileo and Cloudflare in general and the types of services we provide.

It's been really cool and I look forward to sharing more information with everyone when we get back.

So thanks, Joao.

Thanks, everyone. Okay, the most interesting thing I'm working on, I think, Margaret, it's not applause for me.

We're doing our first global network initiative or GNI self-assessment of all of our of Cloudflare's internal human rights practices.

So that's documenting the way that we build products and how we build in consideration of how they might affect real people in the world in terms of freedom of expression and privacy.

It's also about how we interact with governments and how we respond to requests for information about customers or just safety processes.

What's my favorite blog post? If you haven't read Matthew's blog post from the first Impact Week, where he talks about his meeting with the Committee to Protect Journalists, which was the beginning of Project Galileo and almost everything we do in the Impact Space, I highly recommend checking out.

It was really cool.

I had never heard that story before and it's a cool part of the beginning of Cloudflare.