This Week in Net: Zero Trust speed, security and the quantum state of a TCP port

Hello and welcome to This Week in Net, everyone. It's the March 24th, 2023 edition.

I'm João Tomé, based in Lisbon, and with me I have, as usual, our CTO, John Graham-Cumming.

Hello, John, how are you? Hello, good afternoon. Good afternoon, morning, good evening, wherever you are.

We just had a Security Week last week.

After we did our segment on Friday, there were also a few other blog posts that we put out there, and also on Monday, a wrap-up blog post.

We didn't discuss last week that we should highlight this week there, in terms of Security Week.

Well, I mean, that wrap-up blog post gives you kind of a sense of what we did during the week.

I mean, I think there were something like 34 blog posts last week, lots of stuff about Zero Trust, lots of stuff about machine learning, threat intelligence being opened up.

We got to Friday, basically, and I think we hadn't talked about the Cloudflare, how fast we are as a Zero Trust proxy.

In terms of Cloudflare access, right?

Yeah, exactly. So, I mean, I think the real message is, I mean, obviously, it's faster as a Zero Trust proxy, is that you've also got the real power of Cloudflare's network.

And I always go back to something that we did a long time ago, which is 1.1.1.1.

And that public DNS resolver was overnight the fastest DNS resolver in the world.

And the reason for that was that it used our network.

I mean, as smart as the people who worked on 1.1.1.1, the fact that we had this giant network was pretty incredible.

And the same thing is true here of Zero Trust.

And so when we rolled out Cloudflare access, I mean, we've got this incredible speed boost, right?

It's just incredible how fast it is. And we've now tested it against Netscope and Zscaler.

You can really see how the power of the network works.

Exactly. Cloudflare access does all that 75% faster than Netscope and 50% faster than Zscaler.

High percentages. For those who don't know, what does Cloudflare access mean?

Well, it's a way of getting access to corporate applications.

So if you are just as you and I do every day, we log into various SaaS applications for our daily business.

And Cloudflare access sits in front of those applications and enforces the authentication and enforces various security controls like, what country am I in?

Or am I using my real laptop? And have I used a hardware key, which is really important for us.

And obviously, since it sits in front of those applications, it's very important that it's fast.

And we've shown that it is very, very fast.

And we're also showing that Cloudflare is very, very fast.

We regularly report on how fast we are as a proxy in general around the different networks in the world.

And there's actually a great map at the end showing the progress since the last time we did this.

Exactly. Usually, those maps show progress.

And we do not every quarter, but at least after a few months, we updated some of these trends.

In this case, it was when we did developer week, I think it was in the summer 2022.

And the plan is, we do it every innovation week, we update these graphs, we have this all automated.

And then also, we look at these graphs to try and figure out, where have we gone?

Where are we no longer number one?

For example, it's quite interesting. For example, if you look at Europe, I mean, in Spain, we were not number one last time.

And now we are, the UK similarly.

And in Italy, and Sweden. But also, if you notice that this time around, we were not number one in Algeria, which we were last time.

So we'll also be looking into optimizing and figuring out how we optimize because we want to be the fastest in terms of most networks around the world.

Exactly. And it's a good perspective to have.

If you track these types of things, you're always trying to be the best one in each and every country and region.

So it's a good way to keep you in check.

Absolutely. I mean, part of Cloudflare's promise is that our network is everywhere.

And we're going to be fast and available wherever you are or wherever your customers or your employees are.

Exactly. Makes sense. A few trends here to explore for sure.

And you were mentioning before the blog post from Monday that puts everything into perspective in terms of Security Week.

So we also have this wrap up blog post that you mentioned before, where we put everything together.

And you were mentioning the 34 new tools and integrations that were announced in one week, which is a lot, of course.

So it organizes things in terms of what types of tools, what type of integrations were announced.

There's a lot. So it's a way to browse.

This is a good way, I think, of browsing it. You can look down this list and figure out if there's something in particular or particularly interesting.

Yeah, you see like the forward detection thing we announced or machine learning things that we announced.

It's kind of all in there and you can take a look and figure out which ones you want to click through to.

And there's our little video at the end there.

Yeah, exactly. There it is. Last week, we didn't highlight a lot of Cloudflare fraud detection, which is a new thing.

People can sign up. So it's early access.

Yes. Yeah. It's not early access. We're developing it right now. Oh, so it's already...

It's being developed and we want people to come and work with us in terms of features and functionality that they want to have.

So sign up if you want to be part of helping us develop that.

Exactly. And there's the link for sign up.

Where should we go next? We had a great deep dive from Jakub called the quantum state of a TCP port.

Why not start there? So this is nothing like the Security Week stuff pretty much.

This is a very deep dive into Linux networking. And in particular, so you really want to be a programmer and you really want to be interested in the Sockets interface and the Linux kernel.

But this blog post is actually asking the question here, which is, when can two TCP Sockets share a local address?

And it's kind of interesting to think about when can they share an address and what are the different scenarios?

And so Jakub's done this as kind of a quiz. So if you're interested in some ways testing your own knowledge of TCP Sockets or even trying to guess what the answer is, because it's not obvious, this blog is set up as a quiz that will take you through the sample code examples that would explain to you exactly what you, well, hopefully explain to you all the ways in which TCP Sockets can be used.

It's kind of unusual because in some senses, the Sockets API, the BSD Sockets API seems pretty simple.

There's certain things you could do with that.

There's a lot of subtlety, especially because of all the options that are available.

So this is definitely one for the nerds and hopefully you'll enjoy figuring this stuff out.

For those who don't understand a lot about TCP boards, why something like this is relevant in terms of stating all of these questions, scenarios?

Well, because we care about things like this a lot because, you know, your computer right now, right, which is you and I talking to each other in Zoom, there are a bunch of TCP connections are open, perhaps in your computer or websites and things like that.

But it's a relatively small number. And there's a limited space of connections available, or it looks like there is because those connections have to have a port number and a port number is a limited in range.

And there's an IP address associated with it. So there's a limited amount of potentially connections between a machine and two machines and a machine and end machines, right?

Because of the need for there to be some unique way of identifying the connection and the way the connections get identified is some combination of IP addresses and ports.

And on your machine, it doesn't matter very much.

But when you're using the kind of servers we're using, where we're making a huge number of connections all over the place and things are getting reused and connections are coming up and down, understanding the subtleties of when you might run out and not be able to actually create a connection or a socket, or understanding, you know, what the different combinations are, because one of the things that happens is, you know, we will run through sockets very, very rapidly.

And there are other odd things that might happen where we might want to get a socket, but not know quite where we're going to connect to yet or what port number.

So these things come up when you're running something at our scale. So, you know, if you're interested in running, you know, the sort of challenges, and we've written about this a lot in the past, this kind of stuff, because these challenges of managing huge numbers of sockets at our scale is really a big deal and really something we have to think about.

We've done all sorts of things to deal with sockets.

And yeah, there's like stuff to do with using BPFs, many, many fascinating things.

So yeah, if you're into Linux, click on the Linux tag there, and you're going to see a lot of stuff around how we use and modify the Linux kernel.

Yeah, it's definitely something worth reading if you're dealing with all of these things in your job.

So a geeky blog post for sure. Where should we go next?

We also have a few announcements this week in terms of author workers, TLS certifications.

Yeah, where should we go next? So let's do use the language of your choice of pages functions via WebAssembly.

So, you know, that was already this Friday.

Yes, that was this Friday. And, you know, WASM, big topic.

So one of the things that you see, so we have, so if you're not familiar with our platform, we have Cloudflare Workers, which allows you to write code in JavaScript, TypeScript, or anything that targets WebAssembly.

And we have a thing called Cloudflare Pages.

And Cloudflare Pages is where you do static website hosting, right?

So you put some website up there through us. And there's also a thing called Pages Functions, which means the pages aren't static.

There's actually some functionality in them because you want them to be dynamic or something like that.

So the thing is we previously could do that with JavaScript.

You add some JavaScript in and we would run it for you because it's a bit like WebAssembly, a bit like workers.

But we've added now the ability to use WebAssembly as well within Pages Functions.

So you can go off and write in the language you like, Rust or Go or C or whatever, target it down to WASM and have it as part of your static dynamic website that's on Cloudflare Pages.

And this, so it's available now, and this shows you how to do it.

It's relatively simple.

You just actually compile to WASM and then import the module. And there's a nice little demo here, which is of the earth rotating and then calculating the distance between two points on earth by clicking on it.

And the way in which this works is the main page is running locally.

The clicks are being sent back to the server so you can see we're in Lisbon, you're in Lisbon, it's geolocated you.

And if you click somewhere else on the earth, you will get a distance.

There you go, in kilometers.

And that actual calculation was done in WebAssembly. So it actually went to the server.

On the server, it actually hit a WASM program, which was originally written in Rust, which did the number of kilometer calculation.

And then the result was sent back to your web browser.

So it's just an example. Here's the actual Rust code that did this, I think called the Havasine formula, which is a standard formula for calculating the distance between two points on the earth as an idealized globe, which isn't quite because there's a chunk missing.

But it gives you an idea of how to how that was generated.

So yeah, now you can use WASM within those in those pages functions.

It seems a very simple code. So it seems like a not very difficult thing to do, right?

Yes, yes, it's not very complicated. So, you know, I think it's a good addition if you want to use the language.

And of course, this example could all have been done in JavaScript, right?

I mean, it's not very complicated to do Havasine formula, there's floats in JavaScript, and you could do it.

But it gives you an example of how you can mix and match the languages you want to use.

Yeah, so it's just opening the platform a little bit more in terms of possibilities that people can use, if they're accustomed to do something.

Absolutely, because people want to write in the language they like, right? Exactly.

And I really love the globe example, interactive and all. Yeah, it's fun, isn't it?

It is fun. Even just to see the distance between points on earth, it's quite fun.

So very simple, but useful example. Where should we go next?

Well, let's go Node.js compatibility.

And so we announced that we were going to have Node.js compatibility in Cloud Platform Worker some time ago, because we wanted to make it easy for people to not have to import things and use what's called a polyfill to actually create what they want within Cloud Platform Workers.

And so we've started implementing Node.js core APIs. And so there's a bunch of them being announced today.

And so this is just Bob Post is saying, many, many things you're familiar with in Node.js are now available in Cloud Platform Workers.

So this is opening up to more people. So this is also a part in terms of workers and possibilities for developers.

In a sense, yep, yep, yep.

Use the familiar APIs that you have before. People seem to be particularly excited about buffer.

So why? You tell me I'm not a Node.js expert. So I don't know why buffer is so exciting for people.

But that's great. So a lot of things to experiment for sure, in the workers area.

And what is this out now auto renew TLS certificates.

So, you know, a long time ago, we announced a thing called universal SSL, where we generate an TLS certificate, SSL, TLS, same, same thing, really.

And we generate those for our customers. However, there are customers who want to have their party certificates on us.

And so it can be quite complicated to keep those things up to date.

And one of the things you have to do when you want to get a TLS certificate is prove that you have the right to do it, prove that you control the domain name, because you're getting fundamentally a TLS certificate for a domain name.

And so, you know, you don't want it to be the case that, you know, I could go out and get a certificate for Santander.pt, right, the bank here, unless I was Santander.

So this thing called DCV delegation, what DCV is a way of saying I approve that you, that I own the domain.

And there's very different ways of doing DNS and things like that.

What we've done here is we've, you're able to delegate to basically the DCV part so that you can say, okay, you're using this certificate, you're using with the Cloudflare.

And nevertheless, I want to be able to do this, I want to be able to prove that I have the right to do this.

And so we've set this up to make it trivial, basically.

So somebody's not, if you scroll down, actually, there's a little example in here.

So you can basically, we will help you automatically renew certificates by adding the appropriate records.

And so we will fix this for you automatically. So you literally copy in these two things, these special custom host names, and then it's delegated.

And that means that you really don't have to have any problems using those certificates with us.

So there you go. It's done. It's done in a sense. Anything we can do to make TLS certificate management easier, we will because it is complicated.

And it's important to have, right? So there's those two things, being complicated, but also important to have.

Yep. In a sense. We still have a few time, some time.

I'm curious in terms of, there was security week, a few, a lot of days of things that we presented.

Journalists were curious about things, developers were curious about other things, customers, all that.

What's your sum up in terms of things that surprised you in a sense, in terms of feedback, in terms of expectations, in terms of things we announced during the week?

Well, I think we sort of briefly touched on this last week, but I mean, the big thing for me in security week was, I mean, obviously there are 34 announcements, so there's all sorts of stuff in there.

And I really liked the stuff about DMARC and there's a bunch of how that was built on Cloudflare Workers, just showing yet again, another thing you can build on Cloudflare Workers, Cloudflare is building on Cloudflare, right?

But I think the one thing that came through really clearly was the amount of machine learning that was going on.

There was just a tremendous amount. I mean, there's always been some, but it's really become the case that Cloudflare has a lot of machine learning now.

And that was very noticeable in the different sorts of announcements.

And even actually some of them using some of the underlying kind of techniques that are underlying things like GPT, which we're applying because we're looking for security threats.

We're looking for anomalies. We're looking for bad domain name registrations, looking for DNS tunneling.

We're looking for all these things.

And so there's a lot of machine learning happening. And I think one of the great powers of the Cloudflare network is that it's essentially a giant sensor network, everybody, everywhere in the world, and which allows us to see threats, new domain names, strange activity, and use that to actually block stuff before it goes anywhere and actually share that intelligence between our customers.

And that's, I think, really came through in this security week.

So this is how much of that there is that's going on.

So yeah, that for me was probably one of the big things.

And the other thing is Zero Trust, right? I mean, Cloudflare has been, you might think of Cloudflare as a company is a CDN or a DDoS provider or WAF, or has the workers platform, but there's really this whole other area, which is zero trust, which is protecting employees and protecting companies when people are using their applications, or they themselves are going out onto the web.

And that's just an exploding area for us.

And a lot of announcements were made during the week. So I think Zero Trust and machine learning were the two great things.

There's one particular announcement, kind of a favorite of mine, which is around post quantum cryptography.

So I'm old enough, and I think you are too, to have lived through the year 2000 problem.

I don't know about you, but I was the Y2K coordinator in my company, which meant I had to go through and figure out for all the software we used, and back then this was mostly desktop and server software, was it Y2K compatible?

And for those who are young enough not to know what the Y2K problem is, it was that computers were keeping dates, the year, as two digits.

And when we got to 1999, it was going to flip over and become zero, zero, or do other things.

And that would make strange things happen with date calculations, where you're trying to do, you subtract one year from another and suddenly it becomes negative, or maybe it becomes some very large number and overflows, all sorts of things could go wrong.

And there were incredible predictions of calamities were going to happen on the midnight.

The world was going to fall apart. Planes were going to fall out of the sky.

And in fact, what happened was, even before actually the year 2000, some software that had to do calculations in the future started having bugs.

So if you had a 30 year mortgage and you took it out, suddenly it might be like, wait a minute, the calculations are going wrong.

So a great effort was made by people in the industry to go through and figure out, is my software vulnerable to this problem?

Is it going to have a problem? How do we fix it? And we did that.

And by the way, we're going to have to do something similar in 2038 because the Unix timestamp is going to 32 bit timestamps going to overflow, but we'll get there.

We'll get there. Anyway, the announcement during the week was the one about post-quantum cryptography.

So we need to prepare for a sort of Y2K PQC or post-quantum cryptography, which is at some point, there's going to be a quantum computer that's viable enough to break the encryption we have today.

And so we need to not wait for that to happen.

We need to fix it before it happens a little bit like we did with Y2K.

Unfortunately, we don't have a date like we did with Y2K. Might be in five years, might be in 20.

We're not quite sure. We don't know which country will do it.

We don't know which country will do it. And we don't know whether those countries will even announce it.

Because it may be done in a secret agency somewhere.

So we need to prepare for that. There's been a long process. Cloudflare has been deeply involved in testing and open sourcing post-quantum cryptography algorithms and implementations.

NIST has standardized them. So now we're in a position where it's like, oh yes, we can actually upgrade things to post-quantum.

Well, guess what?

Some companies have jumped on the bandwagon and been like, we're going to post-quantumify you for a very, very large amount of money, which also happened with Y2K too.

And we think that's stupid. And we think that's actually bad for the Internet.

We think it's bad for people. And I think the answer is we should give that cryptography away for free.

So we've done lots of open sourcing of implementations, but we're also going to upgrade all of our use of cryptography to be post-quantum.

So that means all connections to Cloudflare, all connections from Cloudflare, all connections inside Cloudflare, connections with Warp, with Tunnel, all this stuff will be post-quantum.

So that is all happening.

And we announced that we're going make it free and we're going to make it free forever.

So it's going to be whatever plan you're on, post-quantum won't be a paid add-on, it'll just be included.

So if you're a free customer, it's included.

If you're an enterprise customer, it's included. So it's there, it's like the basis.

It's just part of what we do. Yeah. Of the network. And I think it was really relevant.

We don't know how relevant it is right now, but to your point, the quantum computers will crack previous data.

So quantum computers from the future could have access to previous data from the past in a sense.

So having things ready now is important, right?

That's one of the actually kind of odd things, right?

Which is that if there's somebody out there recording Internet traffic today, so an intelligence agency in some country, that once a post -quantum computer comes along, for many algorithms, they will be able to go back and decrypt all that stuff.

So one of the other motivations for doing it now is to prevent that from being a possibility that private communications become non-private in the future.

Exactly. It's a big future problem, but could have an impact in the past.

And it's really wonderful that we're putting in all of our network available for everyone, for sure.

Last thoughts, John, before we go. Actually, do you have any year 2000 story of something that happened that didn't work well?

Because work well in general, there was not chaos, but some things, some problems I think at the time, right?

I mean, there were, I seem to remember there were a few ATM machines in Italy didn't work at midnight.

And I remember that actually at midnight, people were SMSing each other right back in the day.

We survived. Or calling each other.

And lots of phone networks didn't work. But that had nothing to do with Y2K. They were just overloaded.

It was just everyone was, it's the millennium. My God, we survived.

It's a new millennium. Exactly. So I don't think there were any, you know, really big problems with Y2K.

And if you visit my website, there's actually a Y2K related joke on my website, which, funnily enough, somebody wrote into me and I had to make it now link to the Wikipedia page about Y2K, because they didn't understand because they were too young and I'm getting too old.

Oh, well, but that's a good one.

So jgc.org. Yeah. For those hearing. Yes. In the in the copyright at the bottom, there's a Y2K joke in there.

For those to find out. This was great, John.

Thank you so much. See you next week. See you next week. Bye. Bye.

Before we go, let's travel to the Netherlands to meet Bas Westverbaan.

He's a research engineer from the research team here at Kluivert.

And he's also, of course, a mathematician with interest in quantum computing and cryptography.

He wrote a blog post actually last week that John mentioned in our conversation related to post-quantum and the Kluivert approach in terms of giving it away.

But before we hear from Bas, I want to leave one suggestion.

This week we didn't have any suggestions, so let me leave one.

It's a book. It's called Life 3.0 or 3.0, if you want, written by physicist and cosmologist Max Tegmark.

And what I like about him is that we've been discussing this past week, this past month, more than ever, AI, special large language models like chat GPT or being AI or now bars from Google.

So it's around.

It's having an impact. Just a week ago, OpenAI launched GPT-4, so a more advanced model there.

And there's now plugins that people can use, third parties can use and explore.

So a lot to explore, new tools are coming. Given that, I think this book gives, explores the potential implications and possibilities of AI becoming advanced enough to surpass human intelligence.

And what I like about it is that it considers very different scenarios, more positive or more negative, negative of AI having a deeper role in terms of being more intelligent than humans.

So some of those are really wonderful scenarios, others, not that much.

So more scary, but good scenarios to explore at this time. So now let's go to the Netherlands to hear from Bas.

Good morning. I'm Bas Estaban, a research engineer at a research team here in the Netherlands.

I'm really proud that as a company last week, we committed to bringing the latest cryptography secure against the text of quantum computers for free forever to all our customers.

I'm really proud to work at a company that sees privacy as a baseline, not something you have to pay extra for.

A bit about me, I'm an effort cook and a boulderer and an identical twin.