Cloudflare


Cloudflare, Inc. is an American web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services. Cloudflare's services sit between a website's visitor and the Cloudflare user's hosting provider, acting as a reverse proxy for websites. Cloudflare's headquarters are in San Francisco, California, with additional offices in Lisbon, London, Singapore, Sydney, Munich, San Jose, Champaign, Illinois, Austin, Seattle, New York City and Washington, D.C.
Cloudflare has faced several controversies over its unwillingness to monitor content distributed via its network—a stance it has defended based on the principle of free speech. Cloudflare stated that it will "continue to abide by the law" and "serve all customers", further explaining "our proper role is not that of Internet censor". These controversies have involved Cloudflare's policy of content neutrality and subsequent usage of its services by numerous contentious websites, including The Daily Stormer and 8chan, an imageboard which has been linked to multiple mass shootings in the United States and the Christchurch mosque shootings in New Zealand. In 2017, Cloudflare decided to cease providing services to The Daily Stormer. In August 2019, Cloudflare stopped services for 8chan following a mass shooting in El Paso stating that 8chan is "refusing to moderate their hate-filled community".
In 2014, Cloudflare introduced an effort called Project Galileo in response to cyberattacks against vulnerable online targets, such as artists, activists, journalists, and human rights groups. Project Galileo provides such groups with free services to protect their websites. In 2019, Cloudflare announced that 600 users and organizations were participating in the project.

History

Cloudflare was created in 2009 by Matthew Prince, Lee Holloway, and Michelle Zatlyn, who had previously worked on Project Honey Pot. Cloudflare was launched at the September 2010 TechCrunch Disrupt conference. It received media attention in June 2011 for providing security services to the website of LulzSec, a black hat hacking group.
In June 2012, Cloudflare partnered with various web hosts, including HostPapa, to implement its "Railgun" technology: a web protocol intended to improve performance.
In February 2014, Cloudflare mitigated what was at the time the largest ever recorded DDoS attack, which peaked at 400 Gigabits per second against an undisclosed customer. In November 2014, Cloudflare reported another massive DDoS attack with independent media sites being targeted at 500 Gbit/s.
, Cloudflare provides DNS services to 12 million websites, adding approximately 20,000 new customers every day. According to W3Techs, Cloudflare is the most popular reverse proxy service, used by 11.6% of the top 10 million websites.

Funding rounds

In November 2009, Cloudflare raised $2.1 million in a Series A round from Pelion Venture Partners and Venrock. In July 2011, Cloudflare raised $20 million in a Series B round from New Enterprise Associates, Pelion Venture Partners, Venrock. In December 2012, Cloudflare raised $50 million in a Series C round from New Enterprise Associates, Pelion Venture Partners, Venrock, Union Square Ventures, and Greenspring Associates. In December 2014, Cloudflare raised $110 million in a Series D round led by Fidelity Investments, with participation from CapitalG, Microsoft, Qualcomm, and Baidu. In March 2019, Cloudflare raised $150 million in a Series E round led by Franklin Templeton Investments, with participation from New Enterprise Associates, Union Square Ventures, Venrock, Pelion Venture Partners, Greenspring Associates, CapitalG, Microsoft, Baidu, Qualcomm and Fidelity.
On August 15, 2019, Cloudflare submitted its S-1 filing for IPO on the New York Stock Exchange under the stock ticker NET. It opened for public trading on September 13, 2019, priced at $15 per share.

Acquisitions

In February 2014, Cloudflare acquired StopTheHacker, which offers malware detection, automatic malware removal, and reputation and blacklist monitoring.
In December 2016, Cloudflare acquired Eager, with the view of upgrading Cloudflare's Apps platform to allow for drag-and-drop installation of third-party apps onto Cloudflare-enabled sites.
In late 2017, Cloudflare acquired Neumob, a mobile VPN startup.
On January 7, 2020, Cloudflare acquired S2 Systems, a company which has developed a patented browser isolation technology. Cloudflare implemented this technology into their Cloudflare for Teams service.

Services

DDoS protection

Cloudflare offers an "I'm Under Attack" mode for customers experiencing cyberattacks. Cloudflare claims this can mitigate advanced Layer 7 attacks by presenting a JavaScript computational challenge which must be completed by a user's browser before the user can access a website.
In March 2013, Cloudflare defended The Spamhaus Project from a DDoS attack that exceeded 300 Gbit/s. Akamai's chief architect stated that at the time it was "the largest publicly announced DDoS attack in the history of the Internet". Cloudflare has also reportedly absorbed attacks that have peaked over 400Gbit/s from an NTP Reflection attack.

Web application firewall

Cloudflare allows customers on paid plans to utilize a web application firewall service. By default, the firewall has the OWASP ModSecurity Core Rule Set alongside Cloudflare's own ruleset and rulesets for popular web applications.

Authoritative DNS

Cloudflare offers free authoritative domain name system service for all clients, which is powered by an anycast network. SolveDNS have found Cloudflare to consistently have one of the fastest DNS lookup speeds worldwide, with a reported lookup speed of 5.6ms in July 2019.

Public DNS resolver

On April 1, 2018, Cloudflare announced a 'privacy-first' consumer DNS service, at IP addresses 1.1.1.1 and 1.0.0.1. Alternatively, the service can be accessed via IPv6 at 2606:4700:4700::1111 and 2606:4700:4700::1001.
On August 16, 2018, Cloudflare announced 1.1.1.1 can be used on Android Pie's Private DNS feature using "1dot1dot1dot1.cloudflare-dns.com" hostname.
On November 11, 2018, Cloudflare announced a mobile version of their 1.1.1.1 service for iOS and Android.

Reverse proxy

A key functionality of Cloudflare is that they act as a reverse proxy for web traffic. Cloudflare supports new web protocols, including SPDY and HTTP/2. In addition to this, Cloudflare offers support for HTTP/2 Server Push. Cloudflare also supports proxying WebSockets.

Content delivery network

Cloudflare's network has the highest number of connections to Internet exchange points of any network worldwide. Cloudflare caches content to its edge locations to act as a content delivery network ; all requests are then reverse proxied through Cloudflare with cached content served directly from Cloudflare.

Project Galileo

In 2014, Cloudflare introduced an effort called Project Galileo in response to cyberattacks against vulnerable online targets, such as artists, activists, journalists, and human rights groups. Project Galileo provides such groups with free services to protect their websites. Cloudflare has remained fairly secretive about the project, in part to avoid drawing further attention to organizations that might be targeted. In 2019, Cloudflare announced that 600 users and organizations were participating in the project.
Project Galileo has been compared to Alphabet's Project Shield, a different service providing protection to vulnerable humanitarian and free-speech groups. In contrast to Project Shield, Project Galileo does not create its own guidelines for eligible users, but rather outsources the selection to 28 non-profit organizations, any of which can accept users into the program.

Athenian Project

Cloudflare created the Athenian Project to ensure that state and local government election websites receive their highest level of protection and reliability for free, so that their constituents always have access to election information and voter registration.

Domain registrar

In 2019, Cloudflare announced a new domain registrar service that promised to offer low-cost wholesale pricing and easy ways to enable DNSSEC.

Access

In 2018, Cloudflare announced a new zero trust authentication service that offers a way for companies to secure networks without the overhead of a VPN. The service is free for up to 5 users and then is $3 per user per month. The service allows administrators to authenticate clients with a one time pin, Facebook, Github, Google, Yandex, Azure Active Directory, , G Suite, Okta, OneLogin, OIDC Provider, or SAML authentication.

WARP

On April 1, 2019, Cloudflare announced a new freemium Virtual Private Network service named WARP. The service would initially be available through the 1.1.1.1 mobile apps with a desktop app available later.
On September 25, 2019, Cloudflare released WARP to the public.
Currently as a freemium service, WARP has two plans WARP and WARP+. WARP Plus is faster than WARP and uses Cloudflare’s Argo Smart Routing to achieve a higher speed than WARP. WARP is free while WARP+ starts at $4.99 per month or €3.99 per month in Europe.

Network time services

On June 21, 2019, Cloudflare announced that users would be able to sync their computer's time securely with Cloudflare's Network Time Protocol service. Cloudflare's time service will allow users to connect to their NTP server that supports Network Time Security, enabling users to obtain time in an authenticated manner.
On October 31, 2019 Cloudflare further announced that they release their NTS implementation, cfnts, as open source software and invited the internet community to contribute to its future development.

Cloudflare TV

On June 8, 2020, Cloudflare announced a 24x7 live television stream, oriented towards technology conferences and globally available on the Cloudflare network.

CAPTCHA

Cloudlare started using hCaptcha for their anti-DDOS service.

Controversy

Cloudflare has come under pressure on multiple occasions due to its policies on free speech and for refusing to cease technical support of websites such as LulzSec, The Daily Stormer, and 8chan. Some have argued Cloudflare's services allow access to content which spreads hate and has led to harm and deaths. However Cloudflare, as an Internet infrastructure provider, has broad legal immunity from the content produced by its users.
In 2011, Cloudflare provided DoS protection for the hacker group LulzSec. This garnered significant positive media attention at the time, as Cloudflare was a young and relatively unknown company.
Cloudflare provided DNS routing and DoS protection for the white supremacist and neo-Nazi website, The Daily Stormer. In 2017 Cloudflare stopped providing their services to The Daily Stormer after an announcement on the controversial website asserted that the "upper-echelons" of Cloudflare were "secretly supporters of their ideology". Previously Cloudflare had refused to take any action regarding The Daily Stormer, despite widespread public pressure. The removal was addressed in a blog post in which Cloudflare emphasized their dedication towards freedom of speech. As a self-described "free speech absolutist", Cloudflare's CEO Matthew Prince vowed never to succumb to external pressure again and sought to create a "political umbrella" for the future. Prince further addressed the dangers of large companies deciding what is allowed to stay online, a concern that is shared by a number of civil liberties groups and privacy experts. The Electronic Frontier Foundation, a U.S. digital rights group, said that services such as Cloudflare "should not be adjudicating what speech is acceptable", adding that "when illegal activity, like inciting violence or defamation, occurs, the proper channel to deal with it is the legal system." After terminating service for The Daily Stormer, Cloudflare sought to create an alliance of free speech organizations so the company could stand up to pressure in the future. A number of organizations, including The Electronic Frontier Foundation, joined a Cloudflare project called Project Galileo to support their free speech stance.
According to The Huffington Post, Cloudflare provides services to "at least 7 terrorist groups", as designated by the United States Department of State. According to the article, Cloudflare provides services to the Taliban, Hamas, the al-Quds Brigades, and other terrorist groups, have been aware since at least 2012, and have taken no action. According to Cloudflare's CEO, no law enforcement agency has asked the company to discontinue these services.
In 2019, Cloudflare was criticized for providing services to the discussion and imageboard 8chan, which allows users to post and discuss any content with minimal interference from site administrators. The message board has been linked to mass shootings in the United States and the Christchurch mosque shootings in New Zealand. In addition, a number of news organizations including The Washington Post and The Daily Dot have reported the existence of child pornography and child sexual abuse discussion boards. A Cloudflare representative has been quoted by the BBC saying that the platform "does not host the referenced websites, cannot block websites, and is not in the business of hiding companies that host illegal content". In an August 3 interview with The Guardian, immediately following the 2019 El Paso shooting, CEO Matthew Prince defended Cloudflare's support of 8chan, saying:
Two days later, Cloudflare announced that they were terminating support for 8chan due to the consistent use of the site for terror purposes. In the announcement, CEO Matthew Prince said that he believed Cloudflare's refusal to provide services to 8chan would not permanently take the site offline, and compared the decision to the previous events with The Daily Stormer:
8chan later moved to BitMitigate, though BitMitigate's decision to host the website resulted in their primary cloud infrastructure provider Voxility terminating services with the company.
In April 2020, Cloudflare launched the DNS service "1.1.1.1 for Families", aimed at blocking malware and preventing children from seeing adult content. The service was criticized for denying access to LGBT resources and sex education websites. Cloudflare CEO Matthew Prince promised an immediate fix.

Content neutrality

Cloudflare has been vocal about their stance on freedom of speech, with CEO Matthew Prince stating:
Cloudflare services have been used by Rescator, a carding website that sells stolen payment card data.
Two of the top three online chat forums belonging to the Islamic State of Iraq and the Levant are guarded by Cloudflare. According to Prince, U.S. law enforcement has not asked Cloudflare to discontinue the service, and they have not chosen to do so themselves.
In November 2015, hacktivist group Anonymous discouraged the use of Cloudflare's services following the ISIL attacks in Paris and the renewed accusation that Cloudflare aids terrorists. Cloudflare responded by calling the group "15-year-old kids in Guy Fawkes masks", and saying that whenever such concerns are raised they consult anti-terrorism experts and abide by the law.
Breaking with its long-standing policy of total content neutrality, Cloudflare ceased providing services to the neo-Nazi, white supremacist, and Holocaust denial commentary and message board website The Daily Stormer on August 16, 2017, in the aftermath of the fatal vehicular attack at the Charlottesville rally four days earlier. This dropped the website's protection against DDoS attacks, and soon thereafter attackers took down the website. Prince stated, "I woke up this morning in a bad mood and decided to kick them off the internet," and said that the tipping point in the decision was that "the team behind Daily Stormer made the claim that we were secretly supporters of their ideology." Andrew Anglin, editor for The Daily Stormer, denied that his team made such a claim. The move to disconnect The Daily Stormer from Cloudflare services was criticized as dangerous by Prince himself and the Electronic Frontier Foundation.
In August 2019, Cloudflare terminated services to 8chan, an American imageboard, after the perpetrator of the 2019 El Paso shooting allegedly used the website to upload his manifesto.
In late 2019, Cloudflare was again criticized for providing services to the anti-black website Chimpmania. Hundreds of thousands signed a petition on Change.org urging Prince to terminate services to Chimpmania. The petition was created by the parents of a biracial baby who was born with gastroschisis and who was mocked as a “mulatto monkey baby” by site users, and whose pictures were posted on the site. Over the ten years the site has been active, numerous other petitions have also been leveled against it, none of which were successful.

Awards and recognition

The hacker group UGNazi attacked Cloudflare partially by exploiting flaws in Google's authentication systems in June 2012, gaining administrative access to Cloudflare and using it to deface 4chan. Cloudflare published in full the details of the hack. Following this, Google publicly announced they had patched the flaw in the Google Enterprise App account recovery process which had allowed the hackers to bypass two-step verification.
From September 2016 until February 2017, a major Cloudflare bug leaked sensitive data, including passwords and authentication tokens, from customer websites by sending extra data in response to web requests. The leaks resulted from a buffer overflow which occurred, according to analysis by Cloudflare, on approximately 1 in every 3,300,000 HTTP requests.

Privacy

Cloudflare publishes a transparency report on a semi-annual basis to show how often law enforcement agencies request data about its clients.
In May 2017, ProPublica reported that Cloudflare as a matter of policy relays the names and email addresses of persons complaining about hate sites to the sites in question, which has led to the complainants being harassed. Cloudflare's general counsel defended the company's policies by saying it is "base constitutional law that people can face their accusers". In response to the report, Cloudflare updated their abuse reporting process to provide greater control over who is notified of the complaining party.

Spam and phishing problems

Cloudflare is cited in reports by The Spamhaus Project, an international spam tracking organization, due to high numbers of cybercriminal botnet operations 'hosted' on Cloudflare services.
An October 2015 report found that Cloudflare provisioned 40% of SSL certificates used by phishing sites with deceptive domain names resembling those of banks and payment processors.

Outages

Cloudflare suffered a major outage on July 2, 2019, which rendered more than 12 million websites unreachable for 27 minutes. The affected websites responded with a blank 502 error page. Cloudflare published internal investigation results in which the cause of the outage was pinpointed to a faulty regular expression.
A similar outage occurred on July 17, 2020, causing a similar effect and impacting the same amount of sites.