I just finished listening to a rather interesting podcast episode with Cloudflare's "Chief Cryptographer" Nick Sullivan and wanted to recommend it to people who are interested in any of the mentioned topics.
Especially so, because Cloudflare is arguably one of the most controversial companies involved in running the Internet: they're not just serving a considerable amount of Web traffic via their CDN, but also a considerable amount of DNS traffic via their public 1.1.1.1 resolver. Both come with a lot of responsibility, even more so in combination, due to a large amount of trust being centralized in a single corporate entity.
The topics discussed in the episode (citing from the podcast's summary):
- Nick’s background as a cryptographer and previous position at Apple
- The Internet’s infrastructure and trust model
- How Cloudflare is experimenting with IPFS
- The challenges to hosting static websites with IPFS
- Cloudflare’s Onion routing service (Tor) and the benefits to users
- The Roughtime protocol and encrypted SNI
- Cloudflare’s contribution to open-source cryptography libraries
- The vulnerabilities of DNS and Cloudflare’s free private DNS service (1.1.1.1)
Interesting tidbits
On IPFS
Probably the most exciting news, which I somehow missed or forgot about, is that Cloudflare have launched a public IPFS HTTP gateway called Distributed Web Gateway during their Crypto Week a few months ago.
This is great for two reasons. First, Cloudflare nodes around the world are now relaying IPFS data to other IPFS nodes, in addition to serving cached content via their gateway. Second, IPFS is a content-addressed storage system: the identifier in the URL (the CID) is derived from a cryptographic hash of the content, so a client can verify for itself that what the CDN delivered is exactly what was requested, by recomputing the hash and comparing it with the CID. The caveat is that a browser fetching /ipfs/<CID> from the gateway over plain HTTPS does not perform that check on its own; the integrity guarantee only materializes if the client actually recomputes the hash.
This eliminates one of the main trust issues with CDN delivery: ensuring content integrity from source to end user. And in this case, the source is not even a server, but a completely decentralized peer-to-peer network. Win-win-win in my book.
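What that client-side check looks like in practice, as an added example that is not part of the original post and not Cloudflare's or IPFS's own code: the block below encodes and decodes CIDv1 identifiers of the "raw" kind (multicodec 0x55, multihash sha2-256), which commit directly to the SHA-256 of the bytes served, and uses them to verify a gateway response. It assumes the gateway hands back a raw block; the older Qm... CIDv0 identifiers commit to a serialized DAG node rather than the bare bytes and are deliberately rejected here rather than half-verified. The sample content is constructed, and the function names are mine.

```python
import base64
import hashlib
import hmac

# Multicodec/multihash constants that make up a CIDv1 "raw" identifier.
CID_VERSION = 0x01
CODEC_RAW = 0x55        # multicodec "raw": the CID commits to the bytes themselves
MH_SHA2_256 = 0x12      # multihash function code for SHA-256
MH_SHA2_256_LEN = 0x20  # 32-byte digest


def raw_cid_v1(data: bytes) -> str:
    """Return the base32 CIDv1 (raw codec, SHA-256) naming a block of bytes."""
    digest = hashlib.sha256(data).digest()
    cid_bytes = bytes([CID_VERSION, CODEC_RAW, MH_SHA2_256, MH_SHA2_256_LEN]) + digest
    # Multibase prefix 'b' means lowercase base32 without '=' padding.
    return "b" + base64.b32encode(cid_bytes).decode("ascii").lower().rstrip("=")


def expected_digest(cid: str) -> bytes:
    """Decode a base32 CIDv1 and return the SHA-256 digest it commits to.

    Only the raw/sha2-256 shape is accepted. Anything else (CIDv0 "Qm..."
    strings, dag-pb CIDs, other hash functions) raises, so a caller can never
    silently "verify" content against a hash it did not actually check.
    """
    if not cid.startswith("b"):
        raise ValueError("only base32 (multibase 'b') CIDv1 strings are handled here")
    body = cid[1:].upper()
    body += "=" * (-len(body) % 8)  # restore the padding the decoder expects
    raw = base64.b32decode(body)
    if len(raw) != 4 + MH_SHA2_256_LEN:
        raise ValueError("unexpected CID length")
    header = (raw[0], raw[1], raw[2], raw[3])
    if header != (CID_VERSION, CODEC_RAW, MH_SHA2_256, MH_SHA2_256_LEN):
        raise ValueError("not a CIDv1 raw/sha2-256 identifier")
    return raw[4:]


def verify_gateway_response(cid: str, body: bytes) -> bool:
    """True iff `body` is exactly the block that `cid` names."""
    actual = hashlib.sha256(body).digest()
    return hmac.compare_digest(actual, expected_digest(cid))


if __name__ == "__main__":
    # Constructed sample: the bytes a publisher added to IPFS ...
    published = b"hello from the distributed web\n"
    cid = raw_cid_v1(published)
    # ... and two candidate HTTP bodies a gateway might return for /ipfs/<cid>.
    print(cid, verify_gateway_response(cid, published))
    print(cid, verify_gateway_response(cid, published.replace(b"hello", b"jello")))
```

The comparison uses a constant-time check out of habit rather than necessity; the important design choice is that `expected_digest` refuses every CID shape it does not fully understand, so a gateway cannot downgrade the check by answering with an identifier the client would accept without validating.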
On Tor
According to Nick, most incoming traffic to CDNs from Tor is actually attack traffic, because it is impossible to trace back (unless you're the NSA, for all we know). So for the longest time you had to fill in CAPTCHAs for Cloudflare-cached sites when browsing via Tor.
However, also during Crypto Week, Cloudflare introduced an onion routing service, developed in coordination with the Tor developers, which solves the problem for anyone using Tor Browser 8.0+. Cloudflare's edge is now reachable as Tor onion services, and a site's normal HTTPS response advertises the onion address in the Alt-Svc header; Tor Browser 8.0+ then opens an HTTP/2 connection to that onion service for subsequent requests (the change is enabled by default for all customers). As a result, Tor users don't go through a Tor exit node at all to retrieve that content, and the request no longer arrives from an exit node's IP address, which is what triggered the CAPTCHAs in the first place.
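As an added example (mine, not Tor Browser's or Cloudflare's code), here is the client-side decision a Tor-aware HTTP client has to make when it sees such an Alt-Svc header: keep only the alternatives that are well-formed onion addresses with a protocol it speaks, and ignore everything else. It assumes the RFC 7838 Alt-Svc syntax (`protocol="host:port"; param=value, ...`) and that the onion address is the 16-character (v2) or 56-character (v3) base32 form; the onion hostnames used in the sample headers are constructed and fictitious, and the function and type names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence

# Shape of a Tor onion hostname: base32 [a-z2-7], 16 chars (v2) or 56 chars (v3).
_ONION_HOST = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")

# One RFC 7838 alternative: protocol-id="alt-authority" followed by ;parameters.
# Alternatives are comma-separated, so parameters stop at ';' or ','.
_ALTERNATIVE = re.compile(r'\s*([A-Za-z0-9\-./]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)')


@dataclass(frozen=True)
class OnionAlternative:
    protocol: str
    host: str
    port: int
    max_age: int  # seconds the client may keep using this alternative


def parse_onion_alternatives(alt_svc: str,
                             allowed_protocols: Sequence[str] = ("h2",)) -> List[OnionAlternative]:
    """Return only the alternatives in an Alt-Svc header value that point at an onion service.

    Malformed entries, clearnet hosts, empty hosts (":443" means "same host"),
    bad ports and protocols the client does not speak are all dropped rather
    than followed. "Alt-Svc: clear" invalidates everything and yields [].
    """
    found: List[OnionAlternative] = []
    if alt_svc.strip().lower() == "clear":
        return found
    for match in _ALTERNATIVE.finditer(alt_svc):
        protocol, authority, params = match.group(1), match.group(2), match.group(3)
        if protocol not in allowed_protocols:
            continue
        host, sep, port_text = authority.rpartition(":")
        if not sep or not port_text.isdigit():
            continue
        port = int(port_text)
        if not 0 < port < 65536:
            continue
        host = host.lower()
        if not _ONION_HOST.match(host):
            continue
        max_age = 86400  # RFC 7838 default when "ma" is absent
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.strip().lower() == "ma" and value.strip().isdigit():
                max_age = int(value.strip())
        found.append(OnionAlternative(protocol, host, port, max_age))
    return found


if __name__ == "__main__":
    # Constructed header: one fictitious onion alternative plus a clearnet one.
    header = 'h2="exampleonion2345.onion:443"; ma=86400; persist=1, h2="cdn.example.net:443"'
    for alt in parse_onion_alternatives(header):
        print(f"use {alt.protocol}://{alt.host}:{alt.port} for {alt.max_age}s")
```

The filtering is the whole point: an Alt-Svc header is attacker-influenced input from the client's perspective (any middlebox that can tamper with the response could inject one), so the client only ever switches to an alternative it can check is an onion address, never to an arbitrary host the header names.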
On decentralized DNS in 1.1.1.1
When asked about Namecoin, Nick's answer was rather surprising to me:
We've talked to the Namecoin folks, we've talked to the folks at Ethereum [...] Right now we're mostly investing in how we can make the IPFS gateway better. [...] But down the line, you shouldn't be surprised to see any one of those pop up.
On the 1.1.1.1 IP address
Cloudflare didn't actually buy the 1.1.1.1 address (or rather the prefix it sits in). The 1.0.0.0/8 block is allocated to APNIC, which lets Cloudflare announce 1.1.1.0/24 for free, because that prefix attracts so much junk traffic from devices and software that use 1.1.1.1 as a placeholder address that nobody else wants it on their network. ¯\_(ツ)_/¯