

Celebrating CloudFlare's 4th Birthday - jgrahamc
https://blog.cloudflare.com/celebrating-cloudflares-4th-birthday/

======
scaz
First letter of each paragraph = "SSL TLS FREE".

~~~
yetanotherHNacc
How on Earth do people spot things like this? <_<

~~~
espadrine
The clue was in the text.

> Finally, for people who like puzzles we've left a clue to our announcement
> right here on this page. With a little lateral thinking you may be able to
> figure it out.

~~~
yetanotherHNacc
Well dang, that is a very good clue.

------
throwaway2048
Wonder why DDOSes have been getting worse lately? DDOS groups are putting
their sites behind Cloudflare so they cannot be DDOSed off the internet by
rival groups, thus their "services" become a lot more accessible, and they
have grown bolder.

This is a grave conflict of interest for Cloudflare, they have no incentive to
stop them, after all, it generates more business for Cloudflare.

This absolutely needs to be addressed.

[http://krebsonsecurity.com/2013/05/ddos-services-advertise-o...](http://krebsonsecurity.com/2013/05/ddos-services-advertise-openly-take-paypal/)

~~~
yetanotherHNacc
It is because many DDoS websites sitting behind Cloudflare are FBI run. See
titaniumstresser[0] as an example. One of their sub-domain's IP address is
allocated to the FBI[1]. Seems like the longest lasting sites peddling stolen
info, child pornography, or malicious services are all run by feds.

Hostname: direct.titaniumstresser.net IP Address: 153.31.25.12 Organization:
FBI Criminal Justice Information Systems

[0] [http://titaniumstresser.net/](http://titaniumstresser.net/)

[1] [http://direct.titaniumstresser.net.ipaddress.com/](http://direct.titaniumstresser.net.ipaddress.com/)

~~~
slipstream-
LOL, that's just so someone (of a rival group) who tries to get their real IP
address (to ddos them), finds that subdomain, and doesn't look closely, and
goes to ddos the FBI.

~~~
meowface
Correct.

Many automated scripts script kiddies use to DDoS will do a basic check for
subdomains like "direct.domain.com" and "direct-connect.domain.com" if the
target domain is behind Cloudflare, and the scripts are naive and immediately
assume that's the server's real IP.

Setting it to the IP of a site they dislike is also a popular choice.
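
The defensive counterpart of the subdomain check described in this sub-thread, as an added example that is not part of the original discussion: an audit of your own DNS zone export for names that resolve, directly or through a CNAME, to the origin server instead of the proxy. The zone, names and address ranges are constructed (documentation ranges); `audit_zone` and `resolve` are hypothetical helper names.

```python
import ipaddress

# Constructed sample data: documentation-range addresses, hypothetical names.
PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # stand-in for the proxy's edge ranges
ORIGIN_IPS = {ipaddress.ip_address("203.0.113.10")}     # the real server behind the proxy
ZONE = [  # (name, type, value) rows as exported from your own zone
    ("example.test", "A", "198.51.100.7"),
    ("www.example.test", "CNAME", "example.test"),
    ("direct.example.test", "A", "203.0.113.10"),
    ("ftp.example.test", "CNAME", "direct.example.test"),
    ("mail.example.test", "A", "203.0.113.10"),
    ("status.example.test", "A", "192.0.2.55"),
    ("loop.example.test", "CNAME", "loop.example.test"),
]

def resolve(name, zone, max_hops=8):
    """Follow CNAMEs inside the zone export and return the final A addresses."""
    seen, names, addrs = set(), {name}, set()
    for _ in range(max_hops):
        nxt = set()
        for n in names - seen:
            seen.add(n)  # guards against CNAME loops
            for rname, rtype, value in zone:
                if rname != n:
                    continue
                if rtype == "A":
                    addrs.add(ipaddress.ip_address(value))
                elif rtype == "CNAME":
                    nxt.add(value)
        if not nxt:
            break
        names = nxt
    return addrs

def audit_zone(zone, origin_ips, proxy_nets):
    """Classify every name: proxied, exposes-origin, unproxied or unresolved."""
    report = {}
    for name in sorted({r[0] for r in zone}):
        addrs = resolve(name, zone)
        if not addrs:
            report[name] = "unresolved"
        elif addrs & origin_ips:
            report[name] = "exposes-origin"  # bypasses the proxy entirely
        elif all(any(a in net for net in proxy_nets) for a in addrs):
            report[name] = "proxied"
        else:
            report[name] = "unproxied"       # third-party host, not the origin
    return report

if __name__ == "__main__":
    for name, status in audit_zone(ZONE, ORIGIN_IPS, PROXY_NETS).items():
        print(f"{status:15} {name}")
```

Any name reported as `exposes-origin` should be moved behind the proxy, removed, or hosted elsewhere, and the origin firewall should accept web traffic only from the proxy's ranges.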

------
anon1385
CloudFlare is the biggest MITM attack in the history of the internet. Why are
we putting this much power in the hands of a few US citizens, who are legally
obliged to record all that unencrypted data passing through their servers?

~~~
zuck9
Most sites which are not on HTTPS now are static sites like blogs etc. Google
recently announced HTTPS will be determining SERP so many webmasters are going
to use it anyway even with a MITM.

~~~
tokenizerrr
> Google recently announced HTTPS will be determining SERP

Seriously? So now I have to buy into the corrupt CA system in order to rank
well in searches? :/

~~~
spindritf
It's supposed to be a minor ranking signal for now.

[http://googleonlinesecurity.blogspot.com/2014/08/https-as-ra...](http://googleonlinesecurity.blogspot.com/2014/08/https-as-ranking-signal_6.html)

------
aytekin
CloudFlare has solved the DDoS problem for us. Because we constantly fight
with phishers, before we switched to CloudFlare, we would get hit by massive
DDoS attacks at least once a year, and that would result in downtime and in
getting kicked out of a dedicated server provider or being asked high fees to
put us on a dedicated network. After moving to CloudFlare, we are not even
aware of it if we get hit by a DDoS.

We are very thankful to CloudFlare! Happy birthday!

------
iancarroll
Going to be interesting how they've solved this - my guess is an intermediary
cert they've obtained. Must be pretty recent though, as it's not in my
intermediary database[0].

GlobalSign also has an unlimited SSL cert offering, but it doesn't come with
SANs (they could have arranged something though).

0: [https://github.com/iangcarroll/ca-intermediaries](https://github.com/iangcarroll/ca-intermediaries)

~~~
innocenat
They offer SSL with a CloudFlare-issued cert for non-free plans already. I
assume they use the old method of obtaining certs. Also, I think at their scale
they can get a special plan from a CA.

~~~
iancarroll
They pay GlobalSign _roughly_ $4000 (most are 3 yrs in length, that's for all
three), which is only used to power SSL for about twenty domains (this
obviously varies but it's what I've seen before, and it should be able to
support 50 or 100 total domains).

Free SSL would not be practical with their old method.

~~~
innocenat
No offence, but considering that their Pro plan which includes SSL starts at
$20 for the first, and $5 for the rest per account. At 50*$20 it's only $1000.
That doesn't sound right.

~~~
iancarroll
It's a yearly fee! :)

Also updated my comment with a better estimate of the pricing (we've talked w/
GlobalSign about this before actually)

------
arikrak
It's great that they're finally coming out with free SSL for everyone. They
planned to come out with it in early 2014 but ran into a number of technical
issues.

[http://www.theverge.com/2013/12/17/5217800/cloudflare-pledge...](http://www.theverge.com/2013/12/17/5217800/cloudflare-pledges-to-double-ssl-usage-on-the-web-in-2014)

------
lazyant
Hoping for the automatic DNS fail-over feature to be implemented soon

------
LukeB_UK
It's also Google's birthday today.

~~~
zuck9
I think they celebrate on 1st April.

