
CloudFlare acquires CryptoSeal (YC S11) - rdl
http://www.securitycurrent.com/en/writers/richard-stiennon/cloudflare-acquires-cryptoseal
======
meowface
Relating to the excellent amount of funding Cloudflare has been getting...

How exactly does Cloudflare afford to be a reverse proxy for millions of
domains, at absolutely no charge? Are there some economies of scale I'm
missing here? Obviously they make a good amount of revenue from their premium
plans, but I suspect the vast, vast majority of all their users are on the
free tier.

They're nearly an ISP at this point, so from a very naive outsider's
perspective it sounds like they would be bleeding money from this approach.

~~~
cpa
Since SSL is only available on their paid plans, any websites with "serious"
features (user login, payment) will have to migrate to such a plan. Obviously,
you can serve your assets from cloudflare from a different domain than one you
use for html but you're not supposed to do that and you're mixing encrypted and
unencrypted data, which is usually bad.

~~~
rdl
SSL is actually going to be free by the end of 2014 for everyone. That's one
of the projects I'm working on now, although it pre-dates my joining
CloudFlare. That, and a few other less-public projects which are also
launching this year, were some of my main motivation for selling to CloudFlare
-- it's a huge network, and the founders and the rest of the team are
genuinely committed to doing things which make the Internet better (and then
make money in the process).

[http://www.theverge.com/2013/12/17/5217800/cloudflare-pledges-to-double-ssl-usage-on-the-web-in-2014](http://www.theverge.com/2013/12/17/5217800/cloudflare-pledges-to-double-ssl-usage-on-the-web-in-2014)

~~~
dmix
Offering free 'flexible' SSL is really good for the internet but using SNI SSL
certs for multiple businesses the way Cloudflare does has somewhat of a
security risk. Cloudflare shares certs for multiple domains at a time. One of
my domains was shared with 10 other sites when I checked on
[https://www.ssllabs.com/ssltest/](https://www.ssllabs.com/ssltest/). If one
domain gets their SSL cert compromised (by whatever means), it's safe to
assume the other 10 will be as well.

This is a (mostly minor) security risk worth considering these days when not
only are CAs semi-centralized but so are the certificates.

~~~
giovannibajo1
You're misrepresenting what happens. Cloudflare is not using SNI: it is simply
creating a certificate with multiple domains in it; contrary to popular
belief, SSL certificates can be valid for multiple disjoint domains through a
field called SAN (subject alternate names). So a single certificate served by
a single IP on an SSL terminator can be valid for multiple domains, without
having to use SNI. They probably have some custom agreement with their CA
(GlobalSign) for the economic part and for the fully-automatic provisioning
based on their control of the nameserver (instead of the usual link sent to
root@domain).

Another company doing the same is Google; they have a single certificate valid
for all their properties (youtube, google.*, etc.), so that they can have a
network in which SSL terminators are totally disjoint from the websites they
proxy for.

As for the security, the certificates' private keys are fully handled by
Cloudflare, and website owners don't get access to them. The security of a
website sharing the same certificate of your website is immaterial for your
security. You just need to worry that Cloudflare is not hacked, but that's
part of the deal once you start using it anyway, it doesn't get specifically
worse if you activate SSL.

I don't know if the TLS standard has some limit on the number of SAN, but
there is a technical limit, because the certificate gets bigger and bigger
(and thus connections slower and slower). Cloudflare probably has some per-
certificate limit (e.g.: 100 domains) after which they simply begin creating a
new certificate on a new IP.

I'm instead curious about how they plan to make SSL free for everybody by the
end of the year. Possibly through SNI, but I'm not sure; I would say the CA
cost outweighs the IP cost, but I'm not sure how the numbers for those services
work out at CloudFlare scale.

~~~
eastdakota
There's no technical limit on the number of SANs. However, as you speculated,
there is a practical limit. Our tests show that after about 40 SANs you start
to get a performance impact. So that limits the number of domains per cert to
~20 (since we include 2 SANs per domain, root.com & *.root.com).

Answer to the free question: SNI + IPv6. Hopefully one more reason for people
to adopt IPv6. And limited IPv4 space is a much bigger factor for us than the
CA cost.
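As an added example (not code from the thread, CloudFlare, or SSL Labs), here is how a site owner could reproduce the check dmix describes and apply the per-certificate figures eastdakota quotes: fetch a server's certificate with Python's standard `ssl` module, group the DNS SANs into root/wildcard pairs, and list which other domains share the certificate. The `SAN_SOFT_LIMIT` value is the thread's figure used as an assumed threshold, and the `.example` hostnames are constructed sample data.

```python
"""Inspect a TLS certificate's Subject Alternative Names (SANs) and report
which other domains share it. Added example, not code from the thread."""
import socket
import ssl
from collections import defaultdict

SAN_SOFT_LIMIT = 40  # figure quoted in the thread; an assumption, not a protocol rule


def fetch_san_list(host, port=443, timeout=5):
    """Fetch the live certificate for `host` (needs network) and return its DNS SANs.
    getpeercert() returns a dict whose 'subjectAltName' entry is a tuple of
    (type, value) pairs, e.g. (('DNS', 'example.com'), ('DNS', '*.example.com'))."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def registrable_name(san):
    """Collapse 'example.com' and '*.example.com' into one key ('example.com').
    Simplification (assumption): no public-suffix list, so 'x.co.uk' and
    'y.co.uk' are treated as separate domains, which is what we want here."""
    return san[2:] if san.startswith("*.") else san


def summarize_sans(san_list, my_domain):
    """Group SANs by domain and report how many other domains share the cert."""
    groups = defaultdict(list)
    for san in san_list:
        groups[registrable_name(san)].append(san)
    others = sorted(d for d in groups if d != registrable_name(my_domain))
    return {
        "san_count": len(san_list),          # raw SAN entries in the cert
        "domain_count": len(groups),         # root + wildcard counted once
        "shared_with": others,               # domains other than my own
        "over_soft_limit": len(san_list) > SAN_SOFT_LIMIT,
    }


# Constructed sample: a hypothetical shared certificate shaped as the thread
# describes (one CDN-owned name plus root + wildcard per customer domain).
SAMPLE_SANS = [
    "cdn-placeholder.example",
    "alpha.example", "*.alpha.example",
    "bravo.example", "*.bravo.example",
    "charlie.example", "*.charlie.example",
]

if __name__ == "__main__":
    print(summarize_sans(SAMPLE_SANS, "bravo.example"))
```

To run it against a live site, replace `SAMPLE_SANS` with `fetch_san_list("your-domain")`; the rest of the report is unchanged.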

~~~
giovannibajo1
Will we still be able to pay a moderate fee (like today) and skip SNI?

------
mkal_tsr
> We can’t begin to express how grateful we are for your support throughout
> this journey.

Looks like
[http://ourincrediblejourney.tumblr.com/](http://ourincrediblejourney.tumblr.com/)
may need an update

~~~
rdl
Indeed. That was intentional :)

~~~
davepeck
Congrats, all. May all our journeys be this incredible.

------
xkarga00
Post on the CloudFlare blog

[http://blog.cloudflare.com/cloudflare-acquires-cryptoseal](http://blog.cloudflare.com/cloudflare-acquires-cryptoseal)

------
jcr
Congrats Ryan!

I know you might not be able to talk about it much, but the article states
"re-introduce a CloudFlare VPN service later in 2015" but I'm wondering, "Why
late 2015?"

~~~
rdl
It was supposed to say "in 2015".

1) There are a bunch of other more-interesting and more-critical projects
coming up. There is cool stuff still to be done in the VPN space, but the
basics are out there now.

2) CloudFlare is already a huge network; it only makes sense to do something
like a VPN if/when we can do it really well.

~~~
jcr
I'm sure that together you'll do VPN _really_ well.

Now you have me looking forward to the CloudFlare blog post where they
describe the custom/customized hardware they've put together for the VPN
nodes. That will be some interesting reading...

------
jws
_…this acquisition is as much about acquiring the security chops of Ryan
Lackey as it is about getting into the VPN business._

_CryptoSeal customers have been notified that the service is being shut down.
For now. Both Lackey and Prince told securitycurrent that they would like to
re-introduce a CloudFlare VPN service later in 2015._

~~~
rdl
The CryptoSeal VPN service for consumers got shut down in the fall of 2013 and
all the users were migrated off in 2013.

The business managed VPN service was super easy to migrate; we had dedicated
infrastructure for customers, so it's just a matter of transitioning that to a
different ownership agreement in the same colo cage; the customers were
notified in advance and are fine with everything.

------
dmix
Congrats Ryan.

This part made me curious:

> it is about getting into the VPN business.

If I remember correctly, CryptoSeal for consumers was shut down after concerns
about the security/privacy of VPNs in general. Is Cloudflare in a better
position to offer a secure VPN in the US? Maybe they have some better lawyers
or infrastructure?

~~~
rdl
Actually yes on all of those points. CloudFlare has a pretty amazing general
counsel, Ken Carter, who in addition to being a great lawyer was in a colo
racking and stacking servers. He also is the point person for Project Galileo,
where CloudFlare offers free service to important free speech organizations.
It's also very well resourced financially.

CloudFlare has some pretty amazing infrastructure, which they've blogged about
-- great peering, lots of POPs, etc.

I was working on "how to do VPNs securely post-Snowden and post-Lavabit" after
shutting down the consumer VPN service, which is both a technical and legal
problem; we can definitely do it at CloudFlare.

------
Ayaz
Is this truly only an acquihire, or are they really looking into getting into
the VPN business?

------
brandonb
Congratulations Ryan!

~~~
declan
Ryan, congrats as well! Looking forward to reading your post about how the
sale happened, etc.

------
fearless
Why do you think CryptoSeal failed? What are some lessons learned from running
a YC startup for the past 3 years? It would be very interesting to see a
postmortem.

~~~
rdl
I wouldn't say it failed -- we never got an Internet-scale customer base, but
honestly the goal was "do awesome security stuff" more so than "become
Facebook".

I'm actually writing the post for Saturday; CloudFlare has a bunch of stuff
going on this week so I've been pretty busy on top of getting some odds and
ends resolved for this announcement.

