The need for speed (and security): Cloudflare has developed a new DNS service for PCs and phones

reasonablePrivacy · Jun 6, 2018

mood said: ↑

Cloudflare experiments with hidden Tor services
Matt Prince sets a daemon to work with the onions
June 6, 2018
https://www.theregister.co.uk/2018/06/06/cloudflare_experiments_with_hidden_tor_services/
Click to expand...

Wow, great!

mirimir · Jun 7, 2018

Wow. That is just so cool!

There is potential for great evil with services like Cloudflare. But I get that they are real "do no evil" people.

Dragon1952 · Jul 27, 2018

https://www.dnsperf.com/#!dns-resolvers

__Nikopol · Jul 27, 2018

A symbiotic relationship is the most basic thing on earth.

Yea. It could be evil or not. Like literally anything.

guest · Sep 18, 2018

Cloudflare’s new ‘one-click’ DNSSEC setup will make it far more difficult to spoof websites
September 18, 2018
https://techcrunch.com/2018/09/18/cloudflare-dnssec-one-click-securing-internet/

With “the click of one button,” the networking giant said Tuesday, its users can now switch on DNSSEC in their dashboard. In doing so, Cloudflare hopes it removes a major pain-point in adopting the web security standard, which many haven’t set up — either because it’s so complicated and arduous, or too expensive.

Cloudflare now wants to do the hard work in setting those crucial DS records, a necessary component in setting up DNSSEC, for customers on a supported registrar. Traditionally, setting a DS record has been notoriously difficult, often because the registrars themselves can be problematic.

Just like HTTPS was slow to adopt over the years — but finally took off in 2015 — there’s hope that DNSSEC can follow the same fate. The more companies that adoption the technology will help end users be less vulnerable to DNS attacks on the internet.
Click to expand...

Cloudflare blog:
Expanding DNSSEC Adoption
September 18, 2018
https://blog.cloudflare.com/automatically-provision-and-maintain-dnssec/

This week we are announcing our full support for CDS and CDNSKEY from RFC 8078. Put plainly: this will allow for setting up of DNSSEC without requiring the user to login to their registrar to upload a DS record. Cloudflare customers on supported registries will be able to enable DNSSEC with the click of one button in the Cloudflare dashboard. [...]
Click to expand...

guest · Sep 20, 2018

Cloudflare Ends CAPTCHAs for TOR Users While Blocking Bad Actors
September 20, 2018
https://www.bleepingcomputer.com/ne...chas-for-tor-users-while-blocking-bad-actors/

Cloudflare announces today its own onion service, which should make anonymous access easier to websites in its network, and reduce the malicious traffic aimed at them.

Using the Tor browser to visit websites anonymously can be pretty frustrating for the regular user, who has to prove their human condition by solving CAPTCHA riddles that are difficult on the eyes.
Cloudflare onion service
Users visiting websites in the Cloudflare network that are accessed through Tor Browser 8.0 and above can enjoy improved security and performance without having to pick crosswalks, street signs, store fronts, cars, buses or whatnot in CAPTCHAs.

The onion services does not offer Cloudflare more visibility, since all connections run through Tor network and the company does not control any entry, relay or exit node; so no new traffic is introduced.

Onion Routing is currently available to all Cloudflare customers for free, and it is enabled by default under the Cryto tab of the dashboard.
Click to expand...

Cloudflare blog:
Introducing the Cloudflare Onion Service
September 20, 2018
https://blog.cloudflare.com/cloudflare-onion-service/

guest · Sep 24, 2018

Cloudflare Improves Privacy by Encrypting the SNI During TLS Negotation
September 24, 2018
https://www.bleepingcomputer.com/ne...-by-encrypting-the-sni-during-tls-negotation/

Cloudflare announces today support for encrypted Server Name Indication, a mechanism that makes it more difficult to track user's browsing.

This initial conversation in the TLS negotiation process happens in the clear, exposed to every node along the way, allowing an observer to track users or to influence (block, slow down) the connection to websites it does not sympathize.
Enter Encrypted Server Name Indication
An encrypted SNI (ESNI) eliminates the risk of exposing the destination name. The ESNI specification is currently available as an experimental design, with a proposed draft set to expire on March 22. It is an extension to the TLS protocol version 1.3 and above, where there is support for delivering the website certificate through the encrypted part of the TLS handshake.

The company says that ESNI is enabled for all websites. Since the specification is not in its final stage of development, it is not widely available in client applications.
Click to expand...

summerheat · Sep 25, 2018

Cloudflare has announced that they started supporting Encrypted SNI. This is great news as that means that SNI no longer leaks the sites you're browsing to your ISP or other parties listening - provided that DoT or DoH is used.

More details here. A Firefox Nightly that will support ESNI is expected to be available this week. Other DNS providers will certainly support ESNI before long, too.

EDIT: Oops - @mood was a bit faster

142395 · Sep 26, 2018

mood said: ↑

Cloudflare Improves Privacy by Encrypting the SNI During TLS Negotation
September 24, 2018
https://www.bleepingcomputer.com/ne...-by-encrypting-the-sni-during-tls-negotation/
Click to expand...

Note, as mentioned in articles (they've published 2 articles), it's only applicable to TLS1.3 & makes sense only when you've already encrypted DNS. As to destination IP problem, I believe their coming solution will be using gateway.

Minimalist · Sep 28, 2018

Cloudflare gets into registrar business with wholesale domains and free privacy

Cloudflare, the content delivery network and website security provider, has increasingly been pushing into businesses that intersect with its core missions. Earlier this year, the company rolled out a new, free DNS service to help Internet users evade censorship (including an encrypted DNS service to evade surveillance of domain address queries). Now, the company has announced a barrage of new services to celebrate its eighth "birthday"—and one of them is an at-cost domain registrar.
Click to expand...

https://arstechnica.com/information...ness-with-wholesale-domains-and-free-privacy/

guest · Nov 11, 2018

Cloudflare launches Android and iOS apps for its 1.1.1.1 service
Company makes it easy for mobile users to hide their DNS traffic from nosy ISPs
November 11, 2018
https://www.zdnet.com/article/cloudflare-launches-android-and-ios-apps-for-its-1-1-1-1-service/

Cloudflare launched today official mobile apps for its 1.1.1.1 privacy-first DNS resolver service. Mobile apps for Android and iOS are now available on their respective app stores.

With today's Android and iOS apps, Cloudflare has made switching to 1.1.1.1 as your phone's primary DNS server as easy as pushing a button.
The official 1.1.1.1 mobile apps have been launched today on Google's Play Store and Apple's App Store after a private beta versions were launched and successfully tested since last month.
Click to expand...

Stefan Froberg · Nov 11, 2018

Encrypted DNS, onion service, Encrypted SNI, whois privacy for free....
Dang, Cloudflare seems okay

WildByDesign · Nov 11, 2018

I was checking out Cloudflare's "Browsing Experience Security Check", particularly learning more about their Encrypted SNI.
Link: https://www.cloudflare.com/ssl/encrypted-sni/

NiteRanger · Nov 11, 2018

summerheat said: ↑

Cloudflare has announced that they started supporting Encrypted SNI. This is great news as that means that SNI no longer leaks the sites you're browsing to your ISP or other parties listening - provided that DoT or DoH is used.

More details here. A Firefox Nightly that will support ESNI is expected to be available this week. Other DNS providers will certainly support ESNI before long, too.

EDIT: Oops - @mood was a bit faster
Click to expand...

I tested below using FF for android set to DoH but SNI is NOT encrypted. So is it supported on android?

https://www.cloudflare.com/ssl/encrypted-sni/

summerheat · Nov 14, 2018

NiteRanger said: ↑

I tested below using FF for android set to DoH but SNI is NOT encrypted. So is it supported on android?

https://www.cloudflare.com/ssl/encrypted-sni/
Click to expand...

You probably missed that my post was referring to Firefox Nightly.

ronjor · Mar 12, 2019

Software firm Cloudflare raises $150 million

March 12, 2019 Reporting by Supantha Mukherjee in Bengaluru; Editing by Shinjini Ganguli
The San Francisco, California-based company had been looking to go public in the first half of this year that could value it at more than $3.5 billion, Reuters had earlier reported citing sources.
Click to expand...

guest · Mar 18, 2019

New HTTPS Interception Tools Available from Cloudflare
March 18, 2019
https://www.bleepingcomputer.com/ne...interception-tools-available-from-cloudflare/

Cloudfare announced the introduction of two new tools, an open source library for HTTPS interception detection named MITMEngine and a dashboard which displays statistics metrics about TLS connections being intercepted as observed by Cloudflare on its network called MALCOLM.

According to the company, HTTPS interception can occur when devices come with an installed root certificate which might allow a third party to decrypt and inspect Internet traffic or when "an origin server provides its TLS private key to a third party (like a reverse proxy) that does TLS termination."
The company also introduced the MALCOLM dashboard, a publicly accessible tool designed to display "HTTPS interception statistics collected by MITMengine (Monster-In-The-Middle engine), Cloudflare's HTTPS interception detector."
Click to expand...

Rasheed187 · Mar 20, 2019

mood said: ↑

New HTTPS Interception Tools Available from Cloudflare
March 18, 2019
https://www.bleepingcomputer.com/ne...interception-tools-available-from-cloudflare/
Click to expand...

I don't understand, what exactly do these tools do? Can they tell you if apps on your system (like AV) are trying to sniff HTTPS traffic?

guest · Aug 22, 2019

mood said: ↑

New HTTPS Interception Tools Available from Cloudflare
March 18, 2019
https://www.bleepingcomputer.com/ne...interception-tools-available-from-cloudflare/
Click to expand...

HTTPS everywhere? Cloudflare planning improvements to middlebox detection utility
Researchers aiming to make MITMEngine more accurate and flexible
August 22, 2019
https://portswigger.net/daily-swig/...g-improvements-to-middlebox-detection-utility

Cloudflare is working on numerous improvements to MITMEngine, an open source utility that’s designed to detect HTTPS interception, a tell-tale sign of potentially suspicious activity.

At Black Hat USA earlier this month, Cloudflare’s Gabriele Fisher and Luke Valenta offered a deep dive into HTTPS interception practices, in which TLS-terminating middleboxes or middleware can be used to potentially snoop on internet users, or even steal private data.
Start your MITMEngine
Cloudflare’s MITMEngine can help a server to identify suspicious or potentially vulnerable clients connecting to its network. The server can use this knowledge to notify legitimate users that their connection security might be either degraded or compromised.
Click to expand...

Nanobot · Apr 1, 2020

https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

Introducing 1.1.1.1 for Families — the easiest way to add a layer of protection to your home network and protect it from malware and adult content. 1.1.1.1 for Families leverages Cloudflare's global network to ensure that it is fast and secure around the world. And it includes the same strong privacy guarantees that we committed to when we launched 1.1.1.1 two years ago. And, just like 1.1.1.1, we're providing it for free and it’s for any home anywhere in the world.
Click to expand...

Log in or Sign up

The need for speed (and security): Cloudflare has developed a new DNS service for PCs and phones

reasonablePrivacy Registered Member

mirimir Registered Member

Dragon1952 Registered Member

__Nikopol Registered Member

guest Guest

guest Guest

guest Guest

summerheat Registered Member

142395 Guest

Minimalist Registered Member

guest Guest

Stefan Froberg Registered Member

WildByDesign Registered Member

NiteRanger Registered Member

summerheat Registered Member

ronjor Global Moderator

guest Guest

Rasheed187 Registered Member

guest Guest

Nanobot Registered Member

Log in or Sign up

The need for speed (and security): Cloudflare has developed a new DNS service for PCs and phones

reasonablePrivacy Registered Member

mirimir Registered Member

Dragon1952 Registered Member

__Nikopol Registered Member

guest Guest

guest Guest

guest Guest

summerheat Registered Member

142395 Guest

Minimalist Registered Member

guest Guest

Stefan Froberg Registered Member

WildByDesign Registered Member

NiteRanger Registered Member

summerheat Registered Member

ronjor Global Moderator

guest Guest

Rasheed187 Registered Member

guest Guest

Nanobot Registered Member

Useful Searches