• 10% of Internet traffic is secured by a wall of lava lamps

    To generate random encryption keys, Cloudflare, one of the largest DNS providers in the world, uses an algorithm, a camera and about a hundred lava lamps in shimmering colours.

    Cloudflare is a DNS provider that manages, protects and secures millions of website domain names, acting as an intermediary between the site’s hosting provider and the user. Every day, according to the analytics site W3tech, between 6 and 10% of HTTP and HTTPS requests pass through the company’s secured channels. An absolutely colossal flow for its data centres, which must at all costs be protected against attacks, and in particular against denial-of-service (DDoS) attacks, on pain of a new Mirai-style scenario (the botnet that floored the DNS provider Dyn, knocking out part of the American Internet for the whole day of 21 October).

    To avoid this kind of mishap, Cloudflare secures its data by encrypting it. And that is where the lava lamps come in.

    So here is how LavaRand works (“rand” here standing for a random function, “random”), the system Cloudflare built from a concept devised by the firm Silicon Graphics, whose patent dates back to 1996. The wall of lamps generates wax bubbles in an unpredictable way; a camera fixed in a corner of the room films it all; the images are turned into “a stream of random, unpredictable bits”, which are then fed to the pseudo-random generator, which in turn generates enormous volumes of numbers from this “seed” to encrypt data traffic.

    Besides its lava lamps, the DNS provider has other physical systems for generating unbreakable keys, ZDNet explains: the London office has a “chaotic pendulum” made of three elements, and the Singapore office bases its encryption on a radioactive source.

  • Here’s How Web Service Cloudflare Helps Serve up Hate on the Internet That Fuels Real-Life Killings | Alternet

    The operations of such extreme sites are made possible, in part, by an otherwise very mainstream internet company — Cloudflare. Based in San Francisco, Cloudflare operates more than 100 data centers spread across the world, serving as a sort of middleman for websites — speeding up delivery of a site’s content and protecting it from several kinds of attacks. Cloudflare says that some 10 percent of web requests flow through its network, and the company’s mainstream clients range from the FBI to the dating site OKCupid.

    The widespread use of Cloudflare’s services by racist groups is not an accident. Cloudflare has said it is not in the business of censoring websites and will not deny its services to even the most offensive purveyors of hate.

    “A website is speech. It is not a bomb,” Cloudflare’s CEO Matthew Prince wrote in a 2013 blog post defending his company’s stance. “There is no imminent danger it creates and no provider has an affirmative obligation to monitor and make determinations about the theoretically harmful nature of speech a site may contain.”

    In testimony Tuesday before the Senate Judiciary Committee, Chief Will D. Johnson, chair of the International Association of Chiefs of Police Human and Civil Rights Committee, highlighted the reach and threat of hate on the Internet.

    “The internet provides extremists with an unprecedented ability to spread hate and recruit followers,” he said. “Individual racists and organized hate groups now have the power to reach a global audience of millions and to communicate among like-minded individuals easily, inexpensively, and anonymously.

    “Although hate speech is offensive and hurtful, the First Amendment usually protects such expression,” Johnson said. “However, there is a growing trend to use the Internet to intimidate and harass individuals on the basis of their race, religion, sexual orientation, gender, gender identity, disability, or national origin.”

    Anglin appears quite comfortable with his arrangement with Cloudflare. It doesn’t cost him much either — just $200 a month, according to public posts on the site.

    “[A]ny complaints filed against the site go to Cloudflare, and Cloudflare then sends me an email telling me someone said I was doing something bad and that it is my responsibility to figure out if I am doing that,” he wrote in a 2015 post on his site. “Cloudflare does not regulate content, so it is meaningless.”

    Representatives from Rackspace and GoDaddy, two popular web hosts, said they try to regulate the kinds of sites on their services. For Rackspace, that means drawing the line at hosting white supremacist content or hate speech. For GoDaddy, that means not hosting the sort of abusive publication of personal information that Anglin frequently engages in.

    A former Cloudflare employee, Ryan Lackey, said in an interview that while he doesn’t condone a lot of what Auernheimer does, he did on occasion give technical advice as a friend and helped some of the Stormer’s issues get resolved.

    “I am hardcore libertarian/classical liberal about free speech — something like Daily Stormer has every right to publish, and it is better for everyone if all ideas are out on the internet to do battle in that sphere,” he said.

    Vick at the ADL agrees that Anglin has a right to publish, but said people have the right to hold to task the Internet companies that enable him.

    #idéologie_californienne #cyberlibertarianisme

  • DNSControl is a system for maintaining DNS zones. It has two parts: a domain specific language (DSL) for describing DNS zones plus software that processes the DSL and pushes the resulting zones to DNS providers such as Route53, CloudFlare, and Gandi. It can talk to Microsoft ActiveDirectory and it generates the most beautiful BIND zone files ever. It runs anywhere Go runs (Linux, macOS, Windows). The provider model is extensible, so more providers can be added.


    // define our registrar and providers
    var namecom = NewRegistrar("name.com", "NAMEDOTCOM");
    var r53 = NewDnsProvider("r53", "ROUTE53");

    // placeholder domain (RFC 2606) and documentation addresses (RFC 5737):
    // the original values did not survive extraction of this excerpt
    D("example.com", namecom, DnsProvider(r53),
      A("@", "192.0.2.1"),
      A("test", "192.0.2.2")
    );

  • Internet Backbone Provider Cogent Blocks Pirate Bay and other “Pirate” Sites

    If that’s true, it’s no small thing.

    Several Pirate Bay users from ISPs all over the world have been unable to access their favorite torrent site for more than a week. Their requests are being stopped in the Internet backbone network of Cogent Communications, which has blackholed the CloudFlare IP-address of The Pirate Bay and many other torrent and streaming sites.


    The sites in question all use CloudFlare, which assigned them the public IP-addresses and While this can be reached just fine by most people, users attempting to pass requests through Cogent’s network are unable to access them.

    The issue is not limited to a single ISP and affects a small portion of users all over the world, the United States and Europe included. According to Cogent’s own backbone routing check, it applies to the company’s entire global network.


    For now, however, we can only speculate what the reason or target is. Since so many of the sites involved are accused of facilitating copyright infringement, it seems reasonable to view that as a possible cause. However, this remains unconfirmed for now.

    #Cogent #AS174

  • CloudFlare Watch

    A website with a very critical (negative) point of view on CloudFlare’s business (and rightly so).

    CloudFlare is a venture-funded startup that routes around Internet abuse by acting as a reverse proxy. They also encourage illegality by allowing hackers, DDoSers, cyberbullies, and copyright pirates to hide behind their servers. By 2015, CloudFlare was even protecting websites that recruited for ISIS.

    There IS a danger in CloudFlare getting too big. It is a breeding ground.

    PS @thibnton: Reddit is also on CloudFlare.


  • The technical details of #Cloudflare’s “Keyless SSL [sic]” system:

    Of course, it’s largely marketing (their system isn’t “keyless” at all) but it’s fun. The problem is specific to hosting providers like CloudFlare (if you host your website yourself, you don’t need this technique). A serious website is reachable over #HTTPS for security and privacy reasons. But that means the host must know the private key matching the public key in the certificate of the host’s customer. Not great.

    The “Keyless SSL” solution consists of splitting the cryptographic operations in two. One part, the one that requires knowledge of the private key, stays on a server run by Cloudflare’s customer. The other, the most computationally intensive, is at Cloudflare. Between the two, a protocol designed by Cloudflare for which they provide a free-software implementation.

    #TLS #cryptographie