CloudFlare acquires CryptoSeal (YC S11) (securitycurrent.com)
58 points by rdl on June 18, 2014 | hide | past | favorite | 45 comments



Relating to the excellent amount of funding Cloudflare has been getting...

How exactly does Cloudflare afford to be a reverse proxy for millions of domains, at absolutely no charge? Are there some economies of scale I'm missing here? Obviously they make a good amount of revenue from their premium plans, but I suspect the vast, vast majority of all their users are on the free tier.

They're nearly an ISP at this point, so from a very naive outsider's perspective it sounds like they would be bleeding money from this approach.


There are huge economies of scale; bandwidth gets a LOT cheaper when you're buying it in CloudFlare-sized quantities.

Another "secret" is CloudFlare doesn't do video (which is documented all over the product). Video is huge; every other kind of traffic combined is still pretty small compared to video.


You never read their terms of service which is likely why:

* http://phoboslab.org/log/2013/02/how-much-traffic-is-too-muc...

* https://www.cloudflare.com/terms

Specifically, the Non-html caching bit.

In other words, if you are a significant user of bandwidth... Cloudflare will charge you accordingly [and as you can see from the solution in the blog post, it is much cheaper to just rent a dedicated server than go through Cloudflare if you are willing to give up the CDN cache].

Cloudflare doesn't care about anyone using relatively small quantities of bandwidth because even in aggregate, they aren't costing Cloudflare enough to be a problem.

The other part is....

I doubt Cloudflare is paying "sticker price" for its bandwidth. Places like HE.net sell cheap bandwidth @ $.45/mbps. I wouldn't be surprised if Cloudflare has as good or even better rates at every POP they have.

You are probably thinking of the retail price of Amazon's bandwidth [which is like $.10 a GB. To give you an idea, at $600/mo colo with HE.net you'd have about $2,000-$3,000 worth of bandwidth at Amazon's prices depending on the usage pattern].


Since SSL is only available on their paid plans, any websites with "serious" features (user login, payment) will have to migrate to such a plan. Obviously, you can serve your assets from Cloudflare from a different domain than the one you use for HTML, but you're not supposed to do that and you're mixing encrypted and unencrypted data, which is usually bad.


SSL is actually going to be free by the end of 2014 for everyone. That's one of the projects I'm working on now, although it pre-dates my joining CloudFlare. That, and a few other less-public projects which are also launching this year, were some of my main motivation for selling to CloudFlare -- it's a huge network, and the founders and the rest of the team are genuinely committed to doing things which make the Internet better (and then make money in the process).

http://www.theverge.com/2013/12/17/5217800/cloudflare-pledge...


Offering free 'flexible' SSL is really good for the internet, but using SNI SSL certs for multiple businesses the way Cloudflare does has somewhat of a security risk. Cloudflare shares certs for multiple domains at a time. One of my domains was shared with 10 other sites when I checked on https://www.ssllabs.com/ssltest/. If one domain gets their SSL cert compromised (by whatever means), it's safe to assume the other 10 will be as well.

This is a (mostly minor) security risk worth considering these days when not only are CAs semi-centralized but so are the certificates.


You're misrepresenting what happens. Cloudflare is not using SNI: it is simply creating a certificate with multiple domains in it; contrary to popular belief, SSL certificates can be valid for multiple disjoint domains through a field called SAN (subject alternate names). So a single certificate served by a single IP on an SSL terminator can be valid for multiple domains, without having to use SNI. They probably have some custom agreement with their CA (GlobalSign) for the economic part and for the fully-automatic provisioning based on their control of the nameserver (instead of the usual link sent to root@domain).

Another company doing the same is Google; they have a single certificate valid for all their properties (youtube, google.*, etc.), so that they can have a network in which SSL terminators are totally disjoint from the websites they proxy for.

As for the security, the certificates' private keys are fully handled by Cloudflare, and website owners don't get access to them. The security of a website sharing the same certificate as your website is immaterial for your security. You just need to worry that Cloudflare is not hacked, but that's part of the deal once you start using it anyway; it doesn't get specifically worse if you activate SSL.

I don't know if the TLS standard has some limit on the number of SANs, but there is a technical limit, because the certificate gets bigger and bigger (and thus connections slower and slower). Cloudflare probably has some per-certificate limit (e.g. 100 domains) after which they simply begin creating a new certificate on a new IP.

I'm instead curious about how they plan to make SSL free for everybody by the end of the year. Possibly through SNI, but I'm not sure; I would say the CA cost outweighs the IP cost, but I'm not sure how the numbers for those services work out at CloudFlare scale.


There's no technical limit on the number of SANs. However, as you speculated, there is a practical limit. Our tests show that after about 40 SANs you start to get a performance impact. So that limits the number of domains per cert to ~20 (since we include 2 SANs per domain, root.com & *.root.com).

Answer to the free question: SNI + IPv6. Hopefully one more reason for people to adopt IPv6. And limited IPv4 space is a much bigger factor for us than the CA cost.


Will we still be able to pay a moderate fee (like today) and skip SNI?


Obviously they make a good amount of money from their premium plans

You answered your own question.

They're nearly an ISP at this point

Not really, CloudFlare doesn't have any 'last mile' to pay for.


The thing is, it seems to me like a lot of sites that get a ton of traffic still use their free tier. There are no actual bandwidth limits at the free tier, just some missing features. They never require anyone to upgrade.

Even their higher tiers are pretty cheaply priced, including enterprise level: https://www.cloudflare.com/plans


They never require anyone to upgrade.

People upgrade to get better service (including the missing features) not because of some artificial limit (like bandwidth). If you upgrade because you want to, not because you have to, you're likely a better customer.


Personally I don't think bandwidth is an artificial limit, or that it's unreasonable to require an upgrade after a certain cap. A site with 100,000 daily visitors will be able to afford at least the business tier.


Sure, but why treat a customer like a mobile phone customer who has to worry about what plan they are on to figure out how much they are spending?

It makes more sense to have flat pricing and to have features that entice businesses to upgrade.


Wow. If I ever need a service like yours, you've got my business.


Just in case you were unaware, jgrahamc (aka John Graham-Cumming) is the Platform Lead for CloudFlare.


Actually, John Roberts is Platform Lead. John Graham-Cumming's very modest title is "programmer":

http://blog.jgc.org/2012/02/programmer.html



There are no VPs, directors, etc. We tend toward functional titles: programmer, support, sales, member of technical staff.


I believe the free tier has higher* response times.

Also, as far as I know, once you get to something like 100Tb a month they will ask you or require you to upgrade. But that's still ridiculously high; the same would cost $12k on AWS.

*Edit: mixed higher and lower


> I believe the free tier has lower response times.

Higher, surely? Lower response time == faster.


The higher tiers have hard guarantees on response times and level of support you'll get.

In my experience customers do a great job of self-segregating. If you offer "enterprise" as a tier, enterprises will generally pick it, even if the listed benefits are the same as another package. In exchange, they will expect enterprise services -- billing, guaranteed response, etc. No free lunch/get what you pay for.

The only corner case is when an important person at an enterprise customer has a personal account too, or when someone is really being a scrappy startup and trying to run something huge on a personal account due to not having the resources. Usually a good salesperson can handle both of those situations.


Perhaps the vast, vast majority of their users receive very little traffic?


Yes, that's true. I use Cloudflare on many of my sites, and they're basically ghost towns.

However, to my understanding, Cloudflare never requires that a site with a certain amount of traffic must upgrade to a certain tier. I believe there are many sites with lots of traffic volume that are still on their free tier. There are no bandwidth limits or charges at any tier.


That's right. CloudFlare doesn't have traffic limits.

But if a site gets a lot of traffic it's likely a business, and businesses have additional requirements. So, the paid plans become attractive (e.g. getting the WAF protection, or better DDoS protection, or mobile optimization, or SSL) and so people upgrade.


It would be interesting to see a chart/histogram showing the breakdown of number/percentage of CloudFlare-served sites vs how much data they serve.

I'm guessing that there will be a handful of sites serving a LOT of data, and a LOT of sites serving very little data...


> We can’t begin to express how grateful we are for your support throughout this journey.

Looks like http://ourincrediblejourney.tumblr.com/ may need an update


Indeed. That was intentional :)


Congrats, all. May all our journeys be this incredible.


hehe, congrats! :-)



Congrats Ryan!

I know you might not be able to talk about it much, but the article states "re-introduce a CloudFlare VPN service later in 2015" but I'm wondering, "Why late 2015?"


It was supposed to say "in 2015".

1) There are a bunch of other more-interesting and more-critical projects coming up. There is cool stuff still to be done in the VPN space, but the basics are out there now.

2) CloudFlare is already a huge network; it only makes sense to do something like a VPN if/when we can do it really well.


I'm sure that together you'll do VPN really well.

Now you have me looking forward to the CloudFlare blog post where they describe the custom/customized hardware they've put together for the VPN nodes. That will be some interesting reading...


I read it as "later, in 2015" opposed to "in late 2015". Meaning, not now, but in the future -- sometime in 2015 possibly.


…this acquisition is as much about acquiring the security chops of Ryan Lackey as it is about getting into the VPN business.

CryptoSeal customers have been notified that the service is being shut down. For now. Both Lackey and Prince told securitycurrent that they would like to re-introduce a CloudFlare VPN service later in 2015.


The CryptoSeal VPN service for consumers got shut down in the fall of 2013 and all the users were migrated off in 2013.

The business managed VPN service was super easy to migrate; we had dedicated infrastructure for customers, so it's just a matter of transitioning that to a different ownership agreement in the same colo cage; the customers were notified in advance and are fine with everything.


Congrats Ryan.

This part made me curious:

> it is about getting into the VPN business.

If I remember correctly, CryptoSeal for consumers was shut down after concerns about the security/privacy of VPNs in general. Is Cloudflare in a better position to offer a secure VPN in the US? Maybe they have some better lawyers or infrastructure?


Actually yes on all of those points. CloudFlare has a pretty amazing general counsel, Ken Carter, who in addition to being a great lawyer was in a colo racking and stacking servers. He also is the point person for Project Galileo, where CloudFlare offers free service to important free speech organizations. It's also very well resourced financially.

CloudFlare has some pretty amazing infrastructure, which they've blogged about -- great peering, lots of POPs, etc.

I was working on "how to do VPNs securely post-Snowden and post-Lavabit" after shutting down the consumer VPN service, which is both a technical and legal problem; we can definitely do it at CloudFlare.


Is this truly only an acquihire, or are they really looking into getting into the VPN business?


Congratulations Ryan!


Ryan, congrats as well! Looking forward to reading your post about how the sale happened, etc.


Thanks!


Why do you think CryptoSeal failed? What are some lessons learned from running a YC startup for the past 3 years? It would be very interesting to see a postmortem.


I wouldn't say it failed -- we never got an Internet-scale customer base, but honestly the goal was "do awesome security stuff" more so than "become Facebook".

I'm actually writing the post for Saturday; CloudFlare has a bunch of stuff going on this week so I've been pretty busy on top of getting some odds and ends resolved for this announcement.
