Relating to the excellent amount of funding Cloudflare has been getting...
How exactly does Cloudflare afford to be a reverse proxy for millions of domains, at absolutely no charge? Are there some economies of scale I'm missing here? Obviously they make a good amount of revenue from their premium plans, but I suspect the vast, vast majority of all their users are on the free tier.
They're nearly an ISP at this point, so from a very naive outsider's perspective it sounds like they would be bleeding money from this approach.
There are huge economies of scale; bandwidth gets a LOT cheaper when you're buying it in CloudFlare-sized quantities.
Another "secret" is CloudFlare doesn't do video (which is documented all over the product). Video is huge; every other kind of traffic combined is still pretty small compared to video.
In other words, if you are a significant user of bandwidth... Cloudflare will charge you accordingly [and as you can see from the solution in the blog post, it is much cheaper to just rent a dedicated server than go through Cloudflare if you are willing to give up the CDN cache].
Cloudflare doesn't care about anyone using relatively small quantities of bandwidth because even in aggregate, they aren't costing Cloudflare enough to be a problem.
The other part is....
I doubt Cloudflare is paying "sticker price" for its bandwidth. Places like HE.net sell cheap bandwidth @ $.45/mbps. I wouldn't be surprised if Cloudflare has as good or even better rates at every POP they have.
You are probably thinking of the retail price of Amazon's bandwidth [which is like $.10 a GB. To give you an idea, at $600/mo colo with HE.net you'd have about $2,000-$3,000 worth of bandwidth at Amazon's prices depending on the usage pattern].
Since SSL is only available on their paid plans, any websites with "serious" features (user login, payment) will have to migrate to such a plan.
Obviously, you can serve your assets from cloudflare from a different domain than one you use for html but you're not supposed to do that and you're mixing crypted and unencrypted data, which is usually bad.
SSL is actually going to be free by the end of 2014 for everyone. That's one of the projects I'm working on now, although it pre-dates my joining CloudFlare. That, and a few other less-public projects which are also launching this year, were some of my main motivation for selling to CloudFlare -- it's a huge network, and the founders and the rest of the team are genuinely committed to doing things which make the Internet better (and then make money in the process).
Offering free 'flexible' SSL is really good for the internet but using SNI SSL certs for multiple businesses the way Cloudflare does has somewhat of a security risk. Cloudflare shares certs for multiple domains at a time. One of my domains was shared with 10 other sites when I checked on https://www.ssllabs.com/ssltest/. If one domain gets their SSL cert compromised (by whatever means), it's safe to assume the other 10 will be as well.
This is a (mostly minor) security risk worth considering these days when not only are CAs semi-centralized but so are the certificates.
You're misrepresenting what happens. Cloudflare is not using SNI: it is simply creating a certificate with multiple domains in it; contrary to popular belief, SSL certificates can be valid for multiple disjoint domains through a field called SAN (subject alternate names). So a single certificate served by a single IP on an SSL terminator can be valid for multiple domains, without having to use SNI. They probably have some custom agreement with their CA (GlobalSign) for the economic part and for the fully-automatic provisioning based on their control of the nameserver (instead of the usual link sent to root@domain).
Another company doing the same is Google; they have a single certificate valid for all their properties (youtube, google.*, etc.), so that they can have a network in which SSL terminators are totally disjoint from the websites they proxy for.
As for the security, the certificates' private keys are fully handled by Cloudflare, and website owners don't get access to them. The security of a website sharing the same certificate of your website is immaterial for your security. You just need to worry that Cloudflare is not hacked, but that's part of the deal once you start using it anyway, it doesn't get specifically worse if you activate SSL.
I don't know if the TLS standard has some limit on the number of SAN, but there is a technical limit, because the certificate gets bigger and bigger (and thus connections slower and slower). Cloudflare probably has some per-certificate limit (e.g.: 100 domains) after which they simply begin creating a new certificate on a new IP.
I'm instead curious about how they plan to make SSL free for everybody by the end of the year. Possibly through SNI, but I'm not sure; I would say the CA cost outweighs the IP cost, but I'm not sure how the numbers for those services work out at CloudFlare scale.
There's no technical limit on the number of SANs. However, as you speculated, there is a practical limit. Our tests show that after about 40 SANs you start to get a performance impact. So that limits the number of domains per cert to ~20 (since we include 2 SANs per domain, root.com & *.root.com).
Answer to the free question: SNI + IPv6. Hopefully one more reason for people to adopt IPv6. And limited IPv4 space is a much bigger factor for us than the CA cost.
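The multi-domain SAN scheme discussed in the two comments above, modelled as an added example (not code from the thread or from CloudFlare): two SAN entries per customer domain (root and wildcard), certificates packed up to the ~40-SAN figure the commenter quotes, and RFC 6125-style wildcard matching showing that one customer's wildcard entry never covers another customer's hostnames. The 40-SAN cap and the sample domains are constructed for illustration, not a TLS limit.

```python
# Added example, not from the thread: models the shared multi-domain (SAN)
# certificate scheme described above. The 40-entry cap is the commenter's
# practical figure, not a protocol limit.

MAX_SANS_PER_CERT = 40  # practical limit quoted in the thread (assumption)

def sans_for_domain(domain):
    """Two SAN entries per customer domain, as described: root.com and *.root.com."""
    domain = domain.lower().rstrip(".")
    return [domain, "*." + domain]

def pack_into_certs(domains, max_sans=MAX_SANS_PER_CERT):
    """Group customer domains into certificates so that no certificate carries
    more than max_sans entries; a new certificate starts once the cap is hit.
    Returns a list of SAN lists, one per certificate."""
    certs, current = [], []
    for d in domains:
        entries = sans_for_domain(d)
        if len(current) + len(entries) > max_sans:
            certs.append(current)
            current = []
        current.extend(entries)
    if current:
        certs.append(current)
    return certs

def san_matches(san, hostname):
    """RFC 6125-style match: exact name, or a wildcard covering exactly one
    leftmost label. '*.root.com' covers 'www.root.com' but neither 'root.com'
    nor 'a.b.root.com', so a customer's wildcard cannot reach another customer."""
    san, hostname = san.lower(), hostname.lower()
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # ".root.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]      # the part the '*' must stand for
    return bool(label) and "." not in label

def cert_covering(certs, hostname):
    """Index of the certificate whose SAN list covers hostname, or None."""
    for i, sans in enumerate(certs):
        if any(san_matches(s, hostname) for s in sans):
            return i
    return None

if __name__ == "__main__":
    # Constructed sample: 25 domains -> 50 SAN entries -> two certificates (40 + 10)
    certs = pack_into_certs(["site%02d.example" % n for n in range(25)])
    print([len(c) for c in certs], cert_covering(certs, "www.site03.example"))
```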
The thing is, it seems to me like a lot of sites that get a ton of traffic still use their free tier. There are no actual bandwidth limits at the free tier, just some missing features. They never require anyone to upgrade.
People upgrade to get better service (including the missing features) not because of some artificial limit (like bandwidth). If you upgrade because you want to, not because you have to, you're likely a better customer.
Personally I don't think bandwidth is an artificial limit, or that it's unreasonable to require an upgrade after a certain cap. A site with 100,000 daily visitors will be able to afford at least the business tier.
I believe the free tier has higher* response times.
Also as far as I know once you get to something like 100Tb a month they will ask you or require you to upgrade. But that's still ridiculously high, the same would cost $12k on AWS.
The higher tiers have hard guarantees on response times and level of support you'll get.
In my experience customers do a great job of self-segregating. If you offer "enterprise" as a tier, enterprises will generally pick it, even if the listed benefits are the same as another package. In exchange, they will expect enterprise services -- billing, guaranteed response, etc. No free lunch/get what you pay for.
The only corner case is when an important person at an enterprise customer has a personal account too, or when someone is really being a scrappy startup and trying to run something huge on a personal account due to not having the resources. Usually a good salesperson can handle both of those situations.
Yes, that's true. I use Cloudflare on many of my sites, and they're basically ghost towns.
However, to my understanding, Cloudflare never requires that a site with a certain amount of traffic must upgrade to a certain tier. I believe there are many sites with lots of traffic volume that are still on their free tier. There are no bandwidth limits or charges at any tier.
That's right. CloudFlare doesn't have traffic limits.
But if a site gets a lot of traffic it's likely a business, and businesses have additional requirements. So, the paid plans become attractive (e.g. getting the WAF protection, or better DDoS protection, or mobile optimization, or SSL) and so people upgrade.