Thursday, May 03, 2012

Patching the Internet

When CloudFlare approached me about joining the company there was one thing that really stood out about the potential for their service: the ability to 'patch the Internet'.

CloudFlare sits between people's browsers and the web servers they are trying to reach.  All the traffic (DNS, HTTP, and HTTPS) passes through the CloudFlare network.  This blog post was served up (and protected and accelerated) by CloudFlare.

But as the traffic passes through CloudFlare it's possible to modify it, and that opens up huge potential for fixing Internet problems on an enormous scale.

Today, CloudFlare has rolled out a service that informs people that they've been infected by the nasty DNSChanger malware.  This makes sense for CloudFlare to do because so many of the web's users touch CloudFlare sites every month.  In this case CloudFlare is helping to protect end-users, just as it protects web sites.

And this sort of virtual patching can come anywhere in the network stack, from fixing DDoS attacks, to filtering out an Apache Range vulnerability, to deleting hashing attacks, to killing SQL injections.  As new attacks arise we are able to, for our users, 'patch the Internet'.

Patching allows us to do other things like insert any service automatically across a web site (such as adding web analytics), to filter out private information (such as an email address) if the visitor might be malicious, or simply insert a message notifying visitors of, for example, an upcoming service disruption.

It also lets us do things like add SSL quickly to a site, enable IPv6 even when the site is on IPv4 only, and will soon allow us to turn on new protocols like SPDY even when the actual web site only supports HTTP.

The potential for this two-way patching is very large, and we've recently announced a developer program to let people build their own apps that can be installed with a single click of an On button in the CloudFlare UI.

I'd be interested in hearing from people about ideas on how best to 'patch the Internet'.  I'll personally send a signed copy of The Geek Atlas to the person with the best idea.

6 comments:

sep332 said...

An "Edit" button. You can change the content of a page and save your changes for later visits. Optionally: a history of your edits to a page, or a way to share your changes, or see that other people have edited the page, or "subscribe" to changes from certain users. Like turning the web into your private wiki.

salty-horse said...

sep332, sounds like ShiftSpace

tz said...

I run a number of Firefox extensions for security. It would be nice if I could just use a proxy to get a "clip" of a site without JavaScript, Flash, Java (some harboring malware if the site slips up). Also no images. A quick and/or mobile view that I could click-through to get the full version. I would also say adblock, but I don't normally mind ads after I know I want to really read a site.

Also handle SSL verifying certificates using a Perspectives or similar method to detect and defeat anyone who managed to register google.com at some obscure CA.

I could use any browser, but by simply setting the proxy or just going through your service ensure a much higher level of security.

Also a "printer friendly" version, or export to kindle feature that would clean things up or at least make it so that I didn't get a teeny thin column of text on 20 pages of paper.

Some Day I Will Get It Right said...

Can CF act as a "smart" dependency management of sorts for at least well known JS/CSS libraries; copied from Amazon Kindle Fire and Google Loader--

For example, if I have a JavaScript src file included in the HTML page,


<script src="js/jquery-min.1.2.3.js"></script>


then CF returns that directly instead of the host server --

for a more complicated dependency management, inspired by maven--


<script src="js/jquery-min[1.0,).js"></script>


this would resolve to the latest version served if available or lower version until 1.0
