Security Service Accidentally Makes Websites 60% Faster

EastDakota writes "CloudFlare was originally conceived by the team behind the open source community. Project Honey Pot as an easy way to protect any website from hackers and spammers. The concern from the beginning was that it would add latency. It was quite a surprise when the free service launched 8 months ago and ended up speeding up websites by 60%."

slashvertisement

[Anonymous Coward]

The article about the anti-spam article looks itself to be astroturf spam.

Re:

[DWMorse]

Yo dawg, we heard you hate news about spam, so we put spam in your news so you can hate while you hate.

Re:slashvertisement

[Nursie]

Badly written too. FTFA -

"In 2007 the Department of Homeland Security reached out to Prince, essentially asking him if he had any idea what technology that he owned."

WFT?

Re:

[Anonymous Coward]

I the article and I the entire thing perfectly.

Re:

[randizzle3000]

Did you accidentally the whole thing or was it on purpose?

Re:

[Nestea_Zen]

rofl

Re:

[GameboyRMH]

Hey guys, I haves a good use of the words "unsbuzzle."* My lungs unsbuzzle the air from the earth, as I can breathe... it. Period.

*"embezzle"

Re:

[Anonymous Coward]

>WFT?

What fe thuck?

Re:slashvertisement

[JWSmythe]

    No, it's Old English. "What Fuck Thee?" Roughly meaning "I found you in the barn with a sheep and a goat. Which one were you fucking?"

Re:

[chill]

That wasn't a sheep and a goat, that was your wife and daughter.

Re:

[brusk]

That would be "What fucketh thou?"

Re:

[bipedalhominid]

WFT = Who Fucketh Thee?

Re:

[vgerclover]

Of course! It should read The Artist Formerly Known as Prince.

Re:

[Anonymous Coward]

No, now that the restriction on his name is lifted he is the Artist Formerly Known As The Artist Formerly Known As Prince.

Re:

[lee1]

The entire article is incoherent. At the point we reach this particular garbled sentence, we have no idea what Prince's relationship is with Project Honey Pot. And we never hear anything further about DHS. We don't find out how exactly CloudFlare "makes sites faster," and I have no reason to believe it does that, or anything else useful.

Speed up summary

[Anonymous Coward]

According to the article, the speed boost comes from two things: 1) CloudFlare sniffs your content and inline replaces sections of it with equivalent content all served via the same connection... so the speedup comes from only having to use a single connection to get the entire page and 2) They are a globally distributed content system with 12 global data centers, similar to Akamai but smaller in scale, allowing content to come from a location closer to the end user.

Re:

[wamatt]

I still don't understand. If my site is hosted in a rack in Colo A, and users access it, it goes out via the same pipes.

Are you talking specifically if I have 3rd party widgets embedded in your site? Because in the scenario above (Colo A), I don't see how it helps vs using a regular CDN.

Re:

[datapharmer]

It only helps versus a traditional CDN in the cost arena and versus some CDNs in that it provides protection against spam and hacking.

The service works by you pointing your nameserver records to them, then use them as a dns provider. client -> dns lookup -> cloudflare Colo A

Cloudflare acts as a reverse proxy cdn by replacing some dns records with their IPs instead of yours, so unless you tell them to not use their servers for a particular record the host is sent them, they check the hosts IP, if it

Re:

[seanadams.com]

I worked for a now defunct company called Netli that did something like this. Not caching exactly, but putting proxies on either end of the path which would optimize TCP behavior. The speedups could be quite significant especially where latencies were high (long fat pipes), because your browser normally spends a lot of time waiting for entire round trips to occur as each new connection is opened and ramped up to speed. You can also "prefetch" content because you can determine which images the client will be

Re:Custom HOSTS files can achieve the same

[datapharmer]

please mod the parent -1 ignorant. The anonymous solution is for clients, the article is about servers. You all lose your geek membership cards.

Re:

[matthewv789]

From what I've dug up, there are several sources of potential speedup:
1) Acts as a CDN (with 5 data centers - 3 US, 1 Europe, 1 Asia) to cache static files (such as images, js, css) from a location on average nearer to most visitors, plus the cache servers are fast and well-connected. I read a claim somewhere that based on total traffic going through their system, they would be the 10th busiest site on the web (unverified).
2) Filters out enough "bad" traffic, which it never sends on to the site's originatin

Slashdot corporate shill

[Anonymous Coward]

Could you at least try and hide the money you take to post ads as articles?

Re:

[MobileTatsu-NJG]

Does Slashdot even need a kickback? The comments bitching about it are giving Slashdor more content to serve ads with.

Re:

[MobileTatsu-NJG]

Uh, ya, you totally missed the point of my post. I'll make it simpler: Slashdot would develop more 'integrity' if good stories got lots of comments and link-bait got none.

Re:

[IICV]

You know, this is in part your fault. If you'd written a more interesting blog post than this and submitted it, it might have been posted instead of this article. Instead, you didn't and they posted this.

The gist of it

[Anubis IV]

They offer a security product for websites, and in the process of designing it so that it didn't add much latency, they inadvertently made it into a CDN that speeds things up. There. Now we all know what the trick is.

Re:The gist of it

[enoz]

In a strange synergy your comment is roughly 60% the size of TFS but contains 100% more information about the topic at hand.

Re:

[zonky]

How are they protecting anything if the bad people can still access the site directly if they can find it?

If it works anything like Akamai, the site DNS points to cloudflare, which then relays it all back to the origin host.

(Unless they're locking down the origin hosts to only accept requests from cloudflare networks, of course....)

Re:

[JWSmythe]

Don't forget, it's bound to mess up your logs. Connections aren't coming from the user any more, they're coming from the CDN. Good luck doing your own filtering server-side from there. If they're caching parts of it, that means you have no prayer of seeing that request. You might get a Via header for some requests, but the cached requests? There won't even be a hit back to your server.

I'd consider using them for a few things I do, but there are some problems. I don't kn

Re:

[datapharmer]

Seriously? For your own filtering use X-Forwarded-For (built in to apache) or mod_cloudflare. Logs and filtering are not an issue unless you are incompetent. Cloudflare also only caches static content such as css and images, so there is still a hit for the main request page that you can see in logs and filter against. As for security, use ssl. Sure, they have a solution for ssl too, but you can easily add a record and not run it through their system at all such as secure.website.com. If you are running your

Re:

[JWSmythe]

In the article, they said that when Amazon's cloud went down, the sites continued to serve. That means they couldn't possibly be sending any hits back to the server (since it's down and all).

It wouldn't matter at that point if you're logging X-Forwarded-For, or using SSL. Even with using SSL, that does nothing for you, if they have the key on their server to decrypt with.

I've been doing a lot of packet analysis and logging lately. At the firewall and IDS leve

Re:

[colfer]

It uses Javascript to obfuscate email addresses. That is helpful but not foolproof, contrary to the article. It stops most harvesters, at the cost of no-script users and the like. The chirpy article is less than trustworthy, so I would not assume the service is a CDN, or if it does cache that it will continue to maintain capacity. Or the speedup, if real, could be due to minifying html and serving small images in the Google News way, as inline data. The number of connections can be more important than speed

Re:

[dermoth666]

It wouldn't be if they actually had invented the CDN. They's unfortunately about 12 years late...

Data privacy out the window

[Anonymous Coward]

CloudFlare is touted for intercepting and altering HTML to and from client sites. Isn't this a Bad Thing? Passwords, PII, etc. all being captured, inspected, possibly altered, and sent along. What a lovely way to capture and control information. And it's spread across 12 datacenters (and growing) so who knows how many copies of your SSN there are across CF. But at least it allows IT admins to not have to care or think about customer data security.

Re:

[cbiltcliffe]

HTTP requests only apply to web servers. If the same service can/could in future be used for FTP, or anything else, for that matter, then "URL request" is the appropriate terminology.

Re:

[Vegemeister]

example.com -> cloudfire's CDN ssl.example.com -> example.com's authentication server.

Duh.

Economically viable?

[Max Romantschuk]

I read the article and peaked at the site. $20 a month, for what is practically a CDN?

I'm assuming they have some pretty heavy limits on the amount of traffic you can get for that amount... Bandwidth isn't free after all.

That being said this seems like a cool service for smaller sites, especially when you don't want to do everything yourself.

Re:

[muphin]

it isnt a CDN per-se its a DNS proxy that caches a static page of your site when it goes down, the data from this is insignificant than when every users loads an image.
see How can CloudFlare afford to offer a free CDN? [cloudflare.com]

Re:

[Stewie241]

Which is interesting in that the response starts with "We built our network from the ground up for a single purpose: making any
website faster and safer".

Which seems to stand in stark contrast to the premise of the article, which is that they didn't intend to make web sites faster. So which is it?

Further, I think that even if it prevents spam, it likely only delays it. In the article there is a quote that says: "“We challenged an engineer on our staff to sniff a packet of data to see if there was an

Re:

[surgen]

The smartest crawlers out there don't just regex over the source any more, they have javascript engines baked in, some even rope in the rendering engines from an opensource browser so they can get a look at the finished product.

Re:

[larry bagina]

I've found that proxies that do javascript injection tend to break things.

Re:

[Paradise Pete]

I read the article and peaked at the site...

...and it was all downhill from there.

Re:

[delinear]

Says the AC who can't even manage to post to the correct story [slashdot.org] :)

Interesting concept, but secure?

[Lazy Jones]

While they can certainly protect a site from various threats better than the average programmer (XSS etc.), the downside is that all login and personal information also goes through their site, enabling them (or a rogue government) to collect it. Also, their concept is great for launching targeted attacks at specific users, i.e. sending them tailored content like trojans (of course such attacks by rogue governments are feasible without CF, but harder). The question is: should they be trusted more than your own employees and your ISP? Right now, here in Europe, I'd say: for important stuff, no.
That said, here's an idea for a useful "app": automated A/B-testing for your site (build 2 versions of your website and let them decide who sees what, combine with Google Analytics or other stats => see which version works better for your users).

Re:

[bishopBelloc]

Just an FYI:
google already provides a tool for A/B testing with google analytics: website optimizer [google.com].

Re:

[Lazy Jones]

I know, thanks ... But it requires 2 things to be handled by your web pages which CF could do more elegantly: a) put the Analytics JS on all pages, b) decide which version (A or B) to show a visitor and why (i.e. set a cookie so he still sees the same version when he comes back and all that) and modify the Analytics code accordingly. Putting that on the CF end would mean that even inexperienced people could set up 2 versions of their web site easily and benefit from Analytics A/B testing features (think wor

"It's a feature"

[gatkinso]

Bring on the marketing creatures.

its the editors choice

[Combatso]

and its the choice of a new generation.. :drinks pepsi: