Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Businesses Security

Cloudflare Is Taking a Shot at Email Security (wired.com) 46

Cloudflare, the internet infrastructure company, already has its fingers in a lot of customer security pots, from DDoS protection to browser isolation to a mobile VPN. Now the company is taking on a classic web foe: email. From a report: On Monday, Cloudflare is announcing a pair of email safety and security offerings that it views as a first step toward catching more targeted phishing attacks, reducing the effectiveness of address spoofing, and mitigating the fallout if a user does click a malicious link. The features, which the company will offer for free, are mainly geared toward small business and corporate customers. And they're made for use on top of any email hosting a customer already has, whether it's provided by Google's Gmail, Microsoft 365, Yahoo, or even relics like AOL. Cloudflare CEO Matthew Prince says that from its founding in 2009, the company very intentionally avoided going anywhere near the thorny problem of email. But he adds that email security issues are unrelenting, so it has become necessary.

"I think what I had assumed is that hosting providers like Google and Microsoft and Yahoo were going to solve this issue, so we weren't sure there was anything for us to do in the space," Prince says. "But what's become clear over the course of the last two years is that email security is still not a solved issue." Prince says that Cloudflare employees have been "astonished by how many targeted threats were getting through Google Workspace," the company's email provider. That's not for lack of progress by Google or the other big providers on anti-spam and anti-malware efforts, he adds. But with so many types of email threats to deal with at once, strategically crafted phishing messages still slip through. So Cloudflare decided to build additional defense tools that both the company itself as well as its customers could use.

This discussion has been archived. No new comments can be posted.

Cloudflare Is Taking a Shot at Email Security

Comments Filter:
  • Now the company is taking on a classic web foe: email.

    I didn't know that e-mail and the web were foes! I do hate getting HTML e-mails though, so maybe this is true after all.

    • I think they mean "toe" because everyone's always stubbing it.

    • by PPH ( 736903 )

      I didn't know that e-mail and the web were foes!

      They are. Particularly if people like you and I prefer text-based e-mail and clients. Instead of the HTML-based crap sent with embedded malware and dancing Javascript which Cloudflare sees as its mission to promote.

    • Now the company is taking on a classic web foe: email.

      I didn't know that e-mail and the web were foes!

      I don't know of any Web vs. Email anime, so I have my doubts.

      • I don't know of any Web vs. Email anime, so I have my doubts.

        I'd love to see Japanese e-mail guy running and screaming with colorful lines in the background, doing martial arts against Japanese web man! This idea is cracking me up.

  • What aspect(s) of email security will they attempt to address? Spam and viruses? Scams and fishing attempts? Or things more like key pair based message signing/encryption?

    • Maybe they'll throw ML at the problem. Signing and encryption doesn't really help if one of the end-points has poor security.

    • None, they want to siphon all emails though their NSA eavesdropping center as well. They already MITM a large swath of the internet's HTTPS traffic. If there isn't any other scarier company on the internet, it's cloudflare. At least I have some vague idea what google is snorting up. Cloudflare? could be any and everything. The fact that they provide a lot of their services free should be some huge red flag that some or many 3 letter agencies are behind them providing funding, and getting their cut of the da
  • No thanks (Score:5, Informative)

    by PPH ( 736903 ) on Monday September 27, 2021 @10:26AM (#61837607)

    Cloudflare is hopelessly inept at blocking phony web sites used for phishing attacks and DDoS. What they do spend a lot of time doing is putting the "Cloudflare is checking your browser" messages up whenever I run ad-blockers or turn off Javascript. Since many DDoS attacks are run in the background of your browser using an evil Javascript app, this would seem to be counterintuitive. But not so much if their primary customers are really advertisers seeking to ensure that your browser is wide open to their shit-ware.

  • Now we'd gonna have to solve captchas to get our emails - and probably let a bunch of Javascript run to "verify your email client" (read: let CloudFlare gather as much data about you as possible).

    • If you don't like the captcha's, complain to the owners of the site.

      I have CloudFlare configured on two dozen ecommerce sites. The firewall rules ensure certain parts of the website are unreachable if you aren't connecting from inside our office, such as the admin area. The actual checkout is where you might see a captcha if you hit the rate limiter. Little choice there, as if our checkout gets used for carding attempts, the credit card processor may drop us. But the front-end of the website doesn't nee
      • by PPH ( 736903 )

        But the front-end of the website doesn't need any captcha protection.

        But that's where Cloudflare does most of it's dirty work.

        If you don't like the captcha's, complain to the owners of the site.

        Those would be the owners that are collecting advertising dollars for site visits (and the subsequent pop-up ads). And who are highly motivated to make sure visitors are not running blockers or turning off Javascript.

      • If you don't like the captcha's, complain to the owners of the site.

        You mean...using email? How are you going to do that when cloudflare cucks your email provider? You won't be able to, that's how.

        Don't give cloudflare an inch [nogafam.es].
      • "If you don't like the captcha's, complain to the owners of the site."

        I don't think you can retrieve stuff that is written to /dev/null, which "feedback" forms and admin@shitmegaglobalprovider.com are routed to.

    • and probably let a bunch of Javascript run

      The reasoning for requiring JavaScript is sound. DDoS bots usually don't run JavaScript, so if you're a human being, running an actual browser, who's trying to access a site from an IP address that's in a range currently being used by DDoS bots (read: from VPN and/or Tor exit nodes), checking that you aren't one of the attacking machines by testing whether you're a JavaScript-running device is an effective first filter right there.

      The alternative would be to block your IP outright, assuming it's just anothe

      • The way things are going now, web hosting and such will be just about next to useless. With cancel culture, and "this is a free market, don't like it, tough". Except you only get one or two choices (both owned by the same people in the case of multiples), and good luck trying to roll your own servers (you are an untrusted dark web terrorist group).

        Imagine if we were back in the days of the Bell monopolies, with the added 'bonus' of having your calls dropped if you say anything that does not fit in with the

        • good luck trying to roll your own servers

          The solution is to play by a different set of rules. Here's one such attempt. [wikipedia.org]

          • "Started by someone known as Solderpunk, the protocol is now being finalized collaboratively and has currently not been submitted to the IETF for standardization."

            Somehow I don't think big internet is shitting in their underoos over this.

            Also, "Solderpunk" does not sound like a name the public would trust.

            The public will be monstered and twisted by big internet who falls in line with current political and big business narrative, and the protocol mentioned in the WP article will just be fringe the pu

            • the protocol mentioned in the WP article will just be fringe the public does not know about.

              Of course it'll be fringe, that's the point. As has always been the case in the history of humanity, those who depart from social consensus will write esoterically to spread their ideas to other similar contrarians, while simultaneously managing to avoid persecution. As for the brief moments in which all speech is allowed, they're invariably short lived, and far apart from each other. Sure, the most recent one has lasted several decades, the longest ever, but as the saying goes, everything that has a beginn

  • Project Honeypot was the right name for that spook front.
  • Cloudflare is already the largest man-in-the-middle in history. We don't need them getting in the middle of even more communications.

    CloudFlare we have a problem. [cryto.net]

    Stay away from CF [unixsheikh.com]

    The trouble with CF [torproject.org]

  • Please, just block ALL email. This would make my life so much better. Take something like the Signal protocol, release open source server and client code, increase the message size. Of course, not being able to search and scan plain text email would break the business models of some big tech companies - but yeah, F*UCK those guys anyways.

    • Yeah, it's not like people can just disable e-mail clients or just not log into servers (personal). /s

        Of course, smart companies should have an intranet only e-mail system for internal business operations, which is perfectly doable even on the "cloud" .

  • We'll see just how well they can solve email problems. Like no ever really tried before.

    The biggest issue is new accounts in places like Gmail, O365, and every single email providers there is like ConstantContact, Sendgrid, Mailchimp, etc. You can sign up for a new account on a trusted provider and successfully phish away for days at a time. Rinse, repeat, no need to ever stop. These email services need a blocklist of bad actors that they share with each other.

    • "repeat, no need to ever stop. These email services need a blocklist of bad actors that they share with each other"

      "Curses! I have been foiled by the bad actor blacklist! My spamming career is over for good!", said no mass spammer/scammer ever before or ever will.

  • can't read TFA.
    Paywalled. NOT nice

  • Just use the tech that exists. DKIM is basically enough of a technical measure. Pairing that with use of the recipient's address book in some user-accessible way will pretty much eliminate most phishing. The problem here is mainly with the design of email UIs that favor the "display name" over the email address. We should just admit that it is craziness to display any kind of sender information that doesn't come from a trusted, verified contact. I haven't answered my personal phone if the number isn't
  • Let's shit in the pot some more for the security feels.

    Idiocracy..documentary..blah, blah..and stuff.

  • Email is a 'web' foe? The Web is not the Internet.

This is clearly another case of too many mad scientists, and not enough hunchbacks.

Working...