Cloudflare Is Taking a Shot at Email Security (wired.com) 46
Cloudflare, the internet infrastructure company, already has its fingers in a lot of customer security pots, from DDoS protection to browser isolation to a mobile VPN. Now the company is taking on a classic web foe: email. From a report: On Monday, Cloudflare is announcing a pair of email safety and security offerings that it views as a first step toward catching more targeted phishing attacks, reducing the effectiveness of address spoofing, and mitigating the fallout if a user does click a malicious link. The features, which the company will offer for free, are mainly geared toward small business and corporate customers. And they're made for use on top of any email hosting a customer already has, whether it's provided by Google's Gmail, Microsoft 365, Yahoo, or even relics like AOL. Cloudflare CEO Matthew Prince says that from its founding in 2009, the company very intentionally avoided going anywhere near the thorny problem of email. But he adds that email security issues are unrelenting, so it has become necessary.
"I think what I had assumed is that hosting providers like Google and Microsoft and Yahoo were going to solve this issue, so we weren't sure there was anything for us to do in the space," Prince says. "But what's become clear over the course of the last two years is that email security is still not a solved issue." Prince says that Cloudflare employees have been "astonished by how many targeted threats were getting through Google Workspace," the company's email provider. That's not for lack of progress by Google or the other big providers on anti-spam and anti-malware efforts, he adds. But with so many types of email threats to deal with at once, strategically crafted phishing messages still slip through. So Cloudflare decided to build additional defense tools that both the company itself as well as its customers could use.
Classic web foe? (Score:2)
I didn't know that e-mail and the web were foes! I do hate getting HTML e-mails though, so maybe this is true after all.
Re: (Score:2)
I think they mean "toe" because everyone's always stubbing it.
Re: (Score:2)
I didn't know that e-mail and the web were foes!
They are. Particularly if people like you and I prefer text-based e-mail and clients. Instead of the HTML-based crap sent with embedded malware and dancing Javascript which Cloudflare sees as its mission to promote.
Re: (Score:2)
I didn't know that e-mail and the web were foes!
I don't know of any Web vs. Email anime, so I have my doubts.
Re: (Score:2)
I'd love to see Japanese e-mail guy running and screaming with colorful lines in the background, doing martial arts against Japanese web man! This idea is cracking me up.
What aspect of security though? (Score:2)
What aspect(s) of email security will they attempt to address? Spam and viruses? Scams and phishing attempts? Or things more like key pair based message signing/encryption?
Re: (Score:2)
Maybe they'll throw ML at the problem. Signing and encryption doesn't really help if one of the end-points has poor security.
Re: (Score:2)
they are just implementing SPF and DKIM
Not even that. They built a small control panel widget that automatically adds SPF, DKIM and DMARC DNS records to a domain. Basically, if they detect by a domain's MX records that it uses a well known e-mail provider, such as GMail, Outlook or the like, their control panel shows a switch that, if enabled, automatically adds those entries for the domain, the idea being that most small businesses don't add them because it's complicated and error prone. Which is indeed the case, as the first few times I did th
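The three record types named in the comment above can be checked offline. This is an added example, not part of the thread and not Cloudflare's code: it guesses the provider from MX targets and flags missing or permissive SPF, DKIM and DMARC records. The domain `example.com`, the DKIM key value and the sample zones are constructed; the `google` selector is assumed to be the one in use.

```python
# Added example. All DNS data is constructed; nothing is queried live.
# MX suffix -> (provider, SPF include that provider documents for its senders)
PROVIDERS = {
    ".google.com": ("Google Workspace", "include:_spf.google.com"),
    ".mail.protection.outlook.com": ("Microsoft 365", "include:spf.protection.outlook.com"),
}

def detect_provider(mx_hosts):
    """Guess the mail host from MX targets, the trigger the comment describes."""
    for host in (h.lower().rstrip(".") for h in mx_hosts):
        for suffix, info in PROVIDERS.items():
            if host.endswith(suffix):
                return info
    return None

def tags(record):
    """Parse the 'k=v; k=v' tag list used by DKIM and DMARC TXT records."""
    pairs = (t.split("=", 1) for t in record.split(";") if "=" in t)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(domain, mx_hosts, txt, dkim_selector):
    """Return findings for one domain; txt maps record name -> list of TXT strings."""
    findings, provider = [], detect_provider(mx_hosts)
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append("spf: missing" if not spf else "spf: multiple records (permerror)")
    else:
        terms = spf[0].lower().split()
        if provider and provider[1] not in terms:
            findings.append(f"spf: lacks {provider[1]} for {provider[0]}")
        last = next((t for t in terms if t.lstrip("+-~?") == "all"), "none")
        if last not in ("-all", "~all") and not any(t.startswith("redirect=") for t in terms):
            findings.append(f"spf: 'all' term is {last!r}, unlisted senders are not failed")
    dkim = txt.get(f"{dkim_selector}._domainkey.{domain}", [])
    if not any(tags(r).get("p") for r in dkim):
        findings.append(f"dkim: no public key at selector '{dkim_selector}'")
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("dmarc: missing")
    elif tags(dmarc[0]).get("p", "").lower() == "none":
        findings.append("dmarc: p=none only reports, spoofed mail is still delivered")
    return findings

MX = ["aspmx.l.google.com.", "alt1.aspmx.l.google.com."]  # constructed MX set
WEAK = {"example.com": ["v=spf1 include:_spf.google.com ?all"],
        "_dmarc.example.com": ["v=DMARC1; p=none"]}
FIXED = {"example.com": ["v=spf1 include:_spf.google.com ~all"],
         "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBconstructedKEY"],
         "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"]}
```

`audit("example.com", MX, WEAK, "google")` returns one finding per record type, and the same call on `FIXED` returns an empty list.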
No thanks (Score:5, Informative)
Cloudflare is hopelessly inept at blocking phony web sites used for phishing attacks and DDoS. What they do spend a lot of time doing is putting the "Cloudflare is checking your browser" messages up whenever I run ad-blockers or turn off Javascript. Since many DDoS attacks are run in the background of your browser using an evil Javascript app, this would seem to be counterintuitive. But not so much if their primary customers are really advertisers seeking to ensure that your browser is wide open to their shit-ware.
Oh just fucking great (Score:2)
Now we're gonna have to solve captchas to get our emails - and probably let a bunch of Javascript run to "verify your email client" (read: let CloudFlare gather as much data about you as possible).
Re: (Score:2)
I have CloudFlare configured on two dozen ecommerce sites. The firewall rules ensure certain parts of the website are unreachable if you aren't connecting from inside our office, such as the admin area. The actual checkout is where you might see a captcha if you hit the rate limiter. Little choice there, as if our checkout gets used for carding attempts, the credit card processor may drop us. But the front-end of the website doesn't nee
Re: (Score:2)
But the front-end of the website doesn't need any captcha protection.
But that's where Cloudflare does most of its dirty work.
If you don't like the captchas, complain to the owners of the site.
Those would be the owners that are collecting advertising dollars for site visits (and the subsequent pop-up ads). And who are highly motivated to make sure visitors are not running blockers or turning off Javascript.
Re: (Score:1)
You mean...using email? How are you going to do that when cloudflare cucks your email provider? You won't be able to, that's how.
Don't give cloudflare an inch [nogafam.es].
Re: Oh just fucking great (Score:2)
"If you don't like the captchas, complain to the owners of the site."
I don't think you can retrieve stuff that is written to /dev/null, which "feedback" forms and admin@shitmegaglobalprovider.com are routed to.
Re: (Score:2)
and probably let a bunch of Javascript run
The reasoning for requiring JavaScript is sound. DDoS bots usually don't run JavaScript, so if you're a human being, running an actual browser, who's trying to access a site from an IP address that's in a range currently being used by DDoS bots (read: from VPN and/or Tor exit nodes), checking that you aren't one of the attacking machines by testing whether you're a JavaScript-running device is an effective first filter right there.
The alternative would be to block your IP outright, assuming it's just anothe
Constantly 'upping' the game (Score:2)
The way things are going now, web hosting and such will be just about next to useless. With cancel culture, and "this is a free market, don't like it, tough". Except you only get one or two choices (both owned by the same people in the case of multiples), and good luck trying to roll your own servers (you are an untrusted dark web terrorist group).
Imagine if we were back in the days of the Bell monopolies, with the added 'bonus' of having your calls dropped if you say anything that does not fit in with the
Re: (Score:2)
good luck trying to roll your own servers
The solution is to play by a different set of rules. Here's one such attempt. [wikipedia.org]
Re: Constantly 'upping' the game (Score:2)
"Started by someone known as Solderpunk, the protocol is now being finalized collaboratively and has currently not been submitted to the IETF for standardization."
Somehow I don't think big internet is shitting in their underoos over this.
Also, "Solderpunk" does not sound like a name the public would trust.
The public will be monstered and twisted by big internet who falls in line with current political and big business narrative, and the protocol mentioned in the WP article will just be fringe the pu
Re: (Score:2)
the protocol mentioned in the WP article will just be fringe the public does not know about.
Of course it'll be fringe, that's the point. As has always been the case in the history of humanity, those who depart from social consensus will write esoterically to spread their ideas to other similar contrarians, while simultaneously managing to avoid persecution. As for the brief moments in which all speech is allowed, they're invariably short lived, and far apart from each other. Sure, the most recent one has lasted several decades, the longest ever, but as the saying goes, everything that has a beginn
Fuck Cloudflare (Score:2)
Thanks but no thanks. (Score:1)
Cloudflare is already the largest man-in-the-middle in history. We don't need them getting in the middle of even more communications.
CloudFlare we have a problem. [cryto.net]
Stay away from CF [unixsheikh.com]
The trouble with CF [torproject.org]
Email sucks (Score:2)
Please, just block ALL email. This would make my life so much better. Take something like the Signal protocol, release open source server and client code, increase the message size. Of course, not being able to search and scan plain text email would break the business models of some big tech companies - but yeah, F*UCK those guys anyways.
Re: Email sucks (Score:2)
Yeah, it's not like people can just disable e-mail clients or just not log into servers (personal). /s
Of course, smart companies should have an intranet only e-mail system for internal business operations, which is perfectly doable even on the "cloud".
we'll see (Score:2)
We'll see just how well they can solve email problems. Like no one ever really tried before.
The biggest issue is new accounts in places like Gmail, O365, and every single email provider there is like ConstantContact, Sendgrid, Mailchimp, etc. You can sign up for a new account on a trusted provider and successfully phish away for days at a time. Rinse, repeat, no need to ever stop. These email services need a blocklist of bad actors that they share with each other.
Re: we'll see (Score:2)
The blacklist bad actors idea clearly came from the mouth of a politician or spokesman who knows just enough to realise that the CD tray is not the cup holder.
Re: (Score:2)
I suppose if your service takes signups from random character names and payment in bitcoin then you really don't care if they use your service for spamming. But Microsoft, Google, Constant Contact, and other spam providers could do more to vet their customers. When Microsoft, Google, Constant Contact, and other spam providers kick a user off of their platform, they could share the account details and tactics with other providers - and that could be helpful in having fewer bad actors using legitimate servi
Re: we'll see (Score:2)
"But Microsoft, Google, Constant Contact"
All this does is shift the spam from the big guys' servers to grandma's e-machines computer who does not know that her computer is infected and part of a bot net.
And then grandma gets slammed with the label "bad actor" and does not even know why.
Really, this is just feel good shit that solves nothing.
Re: (Score:2)
Chances are that Grandma didn't set her server up right, thus the offering from Cloudflare. Which means email from Grandma's server will already be caught as spam. If Grandma secures her shit then she won't be overtaken by bad actors.
I'm highlighting an issue with Cloudflare's approach, where they will help bad actors look legitimate. Which will make problems worse without some serious vetting of customers.
I'm also highlighting the current issue that spammers and phishers already do not bother with Grandm
Re: (Score:2)
What happens in your scenario is that Cloudflare does no better than any existing email provider. Really Cloudflare will make phishing worse because they help on-board bad actors more quickly and more correctly. If you've ever tried to report abuse to Cloudflare you know that Cloudflare makes reporting abuse as hard as humanly possible and just passes your report onto their bad actor customer.
Re: we'll see (Score:2)
So Cloudflare makes sure to waste your valuable time before your complaint gets sent to /dev/null rather than allowing you to just send it to /dev/null quickly.
Re: we'll see (Score:2)
"repeat, no need to ever stop. These email services need a blocklist of bad actors that they share with each other"
"Curses! I have been foiled by the bad actor blacklist! My spamming career is over for good!", said no mass spammer/scammer ever before or ever will.
pay walled (Score:2)
can't read TFA.
Paywalled. NOT nice
Re: pay walled (Score:2)
This really needs to stop. Seriously /. at the very minimum at least post a disclaimer of such.
No need for new "technology" (Score:2)
Oh god.. (Score:2)
Let's shit in the pot some more for the security feels.
Idiocracy..documentary..blah, blah..and stuff.
WAT? (Score:2)
Email is a 'web' foe? The Web is not the Internet.