Epicenter - Learn about Crypto, Blockchain, Ethereum, Bitcoin and Distributed Technologies - Nick Sullivan: Cloudflare – The Internet’s (De)centralized Security Blanket

Episode Date: December 4, 2018

We enter dozens of trust relationships every time we interact with the Web. Browsers, ISPs, DNS providers, cloud hosting companies, all the way down to the handful of people who control certificate root keys; we rely on the integrity of these intermediaries to serve reliable and accurate information. The concentration of power by any one of these actors threatens to compromise the very foundational principles of the Web. Decentralized technologies like Bitcoin, Ethereum, Tor, and IPFS seek to reverse this trend. We're joined by Nick Sullivan, Chief Cryptographer at Cloudflare. Founded less than 10 years ago, the company offers content delivery (CDN), DNS, and DDoS protection services to over 12 million websites. The company contributes to open source cryptography libraries, some of which are used by Ethereum. They recently launched an IPFS gateway and features which allow users to have strong guarantees as to the integrity of the content.

Topics covered in this episode:
Nick's background as a cryptographer and previous position at Apple
The Internet's infrastructure and trust model
How Cloudflare is experimenting with IPFS
The challenges to hosting static websites with IPFS
Cloudflare's Onion routing service (Tor) and the benefits to users
The Roughtime protocol and encrypted SNI
Cloudflare's contribution to open-source cryptography libraries
The vulnerabilities of DNS and Cloudflare's free private DNS service (1.1.1.1)

Episode links:
Welcome to Crypto Week (article)
Roughtime: Securing Time with Digital Signatures (article)
Introducing CFSSL - CloudFlare's PKI toolkit (article)
End-to-End Integrity with IPFS (article)
Introducing the Cloudflare Onion Service (article)
Cloudflare's Distributed Web Gateway
Nick Sullivan's website

Thank you to our sponsors for their support: Deploy enterprise-ready consortium blockchain networks that scale in just a few clicks. More at aka.ms/epicenter.

This episode is hosted by Sébastien Couture and Sunny Aggarwal.
Show notes and listening options: epicenter.tv/264

Transcript
Starting point is 00:00:00 This is Epicenter, Episode 264 with guest, Nick Sullivan. This episode of Epicenter is brought to you by Microsoft Azure. Configure and deploy a consortium blockchain network in just a few clicks with pre-built configurations and enterprise-grade infrastructure. Spend less time on blockchain scaffolding and more time building your application. To learn more, visit aka.ms/epicenter. Hi, welcome to Epicenter. My name is Sébastien Couture. And my name is Sunny Aggarwal. Hey, Sunny. How's it going?
Starting point is 00:00:47 Going well. How about you? Yeah, pretty good. It's been a while since we've done this to go. Yeah, definitely. I think Enigma was the last one. But yeah, you've done some great episodes since I said congratulations on the coil episode. It was terrific. Oh, thank you. I listened to it twice.
Starting point is 00:01:02 That's some good at once. Yeah. Cool. Yeah, so today we're speaking with Nick Sullivan, and Nick Sullivan is the head of cryptography at Cloudflare. Cloudflare is not one of your typical companies that we usually cover on the podcast. It's more of a traditional internet company. But they're doing some really, really interesting stuff with cryptography that I really wasn't quite aware of before recording this podcast. Yeah.
Starting point is 00:01:35 And they're doing a lot to especially help bring a lot of decentralization technologies like Tor and IPFS and whatnot to like sort of the masses. Like, you know, a lot of like blockchain companies are like, you know, building really cool tech, but like it's really hard to get this stuff into the hands of like everyday users. And, you know, Cloudflare is like making a lot of this stuff a lot more accessible. Yeah, absolutely. I mean, I think just the fact that a company like Cloudflare is is writing the blog posts, you know, quite like long and detailed blog posts about what is IPFS and how they're using it. And, you know, these posts are read by, you know, probably tens of thousands of people outside of the crypto space is great for the ecosystem, I think. And, yeah, Nick was a great, great, great host, very articulate.
Starting point is 00:02:25 And, I mean, I really have a huge fan of, like, I've always been a huge fan of, like, decentralization projects that aren't necessarily, like, blockchain focus. And so Cloudflare has been working a lot with Tor and IPFS, which, like, you know, really excited me. Yeah. So we'll hope you'll enjoy this episode with Nick. And we do have a couple of announcements. So I think in the last episode I was on, I mentioned that I'll be at the Hyperledger Global Forum. It is from the 12th to the 15th. I'll be there on the 12th and the 13th. And I have the discount code now. And so if you're interested in attending, it is in Basel, Switzerland. It's in Brian's hometown and Meher's old city where he used to live. I've never been there. So I'm excited.
Starting point is 00:03:08 it. There's a discount code for 15%. It is HGF 18 News. So HGF 18 News. You can go to the events page. If you search for Hyperledger Global Forum, you'll find it. And if you can't remember this discount code, we tweeted it a few days ago. So you can see it. Yeah, it was tweeted on the 23rd of November so you can always go back to our Twitter feed and see it. So yeah, hopefully if you're there, come say hi. I'd be glad to see you. And Sunny, you mentioned you were also attending some events. Yeah. So next month, December 11th, there's a company called Dora Hacks, which has hosted a bunch of really cool blockchain hackathons throughout the world in China and Berlin and Toronto. And so they're actually holding their first event here in SF
Starting point is 00:04:08 on December 11th. It's completely free to anyone to attend. I'll be speaking and mentoring at this event. So if you want to come hack with me on some cool stuff, I'd definitely check it out. It's free and just look it up on Eventbrite, Dora Hacks, SF. I got a question for you. I've never attended a hackathon.
Starting point is 00:04:28 What would you suggest, like, for some, I mean, I'm quite technically, like, I know how to code. I don't code like every day anymore, but, you know, at some point in my life, I was like a front-end developer and I have some experience with stuff like Node. My smart contract development skills are near zero. But, you know, practically speaking, you know, if I'm interested in like learning how to do things, is a hackathon a good place to sort of like just, you know, jump in both feet first?
Starting point is 00:05:02 Or is that not recommended for someone like me? I would say that there's usually like often like two classes. of people who attend hackathons, that's people who are there to, like, you know, to go win, like, they want to build a cool project and end up with something at the end of the weekend and, like, actually, like, you know, or there's often people who are there just to, like, learn something.
Starting point is 00:05:21 And, you know, I've worn both hats throughout my hackathon career, if you will. And so, you know, so sometimes, like, I know, I go in with a project I really want to build and I'm like, I want to get this done in this weekend. And so I'll do that. But then there's sometimes where it's like, you know, I just want to, like, learn a new,
Starting point is 00:05:37 piece of technology. And so I just like try to choose like a very, very simple product project. And honestly, like when you at hackathons, like when you're experimenting a new technology, like anyone who's done this before, you know that like half the time goes into just like installing the software, which is, you know, not not fun. But yeah, definitely like, you know, look at, uh, check out like tutorials and like, you know, I would say like spend a lot of the hackathon instead of like building the product, first spend the first half almost like going through tutorials and then the second half if you're feeling comfortable then start to like try to work on a project uh directly um yeah right okay so it may be like a good uh exercise to like properly take some time and go do some tutorials around people
Starting point is 00:06:25 that can perhaps mentor you and this sort of thing so a good opportunity to learn if you're not going to build like a proper project and one of the like you know at hackathons is often a lot of mentors there. And I think that's honestly sometimes one of like the most underused like amenities that hackathons offer. So definitely talk to the mentors. And then also, you know, especially when I'm doing one of like the more learning style, I really like to not show up with a team. And I really like to like get to the hackathon and like find new people there to work with. It just makes it a much more fun experience in my opinion. Cool. Thanks. Thanks for the tips. I'll I think maybe I'll look out for some hackathons to attend then.
Starting point is 00:07:05 All right. So without further ado, here's Nick Sullivan of Cloudflare. Hi, so we're here today with Nick Sullivan, who's head of cryptography at Cloudflare. Nick, thanks for joining us today. Absolutely. Thanks for having me. Yeah, we're really excited about the show. When I found out that the Cloudflare was sort of dabbling with IPFS, it led me to do a bit more research about what you guys were doing in the area of cryptography. and it turns out that you guys are doing a lot of really, really cool and interesting stuff. And I'm always really fascinated when, like, companies in the more traditional web space,
Starting point is 00:07:44 you know, sort of intersect with, like, companies that were more familiar with in the blockchain space and projects and companies, like, in the sense of IPFS. And so that's why I was really really happy to have you on. So let's maybe start off by talking a bit about your background and, you know, how you got involved in cryptography and how you landed it as a head of cryptography at Cloudflare? Sure. Well, I have always been interested in math and mathematics and solving problems and puzzles and cryptography in general.
Starting point is 00:08:15 So when I went to school in Canada at University of Waterloo, I did a pure math degree and was really kind of enthralled by the abstract notion of, you know, taking, understanding the mathematical world. understanding how objects fit together, how prime numbers worked, how you could take something like as simple as, you know, two and three and five and seven, and you have these sort of infinite number of interesting problems and challenges to go through to discover this. And after I did a master's degree in cryptography, I got into the computer security world and worked for a little bit at Symantec. I wrote some documents.
Starting point is 00:09:00 basically on the internet security in general. They have this thing called the internet security threat report that kind of helped analyze what's going on online. So my kind of two passions were the internet and understanding what people are doing in this really kind of an amazing interconnected network that we all enjoy as the internet and cryptography, which is the science of secret information.
Starting point is 00:09:28 And so after leaving Symantec, I joined Apple, where I worked on a lot of some sort of secret cryptography-related efforts for about six years or so. And eventually I learned about this company called Cloudflare, which was a very young startup at the time, but was doing some really interesting things. For example, they had withstood what was at the time the largest distributed denial of service in history. And so a lot of what Cloudflare was doing was really interesting to me because they were offering a free service to help accelerate the web as well as protect it from threats. And they're kind of kind of at the center of everything that was going on online. So when I joined Cryptography, I was the first kind of security engineering focused person at the company. And I've been here for about five and a half years growing the team.
Starting point is 00:10:28 The company has grown tremendously since then. We're now a big startup, if you will. Still a private company. So I started the cryptography team at Cloudflare in order to use this really interesting tool, which is cryptography, encryption, hash functions, all this sort of really cool math science that lets you protect information online as well as provide properties like integrity and non-repudiation. And I started building a team to help take cryptography and apply it to some of the bigger
Starting point is 00:11:08 problems that Cloudflare was facing and to basically spearhead new research in this area. And so this is what I've been doing ever since. So when you were in college studying or university, as us Canadians say, and studying cryptography in Waterloo and getting into your career, did you have any idea that like cryptography would become such an important thing like today? I mean, just if you think of blockchains, it's such a central, it plays such a central role in the functioning of that technology and also just generally the web. Did you do think that's, you think that's this was something that would become so massively important for the world?
Starting point is 00:11:52 Well, it was very hard to see what happened, right? It's hard to predict what happened. Like, for example, my thesis was on elliptic curve cryptography, which at the time was barely, barely ever used for anything in production. It was sort of you could use SSL for your website, right? You'd have encryption for your website, but everything that people were using was based on Diffie-Hellman and RSA, which were the two standard algorithms developed in the 70s, and elliptic curves were this kind of new thing. And now this is actually the fundamental glue that holds together Bitcoin,
Starting point is 00:12:28 as well as Ethereum, and it's also the most fundamental cryptography for protecting information online when you're browsing the internet. So it was very hard to see at the time that, you know, this interest of mine would become one of the key technologies to, enable technology in the 21st century. Could you, like, give us a little bit of a brief lowdown on, like, what Cloudflare is overall? You know, it's like, you know, it's not a traditional blockchain company. So some of our listeners, I'm sure I've, like, heard of Cloudflare, but maybe I don't know quite exactly what they do.
Starting point is 00:13:05 And, you know, it's a relatively young company, actually, right? Like, I think only nine years. And, like, somehow it's grown to become this, like, almost like, centerpiece, like, very integral part of the entire web infrastructure. So could you tell us a little bit about what are the different kind of things Cloudflare is working on and whatnot? Sure, yes. Well, Cloudflare is an Internet security and performance company. The mission of Cloudflare is to help build a better internet.
Starting point is 00:13:31 And that's really what we're trying to do is folks who operate websites and who operate web services and who offer services online, whether you're sort of a small, the smallest sort of individual hosting your own blog to a very large corporation, a large enterprise that has massive sets of customers and, you know, very, very high requirements. What Cloudflare does is just help make your site or your property faster, more secure, more available, and to give you insights. So the way that Cloudflare does this is using, I guess, the two main traditional protocols on the internet, HTTP or HTTPS, the encrypted version, and DNS. So Cloudflare has data centers distributed all around the world over 150.
Starting point is 00:14:25 I don't have the exact number now, but in basically every continent except for Antarctica. And so the way it works is if you sign up for Cloudflare, rather than visitors to your site going directly to your site, which could have to travel across the entire world, which, due to speed of light considerations can actually, you know, slow things down, you connect to the nearest Cloudflare location. And if we have, if you have sort of static content on your site, we can serve it directly from there. So we can also apply rules. So rules to protect against different types of attacks. So if you think of people doing SQL injections or cross-site scripting attacks or all these sort of web security things, by being able to inspect the traffic,
Starting point is 00:15:12 we can block these attacks. And the part that's closer to my responsibilities is that we also can provide encryption. So in the early days of the web and some of the more challenging things that a web administrator has to do is set up encryption and encryption security for your website. So to move from HTTP to HTTPS, you have to buy a certificate or get a certificate issued and manage the configuration and do these sort of things that are a little tricky. And Cloudflare makes that kind of dead simple and handles it on your behalf. So Cloudflare as a service has grown tremendously. And one of the reasons for that is that we offer a free service. So there's over 11 million domains or so that use Cloudflare's
Starting point is 00:16:00 free service, which is probably why so many people have heard of it. And so yeah, you can sign up for Cloudflare and get denial of service protection. So if someone's trying to knock you off the internet, we'll sit in front, right? And we can see the bad traffic and we can kind of keep you online while other people are trying to take you off. And so it's great because having all of these different customers gives us a visibility into what's really happening on the internet. And we take what we see from the general set of customers. And if you see an attack against one customer, you can use it to protect other people. So it's a real center of the internet kind of thing where things go through us and we learn about it and we help make the internet better.
Starting point is 00:16:49 And we're not only involved in just providing this service. We're also, we really care about making the internet scale going forward and to make the internet better. So we're involved in standards, for example, TLS 1.3, which is the recent encryption standard for, for websites. We were closely involved with that. And my team, we do a lot of research on the cryptography side to see what new ways we can change things so that in the future, using the internet is safer, more secure, faster than it is today. Are you using your own dark fiber between data centers? No, we use the internet, which is why we rely on strong encryption so much. So every one of Cloudflare's data centers is independent and I guess you could say technically
Starting point is 00:17:44 decentralized, although administratively centralized. And we communicate over the internet, over different interconnections with different networks. So Cloudflare is actually the most connected network on the internet. We have more peering sessions with other networks than anybody else online. Yes, we use Cloudflare on a website, and we use the paid service, and I also use it on some other websites, like the free service. And I kind of see Cloudflare as this, like, nice blanket of security, but that also provides, like, a bunch of optimizations. Like, it serves your CSS and your JavaScript super fast and your HTML. And it has these, like, built-in, you know, like this built-in fortress that you can call upon at will if you're, if you're being attacked that, you know, sort of like come into action, like if certain rules are being, are being triggered. So, yeah, it's a, it's a really
Starting point is 00:18:40 great service. And like, no wonder that a lot of people are using it. And it does show up in a lot of places on the internet. I mean, you very often see Cloudflare landing pages and like CAPTCHA landing pages quite a bit online. So we'll come back for the CAPTCHA thing a bit later. But in September, you and some colleagues of yours wrote a series of blog posts and we'll link to these in the show notes. And I strongly encourage anybody listening to this to check out these blog posts because they're really terrific. So it's called Crypto Week. So welcome to Crypto Week, in which you describe all the different things that Cloudflare is doing with crypto, but like sort of innovative stuff, right? So like with IPFS, with a rest of Tor, like DNSSEC. And reading
Starting point is 00:19:27 these blog posts, I was like, these are great primers for anybody that's really looking to understand fundamentally how this stuff works. Like, how does a DNA, like, how does your HTTP request function? Like, when you call a website, like, what, who are the different parties at play here? Where are the trust points? You know, where are the vulnerabilities? And how is Cloudflare doing it better? So I thought these, these posts were really terrific. But in this post, you mentioned, so the trust relationships that one has to engage in when using the internet. So whether that's like visiting a website or, you know, chatting online or like using social media. What are your thoughts about how we trust the internet sort of at a broad scale?
Starting point is 00:20:11 Do you think most people have a good understanding of where the trust points are on the internet? And if and if not, how can companies like Cloudflare like help make that better? Yeah. So I would say in general, people don't understand the trust relationships online. You enter in a website and you go to that website and it comes to you. You enter in a host name or a URL and it goes through. You click on a link or open an app and you just get content. But there's a lot of interesting things that go on behind the scenes.
Starting point is 00:20:46 And a lot of these have to do with trust and trusting and actually the implicit trust that is built into the technology that you're using to browse the internet. to show you what you expect and to make sure that what you're getting is something that you're intending to get. And so there are a lot of parties that are involved in this. And some of the very obvious ones are registrars. So a registrar is a company that you use to buy a domain name. And so if you buy Google.com or my site.com, then you have a registrar. And you kind of work with this registrar to make sure that your website is advertised. And your web registrar is connected to a DNS provider.
Starting point is 00:21:40 And so when you type in Cloudflare.com into your browser behind the scenes, you have to know what IP addresses Cloudflare.com is on. So there's this entire system called DNS, which is a name system, which is managed by a lot of different entities around. It's sort of one of the first decentralized systems or, I guess, hierarchical systems out there. So you have to look at where who.com is, and then dot com tells you who example.com is. And then you talk to example.com, and then it'll tell you what IP address you actually use to connect to example.com. So from just a names to numbers perspective, the internet is based on IP addresses, your numbers. DNS is kind of the phone book that goes from your name to a number.
Starting point is 00:22:33 Other pieces that you have to have to trust involved when you're doing encrypted connections. So if you're going to an HTTP version of a site, that site has a cryptographic key. and this is embedded into a certificate. And so they present you a certificate and you do this sort of handshake and then you have a secure channel. And so one of the things that your browser has to do is know how to trust which certificates, correspond to which websites. And this is another system, another sort of system of different organizations that make up something called the public key infrastructure. And so your browser trusts a bunch of certificate authorities who are the only ones,
Starting point is 00:23:17 that are allowed to mint certificates for different host names. And so the system has been around since the 90s, and there's been some problems with it over time. Certificate authorities have been compromised, and that's put a lot of people at risk. Certificates themselves need to have an expiration period, or else certificates from the 1990s using old cryptography that's been broken would still be valid.
Starting point is 00:23:44 So there's a lot of challenges with, with, trusting this. And we don't even need, we can't even go into this even more, but, but even at the lower layers of the internet, IP addresses, the internet is a set of, you know, hundreds of thousands of interconnected networks that have to actually exchange data. So when you, when you're one network and you say, hey, this IP address 2.2.2 or 1, 234 belongs to me. then, well, you need to be authority. You need to actually trust that when someone says, yeah, you know, send that traffic to me that it actually belongs to you.
Starting point is 00:24:25 So there's multiple different layers, and the intro blog post really goes into this in depth. And so as a general user, all of this is happening behind the scenes. And you really have to trust it. There's, you know, there's the very minimal thing. that you have in browsers, which is that padlock, which does imply some things. It implies that the certificate that you're getting is valid for the site, and this is the site that you're trying to go to.
Starting point is 00:24:55 But there's a lot of threats out there. And there's a lot of ways that people try to manipulate this and hijack this and, you know, steal people's traffic. But generally, this is not a well-understood thing by the public. So companies like Cloudflare are investing in various technologies. that, you know, help simplify this for folks, like help make it so that if we are connecting with other entities around, around the internet, that we can trust them. And we have to agree on protocols to do this and define these protocols and implement them and
Starting point is 00:25:30 get everyone to kind of agree on standards. And so that's, that's one of the, that's one of the interesting organizational challenges and interorganizational challenges that we have to deal with right now. But luckily, for our security and for people's privacy online, is that there are a lot of organizations who do care about this and who, you know, are impacted when malicious things happen. So companies like Cloudflare and others are working to help improve the situation. If you've listened to previous episodes with Marley Gray and Matt Kernar, you know that Microsoft is committed to providing enterprise grade tools and infrastructure for blockchain developers. Well, the Azure blockchain workbench is perfect for organizations building consortium networks.
Starting point is 00:26:18 Take the Ethereum Proof of Authority template, for example. It's ideal for permissioned networks where consensus participants are known and reputable. Ethereum on Azure has on-chain network governance that leverages Parity's extensible proof-of-authority client. Each consortium member has the power to govern the network or delegate their consensus participants to a trusted operator. And Parity's WebAssembly support allows developers to write smart contracts in familiar languages like C, C++, and Rust. Azure Blockchain Workbench was created on the same principles that drive all production services in Azure, so you know you're relying on secure, redundant infrastructure that can scale. And with built-in services like authenticated APIs, off-chain databases, and secure key management
Starting point is 00:26:57 services, you can scaffold your infrastructure in just a few hours. To learn more about Azure Blockchain Workbench and how Microsoft is advancing blockchain usability in enterprise, check out aka.ms/epicenter and start building today. We'd like to thank Microsoft Azure for their support of Epicenter. A lot of these authorities that you mentioned, like, you know, for example, the certificate authorities or, you know, you mentioned DNS as like a hierarchical system. Where do these, where did these authorities come from, like, sort of who decided them? And, like, you know, was it just happened to be like, all the companies who were around,
Starting point is 00:27:31 like, back in the 80s? Like, they just happened to, like, be grandfathered in? Or how does that process work? Well, yeah, the internet has evolved over the years in various different ways. And, you know, original, like, we can go into like the origins of the internet as a DARPA project. And the switch to TCP/IP in the 80s and the evolution of the DNS. But it's really sort of happened organically over time. And then some organizational bodies have been put in place to help guide this.
Starting point is 00:28:08 And so, for example, Internet protocols, there's a volunteer group, called the Internet Engineering Task Force, the IETF. So if you've heard about RFCs, when people say, oh, RFC, whatever, whatever, this is a certain protocol. Like DNS is a set of RFCs. That's what the IETF does. There's IANA, which is an organization that is associated with managing names and numbers, and they have lots of processes around that.
Starting point is 00:28:37 There's ICANN, there's the set of regional registries. So there's the entire IP space, North America has a group called ARIN, and they distribute up the IPs to different organizations by different bids. So these are often organizations that are a mix of profit, non-profit, but generally have a mandate to be good stewards for the Internet and to make sure that this technology that we all rely on is something that is available for everyone in the world, that enables kind of equal access and that, you know, continues to to grow in terms of having both commercial and non-commercial uses.
Starting point is 00:29:22 So one thing I find interesting is often when people are talking about like cryptography slash blockchain things, there seems to often be like three somewhat independent goals that often get like correlated together, but I think actually should often be thought of as somewhat independent. And I think the three here, what I see is like privacy, security, and like decentralization. And the third one, decentralization is just like very vague kind of concept that came up in the last few years along with the blockchain space. And so, you know, reading through your blog post on the Welcome to Crypto Week, you talk about like, you know, a lot of the stuff about like the immutability that IPFS provide, which kind of goes along with
Starting point is 00:30:05 security. You talk about the privacy that Tor provides. but not too much talk about like decentralization. And so, you know, would that be a fair characteristic to say that like when you guys are approaching this like cryptography on the internet, you guys are really much more focused, almost like you're willing to accept this like these like authorities and centralization that exists on the internet, but are trying to focus primarily on improve and almost, you know, like kind of becoming one of the central authorities on the internet, but really trying to focus on pushing the security and privacy side of things.
Starting point is 00:30:37 Would that be like a fair characterization? Well, I would say that Cloudflare is trying to serve its customers. And Cloudflare's customers are not only websites and web services that use Cloudflare, but you think of the users of the Internet as a whole. And if the Internet becomes more functional and if people are happier online and are more likely to do business online, then it leads to the growth of the entire industry. So security is one of the very, very, very most important things for the company. If you get hacked or somebody steals data from your website or someone tries to mess around with your users, this is going to impact trust.
Starting point is 00:31:18 And it's going to impact the bottom line for a bunch of businesses. And same with privacy. If you think of how people are really waking up to privacy online and what you share and what the motivations of organizations that are based on monetizing individuals' actions online have done, and how that's grown, I think it's another really big, really big, salient thing to humans. So security and privacy, I think, are things that human beings understand and relate to and businesses understand. Decentralization is, it's more of a more of a second order goal, right? I mean, if you don't have decentralization, you have these, if you have, if you have sort of
Starting point is 00:32:04 fully centralized systems, you have these really, really, really inherent risks to your system. So if you sort of think back to the mid-20th century, the telephone system in the United States, there was a, Bell had this massive monopoly over the way that communications, telecommunications happened. And that led to a lot of really fascinating and amazing innovations. You think of the transistor, a lot of radio communications, and all the sorts of amazing things they created and they actually did connect everybody online. But until Bell was broken up, we didn't have this ability for all of these internet companies to kind of come out of nowhere and be able to compete with each other. So you have centralization
Starting point is 00:32:58 and I guess if you think in the corporate terms monopolies are ways to build wealth and make something really good, but it also leads to the ability, the tendency to kind of abuse the abuse power. And having a diversity of participants, a diversity of views and a diversity of components in a system, and I guess decentralization is one component of that is, I guess, a result of having a lot of different participants is something that actually really helps innovation, helps competition, and helps things grow. So it's less relevant to individual customers and people, but it is a second order goal. And it is something that we think about as well.
Starting point is 00:33:48 And when talking about the cloud computing space and how people are running services, we do worry about companies that are kind of massive central points of lock-in, right? I mean, if you think of the AWS re:Invent conference is going on this year, it's the largest trade conference in the United States. And that's a company that, you know, wants everybody to put all of their computing workloads onto a single company. And there's a lot of lock-in associated with that. So I think from a cryptography perspective, decentralization is important. But I think also from a business perspective, having a lot of different options is important for a healthy ecosystem.
Starting point is 00:34:34 Yeah, there's a thing that, you might be familiar with Zooko's triangle, Zooko Wilcox-O'Hearn, the founder of Zcash, and Zooko's triangle is like you have security, decentralization, and human readable names. And I think there's a lot of overlap with this question here where I think, like, I think user experience also plays a big role or should be considered in, like, how we build systems.
Starting point is 00:34:58 And so if you have a system that's like secure and easy to use, but where you don't have this robustness which is meant to be brought on by decentralization, then really, you know, you might have to choose between two of those three points on the triangle. I don't know if someone will actually solve that, but it seems difficult. Yeah, it is difficult. And there are tradeoffs that you can make in any one of these little corners. And finding the right ones are fighting the right tradeoffs are hard to do. But considering where we are as a status quo, there's always improvements to be made to try to, you know, square Zooko's Triangle, if you will.
Starting point is 00:35:46 Yeah. So let's move on to the core topic today. We want to bring you on to discuss, and that's IPFS. So within this Crypto Week series of blog posts, there were two blog posts about IPFS, one that sort of explained what IPFS is, for the average person who doesn't necessarily know about IPFS. And another post that described this experiment was based on this concept of end-to-end integrity. So could you describe, like, why is Cloudflare experimenting, well, yet, with IPFS? And what are you guys doing here? Yeah. So I think one of the important things that Cloudflare is trying to do is to, well, as I mentioned, make the internet better.
Starting point is 00:36:32 But one of the aspects of this is connecting users of the web to some of these new networks that have values and have properties that the current web doesn't have. And IPFS is one of them. As a content addressed network, every piece of content has a hash as a specific unique fingerprint associated with it. And unlike the web where you look things up by names, with IPFS you can look things up via a fingerprint of what they are. And so the traditional web is not necessarily immutable. You have different things that can happen. You have a lot of very dynamic web pages,
Starting point is 00:37:16 and you have services like Cloudflare that can see and detect things going wrong and sort of modify and optimize things on the fly, which is great. But with IPFS, there are certain use cases that people have for this, where they just want things to absolutely be guaranteed that you're getting exactly what you were sent. And if you think of things like package managers or image sharing or things like this,
Starting point is 00:37:47 where you have something that's static that's never going to change, then IPFS makes a lot of sense. So the IPFS gateway, though, is I guess the first of what we're calling the distributed web gateway, which is a way to access IPFS as a network through HTTP. And so people have web browsers. People don't necessarily, on, I guess, the broadest sense, there's a lot of experts and people who are interested in the space who are really keen on these decentralized networks who run nodes and are happy to do these sort of things.
Starting point is 00:38:28 But the general populace has a web browser and they know how to use a web browser. And so what this gateway does is allows people with web browsers to, you know, connect directly to IPFS. Because IPFS is static, Cloudflare is a really, really great service for that because we can do caching. We can keep copies of data really close to people. We can distribute data all around the world.
Starting point is 00:38:53 And so you mentioned the experiment that we did, which is a browser plugin for end-to-end integrity. I guess one of the purists' complaint about having a gateway to something like IPFS is that as a question is, you know, what if the gateway changes the value? I mean, the value of or changes the content and the value of IPFS is in the fact that it's content addressed. So if you build a website, it's guaranteed to be the same for every single person who sees it. There's no censorship. There's nothing like that. It's just you publish one thing once and then it becomes, you know, they're in the universe forever. And this is why it's called the interplanetary file system or one of the reasons is that, you know, publish something once, it's available at all times. And if you have a
Starting point is 00:39:45 gateway, HTTP is, as I mentioned, it's not really based on this end-to-end integrity concept. But with an IPFS gateway, you can put the hash as, as, part of the URL. And with this extension, you actually can validate that that hash in the URL matches the hash that you expect. And the way that it's actually chained into, way that it's actually chained together is with DNS. So if you have a have a website, you can say, in the typical sense, you have, here's my host name, and it gives you an IP address, and that gives you the address. So this is, this is about routing. With our IPFS experiment, you have, this is the host name, this is the hash that represents the content on this
Starting point is 00:40:34 website. And so what the browser extension does is it just valid, make sure that, you know, what you're seeing on the site matches exactly what was published in the DNS. And it's kind of ties in with our other efforts of the week, especially DNSSEC, which is just signatures in the DNS itself. So if you trust the DNS and you trust the DNS central authority, then this is a way to, you know, put IPFS into an existing system to help kind of validate the integrity from within the browser. How has, like, the adoption been of this Cloudflare, like, IPFS, you know, you can almost consider like IPFS as a CDN of sorts, like a content delivery network. And so have you seen that, like, Cloudflare's offering has, like, helped increase the adoption? Because, you know, I actually tried to put my website onto IPFS. It's been a while,
Starting point is 00:41:33 actually, it's probably over a year now. So the technology is probably a little bit more immature. And, you know, I had quite a hard time doing so. And so, like, you know, you guys have built a lot of the tooling to make this easier and stuff. How has been, like, the public reception and stuff to this? Yeah, I think people are really excited about the IPFS gateway. And they're really excited because of the possibilities that it unlocks. And the content hosting side on IPFS, I agree, it's relatively immature. So if you want to host something on IPFS, you can, you know, host it from your local laptop or you can use one of these services.
Starting point is 00:42:14 That's a pinning, pinning service. But yeah, the publishing side of it, I think, needs some development, but actually integrating the access side is where the gateway really shines. So we've seen all sorts of different customers or websites or properties that really believe in decentralization and believe in having a source of truth for their data that is distributed beyond their own data centers. This is actually good for things like disaster recovery, and they need a way to bootstrap their app
Starting point is 00:42:54 or they need a way to bootstrap their application. And like the fundamental belief is that, you know, we want to build this in a distributed way, but we don't necessarily, you know, one of the drawbacks of IPFS as it is, is it's relatively slow to actually get content. And so having this gateway is a way to speed things up. You get all the benefits of Cloudflare,
Starting point is 00:43:18 in front of this network that you have integrity protection and you have decentralization. So it's been coming up. We've definitely seen a lot more adoption since we launched this several months ago. And not just from the distributed application space, but also from more traditional companies as well that have an interest in decentralization. So if I could just sort of rephrase what you guys are doing here because there's different components I think that need to be separated out. So the first is an IPFS gateway. And there are tons of IPFS gateways out there.
Starting point is 00:44:00 And I think most of our listeners are probably familiar with them. So there are these websites that you go to this URL. So example dash gateway.com, I think is one of them. You go to this website. You pop in a, you just add the IPFS hash to the URL and it serves, like this gateway is in the back end connected to an IPFS node and it is serving to you the content on the IPFS network. And the vulnerability here is that, you know, perhaps this website is sort of doing a man in the middle type of attack where it's serving you
Starting point is 00:44:32 another piece of content than the one that you initially requested. And you have really no way of doing, knowing that unless like you, you know, do like an MD5 or like verify the hash of the content once you've downloaded it that it verifies that it matches with the hash of the address. Yeah, that's right. What you guys are doing is like a step beyond that. You're actually putting one of those gateways in the Cloudflare sort of wrapper. So all the IPFS, all the content on IPFS is now available super fast in one of these 150 data centers that you mentioned earlier. Yeah, that's right. So that's the Cloudflare IPFS gateway is. Yeah, it's like you take any typical gateway and then you cloud-flarify it.
Starting point is 00:45:16 Okay. So that's great because all of a sudden you have this really fast content network, this content delivery network that's serving up IPFS content. It's kind of similar, I guess, like it reminds me of this project we had a few weeks ago called bloXroute versus like content delivery networks for blockchains. But yeah, it's sort of similar to that. But then the issue with that is that if you're using it and maybe you trust example gateway.com because some nice crypto person's hosting it or I don't know someone you may meet at a
Starting point is 00:45:50 conference is hosting it you might trust that person. The issue here is that people might not trust Cloudflare or at least Cloudflare would like to prove that the content that they're delivering to you is actually the content that you requested. So what you build here is a browser plugin that checks the IPFS network and makes sure that that content matches the hash that you requested? Well, more specifically, it checks that the hash, if you're using the Cloudflare gateway as, you know, Cloudflare dash IPFS.com slash your hash value.
Starting point is 00:46:25 It checks the value of the content against that hash. The really, really cool part that I didn't actually go into detail, but. So just, sorry, so it checks the value of the content against the hash. So it does this in the browser. There's no like, right. It doesn't sort of like go and do an IPFS request, you know, a parallel request to verify, it checks the hash and it does sort of the hashing algorithm internally and verifies that it matches. It's kind of like doing an MD5
Starting point is 00:46:51 verification. It's like MD5, but better hash function. Of course. Yeah. MD5 is a little breakable right now. But the other really cool thing that you can do with Cloudflare's Gateway is bring your own host name. So rather than have Cloudflare dash IPFS.com slash whatever, you can just have my website.com and you just say my website.com is on IPFS.
Starting point is 00:47:17 Here's the hash of the root file of my website. Okay, so this is the third thing I want to talk about. So there's the gateway, there's the verification tool, but then what wraps this together is saying, okay, now as a Cloudflare user, as someone who has a website
Starting point is 00:47:34 hosting on Cloudflare, like Epicenter, for instance. But you can set this thing up on your website or in your Cloudflare account. It tells Cloudflare index my, like you guys are running an IPFS node and it creates basically a copy of your website and all the web pages on your website,
Starting point is 00:47:55 static content on this IPFS node that is now available to the entire IPFS ecosystem. Yeah. It's sort of like that. It's more that you have to put your content onto IPFS some way. And if someone tries to access your website through Cloudflare, we will fetch it from IPFS. So Cloudflare as a service doesn't host content. And this is sort of a very important key part of what Cloudflare does is we cache content.
Starting point is 00:48:29 And so we need a place that's sort of some root of source of truth. And so if you're going to use this service, you can run a local node on your computer and say, I'm going to host from here. And we will grab it from there. We'll keep a copy around as long as we can and serve it from Cloudflare's cache. Alternatively, you could pay a service to keep a copy of your content on IPFS, and that's the host. And then Cloudflare just goes on to IPFS, fetches your content, puts it around the world, and anybody who wants it can get it through us. Does that make sense? Yeah, yeah, that makes sense. We're not actually hosting things on IPFS.
Starting point is 00:49:09 Although if you fetch something through IPFS, our node will have a copy of it. So it actually helps improve the duplication of content in IPFS, which is really important because if there's only one copy of your content in the IPFS network, then if that copy goes offline, then the content's no longer available. And so essentially what you guys have done is, you know, allowed, for that third part of this, like, project, you kind of allowed IPFS to almost integrate well with the existing DNS system, right? So I can now, like, I can have my website accessible, my IPFS hosted website accessible through, like, my own personal, like, domain name, but still going through Cloudflare's, like, CDN. Yeah, that's right.
Starting point is 00:49:59 And because we are so good at issuing certificates and kind of managing that, then you also get, get encryption for that website. So sort of automatically. How do you like see like the future of like IPFS? Do you see like it being like sort of a complementary service to like HTTP or protocol to HTTP or more it's more competitive? Do you see like, you know, maybe websites will be served over HTTP, but like certain assets on the website are over IPFS, how do you see this like amalgamation of these two protocols going forward? It's an interesting question because nobody really knows. The hope is that, you know, IPFS provides a specific niche in a specific property that HTTP doesn't and that the expectation
Starting point is 00:50:48 would be that they would both kind of live in parallel. You can't necessarily do a lot of dynamic stuff with IPFS, but the integrity protection that it has and the actual distributed nature of the hosting, I think makes it useful for specific applications. So I think you'll find applications that are mostly HTTP, applications that are mostly IPFS, and applications that are sort of a mix of the two. And it really depends on how well browsers and other technologies adopt this. So if you have like a mobile app that has native IPFS support or a mobile SDK that comes out with native IPFS support, then maybe it'll become more popular in apps that
Starting point is 00:51:34 would need this. But yeah, I tend to see them as complementary. They both have their advantages and disadvantages. Yeah, I was speaking with Juan Benet at Web 3. I kind of bumped into him and asking him about this very thing. And from his perspective, I mean, like browser support is at least partly possible. So I guess like Chromium is supporting it now and like their dev versions and maybe Firefox will support it soon
Starting point is 00:52:05 or can't remember exactly, but you know, browser support is coming and I was actually quite surprised to see how fast that had come. I mean, when we had him on, I guess it was episode 100, well, 163 weeks ago or something like that.
Starting point is 00:52:20 I thought this was like years to get integrated in the browsers, but it seems like it's moving much faster than. Yeah, my understanding is that the path that they're taking is first exposing IPFS as a first order protocol. So you have HTTP colon slash, slash whatever. You could have IPFS colon slash whatever. And the transition to get there is that if you have IPFS colon slash slash, you can you can register a plugin that is able to handle that for you. And that's that's sort of the first step. And then eventually down the line, the IPFS node will potentially be native in the browser. But right now, it's, it's all browser
Starting point is 00:53:03 extensions. So what did you learn from this? Well, I guess we learned a lot. First, that latency is really an issue when it comes to user experience. So if you are the first person to ever fetch something through the IPFS gateway, then it has to go back to our node, and then our node has to search on the internet and find it, and then get the copy, and then send it to the cache, and then it can eventually take, you know,
Starting point is 00:53:40 a long time for content to show up. And so for certain applications, it's, the user experience is potentially problematic. if you don't have a lot of caching and a lot of ability to serve things immediately. The other thing we learned is that you can build some pretty interesting, unexpected applications, even on a platform that is essentially for static content as IPFS is in its current incarnation.
Starting point is 00:54:14 So one of the examples that we did with the IPFS gateway is we built a searchable mirror of Wikipedia. So you can actually link to this site that's on IPFS and you can build essentially search type capabilities into IPFS because a search is essentially a table, which is a static file. And then you can put JavaScript into there. So you can do some really cool interactive things with IPFS. It's not just about serving up static images. It's a fully fledged platform. So I think those are the two things that we learned about IPFS. The other thing that we learned is just the interest in this area is huge. A lot of people are really trying to figure out how to engage with and take advantage of
Starting point is 00:55:10 and, you know, have, reap the benefits of new technology and that provides new features. Like having having resilience to single, to failures is a big thing. Having integrity and people are really thinking about trust and hosting websites and hosting web services
Starting point is 00:55:41 and running things online. It's more and more important for people to be able to trust what you're doing. And as the infrastructure grows, there's just so many more participants that it's hard to, hard to actually, you know, implicitly trust everything that you're doing online. So we have to build these technical measures. And there's a lot of interest in this from lots of angles. Cool. So one of my favorite stories actually regarding like IPFS and gateways is I was talking
Starting point is 00:56:15 to Jeremy Johnson from Protocol Labs. About a year ago, last DevCon. DevCon 3, so November 2017. And this was like right around, like, right after like the whole like, Catalonian, Catalan referendum around independence that was going on. And so what was happening during that process was the Spanish government. So, you know, there were a lot of like pro referendum websites, people, like websites showing people, like how to go vote and like, you know, just like reasons why like, you know, just general pro websites.
Starting point is 00:56:49 and the Spanish government was like sort of censoring these and shutting a lot of them down. And what was really cool was IPFS was actually being used to keep some of these websites up. And so people were like hosting them on IPFS. And I thought it was really cool because it was one of like, I don't know, I think one of the first times that like this generation of like decentralization technologies has really been used to like cause like a physical like a tangible impact on like current, on world, on world politics or whatnot. But then there was something interesting happening where the websites were being hosted on IPFS, but everyone was accessing them through the ipfs.io gateway. And what the Spanish government essentially ended up started doing was actually censoring
Starting point is 00:57:38 the ipfs.io gateway. And so now people weren't, and most people weren't even aware of any other gateways. and people didn't have the software, you know, it's not easy to install the IPFS software. And so it just suddenly became very inaccessible to them. And so this kind of like leads into the other, one of the other kind of centerpieces of your crypto week that you had was about Tor. And so how do you see this like interesting relationship between IPFS and Tor? And like what can IPFS gain by being served over Tor?
Starting point is 00:58:14 Yeah. So I think, I think of Tor as in the same family of technologies as IPFS and a lot of these new blockchain distributed web type technologies because it really is a lot of independent nodes
Starting point is 00:58:29 that work together to provide a property that you wouldn't get with a with the regular web. So with Tor, what it does is it provides you with routing anonymity and it uses a layered encryption
Starting point is 00:58:45 approach to do so. And in terms of their tradeoffs, latency is one that they just don't really care about. It's actually anonymity is much more important than getting things quick. So the typical web, I mean, the unencrypted web and potentially even IPFS, if you're talking about distributing this content, it's the opposite of anonymous, right? You're connecting directly with another person and requesting a very specific thing. They know what you're asking and they know who you are. But it provides integrity. So you have one network that provides integrity and one network that provides anonymity.
Starting point is 00:59:28 Then it sort of makes sense to, if you want both, you can kind of put one on top of the other. And what Cloudflare launched during Crypto Week was essentially a way to access the Tor network. It's kind of like Cloudflare put an IPFS node into the IPFS network. Cloudflare put a Tor node into the Tor network as well. And this Tor node is used to route any traffic to any site that's on Cloudflare. So if you connect through Cloudflare's Tor node, which is a .onion address, we've got about 10 of them, if you connect to any one of those and make a request for any site that's on Cloudflare, it kind of goes through. And so the bottom of the diagram that I think you're referencing on the page shows a user going through Tor and then connecting out the Tor point through Cloudflare and then to the Cloudflare IPFS gateway and then to IPFS.
Starting point is 01:00:27 So I think if you're doing so, you're going to get a very slow connection, but it's going to be very private. Even Cloudflare doesn't know who you are, but you also gain, you know, the end-to-end integrity properties of IPFS. So I think they're pretty cool complementary technologies if you're okay with things being extremely slow. I see. So this whole like onion routing service that you guys built that week, you know, I know in like the past year, especially on like Hacker News and stuff, there's a lot of
Starting point is 01:00:57 people like to like blame Cloudflare's like especially the reCAPTCHA features for sort of like the degradation of the user experience on Tor. I always thought that it was a bit of like an unfair blaming. But could you explain a little bit of why this whole reCAPTCHA system is like so necessary in Tor and then how your onion routing service protocol like helps resolve some of those pain points? Yeah, absolutely. So as I mentioned, people come to Cloudflare for security, insights, acceleration, things like this. Security is one of the main things. And if you talk to the average webmaster or the person running a website, they actually don't really have a very favorable opinion of Tor.
Starting point is 01:01:47 Because as an anonymity network, it's very easy to send abusive traffic through it and not have to deal with the consequences. So a lot of the traffic that actually comes through Tor and comes through exit nodes is attack traffic. and it hits our web application firewall, and we say, what is this? And sort of block it. So the way that the Cloudflare is currently set up and we're hoping to improve the system is to use something called IP reputation
Starting point is 01:02:20 and IP reputation databases to help make a determination as to how likely an HTTP request is going to be malicious or not, or part of a flood or not. Is this an attack or not? And so what we do is we use a CAPTCHA to kind of prove that it's a, to force the user coming through to, to prove that they are a human, or at least able to solve one of these human interaction puzzles.
Starting point is 01:02:51 And sort of once they prove that they're a person, then we say, okay, great, you can come through, do whatever you want with this website. But where you're coming from seems to have a lot of bad requests. And so the kind of danger level gets elevated. And this is something that our customers expect is that they have to pay for bandwidth. They have to pay for what it takes to administer a site and run it and deal with comment spam, and deal with all these sort of things. And, you know, this IP reputation is a very coarse way of lowering the amount of crap that you get, if you will, on the site. So because of how Tor works is that there's a couple, there's a small set of computers that are called Tor exit nodes where the traffic goes into the Tor network and then exits out of those nodes into the internet.
Starting point is 01:03:46 These IPs tend to be given a pretty bad reputation because there's so much bad stuff coming from them. So this is kind of the crux of the reason why people see so many CAPTCHAs while using Tor and why Cloudflare is sort of being blamed for the degradation of this network. And we didn't like that. We think that, you know, Tor is a valuable tool, we still need to protect our customers from attacks. And we, and like, these are this is who we're building the service for. And this is, these are the people who, you know, we want to use Cloudflare.
Starting point is 01:04:19 We still want to give them that service. But we also think that the secondary effects on the Internet as a whole, it's, are important as well. So having more people use an anonymity network, having people gain these properties of these alternative networks if they choose to use them and not be punished for it is something that we're really interested in. So what our Tor gateway does is it allows folks who are browsing websites on Tor to actually access Cloudflare websites through, as I mentioned, a node that's running in the Tor network that has an Onion address. And I guess every time that you connect through the Tor network to an Onion service, you connect
Starting point is 01:05:06 through a circuit. So there's an entry node, there's a transit node, there's a third node, and then you can connect to the site. So every one of these circuits is unique for every person. And when you run an Onion service, you actually get a circuit ID. You get to know whether or not two different connections to the same service are from two different people. And because of that, you can actually apply policies on a very selective basis.
Starting point is 01:05:38 So if someone is actually sending a lot of comment spam, then you can say, you know, this circuit, this circuit is bad. We can block this without blocking legitimate people. And I think this is one of the great things that we helped put together with this, with this Tor thing. We work with the Tor browser team as well to help implement this. So if you visit a site that's on Cloudflare, we'll send an HTTP header that says,
Starting point is 01:06:03 hey, by the way, if you're going to reconnect, we have all these onion addresses, and you can just use these and connect through Tor instead of connecting through an IP address. And this has been very successful, actually. We turn it on for all Cloudflare sites. With all of this, and I mean, so you guys are, it seems like quite, quite involved in so the open source space.
Starting point is 01:06:27 In fact, Sunny was mentioning earlier and I wasn't really aware of this, but that you guys have quite a few crypto libraries that are open source. In fact, some of them are being used by Ethereum and a bunch of other websites, like pretty much half the internet is using your crypto libraries. How does this and this experimentation with IPFS and this Tor stuff that you guys are working on, like how does this all fit into like, you know, your business model. Is there, are there specific businesses here that you're looking to develop or is it more just sort of being at the cutting edge of these technologies and allowing so the, you know, the experience of everybody using the web to be improved? Well, it's part of the mission statement of the company, which is to help build a better internet. And open source is something that's core to what we are. I think Cloudflare doesn't necessarily have
Starting point is 01:07:22 secret sauce in the software, right? Almost everything that we use, we try to open source because it will be usable for other folks online. So, for example, four years ago, we released a library called CFSSL, which was a Go-based certificate authority. And you can use it to build certificates and build a PKI inside your own organization. And it actually got picked up by Let's Encrypt. And now it's the core of the Let's Encrypt Certificate Authority, as well as, you know, Salesforce and a bunch of other really big companies are using it. And we've contributed code to the Go standard library. So the P-256 curve, which is one of the most commonly used elliptic curves, one of Cloudflare's engineers, you know, we optimized it because we do so much cryptography. So, you know, why not
Starting point is 01:08:17 share this with the world? And I think there's no drawback to everybody having a better version of cryptographic tools. And if you have a faster library that's secure and safe, put it out there for people to use. I guess so far we've talked a lot about two major decentralization technologies, which are IPFS and Tor. But one that we haven't really talked too much about yet, which is probably one of the ones that's the most well known, is blockchains, right? And so I was wondering, how do you guys think about blockchains?
Starting point is 01:08:54 You know, I know you have this one protocol you kind of dubbed clock chains, as a joke. But in that one, you're talking about a timing system for SSL certificates, so you can synchronize clocks. But another option is, I actually worked on a project where, instead of doing SSL certificate expiration, you can do a system where a public blockchain acts as a public bulletin board where you list expired or compromised signing systems. Another use case for blockchains within the web infrastructure: throughout this entire thing, you guys have talked a lot about using the DNS system, right? So you talked about how you're using DNS for the IPFS resolution, or, you know, you have this other project called encrypted SNI, where you're trying to basically create a PKI. And so you're kind of using the DNS system to do that as well. And like we mentioned, the DNS system is a very hierarchical system.
Starting point is 01:10:03 Have you ever thought about maybe exploring the option of using blockchains to do so? So we mentioned Zooko's triangle earlier as well. And so the cool thing was, Zooko's triangle was this whole thing about human readability and centralization and security. But Aaron Swartz actually made this observation that a blockchain actually is a way to get around Zooko's triangle. And so that kind of led to projects like Namecoin and Handshake and things like this. So I guess my overall question here is, how do you guys think about integrating blockchain technology into some of your offerings, or just in the general web infrastructure as a whole? Yeah, so I think there's another kind of trilemma that our CEO Matthew Prince put out in a blog post about Tor a few years ago about, you know, making things usable, secure and having low latency. And I think when you're in the web context, this is something that's very underrated, is the ability to get things fast and to get things
Starting point is 01:11:13 immediately. And so when it comes to certificates and time and a lot of different things, if you're connecting to a website, 100 milliseconds is going to kill you. And so there's a number of initiatives that we're interested in that are blockchain-esque, or that at least sort of seem blockchain-esque. And one of those is certificate transparency. And so I guess one of the main differences here is that in a lot of the blockchain technologies that we're talking about, we're talking about fully trustless decentralized systems where you have a lot of different peers, and then you have to, this is why consensus is so important, be able to have all these different peers all sort of agree on a specific thing. I think in the web PKI, and at least in the website situation, that's fine, but that's sort of a step too far, or at least it's a step that's a little bigger than the technology is willing to take us right now. So certificate transparency is an example of one step.
Starting point is 01:12:27 So it's essentially a hash tree of all the certificates that have ever been issued. And for certificate transparency to work, you need independent groups to manage these certificates as well. So you end up in something that's sort of analogous to a permissioned blockchain. And with certificate transparency, you actually don't have to do the lookup on the machine. And you don't have to run a node on your machine. And you don't have to synchronize with the blockchain. And so the cost of latency to a system like this is not big enough to slow its progress. So I think that the main challenge for
Starting point is 01:13:11 integrating web PKI, traditional web technologies and blockchains is really about being fast and being able to synchronize things fast and being able to transfer data fast and being able to have a fast consensus. And having a fully trustless system is not necessarily conducive to that, although we've seen some pretty good experiments in that direction. I see. Cool. And earlier you had mentioned that this IPFS gateway is just one of the first projects in this larger decentralized web gateway series of projects, almost. So what are some of the other projects that you have planned in the sphere of decentralized web? One that I think would be really cool would be, maybe in your Cloudflare DNS, like 1.1.1.1,
Starting point is 01:14:04 maybe integrate Namecoin resolution; I thought that would be a really cool idea. But I don't know, what are some of the other ones that you guys are thinking about? So we've talked to the Namecoin folks. We've talked to folks at Ethereum. We're really kind of testing the waters at this point. And right now we're mostly investing in, you know, how can we make the IPFS gateway better? And that's what the short-term roadmap looks like.
Starting point is 01:14:26 But down the road, there's so many interesting technologies in this space, solving different problems. And you shouldn't be surprised to see any one of those pop up down the line. Yeah. So you mentioned 1.1.1.1. And so that's basically a free DNS service that you provide. So it's, I guess, similar to Google DNS or OpenDNS or something like that. But with privacy, apparently, and I was reading your website earlier, and I guess KPMG is auditing your servers to make sure that you're not actually logging anything. And so privacy is sort of a big deal here. I'm curious what goes into buying; people will sort of hear about flipping domain names and paying enormous amounts of money for domain names. What goes into buying the IP address 1.1.1.1? Well, we didn't buy 1.1.1.1. It's actually, I mentioned how there's different registration, different authorities that manage IPs. And the one space is actually owned by APNIC, which is the Asia-Pacific region for distributing IPs. And they never thought that it would be possible to even give this IP address to anybody
Starting point is 01:15:45 because it was so, so bad in terms of the amount of garbage traffic that would come to it. So anybody who's building any sort of test for an IP address in any documentation, it's going to say 1.1.1.1. It's just the simplest example that you can use. So there's an enormous amount of internet background radiation hitting the 1.1.1.1 IP address, so they were sort of like, we can't allocate this. There's no reason anybody would ever want to use it. It's basically constantly under DDoS from just the background internet radiation. And Cloudflare was one of the organizations
Starting point is 01:16:24 in the world, one of the few that could actually, you know, that's no big deal, handle a bunch of unexpected traffic. So we made a deal with APNIC, and they're lending us the IP address for this project. And it's been a pretty fruitful collaboration with them so far and a really successful project. That's pretty funny. So it kind of shows off your DDoS capabilities as well, protection capabilities. Yeah, absolutely. And one of the things we should have mentioned earlier, but I guess in your office,
Starting point is 01:17:01 in the lobby or something, there's a bunch of lava lamps there generating entropy. Can you tell us a bit about that? Sure. Yeah. So anybody who saw the first episode of NCIS this year might recognize they kind of stole the plot idea from Cloudflare's office. But yeah, so we have a wall in our front lobby that has about 100 lava lamps, and we record it with a digital recorder, and we turn that data stream into a source of random numbers that we actually, you know, send out to our data centers and our servers and feed in as an additional random source. So is there any academic research or anything like that that would suggest that lava lamps
Starting point is 01:17:47 are actually random? Well, lava lamps themselves are pretty unpredictable. But the main thing is it doesn't really matter: if you have a sufficiently advanced camera, there's going to be enough noise in it to actually create enough entropy to be a useful source. And also, the lighting is a big part of it.
Starting point is 01:18:17 At any time of day, you're going to have different sources of light and people walking in front of the camera. There's enough entropy in an HD film to use for a lifetime. Right. And I'm sure the temperature fluctuations in the room also affect the lava lamp as well. Yeah, it's very hard to predict the levels of the lava lamp, but to predict everything
Starting point is 01:18:43 else, all the other atmospheric conditions, is basically impossible. And even if they were predictable, we mix it in with other sources such as hardware random numbers. Okay, well, with that, Nick, I want to thank you for coming on the show today. It was a fascinating discussion, and I look forward to seeing what comes out of Cloudflare in the future. I think now that things are so easy, thanks to Cloudflare, we might look into making our website available as an onion domain or available on IPFS. You know, maybe do something like that. Yeah, absolutely.
Starting point is 01:19:19 Thanks for having me on. Thank you for joining us on this week's episode. We release new episodes every week. You can find and subscribe to the show on iTunes, Spotify, YouTube, SoundCloud, or wherever you listen to podcasts. And if you have a Google Home or Alexa device, you can tell it to listen to the latest episode of the Epicenter podcast. Go to epicenter.tv/subscribe for a full list of places where you can watch and listen. And while you're there, be sure to sign up for the newsletter, so you get new episodes in your inbox as they're released.
Starting point is 01:19:49 If you want to interact with us, the guests or other podcast listeners, you can follow us on Twitter. And please leave us a review on iTunes. It helps people find the show, and we're always happy to read them. So thanks so much and we look forward to being back next week.