Cloudflare One (cloudflare.com)
366 points by jgrahamc on Oct 12, 2020 | 139 comments



What's cool here is that in order to work, you need a ton of existing infrastructure. Trying to forklift-build that probably would have been a disaster. So, instead, Cloudflare bided their time building their DDOS product, which everyone wanted and was willing to pay for, which let them get operational expertise, staffing, technology, and, importantly, massive internet infrastructure that had been tested the hell out of.

Then, instead of taking the big leap, they took an incremental step with WARP (their VPN), and let consumers bang on it for a year (approx 10mm end users). All along, they've been working towards this vision, which is really comprehensive.

Reminds me of how Amazon destroyed the original IAAS/PAAS providers Loudcloud, etc... not by trying to compete with them, but by doing 1% of what Loudcloud did, but very well, for a lot of people. Then 2%, then 4% ....

Amazing how companies that start off building small "trivial" things can use that to lever themselves up to complex and comprehensive ecosystems.

WARP, Magic Transit, CNI - all of them were precursors to this vision. Which, if they pull it off, is going to be $$$.


In ~2010 I was really interested in private server development for popular MMORPG games. People would take the game clients and build their own servers to play off of, then edit the client just enough so it was talking to the private server instead of the real server. People, usually amazingly talented teenagers, would construct amazing experiences that rivaled and sometimes surpassed what the $100m+ game companies were producing.

Unfortunately, these servers were incredibly prone to griefing, particularly DDOS attacks. And though the private server developers were very talented and supremely motivated, they didn't have the resources or infrastructure expertise to mitigate even relatively small DDOS attacks from 1 or 2 nodes.

Who was there as the universal solution to DDOS attacks? Freaking Cloudflare, and it worked, and it was affordable even by teenagers who had at most two nickels to rub together. Where are those ridiculously talented teenagers who built those private servers now? Probably running the world's infrastructure.


DDOS is really a fundamental weakness in the design of the Internet. I really fear that in the long term proprietary meta-networks like Cloudflare are going to eat the public Internet and replace it with something that fixes these issues but is proprietary.


I wonder what would be necessary to fix DDOS altogether from a technical perspective.


What is needed are ISPs and network operators who give a damn, TBH.

To be clear, they do exist and many of them "do their part" (I, personally, spent ~7 years as the senior (technical) person at an ISP and did my best to ensure that neither we nor our customers were ever part of the problem). The "good ones" are, however, seemingly outnumbered by those who simply can't be bothered.

One reason that is often cited is the lack of a financial incentive to "clean up" their networks. At some point, it may be necessary for the rest of the Internet to "provide" them with one. Note that this is one of the reasons that, to this day, spam e-mail is a thing we all still have to deal with.

Unfortunately, especially for all of us "tech" folks (like here on HN), not every problem can be fixed with a technical solution.


I was recently aggressively downvoted for pointing a finger at Digital Ocean and AWS for being poor network operators who largely ignore abuse complaints. I understand people not wanting providers to patrol usage but there is a middle ground.


AWS is usually the least of our problems (though when people use AWS they're generally doing something weird enough I have to look at it). It's more the bottom feeders of OVH and Choopa/Vultr. I blacklist them instantly in every network I end up responsible for.

Digital Ocean is a weird bird because to me it's more of an educator than a hosting company (but people will of course abuse it the same way). I'd never run prod on it and I usually end up blocking their ASNs, though I feel a little worse about it.

I wish they'd sell technical writing as a service. Their documentation (especially for common tasks that they don't even directly sell, like OpenVPN setups) is superb.


As an example, torrents are not particularly vulnerable to ddos. The Internet isn't vulnerable to it as a whole, just specific endpoints.

I'm not sure this is fixable for single endpoints: if you want to tell everyone something different, but there are millions coming per second, you're not going to succeed, be it in real life or a webserver.

So the answer seems to be: avoid centralizing too much, and pick existing, DDOS-resistant protocols whenever you can.


It's somewhat directly a "tragedy of the commons" which suggests the answers are likely "sociopolitical" rather than technical.

https://en.wikipedia.org/wiki/Tragedy_of_the_commons


AFAIK a whole lot of cat herding at the level of ISPs and peering administrators and an upgrade of things like BGP. Very hard to do coordinated updates to a federated network, as IPv6 shows... we are 20+ years in and the IPv6 transition is still only crawling along.


You sure? Spectrum is/was not cheap and game protocols are (fortunately) not HTTP.


The seeds of what we will sow in five years we’re planting only just today. My favorite currently-just-a-seed example: https://blog.cloudflare.com/introducing-workers-durable-obje...


A very intriguing seed indeed.


Love this Matt, thanks for posting. Any shortcuts into the beta for HN? :)


compared to how VMWare is going after the same space since 2012. Acquired Nicira, Airwatch, Velocloud, Carbon Black. The way the Threat sector has consolidated, all the firewalls became antivirus, and antivirus is pivoting to become a cloud firewall.


I’m always able to tell what a particular cloudflare product does/is in the first paragraph. However for this one, I’m unable to even after reading the entire blogpost.

(edit) is this like zerotier, tailscale, beyondcorp etc?


The most important thing to understand about Cloudflare One is that the name is marketing fluff. It does a bunch of things with a number of confusingly similar products. (Some of its features are provided by third-party "partners.")

The products are designed to be compatible, which is what the name "Cloudflare One" is designed to reflect, but there isn't just one product/feature being offered here. It's more of a vision statement than anything else.

What they're announcing is the compatibility of three previously released features:

1. Cloudflare WARP, their public VPN product for end users https://blog.cloudflare.com/1111-warp-better-vpn/

Note that despite being a "VPN," when WARP launched, it wasn't designed to connect to any company's internal corporate network. WARP is/was a "public VPN," the sort of thing an ordinary user would use to hide their IP address from web sites for privacy reasons. (Cloudflare claimed that WARP would also improve your network performance.)

2. Cloudflare Magic Transit, which is basically a reverse VPN product for on-premise datacenters, providing DDOS protection and packet filtering.

Magic Transit is kinda like Cloudflare's HTTP CDN product, but for all of a datacenter's traffic, geared toward IT professionals.

3. Cloudflare Network Interconnect (CNI), which lets you connect corporate offices to each other over Cloudflare's backbone infrastructure. Like Magic Transit, it was designed to allow IT staff to do traffic management and packet filtering.

Perhaps you'd have thought that these products would work together in some way, but they didn't, and now they kinda do.

Another bit of fluff that may have confused you is that they refer to this as a "Zero Trust" architecture, which sounds a little bit like BeyondCorp. IMO, this is basically a lie. BeyondCorp lets users connect to corporate resources behind a proxy, without a VPN.

If you squint and think of a VPN as a giant proxy, even traditional VPN solutions can seem like "Zero Trust," but that is not at all what anybody meant by that term.

What they are hoping to mitigate is the problem where anybody inside your VPN can access anything else they want inside your VPN, which is how most corporate VPNs work today. That sucks, but they're fixing this with a centralized configurable cloud-based VPN solution, in which you have to trust.


> BeyondCorp lets users connect to corporate resources behind a proxy, without a VPN.

BeyondCorp is about trusting nothing and allowing what is allowed. It's an inversion of being Inside or Outside the network, in that everyone is outside. When they say "without a VPN" what they mean is that you aren't connecting to inside the trust and then gaining access to everything.

This product from cloudflare, by integrating with an identity manager, is offering that same kind of deny by default, and allow the allowlist type paradigm. Whether or not it is VPN tech is a bit irrelevant, and misses the point of BeyondCorp. Google's implementation was a proxy by choice, but it's not the only way to accomplish the same idea. I get that you get that, but drawing the beyondcorp/not-beyondcorp line at vpn/proxy is missing the forest for the trees.


> Another bit of fluff that may have confused you is that they refer to this as a "Zero Trust" architecture, which sounds a little bit like BeyondCorp. IMO, this is basically a lie. BeyondCorp lets users connect to corporate resources behind a proxy, without a VPN.

I thought this was referring to the combination of Access (identity constraints on connections) and the tunnel system and your app servers only connect outbound to the CDN nodes, forcing all connections to be made through Access. That seems like zero-trust to me, doesn’t it?


> What they are hoping to mitigate is the problem where anybody inside your VPN can access anything else they want inside your VPN, which is how most corporate VPNs work today. That sucks, but they're fixing this with a centralized configurable cloud-based VPN solution, in which you have to trust.

This can also be accomplished with rules and micro-segmentation of various types.


ZeroTier is a true "global LAN," basically SD-WAN everywhere, emulates layer 2, and has a rules engine, but does not yet have the IAM integrations that some others have. Guts are very powerful but GUI is more minimal and less mature (as of now).

Tailscale is a Wireguard configurator and P2P hole puncher with IAM integrations and a nice GUI. Runs at layer 3 so it can't do some things that ZeroTier can do, but most stuff runs over IP so only some segments of the market care.

BeyondCorp is more of a concept. Google has their own implementation of it and so do many others.

I too have trouble wrapping my head around this technically speaking. I get the sense that it's basically something that puts your WAN over Cloudflare's network and lets you do access control everywhere in the cloud, which would make it closer to the now-defunct Pertino or some cloud-backhaul-based SD-WAN solutions... but that's probably only a part of it. "One" here seems to refer to "one" bundle of a whole bunch of things.


I expect it to be many of the things in the circle on the right. https://www.sdxcentral.com/wp-content/uploads/2020/03/441737...


Hilariously, I can't see whatever is at that link because Cloudflare.

    Access denied

    This website is using a security service to protect itself from online attacks.

    Ray ID: 5e1522cb6c3cd1c3
    Timestamp: 2020-10-13 01:02:34 UTC


As I understand, it's a VPN with cloudflare in the middle.


SASE is the new buzzword for a SaaS Threat, Identity, Firewall, SD-WAN, Access Rights, Remote Access bundle. The picture in this article illustrates everything I would expect the suite/bundle to cover eventually. https://www.sdxcentral.com/security/sase/definitions/what-is...

It's a bit of a messy space for a couple reasons. Every vendor who made any one of these products is quickly racing to become a kitchen sink through development and/or acquisition. At the same time, they are splitting up what was once bundled into components you can buy separately to piece into a larger puzzle. Because most companies already have relationships with multiple vendors providing these services, they are fighting each other to both create walled gardens AND SIMULTANEOUSLY interoperable compatible components for larger multi-vendor buildouts. (Palo Alto buying CloudGenix SD-WAN, while at the same time being the leading supplier of on-edge firewall VMs for Velocloud devices. Velocloud will both tell you you can run Palo Alto, ZScaler, or Checkpoint, but also that they have in-house Carbon Black. What risk are you taking by integrating two vendors that are both trying to crush each other, despite the best-in-breed solution being part of each of their products.) "We have Cisco for this, so maybe Duo makes sense, but then that overlaps Okta, and that overlaps what we already get from Microsoft, which overlaps what we get from VMWare, which is starting to overlap what we have from Palo Alto."

https://www.sdxcentral.com/articles/news/sase-acquisitions-d...

Anyone in the "Zero Trust" space is likely rebranding bundles as SASE. https://telegra.ph/ZeroTrust-Vendors-04-23

On the topic of Cloudflare. They have a leg up over EVERYBODY because they are building on top of Wireguard, and everybody else is stuck with legacy IPsec that they can't leave anytime soon. From a future-proofing perspective, if you don't already have commitments elsewhere, this is likely a VERY ATTRACTIVE bundle. One of the killer products buried in this is Cloudflare for Teams Access. No more need for AnyConnect. And like I said, most/all the other ZeroTrust Access gateways either a) only come in a bundle with other products, b) are a me-too product offered by a vendor that specializes in something else, or c) are IPsec. https://www.cloudflare.com/teams/access/


So like everything else in the networking space it's a mess of overloaded terms with multiple meanings and tangled concepts all trying to hit as many buzzwords as possible...?


Yes and no. I think Cloudflare has the advantage here of not being that mess of overload. They don't have the legacy cruft, the legacy customers. They purposely AREN'T trying to be everything (by supporting all identity providers but not being one. By not being an MDM.)

I feel the same way about Cloudflare as I did about Velocloud. When Velocloud came out, their pitch was that they WEREN'T "WAN optimization." They purposely weren't compressing the data on the edge to squeeze a couple extra bytes down a tiny pipe. By starting from the ground up, and not transforming a legacy product, they kept their hardware costs down. They didn't need the extra horsepower to do things that weren't necessary in a modern paradigm. Instead they offered a unique cloud service that made their product a bit different than the rest, and at a lower price.

Cloudflare here has that same competitive advantage of being able to design everything from first principles, with no regard for how things were before. Maybe even more so.


As a potential customer, I guess I am supposed to be hypnotised by all these silly names and acronyms but instead I just keep thinking "Just show me the code". Names seem to serve as a way for the authors to avoid telling us exactly what the software does, instead referring to what the software "is". Horribly imprecise and the source of endless arguments. The disagreements in this thread are but a tiny example.

This is nothing new and during the dot-com boom I think the naming nonsense spread to websites, in addition to software. Software people have been obsessed with wacky names as long as I can remember.

I find this so repulsive and unworkable (e.g., name conflicts, needless keystrokes) that on personal computers I actually name programs I write for myself using an alpha prefix and a numerical suffix. For quick reference I keep a separate index of what each program does. Every program has a unique, sequential number in its name. Every name has the same number of characters.


I have to break down and plug this then:

https://www.zerotier.com/


It's SD-WAN in the cloud with integrated identity federation, DDOS protection, its own VPN, and I think one or two other things.


To me, this screams: one target for a National Security Letter.

As always: if I do everything in accordance with the way Cloudflare says, and my company suffers a loss due to Cloudflare screwing up, to what extent is Cloudflare liable?

The usual answer is "for a month of what you paid them, or maybe a year, but certainly not anything more". This situation is not unique to Cloudflare.


> As always: if I do everything in accordance with the way Cloudflare says, and my company suffers a loss due to Cloudflare screwing up, to what extent is Cloudflare liable?

The real answer is always "What does your contract with Cloudflare say? What does your insurance policy say?"


I love Cloudflare but at the same time its expansion just makes me uneasy. So much of the internet is gathered under cloudflare, a single failure point. And issues like Cloudbleed definitely do not make it better.


> So much of the internet is gathered under Cloudflare, a single failure point.

It's worrisome that Cloudflare has a DNS provider, a domain registrar, a certificate authority, and a Border Gateway Protocol system. They can redirect traffic of any site to Cloudflare, generate a fake TLS cert that decrypts the traffic, observe or modify the traffic, and send it on to the destination site. Worse, they could be ordered to do this by a government.

What could possibly go wrong?


BGP hijacks are pretty obvious though if they were to do that.


Certificate pinning helps remedy this, to an extent. Anyway, it's not just Cloudflare that can do this.



With Letsencrypt etc, isn't it still true that everyone who can BGP hijack traffic can get a TLS cert for that domain?

https://community.letsencrypt.org/t/using-bgp-to-acquire-bog...


A single failure point is not what worries me. They are competent enough to avoid that.

When you get your hands on a significant portion of the world's traffic, you start feeling a temptation to pivot to a data company, like Google or FB. That's the danger I hope they will avoid as well.


> A single failure point is not what worries me. They are competent enough to avoid that.

I remember when they offered a text obfuscation protection service (i.e. hiding emails unless you click on them). It was literally Caesar cipher encoded text with the N argument right there next to it.

I'm sure they are much beyond that now but I find your blind trust and assumption rather hilarious.


My trust isn't blind, it's based on their solid track record in availability and network ops, while your example is about something different (text obfuscation).

Anyway, I wasn't aware about that case, do you have a link to learn more?



Thanks.

Assuming keys vary [pseudo-]randomly, even the Caesar cipher is a viable protection in this particular case (mass e-mail harvesting).


In this case you don't even need to know N, you can just cycle through it until a single @ character is in the text and you have the email decoded!

The only thing an email harvester would need is awareness of this and a few lines of code. The field even clearly identifies itself!

Source: I wrote a generic web-scraper for these emails several years ago :D
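The weakness the two comments above describe, as an added Python example (a constructed toy scheme modelled on the thread's description; it is not Cloudflare's real obfuscation format and not the commenter's scraper): the shift value is published beside the ciphertext, and even without it the address's own structure lets all 41 possible shifts be checked, so the scheme hides nothing.

```python
import string

# Constructed toy scheme modelled on the thread's description: a shifted
# address with the shift value published right beside it. It is NOT
# Cloudflare's real obfuscation format; the point is the design flaw.
ALPHABET = string.ascii_lowercase + string.digits + "@._-+"


def shift_text(text: str, n: int) -> str:
    """Caesar-shift every character of ALPHABET by n; leave others alone."""
    out = []
    for ch in text:
        idx = ALPHABET.find(ch)
        out.append(ALPHABET[(idx + n) % len(ALPHABET)] if idx >= 0 else ch)
    return "".join(out)


def obfuscate(email: str, n: int) -> str:
    """Return 'n:ciphertext': the key travels with the ciphertext."""
    return f"{n}:{shift_text(email.lower(), n)}"


def deobfuscate_with_key(blob: str) -> str:
    """What the page's own client-side script would do: read n, undo the shift."""
    n, cipher = blob.split(":", 1)
    return shift_text(cipher, -int(n))


def looks_like_email(candidate: str) -> bool:
    """Cheap structural oracle: one '@', a dotted domain, an alphabetic TLD."""
    if candidate.count("@") != 1:
        return False
    local, domain = candidate.split("@")
    if not local or "." not in domain:
        return False
    tld = domain.rsplit(".", 1)[1]
    return len(tld) >= 2 and tld.isalpha()


def recover_without_key(cipher: str) -> list:
    """Ignore the published key entirely: try every shift and keep the
    candidates shaped like an address. With only len(ALPHABET) keys the
    search space is far too small for this to count as protection."""
    return [
        cand
        for cand in (shift_text(cipher, -n) for n in range(len(ALPHABET)))
        if looks_like_email(cand)
    ]


if __name__ == "__main__":
    blob = obfuscate("alice@example.com", 7)  # constructed sample address
    print(blob)
    print(deobfuscate_with_key(blob))
    print(recover_without_key(blob.split(":", 1)[1]))
```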


> A single failure point is not what worries me. They are competent enough to avoid that.

Like recently, when a single BGP configuration mistake brought down their entire backbone?


I actually like Cloudflare's expansion, as a way to compete with existing monopolies (Google, Facebook).

If I want to run a livestream for church, why do I have to send the packets all the way to Google's servers in California just so it can be on YouTube? I wish Cloudflare could host that right here in the same city. That's where most people are watching from anyway.

Or what about social networking? I'll continue to use Facebook to keep in touch with friends in other places, but the majority of my social life is with people nearby. I don't see why the messages sent from me to a friend in the same city should leave the country.

I don't know if Cloudflare would be willing to do this themselves, but perhaps there's a space for new startups in edge hosting, not just edge caching. Cloudflare's expansion could be good for privacy, so I support them - for now.


Why do you assume your packets get sent to Google's servers in California?

They have data centers all over the world just like Cloudflare does.


Same that happened to Google. That netted mixed results.


This situation is pretty much the norm for cloud.

Just like with mobile, we have happily traded security, privacy, and control for convenience. Privacy, security, and openness advocates keep failing to understand this because they fail to grasp just how massively valuable convenience is in a time-impoverished overly-complex world.


Imagine what happens when you can't jump on the planned obsolescence bandwagon.


All this from the company where the default SSL option is "Make the user think they are accessing a secure website, then tunnel that data over the internet entirely unencrypted to the origin server"...

Oh, and we'll call it "Flexible SSL" so it doesn't sound so horrendously insecure...


Yes, by default all websites hosted with cloudflare are completely insecure. Even if the client connects via https AND the server supports https, cloudflare uses an unencrypted http connection.

Even the encryption: "full" setting is useless, since it doesn't verify certificates in any way, so an MITM attacker can just sign their own cert in your name.

I suspect CF does this so they can have their "one-click" onboarding for panicking under-attack companies. It really shows that despite all the blog posts about lava lamps and how important security is for them, in the end sales and the shareholder's interest (profit) is king. The very least they should do is have huge warnings about switching to "full (strict)" asap, but really the other two shouldn't be an option at all.

I'm reminded of this whenever I add a new site to CF, since when port 80 is not open, CF just does not work at all, it just shows "backend server down", even when TLS/443 is set up correctly.

And arguing that "it's fine because it protects the connection between the user and the CF server which is the most vulnerable point" is ridiculous. Your nearest CF server is probably in a neighboring city, so the whole path between that city and the other side of the world is readable and modifiable by whoever.


They might have secure connections to popular cloud providers, so it might not be an issue for most people.


The other way to look at this is at least it gives users SSL where they are most vulnerable, and where they would not have it otherwise, because the service provider is not sophisticated enough to do their own ssl. Perfect is the enemy of good here. Flexible SSL is a terrible name though.


Wall street must be very interested and supportive of this: $NET shares went up 16% so far today (https://finance.yahoo.com/quote/NET?p=NET&.tsrc=fin-srch)


They're barely a year into being a public company and have already more than 3x'd their share price. Impressive.


More than that. 23%. This announcement made me $9k today.


When I saw the title, I thought maybe this could be a cheaper bundled offering for individuals (and cheap users like me). Then I read the description and see it’s a corporate solution. The recent announcement about analytics and about speeding up WordPress sites seemed interesting, but they’re out of my budget (yes, indeed). If there were some sort of bundle at a lower price for individuals running a handful of personal sites, that’d be quite interesting to me.

Off topic: I posted an off topic comment on one such announcement a few months ago asking why new domain registrations were still not open (only transfers are allowed), and got a reply about squatters being a problem, which I didn’t really understand because that could be the case even with domain transfers (in my understanding). I posted a follow up [1], but apparently that wasn’t seen. So I’m linking it here again for visibility if @eastdakota or @jgrahamc or someone else at Cloudflare can respond.

[1]: https://news.ycombinator.com/item?id=23976304


In regard to the off-topic question: they are open. My last domain reg was with Cloudflare directly, give it another peek

E: ah sorry, I must be a randomly selected tester. I didn't think I'd be in any sort of early bird group as I'm a complete Cloudflare freeloader besides domains at the moment


The Help Page for domain registrations, last updated 3 days ago (as of this moment), still says that only transfers are possible and that direct registrations aren’t possible. [1]

[1]: https://support.cloudflare.com/hc/en-us/articles/36001991067...


DM me on Twitter, same username as here.


It hasn’t rolled out to all users yet


Please message me and I'll help.


Correct me if I'm wrong, my read is that this is a competitor to Google's external BeyondCorp solution[0]? (They reference the BeyondCorp papers in the post.)

[0] https://cloud.google.com/beyondcorp


Sure, but "BeyondCorp" the idea has been in use within CF ever since they launched Access in 2018[0].

0: https://blog.cloudflare.com/introducing-cloudflare-access/


Gotcha, so Cloudflare One = Access (BeyondCorp) + firewall/filtering/Wireguard VPN/logging/... ?


ZeroTrust (BeyondCorp) is one component of SASE. For a while marketing departments were throwing ZeroTrust on everything, but eventually a new buzzword arose to better differentiate that component from the bundle of the whole kitchen sink. https://www.sdxcentral.com/security/sase/definitions/what-is...


Great product, terrible name.

- Apple One

- Fitbit One

- Google One

- HTC One

- Motorola One

- Sonos One

- SpaceShipOne

- Xbox One


Can we also add the fact that Cloudflare already has its 1.1.1.1 service, which is what I assumed this post was going to be about? They're competing with themselves here!


I think it was on a Google One post on HN recently that a commenter said "A product name of 'One' means the product manager was just tired (or lazy) and didn't want to have endless meetings about the name so they just called it One, and called it a day."


It was Amazon. You're right about what the commenter said.


Yeah, for sure. The 'One' craze started years ago, and for some reason keeps popping up. I roll my eyes every time I see it now. It's lazy, and tells consumers absolutely nothing about the product.


I remember the 'One' craze at Microsoft started from an internal movement called "One Microsoft". Microsoft traditionally had lots of different divisions/products competing with each other, and those products did not look like they were from the same company. One Microsoft was about bridging those gaps (between company as well as between products). It resulted in OneDrive, XboxOne, OneNote etc.


Microsoft started it after they got sued and renamed SkyDrive to OneDrive.

Then Sinofsky started chanting "one windows."

Then xbox one happened. The rest followed suit


Sounds to me like SV lawyers are pushing this to their lawyer friends to make sure nobody can claim they own the "one" term :)


- Sony Xperia 1

- Ubuntu One

Have we even reached peak One yet? I had thought so a few years ago but it seems to be constantly getting worse.


Not till Apple vertically and horizontally integrates into every possible company and renames itself One. Then you can buy a subscription to One One. One subscription, for all you'll ever need...


Subscription One is one subscription for all the Ones you’ll ever need.


"One is more than any one will ever need" Bill Gates, 2020 (/sarcasm)


Don't forget Oneplus


I'm actually surprised no one one-upped them with twoplus yet. Maybe one day.


Even Xperia 1 II exists.


I feel that's generally how it goes at Cloudflare. They build amazing products and give them terrible names.

Name Ideas:

Cloudflare Zero

Cloudflare Connect

Cloudflare Trust

Cloudflare Assist

You can have those for free, just maybe consider opening a fullstack role in SF :)


I don't know, I think WARP is pretty awesome.


Confusingly, Cloudflare Argo Tunnel was at some point named Warp, too. I believe some of the documentation (code?) continues to use Warp for Argo.


Forgot KRS One!

One as a name add-on originates in the NY graffiti scene of the 70s; adding a written "One" is still popular among graffiti writers or true-school rappers.


Cloudflare Two would have implied that it's better than all of the above. I also heard that customers are mistrustful of version 1 of any product, therefore versioning should start at 2.



Cloudflare Infinity?


It's zero trust so they could have called it Cloudflare Zero.


I am so glad I'm not the only one who noticed this. Don't forget Virgin Hyperloop One too.

There's something about "One" that signals a complete lack of creativity.


It's the generic marketing vacuity in vogue this year. Predecessors:

  Smart
  Power
  Turbo
  Next
  Dyna
  Electric
I'm sure I'm forgetting some ...


Must resurrect deluxe.


I’m sure these people[0] don’t mind:

[0] http://www.nic.one/


I assume “One” can’t be trademarked - I wonder how that plays into the calculus.


New Relic One!


oh this wouldn't be an HN post without someone complaining about the name.


+New Relic One


I know nothing about networking. Could someone explain this in simple words please?


From what I can tell, this is a bundling of a number of existing / new Cloudflare products. Traditionally, companies used a VPN to allow remote access to their network. If an attacker breached that VPN, they would have unfettered access to the internal network. The idea here is that companies are going to use a "reverse VPN" (not sure if that's the proper term..) where they tunnel all server traffic through Cloudflare's network, and then people needing remote access to whatever service, which would in the past be an "internal" product, can connect over the plain old internet (or using Cloudflare's WARP VPN). Cloudflare Access, which is a product that works with various identity providers, sits in the middle and ensures that only people with the proper roles can access the "internal but now external" app/services. Basically, route all enterprise traffic through Cloudflare and let Cloudflare make sure only people who should have access do. There seems to be a bunch of ancillary services on offer too, like integration with services that provide apps that live on phones/laptops and "ensure" that they haven't been compromised/rooted, which then report back to Cloudflare who then allows/denies access based upon that information.


Before reading the article I thought this might be a joke/riff on Apple+ One or whatever that new 'grouped together' subscription is.

Instead, it's a solution to tie together IT identity services and other bits and pieces for more secure corporate SaaS I guess.


> It is the culmination of engineering and technical development guided by conversations with thousands of customers about the future of the corporate network.

So, Cloudflare PMs are active on news.yc? They seem to have cloned two of the best consumer (and enterprise) networking products to have launched on news.yc in the past two years:

https://nextdns.io -> https://www.cloudflare.com/teams-gateway/

https://tailscale.com -> https://blog.cloudflare.com/introducing-cloudflare-one/ (for some reason, these are left unused: one.cloudflare.com and cloudflare.com/one)


Gateway is significantly more than a DNS provider. It's more like a configurable intercepting proxy where DNS is a small facet. The beauty of this is that it's like magic, it just works. No distribution of self-signed certs to all devices necessary because Cloudflare already handles TLS termination.

Tailscale is ergonomic tunnel management/authentication. Which in itself is a great product, but it's not nearly as granular. Being able to restrict access based on identity provider, individual, etc. is a must for a corporate solution.

One of Tailscale's selling points is the data isn't routed through their servers, just between peers. That's the opposite of Cloudflare; their value proposition is centralized granular control, no plumbing, just plug'n play.


I don't see anything in the Gateway docs that makes it look like anything but a DNS service: https://developers.cloudflare.com/gateway/about

Can you point to something more?


The CTO is active on HN and the CEO commented on elsethread here, though I can't speak to the PMs.


My hunch is the browser isolation product sounds a lot like an experiment I built some years ago and got bogged down in when I was working on it solo.

Is the browser isolation product a "modern web proxy" that presents say, a social media management site (like Tweetdeck) or an internal app via a rewritten URL, rewriting the HTML, JS, and HTTP headers to hide authentication from the user?

If so - wow, to get that to work performantly requires deep understanding at all levels of the HTTP stack. I had a web proxy written in Haskell some years back that implemented online, nested HTML and JS rewriting and injection, and I was so close to getting modern web apps like Facebook and Gmail to render perfectly. Server side rendered sites were feature complete, but sites using a virtual DOM required care to proxy out DOM builtins like createElement and setting attributes, and that surface area is quite large.

For sites using chunked transfer encoding, it worked on a chunk-by-chunk basis, as opposed to blocking until the entire document had been transferred to the proxy. The additional latency was just the time to parse a chunk. Orders of magnitude better perf than any of the web proxies that many of us on HN used as kids to subvert school network restrictions, and much better compatibility.

It's a little sad my project never saw a release, but I would be very excited to see a company ship something very similar or even better.
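The chunk-by-chunk rewriting described in the comment above, as an added Python sketch (not the commenter's Haskell proxy, and not Cloudflare's product): the proxy rewrites origin URLs in tag attributes as each chunk arrives, and only holds back the tail of a chunk when a tag is still open, so a URL split across a chunk boundary is still rewritten. The ORIGIN and PROXY hosts and the sample page are constructed.

```python
"""Streaming (chunk-at-a-time) HTML URL rewriter. Hypothetical example:
the proxy exposes an upstream site under its own host, so absolute URLs
in href/src/action attributes must point back at the proxy. Latency per
chunk is just the regex pass; only an unterminated tag is held back."""
import re

ORIGIN = "https://app.example"                  # upstream site (constructed)
PROXY = "https://proxy.example/o/app.example"   # proxied path for it (constructed)

# Match the origin only where it begins an attribute URL and is followed by a
# URL terminator, so "https://app.example.other" and plain text are untouched.
_ATTR_URL = re.compile(
    r'(\b(?:href|src|action)=["\'])' + re.escape(ORIGIN) + r'(?=[/"\'?#])'
)


class StreamingRewriter:
    def __init__(self):
        self._held = ""  # unterminated tag fragment carried into the next chunk

    def feed(self, chunk: str) -> str:
        data = self._held + chunk
        cut = len(data)
        # If the last '<' opened a tag that has not closed yet, an attribute we
        # want to rewrite may straddle this boundary: hold that tail back.
        # (A literal '>' inside a quoted attribute would fool this heuristic;
        # a production proxy would use a real tokenizer here.)
        lt = data.rfind("<")
        if lt != -1 and data.find(">", lt) == -1:
            cut = lt
        ready, self._held = data[:cut], data[cut:]
        return _ATTR_URL.sub(lambda m: m.group(1) + PROXY, ready)

    def finish(self) -> str:
        """Flush whatever is still held once the upstream body has ended."""
        out, self._held = _ATTR_URL.sub(lambda m: m.group(1) + PROXY, self._held), ""
        return out


def rewrite_in_pieces(html: str, size: int) -> str:
    """Feed `html` to the rewriter in chunks of `size` bytes and join the output."""
    rw = StreamingRewriter()
    chunks = [html[i:i + size] for i in range(0, len(html), size)]
    return "".join(rw.feed(c) for c in chunks) + rw.finish()


SAMPLE = ('<html><body><p>Visit https://app.example yourself</p>'
          '<a href="https://app.example/login">Log in</a>'
          '<img src="https://app.example/i.png"></body></html>')
```

Splitting SAMPLE at every chunk size from 1 upward yields the same rewritten page, which is the property a streaming proxy has to guarantee.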


You can find details on it here [0]

> S2 Systems NVR technology intercepts the remote Chromium browser’s Skia draw commands, tokenizes and compresses them, then encrypts and transmits them across the wire to any HTML5 compliant web browser (Chrome, Firefox, Safari, etc.)

[0] https://blog.cloudflare.com/cloudflare-and-remote-browser-is...


Oh so this is very very different and it would be unfair to say one is better than the other. They're transmitting raw drawing commands a la RDP or X Forwarding which provides pixel perfect rendering and website compatibility by running the JS in a remote browser instance.

I wonder how that impacts accessibility, screen readers and ARIA. If they're rendering a Canvas element as a framebuffer, I have to imagine they've lost support.


This sounds a lot like gameplay recording software that I've worked on in the past using apitrace[1] for GPUs. You can tokenize, compress, and transmit recordings of graphics API calls and re-render at variable resolution in post. I hope S2 Systems/Cloudflare haven't attempted to patent this concept.

1. https://github.com/apitrace/apitrace


I've been looking for a VPN solution for my 10 person team and haven't found a good one that's lightweight and enables us to have a private WAN. I'm curious about the onboarding friction and pricing model.

Also I got really confused by "Google Workspaces". Turned out it's just G Suite rebranded. So typically Google!


We were in the same boat and set up Tailscale; it's been great since.


The difference between this and Tailscale is that Tailscale is everything open by default, and this would be everything blocked by default. Role and condition based access would allow people to touch only what they should have access to, at the network level. Tailscale doesn't mesh Identity/Role/Firewall into a denylist.


+1 @ tailscale, one of the best products I have come across in the last few years (!)


Is tailscale a VPN?


re-posting my own comment: https://news.ycombinator.com/item?id=22194454

My opinion is that, in its current form, tailscale essentially provides a cross-platform super-configurable discovery and key-management layer to a P2P network overlay on top of the public internet, secured by Wireguard.

It's like stunnel or ghosttunnel but for L3, and that lets you replace the gargantuan IPSec with something that's way simpler and nimbler like WireGuard.

As for LAN vs BeyondCorp... tailscale has BeyondCorp influences. It uses federated identity (OpenID for instance) and device credentials (see: wireguard crypto-routing) to let you in on any mesh network that you have access to be [on]. It is not something novel but super complicated to do it as simply as possible. And wireguard is a key enabler for just that.

BeyondCorp is obviously much more than just SSO. You might also be interested in: https://www.beyondcorp.com/


Yes, it’s wireguard. But they add support for various auth providers (eg, Okta).


Spammers killed email. R-----an trolls killed social networks. DDoSers killed free internet.


Remember when you could just go to a website without being humiliated by cloudflare when you least expect?

They keep saying it all as if centralizing the internet around a single point of failure and letting it also see unencrypted data of millions of websites is a good thing. Maybe I'm too old, but I'm just not having it. That's not at all how the internet is supposed to work.


The comment you replied to was on the right track, but you are barking up the wrong tree. Cloudflare is successful because the internet has fundamental issues that aren't going to get solved in the near future, like trivial abuse and a world where botnets are easier, cheaper, and stronger than ever. It's website and server operators who opt-in to Cloudflare.

It's more helpful to ask yourself why people use it instead of just harping on the downsides.


Any open system that becomes sufficiently popular will be attacked by spammers, malware/ransomware, black hat hackers, and DOS attacks, no exceptions.

Anyone planning to implement any kind of open or federated system today needs to take note of this and bake in mitigations against it from the very first line of code.


Although I have little doubt that this will be useful and well engineered, it feels quite daunting as a small business. We might just not be the audience though. Are we? (Startup of 5 people)


We specifically designed it to be self-service and easy to use for small teams. And most of the solution will be free for teams of up to 50 people.


Does One include advanced automated/bot traffic detection/blocking? In other words, does it compete with Distil and others in that space?


No, but we do have a Bot Management product that leverages all of Cloudflare’s traffic data and therefore has much lower false positives and higher true positives than the competition: https://www.cloudflare.com/products/bot-management/


Great work as always! Not a network pro, but know from network engineers I've worked with how complex and expensive MPLS and SD-WAN can be. Going to get them to have a look at this.


>The metaphor that makes sense to me is that the identity provider issues passports and Cloudflare One is the border agent that checks that they're valid. At any particular moment, different passports from different providers may be allowed or forbidden to enter just by updating the instructions the border agent follows.

Can someone please elaborate on this metaphor? I don't quite get it in context.


Happy to help. We can use our network, specifically our Access product, to check for identity. When a user requests an application, our network can stop that request and ask the user to show ID.

The difference is that we don't issue that identity. We aren't an identity provider, like Okta or Azure AD. Instead, teams integrate our Access product with their identity provider which tells us which sources of identity to trust (in the same way a bouncer or border guard doesn't create your identity card for you, but they know what a valid one looks like).
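The model described in this thread (an access layer in front of formerly internal apps, identity issued by an external provider and merely checked by the proxy, device posture reports, and everything denied unless explicitly allowed), as an added Python illustration. This is hypothetical code written for this page, not Cloudflare Access; issuer names, claim names, the policy shape and all sample values are constructed, and the token is assumed to have had its signature verified against the issuer's keys before this step.

```python
"""Toy identity-aware access decision in the spirit of the thread's
"passport / border agent" description. Hypothetical, not Cloudflare code:
the proxy never mints identity, it only decides whether a token from a
trusted issuer satisfies an application policy. All values constructed."""
from dataclasses import dataclass

# Identity providers the proxy trusts. Editing this set is the knob the
# quoted metaphor describes; nothing behind the proxy has to change.
TRUSTED_ISSUERS = {"https://idp.okta.example", "https://idp.azuread.example"}

@dataclass(frozen=True)
class Policy:
    app: str                   # audience the token must be issued for
    allowed_groups: frozenset  # holding any one of these grants access
    require_managed_device: bool = True
    max_token_age_s: int = 3600

def evaluate(token: dict, posture: dict, policy: Policy, now: int) -> tuple:
    """Return (allowed, reason); anything not an explicit allow is a deny.
    `token`: signature-verified IdP claim set. `posture`: device agent report."""
    issuer = token.get("iss")
    if issuer not in TRUSTED_ISSUERS:
        return False, f"untrusted issuer {issuer!r}"
    if token.get("aud") != policy.app:
        return False, "token issued for a different application"
    if token.get("exp", 0) <= now or now - token.get("iat", 0) > policy.max_token_age_s:
        return False, "token expired or too old"
    if not policy.allowed_groups & set(token.get("groups", ())):
        return False, "identity holds no group permitted for this app"
    if policy.require_managed_device and (not posture.get("managed") or posture.get("rooted")):
        return False, "device posture check failed"
    return True, "allowed"

def demo() -> dict:
    """Constructed requests against one policy; returns each case's decision."""
    policy = Policy("https://wiki.internal.example", frozenset({"eng", "it-admins"}))
    now = 1_600_000_000
    good = {"iss": "https://idp.okta.example", "aud": policy.app,
            "iat": now - 60, "exp": now + 3000, "groups": ["eng"]}
    laptop = {"managed": True, "rooted": False}
    cases = {
        "engineer_on_managed_laptop": (good, laptop),
        "unknown_idp": ({**good, "iss": "https://idp.unknown.example"}, laptop),
        "wrong_group": ({**good, "groups": ["sales"]}, laptop),
        "rooted_phone": (good, {"managed": True, "rooted": True}),
        "stale_token": ({**good, "iat": now - 7200}, laptop),
    }
    return {name: evaluate(t, p, policy, now) for name, (t, p) in cases.items()}
```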


So, is Cloudflare building a slightly better internet eventually, that you need to pay up to access? The rest of us will have to use the crappy leftovers, which are unstable and dangerous.

How big will they get? Do they have any competition?


This is a really nice product. One caveat - is it possible to restrict egress as well? The example suggested that if I am running a Digital Ocean instance, I will need to change my firewall to make egress ALL open.


It feels like Cloudflare released a lot of stuff lately. How can they create and maintain so many different products? Isn't this a concern that the company lacks focus and might create N low-quality, non-market-leader products instead of a few really good products?


As a dev: all of their products I've worked with are superb (made me even buy some shares of theirs because of that).


I just can't get behind Cloudflare. We use them (banking) and their service and customer support has been terrible. The free DDoS service is so ll is, but paid is well behind the competition.


How long before Microsoft buys Cloudflare?


Matthew would never ever let that happen.


Does Matthew personally own 51% of Cloudflare?


I get 404.


Where are you located?


Ah, for the simple days when 404 wasn’t BGP Anycast routing dependent.


This is essentially Cloudflare privatizing public networks, and the sheep eat it like hot steaming... fudge.



