IP addresses have historically been treated as stable identifiers for non-routing purposes such as for geolocation and security operations. Many operational and security mechanisms, such as blocklists, rate-limiting, and anomaly detection, rely on the assumption that a single IP address represents a cohesive, accountable entity or even, possibly, a specific user or device. But the […]
Tag Archives: security
Defending QUIC from acknowledgement-based DDoS attacks
On April 10th, 2025 12:10 UTC, a security researcher notified Cloudflare of two vulnerabilities (CVE-2025-4820 and CVE-2025-4821) related to QUIC packet acknowledgement (ACK) handling, through our Public Bug Bounty program. These were DDoS vulnerabilities in the quiche library, and Cloudflare services that use it. quiche is Cloudflare’s open-source implementation of QUIC protocol, which is the […]
Keeping the Internet fast and secure: introducing Merkle Tree Certificates
The world is in a race to build its first quantum computer capable of solving practical problems not feasible on even the largest conventional supercomputers. While the quantum computing paradigm promises many benefits, it also threatens the security of the Internet by breaking much of the cryptography we have come to rely on. To mitigate […]
Contact Form Spam Attack: An Innocent Feature Caused a Massive Problem
How a simple “Send a copy to yourself” feature led to 149,700 spam emails and what you can do to prevent it The Emergency Call It started like many server emergencies do – with a panicked message about massive server performance issues. A client’s website was grinding to a halt, CPU usage was through the […]
Improving the trustworthiness of Javascript on the Web
The web is the most powerful application platform in existence. As long as you have the right API, you can safely run anything you want in a browser. Well… anything but cryptography. It is as true today as it was in 2011 that Javascript cryptography is Considered Harmful. The main problem is code distribution. Consider […]
Introducing Sucuri Academy: Your New Destination for Website Security Education
Learn. Secure. Lead. We’re excited to introduce the beta launch of Sucuri Academy—a cutting-edge learning platform designed to empower website owners, developers, and digital professionals with the skills to defend against cyber threats. Whether you’re just starting out or looking to master advanced security techniques, Sucuri Academy offers structured, expert-led courses to help you protect […]
Enhancing File Transfer Security with SSH Key Authentication
Attackers scan for TCP 22 and 2222 around the clock. When they find an open port, they launch credential-stuffing lists harvested from previous leaks, brute-force scripts, and even malware that hunts for hard-coded passwords in deployment repositories. Verizon’s 2025 Data Breach Investigations Report (DBIR) continues to show stolen credentials as a leading initial access vector […]
15 years of helping build a better Internet: a look back at Birthday Week 2025
Cloudflare launched fifteen years ago with a mission to help build a better Internet. Over that time the Internet has changed and so has what it needs from teams like ours. In this year’s Founder’s Letter, Matthew and Michelle discussed the role we have played in the evolution of the Internet, from helping encryption grow […]
Safe in the sandbox: security hardening for Cloudflare Workers
As a serverless cloud provider, we run your code on our globally distributed infrastructure. Being able to run customer code on our network means that anyone can take advantage of our global presence and low latency. Workers isn’t just efficient though, we also make it simple for our users. In short: You write code. We […]
Automatically Secure: how we upgraded 6,000,000 domains by default to get ready for the Quantum Future
The Internet is in constant motion. Sites scale, traffic shifts, and attackers adapt. Security that worked yesterday may not be enough tomorrow. That’s why the technologies that protect the web — such as Transport Layer Security (TLS) and emerging post-quantum cryptography (PQC) — must also continue to evolve. We want to make sure that everyone […]
