Cloudflare has announced a method to scale up SSL without taking control of the private keys used for the SSL session. Today, enterprises are buying 10-100GbE of Internet connectivity and building in-house DDoS mitigation and oversized load balancers for SSL termination just to keep the private keys safe and compliant with regulatory requirements (and rightly so).
The bankers related that the attacks, which were between 60-80Gbps (far shy of the 500Gbps+ attacks we regularly see today), were sufficient to cripple their on-premises network hardware solutions. The multiple banks that we visited that day told us the same story. Whether it was their load balancer, their firewall, their router, or their switch, under attack, something had become saturated and was unable to keep up with the traffic. It didn’t matter how clever the software on the device was; in every case they were dead at Layer 3.
You simply cannot buy enough bandwidth to prevent DDoS in your own data centre; it MUST be handled in the carrier backbone. Until now, SSL traffic had to be terminated in the enterprise data centre, because that is where the private keys live.
Is It Secure?
We will get the technical details soon, and I’m looking forward to the response from the security community.
Tomorrow, we’ll publish a full post on the nitty-gritty technical details of how what has come to be called Keyless SSL™ works. For now, I’ll just tell you about what Sebastien had built. It was a dramatic demo. A simple agent ran on a Raspberry Pi. A web server, running on a remote server on CloudFlare’s network, received HTTPS connections. When the Raspberry Pi was plugged in, the connections went through from a browser as they would normally. The lock appeared and the connection was secured, end-to-end. The minute the Raspberry Pi’s power was disconnected, HTTPS access terminated.
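The demo above comes down to one idea: the edge terminates HTTPS but holds no private key, and each handshake forwards a single signing operation to the agent that does hold it. The Go program below is an added example written for this post; it is not Cloudflare's code and not the Keyless SSL protocol itself. It uses the `crypto.Signer` hook that Go's `crypto/tls` accepts as a certificate's `PrivateKey`, runs a TLS handshake over an in-memory pipe, and uses a constructed self-signed certificate for the hypothetical name `keyless.example` with a boolean standing in for the Raspberry Pi's power cord. A real deployment would carry the `Sign` call over a mutually authenticated, encrypted channel to the key server; that transport is omitted here.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// KeyServer plays the part of the agent on the Raspberry Pi: the only process
// that ever holds the private key. Online stands in for the power cord.
type KeyServer struct {
	key    *ecdsa.PrivateKey
	Online bool
}

// Sign is the one private-key operation the edge asks for per handshake.
// Only a digest crosses the boundary; the key and session secrets never do.
func (k *KeyServer) Sign(digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if !k.Online {
		return nil, errors.New("key server unreachable")
	}
	return k.key.Sign(rand.Reader, digest, opts)
}

// RemoteSigner is all the edge holds: the public key and a link to the key
// server. It satisfies crypto.Signer, so crypto/tls accepts it as a
// certificate's PrivateKey even though no key material is present here.
type RemoteSigner struct {
	pub    crypto.PublicKey
	server *KeyServer
}

func (r *RemoteSigner) Public() crypto.PublicKey { return r.pub }

func (r *RemoteSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	return r.server.Sign(digest, opts)
}

// NewKeyServer generates a constructed P-256 key and a self-signed certificate
// for the hypothetical name keyless.example; the key stays inside the KeyServer.
func NewKeyServer() (*KeyServer, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "keyless.example"},
		DNSNames:              []string{"keyless.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return &KeyServer{key: key, Online: true}, cert, nil
}

// Handshake runs one TLS handshake over an in-memory pipe between an edge that
// holds only a RemoteSigner and a browser-like client that trusts the
// constructed certificate. It returns the first error seen by either side.
func Handshake(ks *KeyServer, cert *x509.Certificate) error {
	edgeCert := tls.Certificate{
		Certificate: [][]byte{cert.Raw},
		PrivateKey:  &RemoteSigner{pub: cert.PublicKey, server: ks},
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)

	clientConn, edgeConn := net.Pipe()
	edgeErr := make(chan error, 1)
	go func() {
		edge := tls.Server(edgeConn, &tls.Config{Certificates: []tls.Certificate{edgeCert}})
		edgeErr <- edge.Handshake()
		edgeConn.Close() // unblocks any client write still pending on the pipe
	}()
	client := tls.Client(clientConn, &tls.Config{RootCAs: roots, ServerName: "keyless.example"})
	clientErr := client.Handshake()
	clientConn.Close()
	if err := <-edgeErr; err != nil {
		return err
	}
	return clientErr
}

func main() {
	ks, cert, err := NewKeyServer()
	if err != nil {
		panic(err)
	}
	fmt.Println("key server online, handshake error:", Handshake(ks, cert))
	ks.Online = false // pull the Pi's power cord
	fmt.Println("key server unplugged, handshake error:", Handshake(ks, cert))
}
```

What crosses the edge/key-server boundary is a 32-byte transcript digest going out and an ASN.1 signature coming back; the `RemoteSigner` struct has no field in which a key could even live. Pulling the key server offline makes the handshake fail closed, exactly as the demo describes, rather than leaving anything behind on the edge.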
The EtherealMind View
This means the end of big load balancers and fat Internet pipes for inbound Internet/web services in enterprise networks. If you don’t need to scale up for DDoS, you can spend a lot less and significantly improve latency/response times for your customers. That is a winning combination.
Sell your F5 stock if you have any.
I’m a customer of CloudFlare and have the view that they are an impressive company. This will be a huge change in web hosting.