Web performance and security solutions provider Cloudflare announced this week that all customers will benefit from unmetered mitigation against distributed denial-of-service (DDoS) attacks, and they will be able to choose where they want their private SSL keys stored.
DDoS protection providers typically ask their customers to pay more and even terminate them if they are hit by a massive attack that may cause disruptions to other customers’ services.
Cloudflare, which claims to have the ability to handle more than 15 terabits per second of DDoS traffic, believes it can now protect a website against attacks of any size while ensuring that other customers are not impacted in any way.
That is why the company has decided that it will not terminate customers or jack up their bill regardless of the size of the attack or the plan they use. Customers that use a paid plan will, of course, have more benefits, but when it comes to volumetric DDoS mitigation, even users of the Free plan will benefit from unlimited and unmetered protection.
“Back in 2014, during Cloudflare’s birthday week, we announced that we were making encryption free for all our customers. We did it because it was the right thing to do and we’d finally developed the technical systems we needed to do it at scale. At the time, people said we were crazy. I’m proud of the fact that, three years later, the rest of the industry has followed our lead and encryption by default has become the standard,” Matthew Prince, CEO of Cloudflare, wrote in a blog post.
“I’m hopeful the same will happen with DDoS mitigation. If the rest of the industry moves away from the practice of surge pricing and builds DDoS mitigation in by default then it would largely end DDoS attacks for good. We took a step down that path today and hope, like with encryption, the rest of the industry will follow,” Prince added.
Private key restriction with Geo Key Manager
Cloudflare announced on Tuesday that customers will be able to specify where to store their private SSL keys via a new service called Geo Key Manager.
The company has data centers in more than 55 countries and some of its customers might not be comfortable knowing that the keys to their kingdom are stored on servers physically located in a certain country.
“Even if local governments are to be trusted, organizations may have strong geopolitical-based opinions on security or mandates to adhere to certain regulatory frameworks. That, or they simply may understand there are only so many data centers in the world that can meet our most stringent physical security requirements and controls; as Cloudflare’s network grows, it’s inevitable that we will exhaust these facilities, and thus customers need control over where their keys are held,” explained Cloudflare’s Patrick R. Donahue.
With Geo Key Manager, Cloudflare customers can choose to store their custom certificates only in U.S. data centers, only in E.U. data centers, or only in data centers with the highest security. The downside is that some initial requests will take tens of milliseconds longer to complete compared to allowing the keys to be stored in any Cloudflare data center, an option that provides the best performance.
Cloudflare has pointed out that all its data centers are highly protected against both digital and physical threats, but top tier centers have extra physical security measures, including non-stop security officers, pre-scheduled biometric access, private cages that can be accessed only after passing through 5 checkpoints, and comprehensive interior and exterior security controls and monitoring.
In the near future, Cloudflare Enterprise users may be provided even finer control over where their private keys are stored.