Cloudflare CEO Matthew Prince, like his colleagues, has come to hate his company’s virtual private network, used to connect securely to corporate servers from afar.
“I’d be traveling to god knows where and have to get on the Cisco VPN client to San Francisco,” he explained in a phone interview with The Register in December. “If I was India, for example, it was just this incredible painful experience.”
Prince recalled a corporate event at which Cloudflare’s CISO put up a piñata representing the VPN and had him beat it to death on stage, which must have been very satisfying.
Cloudflare in April launched its own VPN called Warp, built into its 220.127.116.11 App, which provides DNS service. And Warp will play a supporting role as the company expands into a new line of business, dubbed Cloudflare for Teams.
It’s not a collaboration tool like Slack or Microsoft Teams. Rather, it’s a nascent suite of security and access control services.
One of its components is already up and running, Cloudflare Access, a service that provides user-based and application-based security, authentication, and monitoring. It’s currently being used by the likes of 23andMe and Ericsson.
Bring on S2
On Tuesday, January 7, Cloudflare plans to announce its first post-IPO acquisition, bringing technology and talent into the company so it can expand beyond the infrastructure protection business into the market for people protection.
Prince said he expects the acquisition of S2 Systems, a startup based in Kirkland, Washington, to be complete by the end of 2019 and to be announced in early January.
S2 Systems has developed a browser isolation system that enables server-based rendering of web content. It’s similar in some sense to the proxy system used by the Opera Mini browser to render web content remotely before sending it to a resource-constrained mobile device.
There are other companies doing this, Prince explained, such as Menlo Security and Authentic8, but he contends S2’s technology performs better. And with the acquisition complete, it will be integrated into a product called Cloudflare Gateway that forms the second Cloudflare for Teams application, probably by mid-year.
Browser isolation is desirable for companies because the web is a security risk. “When you’re an employee using company-owned device, every web page you load is bringing code back into the organization and running it on that device,” Prince said.
Browser isolation runs web code remotely, where security threats can be dealt with more effectively, and sends only rendered pages to devices.
“There’s no code running in your browser anymore,” said Prince as he described the scheme. “It’s all running on the network.”
“There are two ways that that’s done today,” explained Darren Remington, co-founder of S2 and now product strategy innovation director at Cloudflare, during an interview at Cloudflare’s San Francisco headquarters on Monday.
“The first is called pixel pushing, which is effectively you’re running a browser and remotely they’re taking a video of it and pushing into your local machine and you’re watching a video.”
The drawback with that approach, according to Remington, is that it’s expensive to run because you’re encoding video in the cloud all the time.
The second approach, he said, is called DOM reconstruction. “The idea there is to take the HTML and CSS and everything else that comes in from a website and clean it, take out the actual code, take out anything that could be potentially malicious.”
“There’s two issues with that,” Remington said. “One is that although it’s a lot faster and feels smoother for a user, you’re still using HTML. You’re still using the attack vector. So it’s a little bit like washing mosquitoes, right? You can wash them, but they still carry pathogens.” The other is that is breaks a lot of websites, he said.
S2 developed a third approach, one that involves creating a headless version of Chromium – the open-source foundation of Chrome and about two dozen other browsers – that runs in the cloud and intercepts calls to the browser’s Skia graphics layer.
“Before it actually draws anything virtual, we intercept those Skia calls, we tokenize them, we compress them, we send them through to any HTML5 browser, where we redraw them locally, right on the machine,” Remington explained.
“We use WebAssembly. We push a little Skia library that runs local in your browser, any browser. And so those commands come in, and then they get redrawn. So it’s effectively a headless Chromium that draws locally. Turns out, it’s very secure, because that is not an attack vector. It’s only draw commands.”
During the brief demo, a Chrome browser running on the laptop of David Harnett, S2’s other co-founder and former CEO, now director of product management at Cloudflare, proved quite responsive, with no sign that most of the browser functions were being handled remotely.
According to Harnett, S2’s scheme results in a 60 per cent bandwidth savings.
I got 502 problems, and Cloudflare sure is one: Outage interrupts your El Reg-reading pleasure for almost half an hour
“People are surprised when we say that in many cases, it’s faster than local,” said Remington, noting that the delay to load a Wall Street Journal page, which can involve over 2,000 server requests, all gets done in the cloud, where the bandwidth capacity is much higher