Research Updates from the Cloudflare Blog
2025-10-30 Beyond IP lists: a registry format for bots and agents
We propose an open registry format for Web Bot Auth to move beyond IP-based identity. This allows any origin to discover and verify cryptographic keys for bots, fostering a decentralized and more trustworthy ecosystem.
2025-10-30 Anonymous credentials: rate-limiting bots and agents without compromising privacy
As AI agents change how the Internet is used, they create a challenge for security. We explore how Anonymous Credentials can rate limit agent traffic and block abuse without tracking users or compromising their privacy.
2025-10-29 Measuring characteristics of TCP connections at Internet scale
Researchers and practitioners have been studying connections almost as long as the Internet that supports them. Today, Cloudflare’s global network receives millions of connections per second. We explore various characteristics of TCP connections, including lifetimes, sizes, and more.
2025-10-29 One IP address, many users: detecting CGNAT to reduce collateral effects
IPv4 scarcity drives widespread use of Carrier-Grade Network Address Translation, a practice in ISPs and mobile networks that places many users behind each IP address, along with their collected activity and volumes of traffic. We introduce the method we’ve developed to detect large-scale IP sharing globally and mitigate the issues that result.
2025-10-29 How to build your own VPN, or: the history of WARP
WARP’s initial implementation resembled a VPN that allows Internet access through it. Here’s how we built it – and how you can, too.
2025-10-29 Defending QUIC from acknowledgement-based DDoS attacks
We identified and patched two DDoS vulnerabilities in our QUIC implementation related to packet acknowledgements. Cloudflare customers were not affected. We examine the "Optimistic ACK" attack vector and our solution, which dynamically skips packet numbers to validate client behavior.
2025-10-29 So long, and thanks for all the fish: how to escape the Linux networking stack
Many products at Cloudflare aren’t possible without pushing the limits of network hardware and software to deliver improved performance, increased efficiency, or novel capabilities such as soft-unicast, our method for sharing IP subnets across data centers. Happily, most people do not need to know the intricacies of how your operating system handles network and Internet access in general. Yes, even most people within Cloudflare. But sometimes we try to push well beyond the design intentions of Linux’s networking stack. This is a story about one of those attempts.
2025-10-28 State of the post-quantum Internet in 2025
Today over half of human-initiated traffic with Cloudflare is protected against harvest-now/decrypt-later with post-quantum encryption. What once was a cool science project is the new security baseline for the Internet. We’re not done yet: in this blog post we’ll take measure of where we are, what we expect for the coming years, and what you can do today.
2025-10-28 Keeping the Internet fast and secure: introducing Merkle Tree Certificates
Cloudflare is launching an experiment with Chrome to evaluate fast, scalable, and quantum-ready Merkle Tree Certificates, all without degrading performance or changing WebPKI trust relationships.
2025-10-28 A framework for measuring Internet resilience
We present a data-driven framework to quantify cross-layer Internet resilience. We also share a list of measurements with which to quantify facets of Internet resilience for geographical areas.
2025-10-27 The tricky science of Internet measurement
The Internet is one big open system composed of many closed boxes — which makes measuring the Internet difficult. In this post we explore Internet measurement as a science.
2025-10-27 From .com to .anything: introducing Top-Level Domain (TLD) insights on Cloudflare Radar
Cloudflare Radar has launched a new Top-Level Domain (TLD) page, providing insights into TLD popularity, traffic, and security. The top-ranking TLD may come as a surprise.
2025-10-27 Data at Cloudflare scale: some insights on measurement for 1,111 interns
While large cloud providers hold vast troves of passive network data, analyzing them is complicated. The scale, noise, and absence of definitive ground truth all create major hurdles. Yet by carefully quantifying these constraints and finding alternative forms of evidence, meaningful insights can still emerge.
2025-10-27 Making the Internet observable: the evolution of Cloudflare Radar
Cloudflare Radar has evolved significantly since its 2020 launch, offering deeper insights into Internet security, routing, and traffic with new tools and data that help anyone understand what's happening online.
2025-10-27 Internet measurement, resilience, and transparency: blog takeover from Cloudflare Research and friends
Coinciding with the ACM’s Internet Measurement Conference, the Cloudflare Research team is publishing a series of posts this week to share their research on building a more measurable, resilient, and transparent Internet. These posts will cover foundational concepts in Internet measurement, Internet resilience, cryptography, and networking.
2025-10-27 How does Cloudflare’s Speed Test really work?
In this blog post we’ll discuss how Cloudflare thinks about measuring Internet quality, how our own Cloudflare speed test works, and our future plans for providing Internet measurement tools that help everyone build a better Internet.
2025-10-16 Improving the trustworthiness of Javascript on the Web
There's no way to audit a site’s client-side code as it changes, making it hard to trust sites that use cryptography. We preview a specification we co-authored that adds auditability to the web.
2025-09-24 Automatically Secure: how we upgraded 6,000,000 domains by default to get ready for the Quantum Future
A year after we started enabling Automatic SSL/TLS, we want to talk about the results, why they matter, and how we’re preparing for the next leap in Internet security.
2025-09-19 You don’t need quantum hardware for post-quantum security
Post-quantum cryptography protects against quantum threats using today’s hardware. Quantum tech like QKD may sound appealing, but it isn’t necessary or sufficient to secure organizations.
2025-07-01 Message Signatures are now part of our Verified Bots Program, simplifying bot authentication
Bots can start authenticating to Cloudflare using public key cryptography, preventing them from being spoofed and allowing origins to have confidence in their identity.
2025-06-26 Orange Me2eets: We made an end-to-end encrypted video calling app and it was easy
Orange Meets, our open-source video calling web application, now supports end-to-end encryption using the MLS protocol with continuous group key agreement.
2025-05-15 Forget IPs: using cryptography to verify bot and agent traffic
Bots now browse like humans. We're proposing bots use cryptographic signatures so that website owners can verify their identity. Explanations and demonstration code can be found within the post.
2025-04-11 A next-generation Certificate Transparency log built on Cloudflare Workers
Learn about recent developments in Certificate Transparency (CT), and how we built a next-generation CT log on top of Cloudflare's Developer Platform.
2025-03-25 Open-sourcing OpenPubkey SSH (OPKSSH): integrating single sign-on with SSH
OPKSSH (OpenPubkey SSH) is now open-sourced as part of the OpenPubkey project.
2025-03-21 Prepping for post-quantum: a beginner’s guide to lattice cryptography
This post is a beginner's guide to lattices, the math at the heart of the transition to post-quantum (PQ) cryptography. It explains how to do lattice-based encryption and authentication from scratch.
2025-03-20 HTTPS-only for Cloudflare APIs: shutting the door on cleartext traffic
We are closing the cleartext HTTP ports entirely for Cloudflare API traffic. This prevents the risk of clients unintentionally leaking their secret API keys in cleartext during the initial request.
2025-03-19 An early look at cryptographic watermarks for AI-generated content
It's hard to tell the difference between web content produced by humans and web content produced by AI. We're taking a new approach to making AI content distinguishable without impacting performance.
2025-03-17 Conventional cryptography is under threat. Upgrade to post-quantum cryptography with Cloudflare Zero Trust
We’re thrilled to announce that organizations can now protect their sensitive corporate network traffic against quantum threats by tunneling it through Cloudflare’s Zero Trust platform.
2024-12-26 Sometimes I cache: implementing lock-free probabilistic caching
If you want to know what cache revalidation is, how it works, and why it can involve rolling a die, read on. This blog post presents a lock-free probabilistic approach to cache revalidation, along
2024-11-08 How we prevent conflicts in authoritative DNS configuration using formal verification
We describe how Cloudflare uses a custom Lisp-like programming language and formal verifier (written in Racket and Rosette) to prevent logical contradictions in our authoritative DNS nameserver’s behavior.
2024-11-07 A look at the latest post-quantum signature standardization candidates
NIST has standardized four post-quantum signature schemes so far, and they’re not done yet: there are fourteen new candidates in the running for standardization.
2024-09-25 Introducing Speed Brain: helping web pages load 45% faster
Speed Brain uses the Speculation Rules API to prefetch content for the user's likely next navigations. The goal is to download a web page to the browser before a user navigates to it.
2024-09-24 Cloudflare helps verify the security of end-to-end encrypted messages by auditing key transparency for WhatsApp
Cloudflare is now verifying WhatsApp’s Key Transparency audit proofs to ensure the security of end-to-end encrypted messaging conversations without having to manually check QR codes. We are publishing the results of the proof verification to https://dash.key-transparency.cloudflare.com for independent researchers and security experts to compare against WhatsApp’s. Cloudflare does not have access to underlying public key material or message metadata as part of this infrastructure.
2024-09-05 A global assessment of third-party connection tampering
Cloudflare brings visibility to the practice of connection tampering as observed from our global network.
2024-09-05 Bringing insights into TCP resets and timeouts to Cloudflare Radar
New TCP resets and timeouts dataset on Cloudflare Radar surfaces connection tampering, scanning, DoS attacks, and more.
2024-08-20 NIST’s first post-quantum standards
NIST has published the first cryptographic standards for protecting against attacks from quantum computers. Learn what this means for you and your organization.
2024-08-08 Introducing Automatic SSL/TLS: securing and simplifying origin connectivity
This new Automatic SSL/TLS setting will maximize and simplify the encryption modes Cloudflare uses to communicate with origin servers by using the SSL/TLS Recommender.
2024-03-08 Harnessing chaos in Cloudflare offices
This blog post will cover the new sources of “chaos” that have been added to LavaRand and how you can make use of that harnessed chaos in your next application
2024-03-05 The state of the post-quantum Internet
Nearly 2% of all TLS 1.3 connections established with Cloudflare are secured with post-quantum cryptography. What once was the topic of futuristic tech demos will soon be the new security baseline.
2024-01-04 Privacy Pass: upgrading to the latest protocol version
In this post, we explore the latest changes to Privacy Pass protocol. We are also excited to introduce a public implementation of the latest IETF draft of the Privacy Pass protocol — including a set of open-source templates that can be used to implement Privacy Pass Origins, Issuers, and Attesters
2023-12-22 Have your data and hide it too: an introduction to differential privacy
Providing software and web services that deliver value for users often requires measuring user behavior. In this blog we discuss emerging cryptographic and statistical techniques that enable collecting such measurements without violating user privacy
2023-10-02 Birthday Week recap: everything we announced — plus an AI-powered opportunity for startups
Need a recap or refresher on all the big Birthday Week news this week? This recap has you covered
2023-09-29 Post-quantum cryptography goes GA
Cloudflare announces Post-Quantum Cryptography as a Generally Available system
2023-09-29 Encrypted Client Hello - the last puzzle piece to privacy
We're excited to announce a contribution to improving privacy for everyone on the Internet. Encrypted Client Hello, a new standard that prevents networks from snooping on which websites a user is visiting, is now available on all Cloudflare plans.
2023-09-29 Cloudflare now uses post-quantum cryptography to talk to your origin server
Starting today, you can secure the connection between Cloudflare and your origin server with post-quantum cryptography
2023-09-29 Privacy-preserving measurement and machine learning
Cloudflare is implementing DAP (Distributed Aggregation Protocol) – a way of aggregating data without exposing individual measurements that uses multi-party computation
2023-09-04 Connection coalescing with ORIGIN Frames: fewer DNS queries, fewer connections
In this blog we’re going to take a closer look at “connection coalescing”, with a specific focus on managing it at a large scale
2023-03-16 Post-quantum crypto should be free, so we’re including it for free, forever
Cloudflare makes the most advanced cryptography free for everyone, and it’s in beta today
2023-03-16 No, AI did not break post-quantum cryptography
The recent news reports of AI cracking post-quantum cryptography are greatly exaggerated. In this blog, we take a deep dive into the world of side-channel attacks and how AI has been used for more than a decade already to aid them
2023-01-27 Inside Geo Key Manager v2: re-imagining access control for distributed systems
Using the story of Geo Key Manager v2 as an example, let’s re-imagine access control for distributed systems using a variant of public-key cryptography, called attribute-based encryption.
2022-10-27 Stronger than a promise: proving Oblivious HTTP privacy properties
In this blog post, we describe a formal, computer-aided security analysis of Oblivious HTTP, an emerging IETF standard that applications can use to improve user privacy
2022-10-03 Defending against future threats: Cloudflare goes post-quantum
The future of a private and secure Internet is at stake; that is why today we have enabled post-quantum cryptography support for all our customers
2022-10-03 Automatic (secure) transmission: taking the pain out of origin connection security
Today we’re excited to announce that we will soon be offering a zero-configuration option for security on Cloudflare. If we find that we can automatically upgrade the security connection between Cloudflare and a user’s origin, we will
2022-10-03 Introducing post-quantum Cloudflare Tunnel
Every connection we make post-quantum secure, we remove one opportunity for compromise: that's why we are announcing post-quantum Cloudflare Tunnel to help you secure every connection to our network
2022-08-25 Deep dives & how the Internet works
We have amazing deep dives in our blog, but also research and “how the Internet works” kinds of stories. Here are some highlights from 2022, and before (with glimpses of our history).
2022-08-04 Experiment with post-quantum cryptography today
The future is post-quantum. Enable post-quantum key agreement on your test zone today and get a head start
2022-07-08 NIST’s pleasant post-quantum surprise
On Tuesday, the US National Institute of Standards and Technology (NIST) announced which post-quantum cryptography they will standardize.
2022-06-28 Hertzbleed explained
Hertzbleed is a brand-new family of side-channel attacks that monitor changes in CPU frequency
2022-05-16 Proof of Stake and our next experiments in web3
Cloudflare is going to participate in the research and development of the core infrastructure that helps keep Ethereum secure, fast, as well as energy efficient for everyone
2022-05-16 Serving Cloudflare Pages sites to the IPFS network
Today, we're announcing we're bridging the two. We will make it possible for our customers to serve their sites on the IPFS network
2022-05-16 Gaining visibility in IPFS systems
We've developed the IPFS Gateway monitor, an observability tool that runs various IPFS scenarios on a given gateway endpoint.
2022-04-15 Breaking down broadband nutrition labels
We commend Congress for including broadband nutrition labels in the Infrastructure Investment and Jobs Act, and the FCC for moving quickly to implement the labels
2022-03-31 Future-proofing SaltStack
This blog post chronicles the recent CVE investigation, our findings, and how we are helping secure Salt now and in the Quantum future
2022-03-20 Unlocking QUIC’s proxying potential with MASQUE
We continue our technical deep dive into traditional TCP proxying over HTTP
2022-03-19 A Primer on Proxies
A technical dive into traditional TCP proxying over HTTP
2022-03-08 Announcing experimental DDR in 1.1.1.1
The majority of DNS queries on the Internet today are unencrypted. This post describes a new protocol, called Discovery of Designated Resolvers (DDR), that allows clients to upgrade from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known.
2022-02-25 The post-quantum future: challenges and opportunities
The story and path of post-quantum cryptography is clear. But, what are the future challenges? In this blog post, we explore them
2022-02-25 Post-quantumify internal services: Logfwrdr, Tunnel, and gokeyless
A big challenge is coming: to change all internal connections at Cloudflare to use post-quantum cryptography. Read how we are tackling this challenge!
2022-02-24 HPKE: Standardizing public-key encryption (finally!)
HPKE (RFC 9180) was made to be simple, reusable, and future-proof by building upon knowledge from prior PKE schemes and software implementations. This article provides an overview of this new standard, going back to discuss its motivation, design goals, and development process
2022-02-24 Building Confidence in Cryptographic Protocols
This blogpost refers to the efforts to use formal/verification/implementation for post-quantum algorithms to achieve better assurance for them. It also touches on our Cloudflare efforts on this
2022-02-24 Using EasyCrypt and Jasmin for post-quantum verification
This blogpost will touch upon how to practically use Jasmin and EasyCrypt to achieve better security guarantees when verifying KEMs
2022-02-23 Making protocols post-quantum
Post-quantum key exchange and signature algorithms come with different trade-offs than we’re familiar with. How do we handle that when updating protocols, and is this an opportunity to revisit the status quo?
2022-02-22 Deep dive into a post-quantum key encapsulation algorithm
In this blog post, we will look at what Key Encapsulation Mechanisms are and why they matter in a post-quantum world
2022-02-22 Deep dive into a post-quantum signature scheme
How can one attest to an identity and prove it belongs to oneself? And how can one do it in the face of quantum computers? In this blog post, we examine these questions and explain what post-quantum signatures are
2022-02-21 The post-quantum state: a taxonomy of challenges
At Cloudflare, we strive to help build a better Internet, which means a quantum-protected one. In this post, we look at the challenges for migrating to post-quantum cryptography and what lies ahead using a taxonomy
2022-02-21 The quantum solace and spectre
What is quantum computing and what advances have been made so far on this front? In this blog post, we will answer this question and see how to protect against quantum adversaries
2021-11-08 Sizing Up Post-Quantum Signatures
How much room does TLS have for the big post-quantum signatures? We had a look: it’s tight.
2021-10-18 Tunnel: Cloudflare’s Newest Homeowner
Starting today, users who deploy and manage Cloudflare Tunnel at scale now have easier visibility into their Tunnel’s respective status, routes, uptime, connectors, cloudflared version, and much more through our new UI in the Cloudflare for Teams Dashboard.
2021-10-15 “Look, Ma, no probes!” — Characterizing CDNs’ latencies with passive measurement
In this article we describe an alternative approach to active measurements, which accurately predicts network latencies using only passively collected data.
2021-10-15 Multi-User IP Address Detection
We’ve devised novel methods to detect multi-user IP addresses, and today we’re excited to announce their integration into our global threat intelligence products. These will improve the quality of our detection techniques and reduce false positives for our customers, and the clients that visit them.
2021-10-15 Geo Key Manager: Setting up a service for scale
Diagnosing scaling issues in a service associated with TLS termination through a deep dive into some of the incidents it caused.
2021-10-14 Privacy-Preserving Compromised Credential Checking
Announcing a public demo and open-sourced implementation of a privacy-preserving compromised credential checking service
2021-10-14 Unbuckling the narrow waist of IP: Addressing Agility for Names and Web Services
IP addresses associated with names, interfaces, and sockets can tie these things together in a way that IP was never designed to support. This post describes Cloudflare efforts to decouple IP addresses from names, the latest in a quest for something we’re calling Addressing Agility.
2021-10-14 Research Directions in Password Security
We've been studying password problems, including malicious logins using compromised credentials. Here's what we learned and here's where we think we can go from here with safer password systems.
2021-10-13 Cloudflare and the IETF
Cloudflare helps build a better Internet through collaboration on open and interoperable standards. This post will describe how Cloudflare contributes to the standardization process to enable incremental innovation and drive long-term architectural change.
2021-10-13 Pairings in CIRCL
Our Go cryptographic library CIRCL announces support for pairing-based cryptography.
2021-10-13 Exported Authenticators: The long road to RFC
Learn more about Exported Authenticators, a new extension to TLS, currently going through the IETF standardisation process.
2021-10-13 Coalescing Connections to Improve Network Privacy and Performance
Real world experiments for evaluating connection coalescing effects.
2021-10-12 Introducing SSL/TLS Recommender
Introducing customized recommendations to improve the security of your website.
2021-10-12 Dynamic Process Isolation: Research by Cloudflare and TU Graz
Cloudflare worked with TU Graz to study the impact of Spectre on Cloudflare Workers and to develop new defenses against it. Today we're publishing a paper about our research.
2021-10-12 Handshake Encryption: Endgame (an ECH update)
In this post, we’ll dig into ECH details and describe what this protocol does to move the needle to help build a better Internet.
2021-10-12 Privacy Pass v3: the new privacy bits
A new version of Privacy Pass for reducing the number of CAPTCHAs.
2021-10-11 Announcing Cloudflare Research Hub
Announcing a new landing page where you can learn more about our research and additional resources.
2021-10-11 Internship Experience: Research Engineer
Over the summer of 2020 I interned at Cloudflare Research. This invaluable experience contributed to Cloudflare’s support of ODoH protocol, and I was awarded the best student paper award at PETS 2021.
2021-10-11 Cloudflare invites visiting researchers
As part of Cloudflare’s effort to build collaborations with academia, we host research focused internships all year long. Interns collaborate cross-functionally in research projects and are encouraged to ship code and write a blog post and a peer-reviewed publication at the end of their internship.
2021-10-10 Cloudflare Research: Two Years In
What Cloudflare Research has been up to for the last two years.
2021-10-01 Announcing The Cloudflare Distributed Web Gateways Private Beta: Unlocking the Web3 Metaverse and Decentralized Finance for Everyone
Cloudflare announces the Private Beta of their Web3 gateways for Ethereum and IPFS. Unlocking the Metaverse, Web3, and Decentralized Finance for every developer.
2021-10-01 Web3 — A vision for a decentralized web
In this blog we start to explain Web3 in the context of the web's evolution, and how Cloudflare might help to support it.
2021-09-30 How Cloudflare provides tools to help keep IPFS users safe
The Cloudflare IPFS module protects users from threats like phishing and ransomware.
2021-08-12 More devices, fewer CAPTCHAs, happier users
Today, we are taking another step in helping to reduce the Internet’s reliance on CAPTCHAs to prove that you are not a robot. We are expanding the reach of our Cryptographic Attestation of Personhood experiment by adding support for a much wider range of devices.