45 comments

[ 1.1 ms ] story [ 95.6 ms ] thread
There was a huge amount of work behind the scenes over the past 3-4 years to pull this off, by both CloudFlare people and Baidu. There will be some engineering posts about it.

I personally wasn't particularly involved in this, but met some of the Baidu engineers. What amazed me was just how smart they were -- they were basically indistinguishable from the engineers I've met at top-tier US companies.

I'm really looking forward to the great Internet services for everyone which will come out of companies in China over the next decade. People outside China really underestimate the potential there. It will mean more competition, but also a lot more awesome products and tools, and will make the world a better place for everyone.

In the very long term, sure. In the medium term no.

If Chinese firms were to start competing with Western firms, then the legality of Chinese protectionism would be called into question.

The fact that CloudFlare even needs to partner with Baidu, rather than just put some servers into a local datacenter, is an example of this protectionism.

Until the Chinese internet market is saturated with Chinese products, the government is not going to encourage internet startups to compete in Western markets, and even then they might decide that trade sanctions/WTO rulings against them are not worth it (compared to having total control of what internet services their citizens use)

There are definitely protectionist aspects to some of China's policies (just like there are protectionist aspects to many US policies, especially outside IT), but there is also a lot of complexity to the market on its own. It is one of the few large, developed markets for Internet products where it makes a lot of sense for outsiders to partner.

Also, it's changing rapidly, so "very long term" might be 5 years, and "medium term" might be 1 year, for anything. Some of the biggest companies in China are less than 5 years old.

> There are definitely protectionist aspects

Do I read it correctly that you are arguing it is significantly less about protectionism and mostly about state censorship/control?

No. It's primarily about the market just being unique. We have maybe 10 people in the company who speak Chinese; trying to build a Chinese-language product alone would be challenging. The language portion is the smallest aspect to localizing a service like ours. The Chinese Internet has evolved differently -- for us to learn how it works on our own, even with full access, would take forever (5y maybe to where it is now, by which point it would have evolved -- would never catch up.)

It's secondarily about regulation for its own sake -- governments regulate because they think they should, especially communications. Communications is one of the most highly regulated sectors of the economy around the world, even in countries which are relatively free market.

It's tertiarily about protectionism. That might have been more true 5-10 years ago, but I'd be amazed if a non-Chinese company could go into the Chinese market directly and out-compete on services built by local companies. There are definitely products (high-end machine tools, luxury goods) where foreign companies are preferred, but Internet services aren't one of them.

It's only minimally about censorship. If you're operating in a country, you're subject to their laws, which doesn't really matter if you're in a partnership vs. have your own servers in that country.

@rdl Thanks for your reply. It is interesting to hear the perspective of someone dealing with a different sector of the China.

For what I do (security/defense) everything is censored by the Great Firewall.

> What amazed me was just how smart they were -- they were basically indistinguishable from the engineers I've met at top-tier US companies.

I'd probably try and rephrase that, because you are basically saying that you were expecting them to be unskilled and unprofessional, but, shockingly, they weren't.

It was that I was expecting them to have different motivations or styles of working. The "conventional" wisdom in the US is that Chinese companies don't innovate, and just do great work copying. The reality is they're just as innovative as anyone in SV. Companies like FB end up building new amazing technology because of challenges at scale, not because it's necessarily core to the user experience for a single user, and the same thing happened in China.
Baidu is actually one of the more SV-like in culture tech companies in China. There's also quite a large number of engineers there who worked in SV and have now returned (bringing some of those engineer skills and culture with them).
More details on the CloudFlare/Baidu partnership and how existing and new CloudFlare customers can get announced on the China network:

https://www.cloudflare.com/china

According to this article, you have to pick one or the other: https://support.cloudflare.com/hc/en-us/articles/209156358-I...

So AWS has had a ChinaNet partnership for years. And Tencent's CDN supports HTTPS today. Not getting what's so new here. Ideally, we need a CDN that allows you to manage China just like any other edge, that's the holy grail.

HTTP limitation going away very soon. At that point, China and the rest of the world will be managed from a single interface with a perfectly parity feature set.
I assume this gives the Chinese government raw access to everything before it's TLS-encrypted, right?
It's not like that'd be anything new... The NSA has been known to do this with other major tech companies (google/msft), wouldn't be a stretch to assume they did it at the CDN level.

Either way if you have full SSL (not flexible) on cloudflare, cloudflare receives encrypted data from your server anyway, which wouldn't let the gov't see your data. They'd only be able to decrypt Flexible SSL.

Looks like it only supports unencrypted HTTP at the moment.
While we extended our network into China, we also took steps to ensure that all customer data would be kept secure. No CloudFlare customer traffic will pass through the China network unless a customer explicitly opts in to the service. Sites' log data from traffic outside of China is never sent into China. And, for customers that opt in to serving content inside China, customer identifiable information such as email addresses, password hashes, and billing information is not sent to the China network nor ever shared with Baidu.

Other potentially sensitive information is also kept outside of China. For instance, CloudFlare's Keyless SSL technology allows us to serve encrypted traffic for customers who opt-in to the China network without having to store private SSL keys inside the country. CloudFlare can keep our customers' keys outside of China, if they choose to, while still providing our full suite of services inside China.

As part of this partnership, CloudFlare was never asked nor did we ever volunteer to provide any data about any of our users to Chinese, United States, or any other governments’ regulatory authorities. Had that been a requirement of entering the region we would have passed on the opportunity.

None of the things you said relate to the government having raw access to the plaintext before TLS is applied.

Given the parties involved, it seems obvious that this is just a second, more efficient GFW that runs on Baidu's servers instead of at the border.

Would your statement "nor did we ever volunteer" still be true if you could assume that the infrastructure you're running on (ie. baidu) is rigged to act as a passive interception point?
Users connect to Cloudflare edge server with its own certificate. Then it's decrypted and re-encrypted to the origin server. Right? I imagine it's like this: http://i.imgur.com/DASFtbw.png
I believe Cloudflare provide their own private CA and let customers set this up to encrypt between Cloudflare and the customer's origin servers.

However from speaking to Cloudflare I don't think this is enforced - i.e., Cloudflare allow their customers to indeed send a web users data in the clear over the internet.

Even assuming the origin server is HTTPS, the content is decrypted while it's on the edge server. The whole path secured, but it's still MITM'd. That's old news, but now that server is in China, I presume.
Yes, Cloudflare can view the unencrypted content if the customer encrypts, but I think that's less interesting than allowing a customer to choose not to encrypt over the internet.
The headline's euphemism – "…Boosts Users Over…" – makes it sound like it could allow users to access content that China wants censored. But, there's no support for that idea in the article, and I can't imagine Baidu could be involved in any sort of anti-censorship effort.

Instead, this appears to just help reduce the firewall's latency tax on non-censored content.

Given the way many of Cloudflare's SSL offerings work, it could presumably also (eventually) mean that outsiders will be able to reach Chinese customers with SSL – but only with a decrypted mid-point under Baidu's control inside China.

(comment deleted)
This, the lauding of the engineering and business efforts involved mentioned in other comments on this article pales in comparison to the continued oppression of human rights in China and government censored access to information. Let's stop praising technology that doesn't do anything positive for the world.
Even if China-based users could access content China wants censored, such as the linked NY Times article, there's still the issue of getting thru the paywall that NY Times and others puts up to keep users out.
On the surface, this seems risky. CloudFare, which manages thousands of U.S. sites, hands over IP (and I assume source code) to a Chinese company. Pretty soon the CCP comes knocking and uses that data in a way that may not be in the best interest of non-Chinese users. Moreover, if this becomes a large revenue source for CloudFare then the CCP is going to have additional leverage over them. Maybe next time, for instance, they don't deal with the DoS attack because China says not to interfere.
This was part of why it took four years to build. We put a lot of engineering and business effort into making sure both Chinese and US customers and their users would be safe.

(Also, by "thousands", you mean 2000 thousand; it's over 2mm sites. And actually quite a bit over that, which will be announced soon...)

A possibility we specifically discussed with our Board who all agreed if it ever came to that we'd walk away from the partnership.
Surely it's going to be hard to maintain that position?

Cloudflare have been involved in a number of projects in conflict with the CCP in recent years. One recent example:

http://thenextweb.com/asia/2014/06/20/cloudflare-hong-kong-d...

There's also Galileo which I'm sure supports a number of organisations which the party would take issue with.

Would such initiatives be at risk?

On a related note, I've asked about how CF would effect egress filtering in the case of another Great Cannon attack elsewhere in the thread - I'd love an answer if you can provide one.
This was flagkilled by users earlier. I'm guessing that's because Chinese censorship is controversial? If it was for some other reason, I'd be curious to know.

The story seems obviously on-topic for HN so we've turned flags off for now. We did, however, give the story a less contentious title.

Isn't it ironic that people abused the flagging feature to basically censor an article about Chinese censorship?

Anyway, you should consider implementing a harsh penalty for people who abuse flagging like that. It was designed to help HN self-moderate, not to allow people to bury or kill things they don't want discussed.

That distinction isn't as easy as you suggest.
What defines CloudFlare as a startup? They are pretty established...
~180 employees is in the startup range. A lot of people say "startup" for anything pre-IPO.

It is borderline, I agree. "Internet infrastructure provider", "Tech company", etc. would be just as accurate as "startup"

"startup" is well defined if you care to think about it - it's an entity looking to find a working business model.

once the model is established, whatever is the size of the entity and the turnover, it's no longer a startup, unless it pivots of course.

this definition rules out all stupid scenarios.

So by this logic, 4sq and Twitter are startups, and Github is not?
it's difficult to call github a startup by any means.

4sq and Twitter could be startups - I'm not sure if they found a business model or not.

They're young (in business terms, 5 years is a pretty short lifetime), growing fast, and aiming to dominate a sector.
So, the obvious question: will this stop Baidu from being used to attack American companies again [1] or not? There's nothing mentioned in the article.

Presumably if Baidu's site has some JS injected to make Baidu customers attack GitHub again, Cloudflare could do some egress filtering?

This would effectively secure Baidu's outbound traffic from the Great Canon.

[1] http://arstechnica.com/security/2015/03/github-battles-large...

How does this work, in practice, for Cloudflare customers based outside of China?

Each customer still needs an ICP licence: "CloudFlare customers that wish to serve traffic for their domains across the China network must possess a valid Internet Content Provider (ICP) license." [0]

ICP licences are only available to Chinese companies/individuals: "Please note that you must be a Chinese passport holder to be named the contact for a website. Foreign companies (unless they have a Chinese subsidiary) cannot apply for an ICP." [1]

[0] https://www.cloudflare.com/china

[1] https://support.cloudflare.com/hc/en-us/articles/209714777

By having a Chinese subsidiary.
So if I'm a company outside China, with a web site that I want to make accessible in China using CloudFlare's collaboration with Baidu, I have to set up a WFOE in China first?
Did I understand this correctly in that CloudFlare now has CDNs in China (operated by Baidu) from which US sites can be quickly distributed to chinese users?

Because this article was giving this ominous impression of using metaphors not to simplify the concept, but to hide a deep-seated ignorance about the actual working principle.