Cloudflare Calls

blog.cloudflare.com

213 points by aofeisheng 4 years ago · 131 comments (129 loaded)

rixthefox 4 years ago

They really do want to be the center of everything it seems. I wish they would stop trying to be the Cisco of Networking in the sense of trying to convince a lot of people to let them handle critical network functions for a ton of networks.

All it will take is one major outage for everyone to see this is a bad idea.

Why trust a cloud provider who could go down and take half the Internet with it? Why centralize it that much where that is even possible?

  • seeekr 4 years ago

    They just keep building on top of the things they've already built that are working really well, expanding into related services. Doesn't seem that different from what AWS is doing, just with a different focus and in a different place in everyone's (or the Internet's) stack.

    • yamtaddle 4 years ago

      The focus on a different place in the stack is really, really key, though. It's what's letting them make the kind of "the whole Internet's middle-man" play that they are.

      • hn_go_brrrrr 4 years ago

        AWS is going for "the internet's backend". I don't see how that's any different. A SPOF is still a problem, no matter where in your stack it lives.

        • yamtaddle 4 years ago

          They're positioned to have much wider reach than even AWS. You probably wouldn't put AWS in front of GCP or Azure. You might put CloudFlare in front of any of those. And once you've done that, well, they offer these other services that compete with the backend you're already using....

          Their position in the stack has a great deal of market relevance, which translates to risk if they realize that potential, because they could well end up being a critical part of more of the Internet than AWS is.

          • rabuse 4 years ago

            AWS has CloudFront... it's the same thing.

            • yamtaddle 4 years ago

              It's not. AWS goes out of their way to make mixing it with other providers so expensive that no-one will do it unless they absolutely have to, because they are chasing lock-in. CloudFlare basically does the opposite—their whole thing is positioning themselves as an intermediary so they can snoop on and get a cut of the action on everyone "else's" traffic... and then cut everyone else out completely, as they bring more services to market. They are positioned like a boa constrictor, coiling around all their partners and providers that sit behind them.

              They are not mainly a CDN and aren't even particularly interested in competing with other companies that are mainly CDNs, which becomes crystal clear if you ever negotiate enterprise pricing with them. The CDN's just a means to an end.

              Nb. despite all that their public-pricing plans are such excellent values (though, beware, last I checked the $200/m one was the only one with any kind of SLA whatsoever, and not an impressive one) that if I were creating a start-up CloudFlare might well be the very first service I signed up for. If you're a small fish it's damn hard to justify not using them. And the coils squeeze a bit tighter....

            • itintheory 4 years ago

              And GCP has a CDN too. Would you use the GCP CDN in front of AWS, or vice versa? It's fairly common to see Cloudflare CDN (& WAF, etc) used in front of services hosted in AWS, GCP, Azure.

            • anamexis 4 years ago

              Cloudflare is much more than a CDN.

        • bogomipz 4 years ago

          The parent is referring to concerns of a ubiquitous "man in the middle" and you are referring to SPOF. Those are two very different things. At any rate I can always choose 2 or even 3 cloud providers for diversity against having an SPOF with AWS.

  • leokennis 4 years ago

    I think the question you need to ask is: who can build, maintain and operate the needed infrastructure for "task x" better? Cloudflare or you?

    For many (most) use cases, CF will operate at a resilience and stability and professionality level far above what they can achieve themselves.

    • teddyh 4 years ago

      Of course Cloudflare can do it better. That’s not the argument rixthefox presented. The problem rixthefox stated was that when Cloudflare does go down, they take half the internet with them at once.

      • lijogdfljk 4 years ago

        Honest question, does that matter? I.e. if we say that they can do it better than I can, hypothetically that means I'll have more downtime than them - yes? If that's true for everyone, then the internet will, in aggregate, be down less with CF than if we distributed better. Assuming of course that they can handle the scale linearly, and that it doesn't cause them to have a worse uptime than if I hosted.

        So the question seems to be does the internet going down at the same time outweigh the internet being down for larger periods in aggregate? I don't know, honestly - seems like a tossup.

        Is there a better angle to view this from?

        edit: My issues with centralization are more about privacy, incentives, points of authority/leaks/autonomy, etc. Downtime seems the least concerning to me.

        • teddyh 4 years ago

          > Honest question, does that matter? I.e. if we say that they can do it better than I can, hypothetically that means I'll have more downtime than them - yes?

          Yes.

          > If that's true for everyone, then the internet will, in aggregate, be down less with CF than if we distributed better.

          That depends on what we define as “the internet”. If we use any single service as a point of measure, then “the internet” will have more downtime. But my desire to use the internet is very seldom to use one specific service. Instead, I want to accomplish a specific task, and if my usual service goes down, with any luck they will have a competitor which is still up. This is why I think this alternative is better; it will encourage competitors to exist, which will provide a level of redundancy above the simple network layer.

          • monkpit 4 years ago

            This isn’t really a value proposition to any of the companies that are looking to use cloudflare.

            When something big like AWS goes down, it’s just understood by users that stuff is all broken everywhere. It’s not really an opportunity to get more users just because your thing is still up during this huge outage.

            On top of that, if the alternative is less reliable than CF, any marginal gain in users during that outage (users that were only interested in your service because it was still up) will again be lost during subsequent outages for the exact same reason.

            • teddyh 4 years ago

              I was arguing from the point of view of an internet user. From the point of view of an individual service provider, of course it makes sense for them to use CF. But in aggregate, the widespread use of CF makes the internet worse.

      • staticassertion 4 years ago

        We've seen AWS go down. It's sort of a "haha, look at how much broke" but mostly it's a bunch of images don't load and maybe a few communication apps like Slack fail. 99% of the sites that go down are sites that really don't matter at all.

        Obviously if you need uptime better than AWS, don't use AWS, or use AWS and someone else. The reason people are fine accepting this is because the impact of "50% of the internet goes down" is hilariously unimpactful - 99% of the internet is just not anything to care about.

      • leokennis 4 years ago

        So if I understand your reasoning correctly, you’d rather have 60 minutes of downtime per self hosted service per year (all at different times), than 60 minutes of downtime per decade for all these services at the same time (all fixed once CF fix their incident)?

        • teddyh 4 years ago

          Yes. For each individual service outage, I’ll probably be able to find a replacement or do without that single service for a while. When ⅓ of all the internet goes down, that’s it; we’ll all just suffer for the duration.

          It’s like with stocks. A single stock I own might go bust, but with a diversified portfolio, I won’t really care. But if ⅓ of all stocks go bust at the same time, that’s a market crash.

  • nine_k 4 years ago

    It reminds me of the days of Google flourishing in the early 2000s: they added more and more wonderful stuff (such as mail, or maps) while improving their flagship offering, search, more and more. A lot of people were their sincere fans.

    • robertlagrant 4 years ago

      Sort of agree, except Cloudflare's new products all seem to scale nicely off their core competencies, so they can offer them more cheaply and (hopefully) more reliably. Maps and mail were more like "ways of getting to know you really really well".

      • ethbr0 4 years ago

        That's why I've been really impressed with their strategic execution: they seem to have a pretty laser focus on "Given what we already have now, and how much it costs to operate, what can we do that Amazon/Google/Microsoft can't easily duplicate at a competitive price point?"

        With a healthy dash of "What are people actually trying to accomplish?"

        The weakness at hyperscale is that all products feel like some mistranslation of the generalized form of an HR request: almost for everyone, but perfect for no one. Probably because nothing less than a TAM of "everyone" moves their revenue needle.

    • peterhadlaw 4 years ago

      But then what happened....

  • solardev 4 years ago

    Isn't that what AWS, Google, Azure, etc. have done forever? Cloudflare is easier to use, and IMO, just plain better.

    It's actually kinda nice to have half the internet go down at once. People can just stop work, wait a few minutes, and it magically comes back up. Making downtime somebody else's problem is a huge advantage...

  • ranger_danger 4 years ago

    History always repeats itself. Popular company gets too big, then splits up, then slowly merges back, ala AT&T.

    • Kye 4 years ago

      I saw a chart of this a while back. It really is consolidating right back down to where it was before it broke up.

  • onetimeusename 4 years ago

    what you say makes sense and even I doubt that cloudflare will remain committed to being content neutral even if they want to be, a different issue. Government can get corporations to do what they want.

    However, people continue to use cloudflare because it is easy, solves problems people don't like dealing with, and does the job. I don't know what the alternative pitch is to businesses so that cloudflare isn't so central to the internet.

    • dirheist 4 years ago

      Yeah, also for Cloudflare's core business proposition (DDoS mitigation and DNS forwarding/filtering) you need to be massive and to have multiple PoPs in order to assess whether or not a certain IP requesting a certain URL and sending over a certain length of packets should be accepted or whether a challenge should be served. You can't know any of these things unless you have an extensive network and clients.

  • eastdakota 4 years ago

    “Pardon me, Cisco”: https://youtu.be/T47T_mG7YbU

    • mwcampbell 4 years ago

      The opening of that ad backfired by making me nostalgic for the earlier, more decentralized Internet that I accessed via dialup as a teenager. The good news is that lots of sites and services still can run just fine on a single dedicated server, as they did back then, especially since some dedicated server providers (like OVHcloud) have DDOS protection. So while Cloudflare's marketing efforts sometimes succeed in making me excited about your products (as I'm afraid you can see from my other recent comments), I think I'll continue to resist the further centralization of the Internet under big providers like Cloudflare.

  • bombcar 4 years ago

    I'm waiting for them to buy tailscale.

    • rcarmo 4 years ago

      That would certainly improve the UX on their own product. Tailscale completely nailed that - even the daemon is nicer to use and manage than Cloudflare's.

  • BowBun 4 years ago

    Agreed. I think they do a lot of good for the ecosystem, but there's no reason to give one organization so much trust and to continue centralizing everything you do on their platform. They're very, very good at cultural and enterprise marketing though. My boss and countless others are completely sold that they should handle all of our complexities.

  • remram 4 years ago

    The Cisco of Networking is Cisco.

  • mschuster91 4 years ago

    > Why trust a cloud provider who could go down and take half the Internet with it? Why centralize it that much where that is even possible?

    The problem is that governments worldwide have done little to curb abusive behavior that makes this all but necessary to survive on the Internet:

    - India (for US/UK based callcenter scams) and Turkey (for German based) don't do shit against scam callcenters. There have been multiple high-profile YouTubers making videos exposing these scammers and the police there haven't done anything; some have even boasted about having connections to bribed police officers protecting them.

    - Russia, China, North Korea and Iran haven't been kicked off of the Internet despite both nations actively running hacking campaigns and sheltering hackers and "bullet proof" hosters.

    - Western governments still don't mandate open source or at least audits for Internet-connected appliance software, which means that there are tons of devices (smart cameras, other smart home systems, routers, ...) out there that end up compromised, and on top of that residential Internet connection speeds routinely cross 100 MBit/s these days giving compromised appliances an awful lot of leverage for DDoS attacks (which is the chief use case for employing Cloudflare, AWS Cloudfront+WAF and others).

    There simply is too much abuse in the system.

shiomiru 4 years ago

I'm having trouble understanding how giving this metadata to a centralized entity makes the transaction more "private".

In the example, now instead of sharing my IP with a therapist, (who I presumably trust enough to... not ddos me?), I'm sharing the fact that I was talking to a therapist with a company I possibly didn't even know existed.

Better yet, I suppose I can now be barred from accessing webrtc services if said company decides I'm a "threat" based on all the metadata they've been collecting through their other services.

  • ghhgfghfghfhf 4 years ago

    This comment asks all the right questions!

    This allows CF to construct a person graph, which is the only power Facebook have in the advertising business. ;)

    This will also allow CF to police WebRTC and block people out, like they already do for the rest of the internet. Get ready to answer webRTC captcha(TM) on every call if you use linux or such.

  • skybrian 4 years ago

    This infrastructure isn’t needed for two person conversations. What you're missing is that in a group situation, you’re not just trusting the group leader, but everyone in the call. The larger the group and the lower the barriers to entry, the worse it is.

    That said, I’m not sure that leaking an IP address is a big deal for most people. (It might be important in Ukraine, though.)

  • bryfb 4 years ago

    I'm so tired of this FUD cloudflare throws around. So far, I don't see a single cloudflare product that solves the purported problem without introducing three others that they conveniently don't talk about.

    And when the inevitable curation / editorial / policing challenge of running half the internet does knock on their doorstep, they go "well we're not the ones who are supposed to be policing it, but what are you gonna do?!"

Xeoncross 4 years ago

> "With a traditional WebRTC implementation, both the patient and therapist’s devices would talk directly with each other, leading to exposure of potentially sensitive data such as the IP address... When using Calls, you are still using WebRTC, but the individual participants are connecting to the Cloudflare network. If four people are on a video call powered by Cloudflare Calls, each of the four participants' devices will be talking only with the Cloudflare network. To your end users, the experience will feel just like a peer-to-peer call, only with added security and privacy upside.

Can someone clarify this? WebRTC is encrypted generally even if you leak metadata like IP address. Is Cloudflare stating they will be the middleman and therefore have access to the decrypted video stream?

  • lnsp 4 years ago

    As far as I understood it: the premise of added security is based on the fact that the other WebRTC peers only see Cloudflare's IP instead of your own. Also nobody knows who you are exactly talking to except Cloudflare. I would still expect that the media channels themselves remain encrypted even when multiplexed by Cloudflare's network.

    edit, yes it's encrypted:

    > Finally, all video and audio traffic that passes through Cloudflare Calls is encrypted by default. Calls leverages existing Cloudflare products including Argo to route the video and audio content in a secure and efficient manner.

    • treis 4 years ago

      It doesn't say that Cloudflare can't or doesn't access the encrypted data. It seems to be written in a way that everyone would assume they can't but AFAICT it doesn't explicitly say it. Which makes me think they phrased it like this for a reason but I definitely could be wrong.

  • kevincox 4 years ago

    > WebRTC is encrypted generally even if you leak metadata like IP address.

    Yes, WebRTC does end-to-end encryption by default. The IP is "leaked" because the peers directly connect to one another, so they will naturally require each others' IP address (which is required to talk to one another).

    There are both upsides and downsides to direct P2P connections.

    1. Pro: The minimal number of parties can analyze the call.

    2. Pro: The call depends on a minimal number of parties.

    3. Pro: The call is generally more performant, limited only by the connection between both peers.

    4. Pro: No need for third-party services other than a network connection.

    5. Con: The peer learns your IP which may be used to help identify you or DoS your internet connection.

    6. Con: Intermediates anywhere on the network can see which two peers are talking. (With a SFU only the SFU knows the ends of the connection for sure)

    > Is Cloudflare stating they will be the middleman and therefore have access to the decrypted video stream?

    I see nothing in this article that suggests that they will have access to the decrypted video. However I wouldn't be surprised if that is added in the future.

    The reason is that in order to do big calls you need to support multi-quality streams. This can in theory be done on decrypted connections but not all browsers support this right now (notably Firefox). So if you want the widest support you need to do video transcoding at the SFU.

    There are also other features such as recording and live-streaming that (generally) require access to the raw video. (Of course this can be done as adding the recorder/streamer as a "peer" to the E2EE call when needed, but that is still giving the keys to the company at this point).

    • kwindla 4 years ago

      Regarding performance: we've been collecting (anonymized) data from real-world WebRTC calls for several years, and sadly it's no longer true that p2p routes are generally more performant.

      It definitely used to be true that most p2p routes were lower latency than bouncing through a server at, say, an AWS data center. In 2019 we looked closely at this and it was fairly rare to see cases where latency was improved by switching over from a p2p connection to an SFU (media server) connection. Now, the reverse is true. It's usually the case that routing through a media server at AWS (or any other major provider) is as good or better than a p2p route between any two end users.

      Early in the pandemic, we assumed this was a temporary thing. ISPs had not built out their networks expecting much upstream traffic. But they'd adjust.

      Well, ISPs have evolved. Now we see much better performance in general than we did early in the pandemic. But we still see better performance to "the backbone" than we do between ISPs.

      Another step in the Internet becoming less of a decentralized network, perhaps.

    • throwaway99797 4 years ago

      WebRTC is end-to-end encrypted to the peer. So you're right, when you do actual peer to peer WebRTC between you and another user in a browser, you have end-to-end encrypted communication. When you go through a server, it's just another peer. So the word end maybe doesn't fit anymore, because it's a server that is the peer and they can decrypt the stream. Transcoding is pretty common at that stage because it's helpful for scaling.

      • kevincox 4 years ago

        That isn't necessarily true. I guess it is a bit opaque but when you negotiate a WebRTC connection you get a key and a list of network endpoints that you can use. It is entirely possible to add a proxy server in that list of endpoints without giving the proxy server a key as far as I am aware.

        That being said for big calls you start wanting to do selective forwarding and you probably need to drop down to a lower layer in the WebRTC stack to manage this and allowing the Selective Forwarding Unit (SFU) to be allowed to drop chunks without messing up the connection. However it is definitely possible to do all of this over WebRTC with full E2E encryption (see Jitsi Meet).

        • kwindla 4 years ago

          With today's browser implementations of WebRTC, you can proxy through a TURN server while still maintaining end-to-end encryption, but you can't proxy through any kind of customized endpoint/server, because each endpoint necessarily has the encryption keys as part of the session negotiation.

          Chrome implements experimental user-space media stream processing APIs that allow you to build "end-to-end encryption" at the JavaScript level. But, to me at least, it's a bit hand-wavy to call that "end-to-end encryption" because the keys are created, managed, and accessible from user-space. And neither Safari nor Chrome yet support these APIs.

          There's ongoing work on this: https://datatracker.ietf.org/wg/perc/documents/
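An added example, not code from the Cloudflare post or from anyone in this thread, that makes the points in the exchange above concrete: it parses a constructed WebRTC SDP offer and reports which ICE candidates disclose the user's own address (kevincox's cons #5 and #6), whether the offer is relay-only (the TURN case kwindla describes, where the remote side only ever sees the relay's address), and the a=fingerprint line that binds the DTLS-SRTP session to whichever endpoint terminates encryption. The SDP, addresses (RFC 5737 documentation ranges) and fingerprint are all made up for this example.

```python
"""Inspect what a WebRTC SDP offer discloses to the other end of the call."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample offer (not captured from any real call). Addresses come
# from the RFC 5737 documentation ranges and the fingerprint is invented.
SAMPLE_SDP = """v=0
o=- 4611731400430051336 2 IN IP4 127.0.0.1
s=-
t=0 0
a=group:BUNDLE 0
m=audio 9 UDP/TLS/RTP/SAVPF 111
c=IN IP4 0.0.0.0
a=mid:0
a=ice-ufrag:4ZcD
a=ice-pwd:2/1muCWoOi3uLifh0NuRHlTn
a=fingerprint:sha-256 7B:8B:F0:65:5F:78:E2:51:3B:AC:6F:F3:3F:46:1B:35:DC:B8:5F:64:1A:24:C2:43:F0:A1:58:D0:A1:2C:19:08
a=setup:actpass
a=candidate:1 1 udp 2122260223 192.168.1.20 51234 typ host generation 0
a=candidate:2 1 udp 2122194687 3f1c2a4e-9b7d-4a1a-8e2c-1d5f6a7b8c9d.local 51235 typ host generation 0
a=candidate:3 1 udp 1686052607 203.0.113.45 51234 typ srflx raddr 192.168.1.20 rport 51234 generation 0
a=candidate:4 1 udp 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 51234 generation 0
"""

CANDIDATE_RE = re.compile(
    r"^a=candidate:\S+ (?P<component>\d+) (?P<transport>\S+) (?P<priority>\d+) "
    r"(?P<address>\S+) (?P<port>\d+) typ (?P<typ>host|srflx|prflx|relay)"
    r"(?: raddr (?P<raddr>\S+) rport (?P<rport>\d+))?"
)
FINGERPRINT_RE = re.compile(r"^a=fingerprint:(\S+) (\S+)$")

# Explicit list so documentation-range addresses are not misclassified.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


@dataclass
class Candidate:
    address: str
    port: int
    typ: str                    # host, srflx, prflx or relay
    raddr: Optional[str] = None


def parse_candidates(sdp: str) -> List[Candidate]:
    out = []
    for line in sdp.splitlines():
        m = CANDIDATE_RE.match(line.strip())
        if m:
            out.append(Candidate(m["address"], int(m["port"]), m["typ"], m["raddr"]))
    return out


def parse_fingerprints(sdp: str) -> List[Tuple[str, str]]:
    """(hash algorithm, hex digest) of the DTLS certificate of whoever will
    terminate SRTP encryption: the real peer, or the SFU when it is the peer."""
    hits = (FINGERPRINT_RE.match(l.strip()) for l in sdp.splitlines())
    return [(m.group(1), m.group(2)) for m in hits if m]


def _is_private(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_NETS)


def classify(cand: Candidate) -> str:
    if cand.typ == "relay":
        return "turn_relay"         # the TURN server's address, not the user's
    if cand.typ in ("srflx", "prflx"):
        return "public_via_stun"    # the user's public address as seen by STUN
    if cand.address.endswith(".local"):
        return "mdns_hidden"        # browser masked the interface address
    return "interface_private" if _is_private(cand.address) else "interface_public"


def exposed_addresses(cands: List[Candidate]) -> List[str]:
    """Routable addresses the remote side learns about this user's network."""
    return sorted({c.address for c in cands
                   if classify(c) in ("interface_public", "public_via_stun")})


def relay_only(cands: List[Candidate]) -> bool:
    """True when only TURN relays are offered (what an iceTransportPolicy of
    'relay' produces): the peer never learns the user's own address, while the
    DTLS session, and so the keys, still terminate at the user's device."""
    return bool(cands) and all(c.typ == "relay" for c in cands)


def report(sdp: str) -> Dict[str, object]:
    cands = parse_candidates(sdp)
    return {
        "fingerprints": parse_fingerprints(sdp),
        "candidates": {c.address: classify(c) for c in cands},
        "exposed_addresses": exposed_addresses(cands),
        "relay_only": relay_only(cands),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_SDP).items():
        print(f"{key}: {value}")
```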

    • drakonka 4 years ago

      Regarding Pro #4: Wouldn't you still need a signaling server to establish that P2P connection and handle network switches and reconnections and such?

      • kevincox 4 years ago

        That's a good point. You do need something to do the negotiation. However this is not an intensive task and there are a handful of approaches that can avoid needing a dedicated third-party.

        1. IPFS PubSub can be used for sharing this info (although you do still need to bootstrap the IPFS DHT).

        2. You can share blobs over text chat. (Including services like Jami which are distributed)

  • michaelt 4 years ago

    Instead of "patient and therapist" a better example might be "livestreamer and griefer"

    A traditional form of griefing is "get your victim's IP address from a direct-connecting service like Skype and DDOS them while they're doing something latency-sensitive"

  • nine_k 4 years ago

    "If you don't trust each other, trust us": a very understandable value proposition. Also very understandable trade-offs.

    • ranger_danger 4 years ago

      Personally I wouldn't want even more people involved in my medical communications. Imagine if this data was leaked or sold and then used against you, like say for instance, receiving a consultation or help regarding an abortion or drug habit.

  • throwaway99797 4 years ago

    Cloudflare has to have access to the decrypted video just like Google Meet does, because browsers by default encrypt to the peer and they are the peer. After all these years there still isn't universal browser support for actual E2EE. What support does exist uses hacky APIs.

  • arkh 4 years ago

    > the patient and therapist’s devices would talk directly with each other

    For health data that's what you want. So I'd like to see how it would go with the GDPR agencies if used in a medical app.

mwcampbell 4 years ago

Was hoping they'd release a stand-alone TURN service first. The WebRTC-based product I've been working on for months now (finally wrapping up v1) is one-to-one by nature, and I actually want the connection to be peer-to-peer when possible. But access to a TURN server in every Cloudflare datacenter would be nice.

corytheboyd 4 years ago

This sounds badass to be honest. Having written some WebRTC browser applications from scratch, that architecture turns into a complicated mess real fast. I can only imagine the nightmare that becomes at less than well equipped tech startups. This sounds like the right way to actually solve the problem.

tommoor 4 years ago

I suppose this would be mostly a direct competitor to Twilio's solution that's a few years old now: https://www.twilio.com/webrtc

throwaway99797 4 years ago

Google missed their opportunity to do this: they've had Google Meet / Hangouts / ... for years. They have the same backend infrastructure that can scale to thousands and low latency to everywhere. Meet already does this with a custom Google protocol in the browser.

If Google had just opened their APIs, they could have provided this to everyone...

  • mcpeepants 4 years ago

    Don't forget about Google Fi (which, it seems sometimes, that _Google_ has forgotten about) which ties it all together with traditional carrier services too. Well it did until they sunset Hangouts, I suppose.

teddyh 4 years ago

Another “Let’s make Cloudflare the central server of the Internet” service, from what I can see.

  • dewey 4 years ago

    I'm really getting tired of this kind of take. You never really see that if AWS adds a product, or GCP adds a product or any other products from bigger CDNs.

    What do you suggest? Cloudflare should stop releasing products? Regulation that you are only allowed to handle x% of the total internet traffic?

    • corytheboyd 4 years ago

      I agree, this rhetoric is getting old.

      So we're supposed to go use one of thousands of other tiny cloud platform providers?

      Okay let's entertain that idea. The first bare minimum items on your vendor approval checklist are things like "can I trust this business to exist in 10 years", "do they have enough resources to support me when shit hits the fan", and "are they mature enough to deliver on the shiny bullet points on their homepage and in their sales pitch".

      Isn't this process going to naturally select a small handful of providers? What am I missing here?

      • endisneigh 4 years ago

        > Isn't this process going to naturally select a small handful of providers? What am I missing here?

        No. It's possible to not do a lot and still last a very long time. Consider zippers, YKK has existed for almost a century and they only manufacture zippers.

        • badwolf 4 years ago

          "The YKK Group is a Japanese group of manufacturing companies. As the world's largest zipper manufacturer, YKK Group is most known for making zippers. It also manufactures other fastening products, architectural products, plastic hardware and industrial machinery."

          followed by

          "On September 19, 2007, YKK was fined €150.3 million by the European Commission for running worldwide price-fixing cartels and sharing markets with zipper-makers Prym and Coats."

          Perhaps not the best example? (source: https://en.wikipedia.org/wiki/YKK )

          • mschuster91 4 years ago

            YKK has the unique advantage that everyone working with clothing knows that the only brand to deliver consistently high quality is, you guessed it, YKK. There have been a number of HN submissions on that subject in the past.

          • endisneigh 4 years ago

            the fact that they were fined isn't really relevant to my point. you can use patagonia if you'd like

        • corytheboyd 4 years ago

          I know you know this but there is quite the difference between a multi-faceted cloud compute offering and the thing that holds my hoodie together.

          • endisneigh 4 years ago

            The point is that it's possible for a company to focus on one thing for a long time. Do you dispute this?

            • corytheboyd 4 years ago

              I am, surprisingly, capable of understanding that companies can exist for long periods of time. Time to walk away lol

              • endisneigh 4 years ago

                If you understand that then I don't know why you posted your original comment. It isn't true in theory nor in practice. cya, lol

      • teddyh 4 years ago

        > So we're supposed to go use one of thousands of other tiny cloud platform providers?

        Capitalism requires competition. If it’s only natural that one company grows larger and better than all others, then this is bad for consumers, and in this case bad for all of us, since it limits who can even be on the internet in any meaningful way.

        • corytheboyd 4 years ago

          But doesn't competition... well, compete? That implies winners. There can only be so many winners.

          I do not at all understand how anyone is walled off from being on the internet, if anything I feel like it's massively insanely easier to do that today than it was twenty years ago.

          It's not like capitalism doesn't have its faults, but using competition to forge winners is literally what it's meant to do. At least in my very basic layman opinion.

          • bombcar 4 years ago

            Competition can also result in multiple "winners" - especially when there is a product that could go two ways, so you have two companies that focus on the different ways.

            Or when there's no real difference in product so there can't really be a winner (sugar water/Pepsi/Coke).

          • skybrian 4 years ago

            There don’t need to be “winners” in every market. Consider the market for grain. Whether suppliers tend to centralize depends on market characteristics.

            Keeping markets competitive often does require regulation. (For example, common carrier regulations.) Thriving markets don’t happen by accident; they are often tough to get going and don’t necessarily happen without a stable government that allows trade to happen.

          • teddyh 4 years ago

            We only tolerate capitalism since it brings better results for consumers and society. If a “winner” is allowed to take over and have too much control, this condition fails, and it’s time to do some of: 1. break up monopolies, 2. regulate corporate behavior, and/or 3. nationalize industries. And let the cycle start again.

            • corytheboyd 4 years ago

              Well, why hasn't that happened yet then? I'm all for dreaming about a utopic perfect world-- I too wish we could just have it. But here we are still, and it just doesn't seem to be changing.

              I do think we should point the finger at companies like Amazon and Microsoft before Cloudflare though.

              We would also likely not have those companies without capitalism to begin with. Or computers. Which actually sounds pretty nice... haha

              • teddyh 4 years ago

                > Well, why hasn't that happened yet then?

                It hasn’t happened because revolving doors, fascism, etc. The state, tasked with doing these things, is not doing them.

                > I do think we should point the finger at companies like Amazon and Microsoft before Cloudflare though.

                Luckily, I have more than one finger to point. There is certainly enough blame to go around. But if you try to argue against criticizing Cloudflare because others also deserve blame, then you’ve lost me.

          • nicoburns 4 years ago

            > That implies winners.

            It seems to me that competition does not imply winners. At least not permanent winners. The difference between capitalism and a traditional competition being that a traditional competition has an end point (at which point a winner can be declared), whereas capitalism has no ending point and thus can only have a winner for a time.

            Imagine a sporting competition that started with 20 teams in a league and every year the bottom team was eliminated until after 19 years there was only 1 team left. We would not want to leave the competition in that state, we would want to introduce more teams to sustain a level of competition. And if the introduced teams consistently had no chance of winning due to the dominance of the top team, then we'd likely change the rules to level the playing field.

    • viraptor 4 years ago

      They're a bit different from AWS. First, they have less competition. Like, competition exists, but they really dominate the market and are the only ones onboarding serious traffic for free loss leader accounts. Second, for all their "we're neutral" talk, they regulate a lot of online traffic in a way that AWS never did. AWS CloudFront Shield will not cut you off from the majority of the popular internet without recourse just because you accidentally tripped some rule.

      So yeah, not being able to handle more than x% of the internet traffic (unless they're running a real dumb pipe with only IP routing logic) sounds great. I'd welcome another Bell System breakup.

    • danwee 4 years ago

      > What do you suggest? Cloudflare should stop releasing products? Regulation that you are only allowed to handle x% of the total internet traffic?

      Regulation sounds about right. Monopolies are regulated in the real world, so why don't we do the same in the virtual one?

    • teddyh 4 years ago

      > You never really see that if AWS adds a product, or GCP adds a product or any other products from bigger CDNs.

      Accusations of hypocrisy are not an argument. Instead of accusing me (and all other detractors) of not criticizing others enough, please elaborate why this isn’t what I described.

      Cloudflare (and others) keep releasing products which make their central role more central and less vulnerable to competition. They ought not to do that, and I would argue for laws which prevent them from doing that if necessary.

      Regarding the problem, this kind of problem should not be solved by one central actor. Instead, these problems should be solved by new network and protocol designs.

      • jnwatson 4 years ago

        From that line of argument, we should really get folks off Linux. And nginx.

        • teddyh 4 years ago

          Is Linux a central actor? No, it’s not; any people could continue development at any time if the current people stop developing it.

          Also, the comparison is flawed, since neither Linux nor Nginx are network services.

      • onion2k 4 years ago

        > please elaborate why this isn’t what I described

        Approximately 1/3 of the most popular websites use Cloudflare[1]. That's not really an argument against the fact that Cloudflare might want to be 'the central server of the internet', but it's a suggestion that they have some way to go yet. I'd bet that Google Tag Manager and some AWS services are integrated into more than 1/3.

        [1] From https://backlinko.com/cloudflare-users

        • teddyh 4 years ago

          What, “They’re not an empire, they only rule ⅓ of the Earth’s surface!”?

          Or “Cloudflare cannot possibly be taking advantage of their market share, since they have competition!”?

        • jraph 4 years ago

          Google Tag Manager can be down without affecting websites' uptime and as a visitor I can block them. I do block them, by the way. So, it's quite central, but at least not really a point of failure.

          AWS and Cloudflare, on the contrary… (and also Google products like fonts.googleapi.com, or probably anything under googleapi.com)

      • gautamdivgi 4 years ago

        That’s too much government control for my liking. Just being honest. Laws that prevent free enterprise never end well. There should be laws that prevent companies from selling a product at a “loss” to gain market share. But to prevent companies from releasing products is completely different level of control which is undesirable.

    • bogomipz 4 years ago

      >"I'm really getting tired of this kind of take."

      Which take is that? An opinion or outlook that differs from your own?

      >"You never really see that if AWS adds a product, or GCP adds a product or any other products from bigger CDNs."

      Sure, you do. When AWS released its DocumentDB (MongoDB competitor) and "Open Distro for Elasticsearch" there was plenty of uproar, both from the companies behind these products as well as the community. Those concerns were also registered on HN.

    • larvaetron 4 years ago

      > I'm really getting tired of this kind of take.

      I'm really getting tired of this kind of hand-wavey response.

    • endisneigh 4 years ago

      You do see plenty of complaining about Amazon and Google, and yes, [some] people on here are very much pro regulation.

  • snarf21 4 years ago

    Unlike Google or Amazon? What happens when there is an outage on either of those? I think it is great that there is more competition in the space writ large.

    • teddyh 4 years ago

      No, not unlike, but exactly like Google and Amazon. I don’t actually think there should be competition in the space of “being a central point of everything” – there should be no such thing as the central company for everything.

deeblering4 4 years ago

> Remote 'fireside chats' where one or multiple people can have a video call with an audience of 10,000+ people in real time (<100ms delay)

I keep hearing this term 'fireside chat' used like this, and every time there's no actual fire and it's not intimate (10k viewers?). What is it supposed to mean?

endisneigh 4 years ago

How much will this cost after the beta?

lminiero 4 years ago

As the main author of Janus, I didn't appreciate at all them proactively suggesting Calls as a replacement for existing deployments based on Janus and mediasoup. I'd understand them aggressively marketing against other RTC cloud providers like Agora, Twilio, and others: trying to "steal" users from open source projects (who share everything and so often live on consulting) really feels like a d*ck move, instead, and basically stealing candy from kids.

rasz 4 years ago

TLDR: Remember how Skype allowed you to talk directly with one another without pesky servers and middle men positioned to intercept calls and metadata? Remember CALEA (Communications Assistance for Law Enforcement Act to allow wiretapping on digital phone networks)? Remember how Microsoft scrambled to dismantle peer-to-peer infrastructure and switch Skype to a typical server model while simultaneously joining the PRISM program? Wouldn't you want to do the same with WebRTC? Why trust your doctor when you can trust Us instead!

> "With a traditional WebRTC implementation, both the patient and therapist’s devices would talk directly with each other, leading to exposure of potentially sensitive data such as the IP address... When using Calls, you are still using WebRTC, but the individual participants are connecting to the Cloudflare network"

pwpwp 4 years ago

Does this support RTC data channels, too, or just A/V?

kwindla 4 years ago

I'd love to know more about

> Calls uses anycast for every connection, so every packet is always routed to the closest Cloudflare location.

Is this true for the UDP media (and data channels) traffic, or just for the initial signaling and connection setup?

If the UDP traffic is all anycast, that's truly impressive engineering work. Bravo!

  • dincer 4 years ago

    I work on the team that works on Calls. Thank you for the kind words.

    It is true, both media and signaling are over anycast and advertised from every Cloudflare location. We manage things like ICE and DTLS state in a distributed way.

    Super happy to be part of the super talented team that made this happen!

  • mmastrac 4 years ago

    Is anycast "just" (!) broadcasting different routes for different parts of the internet for the same IP address? I cannot imagine this is trivial to get right at all.

    • kwindla 4 years ago

      Definitely non-trivial! Deep BGP expertise is required to operate anycast at any significant scale. And RTP/WebRTC media traffic is perhaps particularly tricky, because UDP is so stateless but media servers need to maintain a relatively large amount of state for each "connection."

  • davidz 4 years ago

    Speculating here, but I would read this as "anycast" as a concept, where each user is connected to the closest location, versus anycast as in the IP protocol. The complexity far outweighs the benefits of routing each UDP packet to different servers within the same session.

gnfargbl 4 years ago

I wonder if there's a way to integrate this with https://snowflake.torproject.org/, such that blocking Tor would require also blocking all of Cloudflare?

gizmo 4 years ago

This basically turns phone/video chat into a feature. If this actually works with 10.000 people in a room as advertised, Zoom is in a lot of trouble.

dannyw 4 years ago

Why did Cloudflare say "encryption" but not "end-to-end encryption"?

Should we be reading deeper into this?

  • kwindla 4 years ago

    Short answer: it's not currently possible to do true end-to-end encryption through media servers with a key that is inaccessible from user space.

    Longer answer...

    WebRTC was designed as a fundamentally peer-to-peer protocol. The spec defines (and basically mandates) the use of end-to-end encryption. Which is great! Among other things, this means that browsers can implement e2e in a standardized and provably secure way.

    On top of WebRTC's fundamental peer-to-peer-ishness, you can build an architecture to forward or process media and data streams through media servers. This is what Cloudflare has done, and what every major WebRTC platform/project does in order to scale up participant counts, improve performance by moving routing closer to the network edge, and implement things like recording. But there's no support (yet) in the WebRTC spec for encrypting media streams so that they can be handled and routed by a media server without decrypting them.

    There's ongoing work on this. Here's a nice blog post covering how the early working group effort was being organized: callstats.io/blog/2018/06/01/examining-srtp-double-encryption-procedures-for-selective-forwarding-perc

    • computerfriend 4 years ago

      Thank you for this long answer. Actually, I have always wondered why it isn't possible to treat the stream as arbitrary data, so it can be encrypted and decrypted in "userspace". Something like how Firefox Send works, with a key as a URL fragment. E2EE with intermediate forwarding peers unable to decrypt the contents.

  • rasz 4 years ago

    Other than giving cf your encryption keys to https traffic, your eSIM Ki and now your unencrypted voice calls? Noooo.

tschellenbach 4 years ago

This is the same approach that getstream.io (disclaimer, my startup) and agora.io take for video calling. A global edge network with support for SFU cascading is optimal for the call quality.

  • kwindla 4 years ago

    The Cloudflare Calls launch post is really well written! But I agree that it perhaps somewhat overstates the uniqueness of their approach, given that Agora, Jitsi-as-a-Service, Stream, and Daily all offer WebRTC platforms with a mesh/cascading SFU architecture.

    Relatedly, I didn't know that Stream had launched SFU cascading. That's awesome! I'd love to compare notes sometime if you're up for it. (I'm a co-founder of Daily.)

mjreacher 4 years ago

I for one think this could be a very useful idea for my use case (education) and am looking forward to see how it turns out.

brightball 4 years ago

I've been wondering when CF was going to build this for years. It only made sense given the moving parts in WebRTC.
