British software engineer also talks HTTP/3, zero trust, and lava lamp-powered cryptography

John Graham-Cumming

INTERVIEW The hegemony of CAPTCHAs, the reliably infuriating means by which websites distinguish human users from bots, is – mercifully – in peril.

John Graham-Cumming, chief technology officer (CTO) at web security and performance specialist Cloudflare, tells The Daily Swig that an alternative technology developed by Cloudflare, Apple, Google, and others eliminates the friction and privacy infringements involved in clicking squares that contain bicycles, vans, or traffic lights.




Incidentally, CAPTCHAs – or ‘Completely Automated Public Turing Tests to tell Computers and Humans Apart’ – reference the legendary computer scientist Alan Turing, who received a posthumous apology from the UK government in 2009 following an online campaign by Graham-Cumming.

Graham-Cumming, the POPFile architect who shares with fellow Brit Turing a remarkable mathematical acuity, also talks HTTP/3, ‘zero trust’ architecture, the distributed denial-of-service (DDoS) landscape, and novel ways to generate random, cryptographic numbers.

Daily Swig: Last month Cloudflare announced Private Access Tokens, a technology that leverages ‘private attestation’ to offer an alternative to CAPTCHAs. What drove the decision to focus on this area of authentication?

John Graham-Cumming: Does anybody like CAPTCHAs? They're the most frustrating thing ever, and are often used across websites, so can potentially be used for tracking.

We’ve driven down our use of CAPTCHAs over time by replacing them with other methods.

Private attestation demonstrates that you are essentially coming from a known device. Apple knows who I am, what I use my device for, and they are able to say to a website, ‘This is a legit human, the device hasn't been hacked’.

And private attestation uses a bunch of clever cryptography to prove that you are legit without Apple saying who you are. We think this is going to remove CAPTCHAs in a way that preserves people’s privacy.


Unveiled at WWDC 2022, will Private Access Tokens become the CAPTCHA-killer?


DS: Cloudflare has also just added new capabilities to its network-as-a-service zero trust platform, Cloudflare One. How important is the move to zero trust architecture and is it happening quickly enough?

JGC: Businesses used to keep their employees, servers, and applications inside heavily guarded walls. If you needed to travel, there were VPNs.

But the castle walls got stormed from the inside out when applications started moving out of the business with SaaS, the cloud, and mobile devices. Suddenly the castle walls didn’t make sense.

‘Zero trust’ provides a much more flexible and less expensive [alternative] and Cloudflare has been a player in this space for a long time.

Before the pandemic we announced Cloudflare for Teams, which allows teams to work remotely, and we launched zerotrustroadmap.org to help businesses plan out which applications are going to be outside and inside the firewall, how you connect, [and] who you connect [with].

I think that businesses are, by and large, on a journey towards zero trust. Some are more advanced, some are less advanced. The US federal government has talked about zero trust as the right architecture.




It reflects how we work, and Covid just accelerated this trend because suddenly everybody was at home and needed access.

DS: How significant was the recent news that the HTTP/3 protocol received RFC 9114 standardization?

JGC: About 25% of traffic on Cloudflare already uses HTTP/3, and major browsers are implementing it very quickly, so it’s clearly getting taken up very quickly.

It’s fantastic to see this level of innovation because we depend on HTTP for pretty much everything we do online.

There was a very long standardization process between HTTP/1.1 and HTTP/2, so the fact HTTP/3 was able to follow on quite quickly is a sign that we really are continuing to innovate at fundamental levels on the internet.

DS: What important trends are you seeing when it comes to defending your clients against DDoS attacks?

JGC: Attackers don’t just go after the front door anymore – knocking your website offline. Now attackers are more business-like, especially in ransom-related DDoS where they might go after your DNS, email server, or VPN servers.




Second, although there are still very large attacks at the network level, there has been a rise at the application level. And I think this is partly because we’ve got very good at defending against network-level attacks.

We’ve also seen more use of cloud providers as the source of attacks. I think this is partly to get the request-per-second up really high, because you get more compute power, and because everything on the web is becoming HTTPS, then attacks are also running over HTTPS and that’s more expensive for the attacker.


Cloudflare’s John Graham-Cumming: ‘We really are continuing to innovate at fundamental levels on the internet’


DS: What inspired Cloudflare’s use of lava lamps to generate random numbers for SSL encryption?

JGC: It’s part [practically useful] and part art project. You can generate random numbers in all sorts of ways using different physical processes. Radioactivity is a classic one [as ripening bananas can demonstrate] and there are interesting quantum things.




In London we have a wall of double pendulums, because it turns out that a pendulum attached to a pendulum moves in a very unpredictable way.

We wanted to make the point that randomness is fundamental to keeping things secure online, but computers are not fantastic at creating random numbers. You, me, and everybody else have been told over and over again not to pick easy-to-guess passwords – which is a way of saying ‘pick random passwords’.

DS: Cloudflare has evolved considerably since its foundation in 2009 as an email spam protection platform. How might it continue to evolve in the coming months or years?

JGC: Fundamentally, Cloudflare makes things that are connected to the internet faster, more available, more secure, and more private.

Our product roadmap is really about bringing those attributes to internet-connected things across our application services, CDN [content delivery network], DDoS, network services, and our compute platform, Cloudflare Workers.

We recently acquired an email protection company called Area 1, so email is becoming a big area for us.

Don't forget email – it’s old, but it’s still important. Something like 80-90% of security problems at companies start with email, through phishing and stuff like that.

DS: What are you most proud of in your career and why?

JGC: Having built Cloudflare up from having 20-something people to making a real impact on everybody’s use of the internet in terms of security and performance is probably the most satisfying thing.

And doing that with a curious, empathic, open culture is very satisfying.

Everybody always asks me about the Alan Turing thing. I’m glad I did it, but it feels like a long time ago now!

