CloudFlare and Baidu launch China service without HTTPS

Website owners who want their China-based users to have a faster experience can tap CloudFlare’s technology through Chinese search engine, Baidu, so long as encryption isn't required.

CloudFlare announced the new partnership on Monday, which extends its network of 45 points of presence to 62 through an additional 17 data centres across China that are owned and operated by Baidu.

The service is available to Chinese website operators under Baidu’s website accelerator brand Yunjiasu, while CloudFlare customers outside of China will soon have the option to enable its “China network” — delivered from Baidu infrastructure — to serve website visitors inside China.

The partnership extends the reach of CloudFlare’s existing services, including a cloud-delivered firewall, load balancing, WAN optimisation, DDoS protection, and content distribution network (CDN) and domain name service (DNS) services.

But as CloudFlare highlighted today, there’s one hoop that customers need to jump through before taking up the China service, and one security feature missing that is available under its services for the rest of the world today.

The hoop comes from the fact that to host or cache content within mainland China, a website operator needs to have been granted an internet content provider (ICP) license number from the Chinese Ministry of Industry and Information Technology (MIIT). As CloudFlare notes in a support document, the number must be displayed on the website and lacking one can mean the government unilaterally decides to shut down the site.

Websites that haven’t been granted a license are still permitted through China’s Great Firewall; they just won’t be able to take advantage of speed improvements, which CloudFlare claims will cut latency by more than 200 milliseconds for China traffic and generally improve availability.

While China’s firewall blocks Google properties like its search page and Android app store, CloudFlare says 99 percent of its customers are available to China’s 700 million internet users today and they stand to benefit if they have high volume traffic from China.

Besides physical infrastructure, government licensing is where Baidu’s value comes in for CloudFlare customers outside of China thanks to a system that allows the Chinese search firm to automatically submit applications to the government on CloudFlare customers’ behalf.

The missing security feature that may sideline some customers in the short term is support for Secure Sockets Layer (SSL) or HTTPS websites, which encrypt data in transit between the end user and web server.

“For the moment the China network does not support HTTPS traffic (HTTP only). Support for SSL/TLS will be made available in the coming months,” CloudFlare notes on its China network page.

Presumably this is an issue for Baidu to resolve. CloudFlare doesn’t offer an explanation for why it’s not supporting HTTPS on the China network from the outset. It notes in a support page that sites that require HTTPS should not sign up to the Yunjiasu service.

Many of the top HTTPS domains blocked by China are owned by Google, according to Chinese anti-censorship group Great Fire.

CSO Australia has asked CloudFlare for comment and will update the story if it receives one.

There are nonetheless security benefits to the service, according to CloudFlare, which says the new China region makes it overall better able to stop DDoS attacks emanating from China.

“With a network inside China, CloudFlare is now better able to sinkhole attacks before they leave the country. This means that attack traffic originating inside China is less likely to cause disruptions for customers outside of the region,” CloudFlare said.

There’s also a separation between Baidu and CloudFlare that should benefit the security of both companies’ respective customers.

“No CloudFlare customer traffic will pass through the China network unless a customer explicitly opts-in to the service. A customer’s traffic and log data from outside of China is never sent into China. And, for customers that opt-in to serving content inside China, customer identifiable information such as email addresses, password hashes, and billing information is never stored in the China network or shared with our partner.”

CloudFlare added that customers who adopt the China network don’t need to store their private SSL keys within the China network.

“This allows any customer to receive the benefits of CloudFlare’s full suite of services, even if they elect to have their keys stored outside of China,” the company said.

Copyright © 2015 IDG Communications, Inc.
